Thursday, May 04, 2006

Security on the Net - MS Antispyware?

Last year about this time I was beta testing Microsoft's Antispyware. Let me tell you first of all that it sucks. It was great at detecting things but was crap for actual removal of things. Even if you told MS Antispyware to remove it completely, no matter what it said, the spyware would come back on the next reboot. I wrote it off as just usual crap from MS and removed Antispyware from my system and went back to my tried and true standbys of Ad-aware, Spybot S&D, and Hijack This.

So today I was doing some research here at work and I stumbled on some interesting information. I wasn't researching spyware; I was researching something completely different, but yeah, that's the nature of the internet.

Anyway, I found some blog posts about a software company called Claria. Claria, before their name change some years back, was called GAIN, and before that Gator. GAIN and Gator are both well known spyware/malware companies.

Here is the Wikipedia entry for Claria: http://en.wikipedia.org/wiki/Claria_Corporation

So now that I have established Claria's presence in the spyware world, let me describe what happened around the time I stopped using MS-Antispyware.

Antispyware originally had any products from Claria (GAIN and Gator) flagged as high risk and quarantine/remove. At some point in time the default settings for those spyware programs were changed BY MICROSOFT to ignore and moderate risk. So what this meant is that if you used scheduled spyware scans, MS-Antispyware would completely ignore anything by Claria and allow it to pass. If you used manual scan and removal, then the next day MS-Antispyware would not flag the incoming reinstallation of Claria software as hostile, and again allow it to pass by.

This problem was of course easily remedied by ignoring the MS-Antispyware settings and setting them manually to remove/quarantine for the particular spyware. However, on the next update (usually weekly during beta) the settings for those particular spywares would go back to the Microsoft settings of ignore, moderate threat, and the whole process would start over again.

Interestingly enough, Claria is not the only company that MS has let skate by on their spyware/malware.

WeatherBug, which ships WITH AOL software (including AIM and ICQ), is considered spyware. While it seems to serve out weather information, it also collects surfing habits and feeds that information back to a server for serving up directed advertisements. Yep, spyware.

So MS-Antispyware originally had WeatherBug flagged as spyware for removal. Again the same thing happened. They updated the spyware database to show WeatherBug as a moderate threat, ignore. Here is the twist on this one though. AOL THEMSELVES threatened to sue Microsoft on the spyware classification of WeatherBug. Yeah, AOL, the guys with all the commercials touting their service and supposedly protecting their users against spyware/malware. Microsoft, instead of fighting, caved and deflagged WeatherBug as spyware.

It goes on more. WhenU, WebHancer and Ezula Toptext have also been autoflagged as ignore on MS-Antispyware. WhenU in particular was the program I was having the most fits with trying to remove.

Take a look at this screenshot from one of the reports:

http://www.sunbelt-software.com/ihs/alex/ignore1small.jpg

That is pretty much what my MS-Antispyware report would look like every morning, even AFTER spyware removal with MS-Antispyware.

So the point of all this is: just because something is made by a company supposedly looking out for you, remember that enough money and scratch through back channels, or in some cases the threat of a lawsuit, changes everything.

Current Setup:

Firefox + Adblock + Filterset.G
Thunderbird
Grisoft AVG
Lavasoft Ad-Aware

Virus and Adware Free since August 2005.

Various links and references:

http://en.wikipedia.org/wiki/Claria_Corporation
http://getoutfoxed.com/about/spyware
http://www.dslreports.com/forum/remark,13793423
http://www.findarticles.com/p/articles/mi_zdewk/is_200501/ai_n8671127
http://sunbeltblog.blogspot.com/2005/07/update-on-clariamicrosoft.html
http://www.pchell.com/support/weatherbug.shtml
