Spyware sneaks onto your computer disguised as an ActiveX control or a mischievous program that a Web site tricks you into installing, or can even piggyback on legitimate software that you download and install. Spyware earned its name because it steals your private data without your knowledge. Over the past few years, spyware has proliferated to the point that a computer connected to the Internet behind a firewall with properly configured antivirus software can still be infected with spyware--some cases have contained as many as 100 instances of infection--because, until recently, most antivirus-detection software hasn't targeted spyware. However, the latest versions of most antivirus software can detect certain installations of spyware. Microsoft has joined this battle with its recently released beta version of Windows AntiSpyware. The program packs useful and innovative features in a slick and easy-to-use interface.
Just What Is Spyware?
Enter Windows AntiSpyware
The beta version of Windows AntiSpyware is targeted at small office/home office (SOHO) users and doesn't include enterprise features such as centralized management, configuration, or reporting. But the program is easy to use and effective, and even larger organizations will want to take a look at it. (It wouldn't be difficult to script wrappers around the program to consolidate data.) Microsoft purchased the AntiSpyware technology from GIANT Company Software in December 2004, and users of the original program will recognize the interface.
You can download Windows AntiSpyware (Beta) from the Microsoft Web site at http://www.microsoft .com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en. Ironically, to access the download you're asked to download and install a Microsoft ActiveX control that certifies that your computer is a Genuine Microsoft Windows Installation. I'm not sure what exactly the control looks for, but it's funny that to download a program that protects your computer's privacy you must allow Microsoft to search your computer for specific data. I wonder whether future versions of Windows AntiSpyware will detect this Microsoft ActiveX detection utility--the beta version doesn't.
Installation and first-time configuration is very easy--you simply run the downloaded executable on the computer you want to protect. The first time you launch the program, the Setup Assistant wizard walks you through the main configurable components of the program. During configuration, you can choose to have your computer protected through the program's real-time checkpoints. The program also gives you the option to scan your computer immediately after configuration to discover any previously installed spyware. Figure 1 shows the results of a spyware scan. You can also see in Figure 1 the clean user interface, from which you can configure scans, set real-time options, access advanced tools, or change options. Real-time checks are included, so you should keep Windows AntiSpyware running on your computer, just as you do antivirus software. The real-time protection blocks spyware from making changes to your system. The program installs itself to run in the background, and a dialog box will pop up in the bottom right corner of your screen with any messages or event announcements. You can access the program by clicking on its icon, which looks like a bull's-eye, in your system tray.
How the Program Works: Real-time Protection
Windows AntiSpyware uses mechanisms called Security Checkpoints to search for spyware that has been installed on a computer. These real-time checks can be triggered when a user installs new software. The program is pretty smart and won't alert you when you update software that's already installed on your system. But it will alert you if a Web site attempts to install a program through your Web browser. When a Security Checkpoint is triggered, Microsoft AntiSpyware will suspend the suspicious activity and prompt you with a warning dialog box asking whether you want to allow the activity. The program classifies its more than 100 Security Checkpoints into three groups: Application Agents, System Agents, and Internet Agents. These real-time protection agents block spyware from executing. You can view, activate, or deactivate any Security Checkpoints by clicking the Real-time Protection icon.
Application Agents include checkpoints that watch the installation of new ActiveX controls or determine whether Microsoft Internet Explorer (IE) has been modified. Other Application Agents monitor system activities, including running processes, the addition of new startup files, running scripts, or the modification of certain registry values. Application Agents are active and continuously monitor your system. For example, Windows AntiSpyware will alert you if it detects an unknown process attempting to execute on your computer.
System Agents watch your computer for security permission or system setting changes. For example, a few of the System Agents include checkpoints that monitor whether your hosts file has been altered, whether the Windows logon policy has been modified, or whether the Windows standard protocol drivers have been tampered with.
Internet Agents monitor unauthorized modem activity, inbound wireless connections to your computer, and changes to the Windows Messenger Service. Agents also prevent your computer's proxy, DNS, or TCP/IP settings from being modified and include a "Spam Zombie" checkpoint that prevents your computer from sending unwanted email.
All Security Checkpoints watch your system in real time. For example, you're undoubtedly familiar with Web sites that invite you to click a link to make them your home page. If you do so while running Windows AntiSpyware, the program will immediately warn you when the home page change is attempted, as Figure 2, page 10, shows. In this example, I had visited the Google home page and clicked a link there to make www.google.com my home page. Even though I wanted to make the change and initiated it myself, Windows AntiSpyware noticed the attempt to change my IE settings and rightfully intercepted it.
