
More on Slamming Spyware

Choosing and implementing the right tools; Bass at his most shameless.

Steve Bass

Steve Bass writes the "Hassle-Free PC" column in PC World's print edition and is the author of PC Annoyances, 2nd Edition: How to Fix the Most Annoying Things About Your Personal Computer, available from O'Reilly.

Last week I laid down the background about spyware: what it is, how you get it, and who's behind it.

The big question now is which anti-spyware program to choose.

Frankly, it's a difficult decision. That's because there are many issues to evaluate, and some are complex. For instance, I need to be confident that the product's ability to monitor and prevent future attacks is as good as its scanning skills. Let's say that a particular anti-spyware program can ferret out and remove spyware; if its real-time monitoring sucks, then chances are good I'll end up with spyware back on my PC.

Another concern is how well the program handles false positives. It's essential that the product can recognize both legitimate programs and the components those programs use. That way it won't falsely flag as spyware a DLL (a helper file) that legitimate programs rely on just as much as spyware does.

For instance, libexpat.dll rides along with various spyware products--but it's also used by Trillian, my instant messaging program. When I used Tenebril's SpyCatcher, its scan told me the DLL was spyware and suggested I quarantine it. I did so. Then, much to my dismay, I was locked out of Trillian because it was missing the DLL. SpyCatcher couldn't reverse the quarantine. A Tenebril rep promised to resolve the problem for me, then planned to modify the program so it wouldn't happen again. (See how I suffer for you?)

So it's essential that the anti-spyware program can completely reverse the quarantining or removal of false positives. More on this issue later on.

Read the Article: Spyware Stoppers

Over the last month, I've tried 12 anti-spyware products. I'm not 100 percent happy with any of them. But don't furrow your brow, I do have two recommendations. Coincidentally, they're pretty close to those in our massive April cover story: "Spyware Stoppers."

That article's what I've been waiting for--a thorough, comprehensive, and technical piece with lots of details. For instance, one chart shows exactly how each of nine products scored in eight tests. Another details the type of attacks--Registry additions and home page modifications, for instance--and which anti-spyware products did the best at cleaning up after them.

I encourage you to spend some time with another portion of the article, "Real-Time Monitoring," which tells you about what I think is an immensely important part of any anti-spyware product, how it monitors for ongoing attacks.

A word of caution: Some of you might think that using more than one anti-spyware product for real-time monitoring provides an extra layer of security. Nope. You can certainly scan your system with more than one product, but use just one real-time monitor to avoid any conflicts.

Shameless Self-Promotion: I've got to do it, so I'll be quick. The second edition of my book, PC Annoyances, is finally available. I blast away 150 new PC annoyances (the first 150 are still in the book, too) and discuss more than 150 free utility downloads to help you demolish all your other computing irritations. Go ahead, scan a sample chapter, then grab a discounted copy. BTW, there's a bonus: The $16.95 price includes a free copy of the PC World "Super Guide to Problem Solving" PDF.

My Favorite Anti-Spyware Product

The one I'm using--and the PC World Best Buy--is CounterSpy from Sunbelt Software. It's $20 and there's a 15-day trial at Sunbelt's site. I strongly encourage you to try it. CounterSpy consistently found more spyware on my production and test PCs than other products, including my former favorites, Lavasoft's Ad-Aware SE Personal and Safer Networking's Spybot Search & Destroy.

On the downside, CounterSpy found a few false positives. But while this is annoying, it's a good thing in a way: I'd rather that an anti-spyware program be overly protective. I'll show you how to handle the situation in a moment.

What happened is that CounterSpy claimed two legit programs, Undelete and CommView (a network sniffer from Tamos.com), were suspect. I recognized these two apps and was easily able to mark them both as okay, essentially putting them on CounterSpy's whitelist. That way CounterSpy would ignore them in future scans.

I asked Alex Eckelberry, the president of Sunbelt Software, why the program called the two legit programs spyware. He explained, "Since many [spyware] programs are written using off-the-shelf commercial tools, a nasty keylogger could actually use a component that is completely legitimate and used by other programs (such as a DLL to uncompress graphic files, or a standard help file). An anti-spyware application might get confused and think that this [same] component is part of the keylogger." That's what I experienced, and I agree with Eckelberry's response.

My strategy on false positives, and this works with most anti-spyware programs, is similar to what Eckelberry said later in my interview with him. If I'm the slightest bit concerned that the program accused of being spyware is a legit application, I quarantine it and set a system restore point. (Most anti-spyware programs give you a way to set the system restore point.) Quarantining lets you keep the suspected spyware at bay. If it was a false positive--you'll know it if a legit application stops working--you can use the anti-spyware program to bring it out of quarantine.
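The quarantine-then-restore routine above is what a reversible quarantine looks like in practice. As an added illustration (not code from the column, from Sunbelt, or from any of the products named), the following Python sketch keeps a manifest of every isolated file with its original path and SHA-256, puts a false positive back exactly where it was, and remembers files the user has marked as OK so later scans skip them. The directory layout, the stand-in "libexpat.dll" bytes and the hash-based allowlist are all constructed assumptions for the demo.

```python
import hashlib
import json
import shutil
import tempfile
import uuid
from pathlib import Path
from typing import Optional

# Constructed sample content; stands in for a file a scanner has flagged.
SAMPLE_BYTES = b"constructed stand-in for libexpat.dll, not a real DLL"


class Quarantine:
    """Reversible quarantine with a manifest and a hash-based allowlist.

    Each isolated file is moved into the store and recorded with its original
    path and SHA-256, so a false positive can be put back where it came from.
    Files the user has marked as OK are remembered by hash and skipped later.
    """

    def __init__(self, store_dir: Path) -> None:
        self.store_dir = Path(store_dir)
        self.store_dir.mkdir(parents=True, exist_ok=True)
        self.manifest = self.store_dir / "manifest.json"
        self.allowlist = self.store_dir / "allowlist.json"
        for f in (self.manifest, self.allowlist):
            if not f.exists():
                f.write_text("{}")

    @staticmethod
    def sha256(path: Path) -> str:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()

    def _load(self, f: Path) -> dict:
        return json.loads(f.read_text())

    def _save(self, f: Path, data: dict) -> None:
        f.write_text(json.dumps(data, indent=2))

    def is_allowed(self, path: Path) -> bool:
        return self.sha256(path) in self._load(self.allowlist)

    def quarantine(self, path: Path) -> Optional[str]:
        """Move a flagged file into the store and return its manifest id,
        or None if the file is on the allowlist and was left alone."""
        path = Path(path)
        if self.is_allowed(path):
            return None
        original = str(path.resolve())
        digest = self.sha256(path)
        entry_id = uuid.uuid4().hex
        shutil.move(str(path), str(self.store_dir / entry_id))
        manifest = self._load(self.manifest)
        manifest[entry_id] = {"original": original, "sha256": digest}
        self._save(self.manifest, manifest)
        return entry_id

    def restore(self, entry_id: str, mark_ok: bool = False) -> Path:
        """Put a quarantined file back at its original path after checking
        the bytes are unchanged; optionally remember its hash as legitimate."""
        manifest = self._load(self.manifest)
        entry = manifest.pop(entry_id)
        stored = self.store_dir / entry_id
        if self.sha256(stored) != entry["sha256"]:
            raise RuntimeError("quarantined file was altered; not restoring")
        original = Path(entry["original"])
        original.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(stored), str(original))
        self._save(self.manifest, manifest)
        if mark_ok:
            allow = self._load(self.allowlist)
            allow[entry["sha256"]] = original.name
            self._save(self.allowlist, allow)
        return original


def run_demo() -> dict:
    """Walk the false-positive case: quarantine, see the app lose its DLL,
    restore and mark OK, then confirm a later scan leaves the file alone."""
    root = Path(tempfile.mkdtemp(prefix="antispy-demo-"))
    app_dir = root / "Trillian"                   # constructed layout
    app_dir.mkdir()
    dll = app_dir / "libexpat.dll"
    dll.write_bytes(SAMPLE_BYTES)

    q = Quarantine(root / "quarantine")
    entry_id = q.quarantine(dll)
    gone_after_quarantine = not dll.exists()      # the app would break here

    q.restore(entry_id, mark_ok=True)             # user recognises it as legit
    restored_bytes = dll.read_bytes()
    skipped_next_time = q.quarantine(dll) is None # allowlist honoured

    shutil.rmtree(root)
    return {
        "gone_after_quarantine": gone_after_quarantine,
        "restored_bytes": restored_bytes,
        "skipped_next_time": skipped_next_time,
    }


if __name__ == "__main__":
    print(run_demo())
```

The hash check in `restore` is the point of the manifest: a quarantine store that cannot prove the file it hands back is the file it took is no better than the SpyCatcher behaviour described earlier, where the quarantine simply could not be undone.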

Dig This: Do you have a Web site you're unhappy with? Your cell phone company's, maybe. Would you like to bomb it, virtually speaking? Go ahead, use Netdisaster to send meteors, missiles, floods, or, well, I don't want to spoil it... [Thanks, Brad L.]

What About Microsoft?

At the time I wrote this column, I was going to recommend Microsoft's AntiSpyware program. As I wrote last week, it's free--and it seems to work really well. When I first started using it, it was doing a good job at removing spyware.

But I delayed submitting this column to give myself more time--over three weeks--to bang away at Microsoft's program. In that time, I watched CounterSpy find spyware that AntiSpyware missed. Also, Microsoft's product is in beta--and unlike other betas I've used, this one doesn't have an easy way to report problems or get support.

Still, if you're not willing or able to spend $20 for CounterSpy, feel free to grab a copy of Microsoft AntiSpyware from us.

BTW, if you think AntiSpyware looks just like CounterSpy, you're right. And the similarity is no accident. Giant Company Software, the manufacturer of Microsoft's anti-spyware product, was in partnership with Sunbelt Software before Microsoft stepped into the picture. Sunbelt went its own way, but because of the pre-Microsoft agreement, it still gets updates from Giant Software's spyware-signature technology. At the same time, Sunbelt has staff adding spyware updates to CounterSpy.

The other difference between the products, and I think this one's critical, is that Sunbelt provides toll-free tech support for problems you encounter with CounterSpy. If you want more details about the arrangement between Microsoft and Sunbelt, and there are plenty, read Brian Livingston's "Microsoft AntiSpyware: Separated at Birth." (Yep, Brian's newsletter may be seen as competition, but it's great--and Brian's an old drinking buddy.)

My Anti-Spyware Strategy

I've talked to lots of technicians--Rod, George, Gus, Brain, and others. These guys are out in the trenches, actually working on individual and corporate PCs loaded with spyware. I've distilled their advice into a few key points:

  • Get your system clean and free of spyware. Do that by scanning first with CounterSpy, then with two freebies, Ad-Aware and Spybot Search & Destroy. If you have the time to do yet another hard-drive scan, consider taking advantage of the free SpySubtract trial available from InterMute.
  • Don't worry about cookies--I don't. I set CounterSpy to ignore them; my focus is on spyware and adware.
  • Once your system's clean, make sure the anti-spyware program's real-time monitor is running. For example, in CounterSpy you'd go to View, Settings, Active Protection and then check both boxes in that section.
  • Get a copy of Merijn.org's HijackThis, then read the spyware article's "Another Road to Success" section to understand how it works. To correctly configure HijackThis, read Andy Brandt's January "Privacy Watch."
  • When you're out gallivanting around on the Internet, use your good sense and intuition: Don't click on suspicious messages, dialog boxes, or files. For instance, some fishy dialog boxes ("You're at RISK!! Click here for a free anti-spyware scan!!!") are tricky because if you click the alleged "Cancel" button, you may inadvertently install spyware. Instead, always click the red X in the upper right corner of the dialog box to close it. And if that's too confusing, just close the browser.
  • Dig This: I don't know if you've seen this headline yet, "Microsoft's AntiSpyware Tool Removes Internet Explorer." But that's no surprise, because it's still in beta. (I know I'm spoiling the gag, but I worry you might take this seriously. It's a spoof.)

    ©2009 About.com, a part of The New York Times Company.

    All rights reserved.