Out, Foul Spyware!

Beta Man looks at the recently released beta Microsoft Windows AntiSpyware software.

Microsoft's December 2004 acquisition of Giant Software made waves. Long rumored to be working on an anti-virus software package of its own, Microsoft instead purchased a giant (pun intended) in the anti-spyware industry. Before long, Microsoft released a beta of the Microsoft Windows AntiSpyware software, which I've found to be fairly straightforward, easy to use and effective. Of course, it hasn't changed much from Giant Software's version of the product, which I've always liked.

Spyware is an odd class of software. There's no doubt that users don't like it, but some spyware programs perform a useful function. Often, that useful function—such as providing a search toolbar in IE—is provided to disguise the spyware functionality. Spyware isn't a virus, in that it doesn't propagate itself maliciously and doesn't deliberately do damage to your computer. What makes people dislike spyware is the fact that it often installs itself without warning (frequently packaged along with peer-to-peer file-sharing software, for example), is difficult to uninstall, tracks users' computing habits (such as Web sites they surf) and reports back to its parent company with that demographic information.

Microsoft Windows AntiSpyware
Version reviewed: Beta
Current status: Beta
Expected release: Mid-2005

A similar class of software is adware, which exists primarily to throw up pop-up ads, redirect your IE home page to an ad site and so forth. These software packages aren't usually detected by anti-virus software, because, as I've said, they aren't strictly viruses. They're annoying enough, however, to have users clamoring for a solution, which commercial vendors such as McAfee, Norton and now Microsoft offer.

The AntiSpyware Package
Windows AntiSpyware runs only on Windows 2000, Windows XP, and Windows Server 2003. (If anyone hasn't gotten the memo about support for older operating systems, this is a reminder: Microsoft kindly requests that you upgrade your copies of Windows 98 and Windows Me, to say nothing of Windows 95 and Windows NT.)

Despite the product's name, Windows AntiSpyware searches out adware as well as spyware; Microsoft terms the entire category Potentially Unwanted Software, giving us a rather appropriate acronym, if you think about it. It's difficult to tell how "final" this beta is in terms of functionality and how closely related it is to its non-Microsoft origins. The installer, for example, commits the unpardonable sin of adding an icon to your desktop without asking, and adding an "uninstall" icon to its program group in the Start menu. Both actions are frowned upon by Microsoft user interface guidelines and may be leftovers from the product's days at Giant.

Are You Genuine?

Downloading the beta for AntiSpyware requires you to decide if you'd like to participate in the Windows Genuine Advantage program. Participation is optional; I was able to download the beta without participating. If you choose to participate, however, you'll download a very small executable, which generates a unique, short string of characters. Typing that string of characters into the Genuine Windows Web page confirms that you have a genuine copy of Microsoft Windows.

Microsoft's intent here is to help users figure out if they've got a bogus copy of Windows. If you haven't activated Windows, you'll be prompted to enter that insanely long string of characters that you were supposed to get with your PC (many OEMs put the code on a sticker somewhere on the computer's case). Genuine Windows Validation is becoming a requirement for all access to the Microsoft Download Center. Read more about the program here.

— D.J.

Once installed, you'll walk through a brief Wizard on first launch that sets up Automatic Updates for the Potentially Unwanted Software definitions as well as updates to the product itself. You also have the option to enable real-time protection and join the SpyNet Community (more on that in a bit), and then you're ready to go.

How It Works
Like anti-virus software, AntiSpyware can provide both continuous real-time monitoring and complete point-in-time system scans. It defaults to scanning your computer every night at 2 a.m. (you can change or disable the schedule) and turns on real-time monitoring. The scan process is straightforward and not unlike the scans offered by LavaSoft Ad-Aware and many other anti-spyware products. Figure 1 shows a scan in progress, including a notification that spyware has been detected.

Figure 1. As it scans your computer, Microsoft AntiSpyware notifies you when it finds spyware and adware.

Finding spyware isn't the difficult part. Like anti-virus solutions, AntiSpyware uses a definition database that describes what various spyware software looks like, and it simply scans for files, Registry keys and processes matching those signatures. AntiSpyware found several pieces of Potentially Unwanted Software on my system, including three pieces of spyware that the then-current version of Ad-Aware didn't pick up. That kind of performance isn't surprising. Giant was well-liked in the industry for the thoroughness of its product. (Incidentally, every piece of spyware on my system was some kind of Internet Explorer Browser Helper Object [BHO] or in some other way targeted IE. To me, that's yet another argument for not building IE into the operating system, and for not using IE at all. Not a single piece of spyware was accused of "redirecting the home page" in Firefox, for example.)

Removing the spyware is the tricky part. Some spyware hides itself really well, and in so many places, that removal can be challenging. I had seven instances of eXact.BargainBuddy, for example, which is categorized by AntiSpyware as high-risk.

Figure 2. For each piece of spyware or adware that AntiSpyware finds, it spells out the threat level, provides a description and offers advice on how to handle it, with the default action being "Remove."

As shown in Figure 2, you're presented with a list of detected spyware, with each defaulted to "Remove." On the odd chance that you want one of these pieces of software on your system, you can easily change it to "Ignore." If you're concerned about possible negative impact, you can select "Quarantine," which will disable the spyware but leave it on your system for possible restoration. AntiSpyware can also create a Windows XP System Restore Point prior to removing anything, giving you the ability to roll back AntiSpyware's changes, if desired. I left everything set to "Remove" and allowed AntiSpyware to report its findings to SpyNet; it was then able to successfully remove everything.

At What Price?

Offering a free beta version of AntiSpyware is a traditional Microsoft tactic. It gets lots and lots of people to test the software and provide feedback. At the same time, those folks get to try new software and see if they like it, at no charge. Everyone wins.

Eventually charging business customers for AntiSpyware software—although Bill Gates has said that the software will be free to consumers—would be perfectly acceptable. Or would it? Spyware gets on your system not by exploiting vulnerabilities per se, but rather "loopholes" in how software—primarily Internet Explorer—works. Should Microsoft choose to charge business customers for its AntiSpyware software, there'd always be a lingering question: Is the company on one hand building more "loopholes" into Windows so that spyware can get in, and on the other hand charging you for a product that'll remove that spyware?

Should Microsoft ever offer a commercial anti-virus package, the question would be asked even louder: Was last week's security vulnerability a bug, or a deliberate doorway for viruses which are quickly blocked by Microsoft's anti-virus software? I'm not suggesting that Microsoft would do such a thing; the folks I know at Microsoft really do want to do the right thing for their products and customers. But the question would always be on the table.

Gates' recent decision is probably the best path: Give the software away for free, at least to consumers (and depending on their licensing agreement, or lack thereof, many business customers are considered consumers by Microsoft). Of course, Microsoft will now be accused of "Netscaping" the current anti-spyware companies, and it wouldn't surprise me to find that those companies are already calling their lawyers. And anti-spyware represents a relatively small market niche right now. Should Microsoft release a free anti-virus package, you can bet on lawsuits being filed.

— D.J.

Staying Safe
AntiSpyware's real-time protection includes more than just scanning for spyware. Because so many pieces of spyware target IE and attempt to hijack its settings (changing your home page to an ad page, for example), AntiSpyware can be configured with your preferred IE configuration settings. It will then enforce those settings even if they're later changed by spyware.

AntiSpyware also includes a number of System Explorers, which expose configuration information that's normally difficult to access. For example, you can browse downloaded ActiveX controls, view registered IE BHOs, IE toolbars and so forth. In many cases you'll spot spyware yourself using these Explorers. A Tracks Eraser removes cookies, browser history, and other traces of your Web-surfing past, helping to preserve your privacy.
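
The BHO list that such an Explorer shows can also be read straight from the Registry. The PowerShell below is an added example, not part of the original review or of AntiSpyware itself; it assumes PowerShell 3.0 or later, and the function name Get-BhoInventory is illustrative. It only reads the Registry and checks each DLL's Authenticode signature.

```powershell
# Added example: inventory registered IE Browser Helper Objects (BHOs).
# Read-only; nothing in the Registry or on disk is changed.
$bhoSubKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# Native Registry view, plus the 32-bit view present on 64-bit Windows.
$views = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')

function Get-BhoInventory {
    foreach ($view in $views) {
        $root = Join-Path $view $bhoSubKey
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Each subkey name is the CLSID of one registered BHO.
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid   = $key.PSChildName
            $clsPath = Join-Path $view "Classes\CLSID\$clsid"
            $cls     = Get-ItemProperty -LiteralPath $clsPath -ErrorAction SilentlyContinue
            $server  = Get-ItemProperty -LiteralPath (Join-Path $clsPath 'InprocServer32') `
                           -ErrorAction SilentlyContinue

            # The default value of InprocServer32 names the DLL that IE loads.
            $dll = $null
            if ($server -and $server.'(default)') {
                $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)').Trim('"')
            }

            # A BHO entry with no COM registration or no file is itself worth noting.
            $status = 'CLSID not registered'
            if ($dll) {
                $status = if (Test-Path -LiteralPath $dll) {
                    (Get-AuthenticodeSignature -LiteralPath $dll).Status.ToString()
                } else { 'File missing' }
            }

            [pscustomobject]@{
                View      = $view
                Clsid     = $clsid
                Name      = if ($cls) { $cls.'(default)' } else { $null }
                Dll       = $dll
                Signature = $status
            }
        }
    }
}

# Unsigned, missing or unfamiliar DLLs are the entries to review first.
Get-BhoInventory | Sort-Object Signature, Name | Format-Table -AutoSize -Wrap
```

Only machine-wide registrations under HKLM are listed; COM classes registered per user are outside what this example reads.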

The real-time protection component of AntiSpyware includes 59 checkpoints, each of which guards against a specific spyware infection vector, such as running processes, Registry files and so forth. Annoyingly (for me, because I do a lot of scripting), a script blocker is one of these built-in checkpoints. Fortunately, you can disable the checkpoints that you don't like, allowing me to run my scripts without constant pop-up warnings.

Beta Man's Routine Disclaimer:
The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.

SpyNet Connected
AntiSpyware can also work with SpyNet, an online community effort to reduce and eliminate Potentially Unwanted Software. You can optionally report your AntiSpyware scan results to SpyNet, helping the community quickly identify new spyware. SpyNet provides updated information to your copy of AntiSpyware to help keep it updated. SpyNet does require an outgoing Internet connection; AntiSpyware's help file includes details for configuring the Windows Firewall as well as general guidelines for configuring hardware and software firewalls to allow the connection.

And lest you think SpyNet is itself a form of spyware, check out the lengthy (and, for Microsoft, oddly plain-English) privacy policy included in the help file. You're given a clear notification each time information is to be transmitted to Microsoft, and you always have the option to decline. You can also disable SpyNet functionality entirely, making AntiSpyware run in a standalone mode without reporting information on new spyware to SpyNet.

Integration, Pricing and More
Sadly, spyware wasn't on Microsoft's mind when it shipped the security-enhancing Windows XP Service Pack 2. SP2's new Security Center doesn't detect Microsoft AntiSpyware as an anti-virus solution (nor should it), and Security Center doesn't have a category for anti-spyware, so this new software sort of sits out on its own rather than being integrated into the operating system's central security console. That's a shame, and hopefully something Microsoft will address in a future update.

As of this writing, Microsoft has committed to providing AntiSpyware to consumers at no additional charge. The company also says it's planning a "managed anti-spyware solution that will be available as part of a paid solution." Whether business customers will be able to deploy AntiSpyware on their own free of charge isn't yet clear.

Microsoft has also announced a Malicious Software Removal tool that removes specific viruses (but doesn't prevent them), and industry expectations are that Microsoft will eventually release a full anti-virus suite. It's doubtful such a suite would ever be bundled with Windows—I'm sure lawyers at Symantec and McAfee have legal filings ready to go on that score—but Microsoft could potentially offer anti-virus software as a free add-on. Given how plagued Windows has been by viruses exploiting Windows vulnerabilities, it's probably the least they can do.
