Microsoft Windows Anti-Spyware

On December 17, 2004, Microsoft announced the acquisition of an anti-spyware company, surprising many in the industry. The acquisition is notable for two reasons. First, Microsoft had already revealed its intention to get into the anti-spyware market. Second, the company it purchased, Giant Company Software, was largely an unknown in the industry. But in a rare moment of luck, I'd actually been a fan, customer, and advocate of Giant AntiSpyware, as their anti-spyware solution is logically named, for several months. In fact, I've found it to be far more effective than the industry darlings, Ad-aware and Spybot Search & Destroy. And I've been recommending it to friends and family ever since.

But wait, the luck doesn't end there. While my experience using Giant Antispyware gives me a unique perspective of this product, I was also lucky enough to interview Giant co-founder Andrew Newman just days before his company was purchased by Microsoft. Newman discussed with me Giant's plans for future versions of the product, including a centrally-managed enterprise version (Figure) that, I suspect, played a large part in Microsoft's interest. Newman explained to me why Giant's approach to tackling spyware is superior to that of the competition, and provided some valuable insight into how spyware can be confronted and defeated.

First, a bit about Giant

Giant Company Software was founded by Ron Franczyk and Andrew Newman in Chicago in November 2000. The pair were both working in corporations and were frustrated by spam and the horrible anti-spam solutions that were available at the time. Rallying around the message "Online Peace of Mind," the two started Giant Company Software with the goal of creating a better anti-spam mousetrap. The resulting product, Giant Spam Inspector, now protects over 2 million email inboxes from spam.

Despite their name, Giant Company Software was never a giant company. It grew from the two cofounders to 11 employees who are today based in Chicago, Atlanta, and New York, and it also sells a pop-up ad blocker and the anti-spyware solution that we're now most interested in. But Giant has been profitable and self-sustaining since its inception, Newman told me, and its products are currently used by almost 1 million customers. That success, he said, has been driven by Giant's community-based approach.

"We decided to leverage the power of community and create an anti-spam community," he said. "Many products are like that now, including Cloudmark and others. But there wasn't anything like that four years ago. We allow the Internet community to help us solve a huge problem, and we build into that system an intelligent approach to anti-spam that combines [traditional anti-spam] rules with heuristics."

About a year ago, Giant began looking into anti-spyware for both consumers and enterprises. Here, the company knew it could use some of its existing anti-spam technology. But it also solidified its community-based approach into a community Web site called Spynet, which helps ensure that Giant customers know about spyware threats before anyone else. Spynet was an immediate success, with over 200,000 contributors in its first month alone.

Why Giant AntiSpyware is better

Because many of the companies that are getting into the anti-spyware market come from an anti-spam background, they tend to bring with them the habits and methods that worked there. That makes some sense, Newman told me, because spyware is essentially an extension of spam, or the technological successor to spam. However, Newman told me that battling spam and spyware are not identical. That's because spyware is typically more pathological and invasive than is spam.

"Windows was developed as a platform, and is extremely extensible, so we can integrate into the system," Newman said. "The problem is, anyone can do that, including malware writers." To effectively fight spyware, he said, you need software that can do more than just look at a file, poll a list of known bad files, and identify it as good or malicious. Spyware often imitates legitimate files, or finds ways of hiding itself on your system. For this reason, Giant AntiSpyware uses logic that is based partially on feedback from Spynet to examine the "genetic fingerprints" of files and determine whether those files are valid. "We can detect variations of files," Newman said. "The way anti-virus works is it looks at strings and patterns in a file. This looks at the file as a whole. They're completely different approaches."

Indeed, the signature-based methods used to combat spam are ineffective against spyware, because the methods spyware use to attack your system change so often. Newman said Giant AntiSpyware provides a three-pronged attack on spyware. First, the product can perform spyware scanning and cleaning, as you'd expect. Second, the aforementioned Spynet provides Giant with valuable community contributions. And third, Giant AntiSpyware runs constantly in your system, providing real-time protection from spyware, preventing it from getting a foothold in your system. It's better to prevent an attack from happening than to try and remove malware after it's already infested your system.

"Real-time protection is the key," Newman told me. "Spyware has to integrate into your computer somehow, using a Browser Helper Object or whatever. The real-time protection monitors virtually every single auto start point on your system, detecting changes and notifying you, via a pop-up window, when anything changes." If you're installing an application, for example, you will know to dismiss the pop-up, because you've instituted the changes it's detecting. But if you're browsing the Web (with IE, no doubt), and you receive such a notification, it's time to start paying attention.

In my own admittedly unscientific testing, Giant AntiSpyware has proven notably superior to perennial favorites like Ad-aware and Spybot Search & Destroy. Indeed, I find it interesting that so many reviewers recommend that users install both Ad-aware and Spybot in order to fully protect themselves from spyware. That's because neither seems to be able to remove all of the spyware on any PC I've tested. I've had much better success with Giant AntiSpyware. And I'm not alone: In Spywarewarrior.com product tests, Giant AntiSpyware came out on top, detecting 111 of 138 possible spyware installs, compared to just 79 for Ad-aware (second place) and 69 for Spybot (fourth place). None of those programs reported any false positives, though another popular product, Pest Patrol, suffered a whopping 10 false positives and found just 55 real spyware installs.

Effectiveness is obviously the most important aspect of any spyware solution, but I'm also a big fan of Giant's user interface, which is far nicer than that of Ad-aware or Spybot, and more Windows-like. Let's take a look.

A look at Giant Antispyware

If you set it up correctly, you'll never see the AntiSpyware application after your first manual spyware scan, because it will sit resident in your system and automatically deal with most spyware attacks, prompting you only with pop-up windows occasionally as needed. However, Giant AntiSpyware, unlike some other spyware solutions, presents a pleasant, easily-navigated user interface that is similar, in some ways, to a Microsoft taskpad or activity center.

Spyware Scanning

There are three main screens. From the Spyware Scan screen, you can initiate a manual spyware scan, set scan options, and view information about prior scans (Figure). If you choose to run a scan now, Giant AntiSpyware can perform a number of scan types, including a deep scan, which scans all files and folders, and a more typical intelligent scan, which will just test common entry points for spyware. When a scan is complete, you can view the scan results (Figure) and then optionally decide what to do with any found spyware (Figure); spyware can be ignored, quarantined, removed (the default), or always ignored.

Real-time Protection

In the Real-time Protection screen (Figure), you can configure whether the real-time protection feature is active and view the status of Giant AntiSpyware's three agent types (Internet, System, and Application). The Internet Agents prevent applications from modifying or monitoring your Internet connection and settings. The System Agents protect against threats making unauthorized or hazardous changes to your system, including altering security permissions. The Application Agents prevent threats from installing, deleting, or modifying Internet Explorer or downloading ActiveX controls, which can contain malicious code.

Currently, these three agent types protect 58 so-called system checkpoints, entry-points in your system where malicious code can be inserted. For example, one typical checkpoint is called process execution. This checkpoint prevents spyware from executing processes (applications or services) on your PC. If an unknown process attempts to execute on your computer, the process will be blocked and you will receive an alert, which lets you remove the process. This is, possibly, the most critical function of this software: It blocks errant software from executing on your system, before it happens.

From the Real-time Protection screen, you can also access information about blocked events, which are changes to your system that you have chosen to block.

Advanced Tools

The third screen, Advanced Tools (Figure), provides you with links to numerous other functions, including System Explorers, which are system settings that are often hard or impossible to otherwise configure. For example, you may be familiar with the new Manage Add-ons functionality that is included with the Windows XP SP2 version of Internet Explorer; this feature lets you enable or disable Browser Helper Objects and other IE plug-ins. However, the Internet Explorer System Explorer in Giant AntiSpyware also lets you permanently remove such add-ons, which, frankly, is exactly what you need (Figure). There are all kinds of System Explorers in Giant AntiSpyware, and if you're interested in security, you should spend some time here. You can configure such things as which applications run when Windows starts, which ActiveX controls are installed, and which processes are currently running. It's a wonderful set of functionality that Microsoft should bubble up more obviously from within Windows itself.

Other Advanced Tools include System Inoculation, which examines your PC for possible security holes (Figure); Browser Hijack Restore, which helps restore features of IE that have been hijacked by malware (Figure); Tracks Eraser, which can be used to remove the history of your activities in a surprisingly wide range of applications and system services, such as Adobe Acrobat Reader, Microsoft's Windows Common Dialog, and the Google Toolbar (Figure); and Secure File Shredder, a wonderful utility that can be used to completely eliminate files from your PC using US Department of Justice (DOJ) recommendations for secure file destruction (Figure). How this product doesn't have the word "suite" in its title is beyond me.

AntiSpyware pop-ups

Like a firewall or anti-virus application, Giant AntiSpyware more typically makes itself known by popping up the occasional pop-up window in the lower right corner of your desktop. These pop-ups arrive when the product detects a potential spyware attack, or, by default, when it's completed a spyware scan (you can turn that latter feature off, which I recommend).

Some of the pop-ups are innocuous. For example, you may upgrade a product to a newer version. In such a case, Giant AntiSpyware will typically note that an acceptable application change has occurred and let you get on with your life without having to approve the change (Figure).

Some of the pop-ups, however, warn of more dangerous problems. Perhaps you've navigated to a malicious Web site that is attempting to install some spyware. Or maybe you or an application are attempting a system configuration change with which Giant AntiSpyware is not familiar. In such a case, you're provided with information about the change and prompted to Allow or Block it.
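The monitoring flow described in the Real-time Protection and pop-up sections (watch auto-start checkpoints, report acceptable changes, prompt on unfamiliar ones) can be sketched as a baseline-and-diff check. This is an added example, not Giant's or Microsoft's code; the checkpoint names, paths, the placeholder add-on id and the KNOWN_GOOD list are constructed assumptions.

```python
from collections import namedtuple

Event = namedtuple("Event", "checkpoint entry change old new")

# Constructed snapshots of three auto-start checkpoints: {checkpoint: {entry: command}}.
BASELINE = {
    "HKLM Run": {"ExampleAV": r"C:\Program Files\ExampleAV\tray.exe"},
    "IE Browser Helper Objects": {},
    "Startup folder": {},
}
CURRENT = {
    # Entry rewritten by a product upgrade the user started.
    "HKLM Run": {"ExampleAV": r"C:\Program Files\ExampleAV\tray-v2.exe"},
    # New add-on that appeared while browsing (constructed placeholder id).
    "IE Browser Helper Objects": {"{EXAMPLE-CLSID}": r"C:\Windows\Temp\helper.dll"},
    "Startup folder": {},
}
# Hypothetical list of commands already judged acceptable.
KNOWN_GOOD = {r"C:\Program Files\ExampleAV\tray-v2.exe"}


def diff_checkpoints(baseline, current):
    """Return one Event per entry that was added, removed or modified."""
    events = []
    for checkpoint in sorted(set(baseline) | set(current)):
        old, new = baseline.get(checkpoint, {}), current.get(checkpoint, {})
        for entry in sorted(set(old) | set(new)):
            before, after = old.get(entry), new.get(entry)
            if before == after:
                continue
            change = ("added" if before is None
                      else "removed" if after is None else "modified")
            events.append(Event(checkpoint, entry, change, before, after))
    return events


def triage(events, known_good):
    """Split events into informational notices and Allow/Block prompts."""
    notices, prompts = [], []
    for ev in events:
        # Only a change that lands on a known-good command is waved through;
        # removals and unknown commands need a decision from the user.
        (notices if ev.new in known_good else prompts).append(ev)
    return notices, prompts


if __name__ == "__main__":
    notices, prompts = triage(diff_checkpoints(BASELINE, CURRENT), KNOWN_GOOD)
    for ev in notices:
        print(f"notice: {ev.checkpoint}/{ev.entry} {ev.change} (known good)")
    for ev in prompts:
        print(f"ALLOW or BLOCK? {ev.checkpoint}/{ev.entry} {ev.change}: {ev.new}")
```

Removed entries are routed to the prompt list as well, since silently dropping a security tool's auto-start entry is as worth a decision as adding an unknown one.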

Microsoft Windows AntiSpyware Beta: Changes from the Giant product

So now that Microsoft has purchased Giant and its anti-spyware solution, attention logically turns toward what the company will do with it. Previously, Microsoft had revealed that it would release an anti-spyware solution in 2005, a year ahead of the mid-2006 release of Longhorn (where its anti-spyware solution was originally set to appear). The company has internal anti-spyware and malware projects, codenamed Strider and GhostBuster, respectively, which would have fulfilled those goals, and sources I've spoken with suggest that Microsoft understands, perhaps better than anyone, how today's malicious spyware is now hooking into Windows systems and intends to rectify that situation. In late 2004, Microsoft started beta testing an internal version of Giant AntiSpyware, codenamed "Atlanta," that was only a minor revision over the version Giant last released (Figure).

Since posting my initial version of this preview, Microsoft has shipped two public beta releases of what it's now calling Windows AntiSpyware (Figure). The first, which arrived in January 2005, less than a month after the Giant acquisition, was visually identical to the Giant release, but lacked a few interesting features from the original. Specifically, Windows AntiSpyware does not include the File Shredder and System Inoculation features, both of which were excellent. The result is a less full-featured Advanced Tools area in the Windows AntiSpyware UI (Figure).

"We removed the Secure File Shredder and System Inoculation tools because they were not essential, and overlap in functionality with the Microsoft Baseline Security Advisor tool," Paul Brian, the Director of Product Management for the Security Business and Technology Unit, AntiSpyware at Microsoft told me recently. "We've also removed the cookie tracking functionality because we're formulating how we want to tackle that one."

Other than that, the Windows AntiSpyware beta is very similar, visually, to the Giant product. That will change, Brian told me. "We've kept the same UI for the beta release in order to get it out quickly," he said. "We will change it. We're getting feedback from customers about what kinds of things they want to see improved, and we definitely have a lot of work to do: Localization, making it more accessible, that kind of thing. Giant wasn't big enough to do that. But spyware is a serious enough issue that we did want to get the product out as quickly as possible. We'll improve it over time."

In February 2005, Microsoft shipped a second public beta version of Windows AntiSpyware that features "enhanced real-time protection agents, new threat categories, and improved stability and performance." It does not appear to be much different from the previous beta version.

And what about the good folks from Giant? Brian told me that cofounders Ron Franczyk and Andrew Newman and the rest of Giant are now working for Microsoft, and the entire Giant organization will eventually be working in Redmond. Franczyk and Newman are in the engineering group within the Security Business and Technology Unit, working on Windows AntiSpyware, similar to their work before the acquisition.

Licensing and pricing

In February 2005, Microsoft announced that it would provide Windows AntiSpyware to consumers for free when the final version is released. However, unlike Giant AntiSpyware, Windows AntiSpyware will only be made available to Windows XP SP2 users as one of the benefits of using that platform. A managed corporate version, first revealed in this preview, will be made available later, but will not be free. Instead, the corporate version of Windows AntiSpyware will be licensed on a subscription basis. Microsoft has not revealed the timing for the final release.

Conclusions

Like Giant AntiSpyware before it, Windows AntiSpyware is an excellent product and is inarguably the finest anti-spyware product made available thus far. Given its price (free) and its excellent functionality, Windows XP SP2 users would be crazy not to install this product, even in beta form, and leave it monitoring their systems. However, as many spyware experts have noted, no one anti-spyware product catches all malware and spyware. For this reason, I also recommend that you download and manually run another anti-spyware product regularly. The best non-Microsoft solution is Webroot Spy Sweeper, which I use and recommend, but if you'd rather not pay for protection, the free version of Lavasoft Ad-aware is decent but not excellent. Between Windows AntiSpyware beta and one of these products, you should see a marked decrease in spyware on your systems. The best way to avoid spyware, of course, is to use a safer Web browser. On that note, I strongly recommend Mozilla Firefox over Internet Explorer.