
Thread: Download Microsoft Anti-Spyware Beta1

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Download Microsoft Anti-Spyware Beta1

    If you want to test Microsoft Windows Anti-Spyware, go here.

    Link : http://www.microsoft.com/downloads/d...DisplayLang=en

    If you want to pass the Genuine Program thing, here is a direct download link.

    http://download.microsoft.com/downlo...areInstall.exe
    -Simon "SDK"

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Thanks SDK. I think I'll give it a shot, to see how well it works. It's not like this is *MY* pc or anything...I'll have desktop support re-image this thing if it gets hosed.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I like this thing

    Doesn't look/feel like a beta at all!

    I checked my box (XP Pro SP2) with Ad-Aware and Spybot, and it came up clean. I then ran MS's application.

    It uses the recently acquired SpyNet technology, and provides "a revolutionary network community that connects hundreds of thousands users to quickly share and identify unknown applications, blocking spyware almost as quickly as it is released". It's optional, but if you enable it, it will send signatures of all spyware detected on your computer to SpyNet's central server.

    It comes with real-time protection (9 Internet Agent checkpoints, 25 system checkpoints, and 25 application agent checkpoints), and some "advanced tools" (system explorers and "browser hijack restore", and a nice "tracks eraser" function which lets you, for example, delete the Google toolbar history).

    The scan results are extremely detailed (application, location, instances, extended information on the threat, ...). It marked Kazaa as spyware, although I'm using the Lite version (as far as I know, it only detected the installation of Kazaa, not actual spyware), but advised to ignore it (same for WinPCap). Deletion of actual spyware is painless.

    Anyone else have an opinion?

  4. #4
    Very cool, found 2 spyware and SDbot worm after Spybot, Adware and AVG showed a clean system. Easy to use. Looks like it has a lot of interesting advanced features.

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well


    I have just run this on a W2k system...

    On this system I have been recently testing several anti spyware programs as I have been looking for a corporate solution to the spyware problem....I had heard that MS was maybe working on a solution so I have held off on the purchase as the cost per desktop was more than AV.....I was also looking at an integrated AV\ASW solution willing to toss Norton AV...but that is another issue.

    Anyway

    I must say I am very impressed as this beta ran well...and found a piece of spyware sitting on my machine...that nothing else has found!!!

    I opened explorer (thought it may be a false positive....regular norton issue) and sure enough it was there in the system32 directory

    winsys.exe

    Nothing else has found this...properties show it was created in May 2004...and I have tested SEVERAL antispyware programs on this machine.

    Good job MS....

    My .02 cdn

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    BTW: This is a Microsoft "beta". The program or engine itself has been around for a while. It used to be Giant's. Giant's antispyware has been rated in the top 10 for quite a while. No reason to reinvent the wheel...

    Ran adaware and spybot (both updated) prior to scanning with ms anti-spyware.
    I do like the look and feel though. I also like the realtime protection.

    I got a couple of false positives though...

    Detected Threats

    Timbuktu Pro Commercial Remote Control more information...
    Status: Ignored
    High threat - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May us a security flaw in the operating system to gain access to your computer.

    Infected files detected
    C:\WINNT\system32\nsldapssl32v30.dll
    Not really installed on my machine. Just that file was found.

    Netscape nsldapssl32v30.dll

    The nsldapssl32v30.dll file is required for any LDAP functionality that may be used in your application. We recommended that you install this into the Window's System32 directory.
    http://www.betrusted.com/downloads/p...alc-7.1.3.html



    InstSrv Trojan more information...
    Status: Ignored
    High threat - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May us a security flaw in the operating system to gain access to your computer.

    Infected files detected
    C:\Program Files\Resource Pro Kit\instsrv.exe
    It *can* be used to install a trojan as a service, but it is not a trojan in itself.

    SearchSquire Adware more information...
    Details: SearchSquire is an Internet Explorer sidebar containing paid links that open when you use search engines.
    Status: Removed
    Elevated threat - Elevated threats are usually threats that fall into the range of adware in which data about a user's habits are tracked and sent back to a server for analysis without your consent or knowledge.

    Infected registry keys/values detected
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com * 4
    Got me there... not legitimate but easily removed. adaware and spybot didn't find this.
    EDIT: Actually, this is also a false positive. According to a post on slashdot, this is part of spybot's immunization feature... which I use.

    WinPCap Enabler more information...
    Details: WinPCap is an Open Source Windows Packet Filtering Library. It provides low level internet & system traffic data to other applications that leverage its utilities.
    Status: Ignored
    Low threat - Low risk threats pose a very low risk or no immediate danger to your computer or your privacy, however these types of applications may profile user online habits, but only according to specific privacy policies stated in the applications End-User License. These types of threats generally borderline on being a threat to being a standard application that has a complex license agreement that you knowingly installed.

    Infected files detected
    C:\Program Files\WinPcap\daemon_mgm.exe
    C:\Program Files\WinPcap\rpcapd.exe
    C:\WINNT\system32\wanpacket.dll
    C:\WINNT\system32\wpcap.dll
    c:\program files\winpcap\install.log
    c:\program files\winpcap\uninstall.exe
    C:\Program Files\WinPcap\NetMonInstaller.exe
    C:\WINNT\system32\drivers\npf.sys
    C:\Program Files\WinPcap\npf_mgm.exe
    C:\libnetnt\LibnetNT\DRIVERS\Packet2K\Packet.dll
    C:\libnetnt\LibnetNT\DRIVERS\PacketNT\Packet.dll
    C:\WINNT\system32\packet.dll
    C:\Documents and Settings\Administrator\Local Settings\Temp\packet.sys
    C:\WINNT\system32\pthreadVC.dll

    Infected folders detected
    c:\program files\winpcap
    Again, false positive.
    Well... kinda. I guess this could be offending software depending on who has installed it and for what purpose.


    Thus far, I'm impressed. But this was someone else's product. Let's see what comes of it.

    Does anyone know about pricing? If any? I didn't find much on that. Hopefully it'll be free?!

    From the "help about"
    Microsoft AntiSpyware Version: 1.0.501
    This version expires on: 7/31/2005
    Current User: user
    Spyware Definition Version: 5678 (1/5/2005 11:44:42 AM)
    Now... I want a console from which I can manage all of this on different computers.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
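
The SearchSquire finding in post #6 is a `ZoneMap\Domains` entry whose `*` value is 4, and the zone number is what separates a block entry from an elevated-trust one. The sketch below is an added example, not part of the original post or of any product mentioned in the thread; it assumes report lines in the format shown in that post, and the `example.test` line is constructed for contrast.

```python
import re

# Internet Explorer security zone numbers stored as value data under ZoneMap\Domains.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Matches a report line: the ZoneMap\Domains key, optionally followed by
# "<value name> <zone number>", as in the "searchsquire.com * 4" line.
ZONEMAP = re.compile(
    r"\\Internet Settings\\ZoneMap\\Domains\\(?P<domain>\S+)"
    r"(?:\s+(?P<name>\S+)\s+(?P<zone>\d+))?\s*$",
    re.IGNORECASE,
)

BASE = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
        r"\Internet Settings\ZoneMap\Domains")
SAMPLE = [
    BASE + r"\searchsquire.com",      # from the post: key only
    BASE + r"\searchsquire.com * 4",  # from the post: value "*" = 4
    BASE + r"\example.test * 2",      # constructed: a Trusted Sites entry
]

def verdict(zones):
    """Turn the set of zone numbers seen for one domain into a triage note."""
    if not zones:
        return "key only: read the value data before deciding"
    if zones == {4}:
        return "Restricted Sites: block entry, consistent with immunization"
    if zones & {0, 1, 2}:
        return "elevated trust: investigate who added it"
    return "other: " + ", ".join(ZONES.get(z, "unknown zone %d" % z)
                                 for z in sorted(zones))

def triage(lines):
    """Group ZoneMap findings by domain and return {domain: triage note}."""
    seen = {}
    for line in lines:
        m = ZONEMAP.search(line)
        if not m:
            continue  # not a ZoneMap finding
        zones = seen.setdefault(m.group("domain").lower(), set())
        if m.group("zone") is not None:
            zones.add(int(m.group("zone")))
    return {domain: verdict(zones) for domain, zones in seen.items()}

if __name__ == "__main__":
    for domain, note in triage(SAMPLE).items():
        print(domain, "->", note)
```
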

  7. #7
    Dead Man Walking
    Join Date
    Jan 2003
    Posts
    810
    I also got a few very minor easily spotted false positives and also found a little piece of spyware neither spybot or adaware pro found. All in all for a microsoft product and especially a beta I am impressed. I hate to think what it's going to cost when a final release is developed.

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    If m$ were to release a pay version, wouldn't fixing known bugs that can be exploited by adware/spyware be a conflict of interest? If they fix the bugs and people apply the patches... people don't get infected and they can't sell the software.

    But we all know that m$ would *never* do something like that... right?... right?

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Hey they gave out the Firewall and packet sniffer for free.

    Just like everyone else, I had a false positive (but I can see why it picks up the program) but it didn't find anything "extra". The interface is slick and it's a good program. This is what I learned playing with it:

    There are three categories of "agents" that load on startup if you desire. They are Application, System, and Internet settings. These can be like a local security tool because they each seek out and monitor changes to various properties.

    Application Agent: monitor changes in IE settings and Active X controls as they are processed

    System Agent: Monitor changes in security settings such as privilege escalation and also system properties of the OS.

    Internet Agent: Monitors changes in the settings for either the dial-up or Ethernet/USB for the internet connection in Network Properties.

    In addition you can enable your system (I chose not to) to participate in a network "spy-net" to report system changes detected by the agents. They will use that data to update signatures.

    Very Nice. Kind of shocked really.

    Oh and the license expires in July 2005. Since it is MS and there are agents running I would imagine a whole slew of command line abilities are there along with a console to plug into MS Management or Active Directory integration. But that ability to control clients via remote will make or break this in the enterprise. Home users should download it.

    //EDIT Ooops it picked up WinPCap like with Phish while I was typing. Another falsie, unless you don't know what that is and it pops up on your PC.

    Well NOW, I am even more impressed: the "Tracks Eraser" module automatically detected the installation of several programs and with one click enables you to ERASE the history files of them. Sure there are other programs that do that but this is an added benefit to an already seemingly excellent product. Mine detected:

    Adobe
    MS Common Dialog (used by programs to list files etc)
    Google Toolbar History (very nice)
    ICQ
    IE (history, cookies, Form entries)
    Kazaa

    And it goes on and on to include the history files of just about every piece of software I have, including MS Office files and Paint etc.

    In addition there is a system explorer that lets you look at extreme details of system function, a change or trace events. Sweet

    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    Junior Member
    Join Date
    Mar 2004
    Posts
    3
    It found RadLight on my machine, which neither SpyBot nor Ad-Aware found.

    I guess RadLight can be pretty nasty, but it's been on my machine since 10/03 and didn't seem to be doing anything. Got it with a download from CNET it seems.

    I think the MS product worked well. I think its biggest contribution will be its ease of use, and the fact that it's an MS product. The more spyware protection and removal software that gets used by casual/home computer users, the better off we'll all be.

    And we know that MS has the channels and enough clout to get the software out there. Like it or not, I think that's a fact.


    __________________
    Intranet Journal's Spyware Guide
    http://www.intranetjournal.com/spyware/