Many of the program settings let you customize alerts and messages. For example, you can disable prompts and notifications about installing updates and new versions. You can also configure the program to automatically (and silently) block detected threats, such as running .vbs or .js files.
Scanning Your Computer
One of Windows AntiSpyware's major features is the scheduled scanning it can perform on your computer. Scans compare files and registry settings against a database of known spyware. The scans can detect latent or previously installed spyware that the Security Checkpoints might miss. You can initiate a quick scan to check your computer for existing spyware or create a customized scan. The scanning process is relatively quick, and when the scan is finished, Windows AntiSpyware presents you with a summary report similar to the one Figure 3 shows.
The report lists spyware that the program has detected and prompts you to designate which instances to remove. What's cool about this report is that it includes an informative description of the spyware it lists. For example, as you can see in Figure 1, Windows AntiSpyware has detected the file-sharing program Kazaa and also explains under Spyware Threat Details that Kazaa itself isn't spyware--rather, the software that is installed along with Kazaa is considered spyware.
System scans serve a different purpose than the real-time checkpoints do. For example, a real-time checkpoint will alert you if a Web site tries to change your home page or if software that might affect your browser is installed (e.g., a browser helper object). But because legitimate programs also make such changes, a scan might not detect them. Used together, real-time protection and regular scanning provide two layers of spyware protection for your computer.
To keep up with the ever-growing deluge of new spyware, Windows AntiSpyware includes an automatic update service that downloads new spyware signatures from Microsoft. You can specify the download interval or check manually for new signatures. The beta version of Windows AntiSpyware boasts more than 100,000 threat files and settings. The automatic updater uses TCP port 80 to download spyware signatures, so it works with most firewalls and proxy servers. After new signatures are downloaded and installed, a small window pops up to inform you.
Perhaps one of the most intriguing features of Windows AntiSpyware is the SpyNet AntiSpyware Community feature. This voluntary feature enrolls your computer in a community made up of users of Windows AntiSpyware and GIANT AntiSpyware. The feature is designed so that if a community member identifies a new type of spyware, he or she can submit a spyware report to Microsoft that will raise an alarm and notify other members of the SpyNet community of the newly discovered threat. Community members have the choice of whether or not to submit a report to Microsoft.
Other Useful Features
Technically savvy users will appreciate Windows AntiSpyware's Advanced Tools, which let them dive into the details of spyware detection on their system. For example, the Browser Hijack Restore tool lets you set 15 IE settings (e.g., start page, search page, default page URLs) to be restored after Windows AntiSpyware cleans your computer after detecting spyware. The AntiSpyware Advanced Tools let you compare your current settings with a benign setting.
The System Explorers tool lets you inspect and configure many typically hidden settings. For example, you can inspect IE's browser helper objects to see which IE extensions are installed. System Explorers includes abundant Help files. If you don't know what a browser helper object is, for example, simply access the Help menu for further information. With System Explorers, you can inspect (and block) all installed ActiveX controls, running processes, startup programs, IE settings and toolbars, and even commonly attacked Windows files such as hosts and Winsock.
Tracks Eraser lets you remove various activity trails on your computer--for example, IE history logs and cookies. The tool lets you erase the tracks that many popular applications store, such as ICQ chat histories and Adobe Acrobat histories. You can even erase histories from less well-known programs, such as the Kazaa file search history.
With the Advanced File Analyzer, you can discover information about any file's installation and other technical details, such as display name, publisher, path, size, and version. The tool will also show you time stamps for when a file was created, last accessed, or last modified, and gives you an MD5 checksum that you can use to verify the file's integrity.
Testing Your Configuration and Viewing Event Data
You can easily test Windows AntiSpyware's real-time system by visiting any Web page that prompts you to set it as your home page. When you click the link to do so, the activity should trigger an alert. Another easy test is to run any .vbs or .js file on your protected computer. The first time the script runs, Windows AntiSpyware will ask whether you want to allow the action. When you receive a Windows AntiSpyware alert, you can view its details by clicking the Real-time Protection icon in the program interface, then selecting View all events. As Figure 4 shows, the list of Agent Events displays the event's date and time as well as details such as the filename and path of scripts that have run and a description of the checkpoint that triggered the alert. A link to even more technical information is included under Event Details.
Get the Spyware Out
Spyware has become more than a nuisance--it slows down computers, steals private information, and clogs networks. The Windows AntiSpyware beta version offers solid monitoring and alerting functionality along with innovative features such as the SpyNet community. The only thing missing from the package is obvious support for the enterprise, such as centralized management and aggregated reporting and alerting.