Microsoft AntiSpyware: What Lurks Beneath
Posted January 11, 2005 – 5:23 pm by Yakov Shafranovich in Technology
While I recently discussed the possible motivation behind Microsoft’s purchase of an antispyware company, today I wanted to share my observations on the actual program, Microsoft AntiSpyware BETA 1.
The download and installation process went smoothly, although two things were a bit strange. First, I was prompted whether I wanted to verify the genuineness of my Windows copy (this was mentioned by MicrosoftWatch). Second, the program did not update itself automatically until I did it myself (as pointed out by Larry Seltzer as well). Given that it is a beta, I let it pass.
Once installed, I ran it and refused the realtime protection feature. While I appreciate Microsoft bundling this by default into the product (unlike AdAware, which charges extra), it was a tad too annoying for my taste. After declining this option, I ran a default “quick scan”. Surprisingly enough, I found seven different spyware products on my machine, four of which were rated high enough to be removed by default. I consider myself computer literate enough to keep my computer clean, so I was very surprised to see something slip by me like that. Additionally, given that I use an alternative browser (Opera) and email client (Mozilla Mail), regularly run spyware utilities (SpyBot and AdAware) and have an antivirus installed (AVG), this was even more surprising. So I decided to take a better look at what actually was found. I also wanted to figure out why SpyBot and AdAware detected fewer threats.
Microsoft’s program reported seven threats, with only two of them being reported by AdAware, and none by SpyBot. Of these, three had an “ignore” suggestion attached to them and the other four “remove”. Surprisingly, Microsoft’s program did not look for cookies, which I later found to be a feature, not a bug. In any case, the following threats were detected:
BrilliantDigital Entertainment
Morpheus
Exact.BargainBuddy
Kazaa
Claria
IncrediFind
eDonkey2000
1. BrilliantDigital Entertainment.
Two items were detected, a file called “bdupd.dll” and a registry entry for a file extension “s3d”, with an “elevated” threat setting and a recommendation to “remove”. After taking a better look at the actual file, it happened to be part of an anti-virus program called “BitDefender”. As for the “s3d” entry, the actual registry entry was empty, but according to FileExt.com it is part of Sony’s EverQuest game, which happened to be installed on my computer at some time. So far, two false positives.
2. Morpheus
I had several P2P applications installed on my machine over two years ago for a research paper on the technology. All of them were uninstalled years ago, but apparently traces were left. Among the detected items were one EXE file (which was also detected by AdAware as “WurldMedia”), a bunch of registry entries and four DLL files. This item had a “moderate” threat level and an “ignore” recommendation. The registry entries were detected correctly, as were two of the DLL files (“decl.dll” and “decw.dll”) and the EXE file (mscstat.exe). HOWEVER, the two other DLL files (mfimage.dll and npmirage.dll) were part of the MediaForge development library supplied by ClearSand Corp. While these two files might have been used for development of Morpheus, a large client list at ClearSand shows numerous other legitimate applications that use these files. So another two semi-false positives.
3. Exact.BargainBuddy
This entry consisted of one EXE file, “chktrust.exe” in the WINDOWS\SYSTEM32 directory, with a “high” rating and a “remove” suggestion. After looking at the file, surprisingly this turned out to be a Microsoft utility for checking digital certificates in executables, part of the .NET Framework (as described in MSDN). While I am not sure what the removal of this tool would do, I don’t think I want to find out.
4. Kazaa.
The next on the list was the infamous Kazaa, detected entirely in the registry under “SOFTWARE\KAZAA” entries. While these were detected correctly, they are really harmless, which explains the “ignore” recommendation given by the software.
5. Claria.
Claria, formerly known as Gator, was detected as well under a single registry entry in the “Start” menu. Since the “Start Menu” is crucial, the “remove” recommendation is entirely correct. This was also detected by AdAware.
6. IncrediFind.
Surprisingly enough, this “high risk” item pointed to the registry entries for AceHTML, a freeware HTML editor from Visicomm. After doing some searches, it seems that AceHTML does not come with spyware, so this is another false positive (although I wonder if FrontPage has any connection to this).
7. eDonkey2000.
This was rated as “low” with an “ignore” suggestion. All the items for this were in the registry and looked relatively harmless, since they were sitting under “SOFTWARE\eDonkey2000”.
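The recurring lesson of the seven items above is that a scanner’s verdict should be checked against the flagged object itself before anything is removed: a file’s Authenticode signature and version resource tell you who actually shipped it (a signed Microsoft file such as chktrust.exe is a very different thing from an unsigned DLL of unknown origin), and a registry key with no values and no subkeys is a dead leftover rather than active software. The script below is an added example, not part of the original post and not Microsoft’s code; it uses PowerShell, which postdates this 2005 review, and the only concrete inputs it uses are the ones the post names. The registry hive prefixes (HKLM/HKCU) are an assumption, since the post gives only the “SOFTWARE\KAZAA” and “SOFTWARE\eDonkey2000” subkeys.

```powershell
# Added example (not from the original post): triage items an anti-spyware
# scan flagged, before deciding whether to remove them.

function Test-FlaggedFile {
    # Report signature status and version-resource publisher for a flagged file.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; Signature = 'n/a'
            Signer = ''; Company = ''; Product = ''
        }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $info   = (Get-Item -LiteralPath $Path).VersionInfo
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Signature = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer            # who signed it, if anyone
        Company   = $info.CompanyName  # unsigned metadata: useful, not proof
        Product   = $info.ProductName
    }
}

function Test-FlaggedRegistryKey {
    # Distinguish an empty leftover key from one that still carries data.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Key = $Path; Exists = $false; Values = 0; SubKeys = 0; Verdict = 'absent'
        }
    }

    $key     = Get-Item -LiteralPath $Path
    $verdict = 'has data: inspect before removing'
    if ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0) {
        $verdict = 'empty leftover'
    }

    [pscustomobject]@{
        Key     = $Path
        Exists  = $true
        Values  = $key.ValueCount
        SubKeys = $key.SubKeyCount
        Verdict = $verdict
    }
}

# Inputs taken from the post's scan results. Hive prefixes are assumed;
# the post names only the subkeys.
$flaggedFiles = @("$env:SystemRoot\System32\chktrust.exe")
$flaggedKeys  = @(
    'HKLM:\SOFTWARE\KAZAA',       'HKCU:\SOFTWARE\KAZAA',
    'HKLM:\SOFTWARE\eDonkey2000', 'HKCU:\SOFTWARE\eDonkey2000'
)

$flaggedFiles | ForEach-Object { Test-FlaggedFile -Path $_ }       | Format-Table -AutoSize
$flaggedKeys  | ForEach-Object { Test-FlaggedRegistryKey -Path $_ } | Format-Table -AutoSize
```

A Valid signature from the expected publisher is strong evidence that a detection is a false positive and that removal would break a legitimate product; NotSigned or HashMismatch does not by itself condemn a file, but it means the scanner’s verdict deserves a closer look rather than a reflexive “remove”. Registry keys reported as “empty leftover” are the kind of harmless residue the post describes for Kazaa and eDonkey2000.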
“ALL THAT IS GOLD DOES NOT GLITTER”
To get a more level analysis, I also installed a commercial product. I chose Webroot’s Spy Sweeper, which is the current top choice at PC Magazine. Aside from a bunch of cookies, Webroot detected the WurldMedia EXE file which was part of Morpheus, Claria’s registry entries and BrilliantDigital’s registry entries (but not the file). So far the results matched AdAware almost exactly and did not include any of the false positives that Microsoft’s program produced. Webroot also detected traces in the registry of another spyware product called “BonziBuddy” not seen by any other program. Since the entries were all empty, they were pretty much harmless.
I came away extremely surprised at the large percentage of false positives and their severity. While Larry Seltzer also reported having one false positive, it was nowhere near what I found. Based on the above data, a user choosing to remove ALL of the spyware detected would have possibly broken BitDefender, EverQuest, Microsoft’s .NET Framework, AceHTML and an unknown number of programs relying on MediaForge (some of which can be found here). Even choosing the default setting of removing only four threats would have spared only MediaForge while still possibly breaking the rest. While this product is a BETA, it is nevertheless based on an existing commercial product, and if this is what they were selling before, then I wonder how they stayed in business. While an occasional false positive with anti-virus software does happen, a false positive on a core Windows file almost never happens.
One other thing which bothered me all along is the extremely large number of results from Microsoft’s AntiSpyware, more than both SpyBot and AdAware combined. As a matter of fact, FlexBeta mentioned in their review that “Microsoft AntiSpyware was able to detect more infected files than the current leading anti-spyware applications in the market today, Ad-Aware and SpyBot S&D”. After actually using the programs, the false positives account for one of the reasons for this discrepancy. Another reason SpyBot and AdAware detect fewer threats is the default settings of Microsoft’s AntiSpyware, which scans the entire Windows and Program Files directories, unlike AdAware, which does smart scanning. Additionally, both SpyBot and AdAware ignored the registry entries left behind by various products which are not active, since they are harmless, except of course Claria’s presence in the “Start Menu”, which was detected by AdAware.
It is also very surprising that no review mentioned the issue of false positives except eWeek’s Larry Seltzer. FlexBeta marveled at the large number of results, PC Magazine didn’t like the fact that some stuff was not detected and ZDNET talked about strategy. The issue of false positives, which seems to be very significant, was not even mentioned.
CONCLUSION
It seems that Microsoft’s beta is more like an alpha, basically useless since the number of false positives is too large for this program to be reliable. This may very well prove an old saying true again – it takes Microsoft three times to get anything right.
UPDATE #1 – Jan 17, 2005
I just updated MS Anti-Spyware and re-ran it to see if the same results are returned. This time six instead of seven items were detected, with BitDefender (detected as BrilliantDigital) no longer being falsely detected. CHKTRUST.EXE is still being detected falsely as spyware and is still recommended for removal.
One Response to “Microsoft AntiSpyware: What Lurks Beneath”
I don’t find these results to be a significant shock. After running that application, I wouldn’t be surprised if Microsoft spyware was installed. Who knows, when you asked to verify if the version of Windows you were running was real or not…it may have just reported those results. I know if I would ever test anything from Microsoft…leave the LAN unplugged. I’d run AdAware to make sure that the Microsoft spyware program didn’t infect anything.
By Dovid Kopel on Jan 11, 2005