A First Look at Microsoft's Anti Spyware Beta
It never fails to amaze me how hostile an environment the Internet really is. The Internet is loaded with Web sites containing malicious code. Accidentally landing on one of these sites can infect your computer with a plethora of adware or spyware modules. The scary part is that you may never even know that your computer is infected. While it's true that some adware and spyware infections are obvious because of the way that they hijack your browser, keystroke loggers and other Trojans often work silently in the background where you would never notice them.
The worst part of spyware and adware is how easy it is to get an infection. Not only are the owners of countless malicious Web sites doing everything that they can to deceive you into accidentally visiting their site, but nowadays perfectly legitimate and otherwise harmless sites can spread infections. There have recently been reports of legitimate sites that sell ad space infecting PCs because someone has embedded malicious code within an ad.
For the most part I have done a fairly good job of keeping spyware off of my machines, but I have lost count of how many machines I have cleaned up for friends and family. A few months ago, I was listening to a speech by Bill Gates. In his speech, he commented that his own personal machines had become infected by spyware on more than one occasion, and that as a result, Microsoft was declaring war on spyware. At the time, no one was quite sure what this offhand comment really meant, but a few months have passed, and Microsoft has just released the first beta version of Microsoft Windows AntiSpyware.
Before you start sending me E-mails, I just want to say that I do realize that Microsoft's anti-spam initiative hasn't been very successful. Even so, I think that Microsoft's anti-spyware initiative will be effective because I believe that Microsoft is in the perfect position to prevent spyware infections. Think about it for a moment. Most spyware infections occur when a malicious Web site modifies obscure files, registry keys, or browser settings. Microsoft created Windows and Internet Explorer, so they are intimately familiar with even the most obscure registry keys, files, and settings. Since they know what these values are supposed to be set to, it only makes sense that Microsoft should be able to create an application that scans Windows and Internet Explorer for anything that just doesn't look right. They should also be able to monitor changes to the registry and to the file system and block anything that appears potentially malicious. Other anti-spyware programs use a similar approach, but I think that it's Microsoft's thorough understanding of the inner workings of Internet Explorer and the Windows operating system that will make Microsoft's AntiSpyware software a success.
Acquiring Microsoft Windows AntiSpyware Beta
Unlike many of Microsoft's beta programs, the AntiSpyware beta program is open to the public. You can download a copy of the software from: http://www.microsoft.com/athome/security/spyware/software/default.mspx. The only restriction on downloading the beta is that you must have a legitimate (not pirated) copy of Microsoft Windows, and if you are running Windows XP, then Windows must be activated prior to the download.
The AntiSpyware software is designed to run under Windows 2000, XP, and Server 2003. The minimum hardware requirements include a 300 MHz CPU, 64 MB of RAM, and 10 MB of free hard disk space.
Although Microsoft AntiSpyware runs in the background, it also has a handy user interface. The main AntiSpyware screen, shown in Figure A, is designed to give you a sort of overview of your current spyware situation. As you can see in the figure, the system summary reports that AntiSpyware is running normally. It also gives you the date and results of your most recent scan. You can even see when your spyware definitions were last updated and can confirm that AntiSpyware is indeed running.
Figure A: AntiSpyware's user interface gives you a handy spyware status summary
The main screen also contains a button that you can use to initiate a manual scan at any time. By default, AntiSpyware is configured to perform an intelligent quick scan when you scan manually, but you can click the Settings button and opt for a full system scan instead. The full system scan scans files and folders as you would expect, but it is also capable of scanning the system's memory and even the running processes.
Although AntiSpyware can disinfect an infected system, its primary goal is to prevent infections from ever occurring in the first place. This is accomplished through the use of three agents: an Internet agent, a system agent, and an application agent.
Each of these agents contains multiple checkpoints which may be enabled or disabled individually. Each checkpoint guards a common point of entry for spyware. For example, if you look at Figure B, you can see that some of the Internet Agent checkpoints include dial-up connections, Wi-Fi connections, Internet Safe Sites, Winsock Layered Service Providers, Windows Messenger Service, and SPAM Zombie prevention.
Figure B: Each agent contains multiple checkpoints, which guard common points of spyware entry
The nice thing about AntiSpyware's Agent / Checkpoint design is that it is modular. As new types of spyware are discovered, Microsoft can add additional checkpoints as necessary.
The final component of AntiSpyware is the Advanced Tools. The Advanced Tools contain a tool for restoring a hijacked browser, a privacy tool designed for covering your tracks, and something called System Explorer. System Explorer allows you to view or modify Internet Explorer settings that are normally hidden within the registry.
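The "know what the values should be, then flag anything that changed" approach described earlier, and the checkpoints and hidden Internet Explorer settings just discussed, can be illustrated with a small baseline-and-diff script. The following PowerShell is an added example written for this article, not code from Microsoft or from the AntiSpyware product: it snapshots a handful of registry locations that browser hijackers and auto-starting programs commonly touch, writes a baseline on the first run, and on later runs reports entries that were added, modified, or removed. The list of watched keys and the baseline file location are assumptions chosen for the example.

```powershell
# Added example (not part of the article or of Microsoft AntiSpyware):
# baseline and diff a set of registry locations that spyware commonly modifies.
# $Watched and $BaselinePath are assumptions chosen for this example.

$BaselinePath = Join-Path $env:USERPROFILE 'watched-settings-baseline.json'

# Registry keys commonly involved in browser hijacks and auto-start persistence
$Watched = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
)

function Get-WatchedSnapshot {
    # Returns a hashtable of "key\valuename" -> value for every watched key
    $snap = @{}
    foreach ($key in $Watched) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $snap["$key\$name"] = [string]$item.GetValue($name)
        }
        # BHO and toolbar registrations are subkeys named by CLSID; record their presence
        foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $snap["$key\$($sub.PSChildName)"] = '<subkey>'
        }
    }
    return $snap
}

function Compare-Snapshot {
    # Reports entries that differ between a known-good baseline and the current state
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Change = 'Added'; Entry = $k; Value = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $findings += [pscustomobject]@{ Change = 'Modified'; Entry = $k; Value = "$($Baseline[$k]) -> $($Current[$k])" }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $findings += [pscustomobject]@{ Change = 'Removed'; Entry = $k; Value = $Baseline[$k] }
        }
    }
    return $findings
}

$current = Get-WatchedSnapshot
if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline on a machine believed to be clean
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    # Later runs: load the baseline and report what changed
    $raw = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($p in $raw.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    $findings = @(Compare-Snapshot -Baseline $baseline -Current $current)
    if ($findings.Count -eq 0) { Write-Host 'No changes to watched settings.' }
    else { $findings | Format-Table -AutoSize }
}
```

Run it once on a freshly installed or freshly cleaned machine to write the baseline, then rerun it after installing software or after suspicious browsing. Unlike the product's real-time agents, this only reports changes after the fact; it does not block them, and a reported change still has to be judged against what was deliberately installed in the meantime.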
I first downloaded the AntiSpyware beta about a week ago and installed it onto a machine running Windows XP. Since that time, I have been surfing the Web indiscriminately from that machine. The machine has not picked up any noticeable infections.
Although I haven't personally had any spyware infections recently, I received phone calls over the weekend from a friend and from my father. Both of them had accidentally gotten spyware infections and needed to disinfect their machines. I asked each person to download Microsoft's AntiSpyware beta and try using it to clean their system. In both cases, Microsoft's software was able to clean the infected systems with no unusual side effects.
It's also worth noting that earlier this week, I was working on a comparative analysis of various antivirus programs. For this particular paper, I had to install and test several different antivirus programs. I used the same machine for testing the antivirus programs as I used for testing Microsoft's anti-spyware software.
The reason I am telling you this is that I found it interesting how Microsoft's AntiSpyware software reacted to my testing. When I was installing the better known antivirus programs, I would receive a pop-up message from the AntiSpyware software telling me that changes had been made to my system by a trusted program. However, whenever I tried to install lesser known antivirus programs, I received a pop-up message telling me that a program was trying to add itself to Windows' shortcut menus or to Internet Explorer. It then gave me the chance to either allow or block the change. I thought that this was interesting, since the AntiSpyware program was intercepting attempts to modify my system by a user-installed program, rather than by malicious code hidden in a Web site. It gives me a good feeling about the level of protection that the software will eventually provide.