PC Review



Defender disaster: some feedback for Joe F & co.

 
 
Alan D
      10th Aug 2007
Here's a tale ... bear with me.

My daughter (who knows nothing about computers and doesn't live nearby) has
been running AVG Free along with Defender (with rtp switched on, and an
automatic daily scan). (I know, that's not enough protection - but it took
some persuasion to get even that far.) She also has Spybot, but had let her
scanning routine lapse. After a conversation with me, in which I suggested
that she really needed more protection, and to scan regularly, she updated
and scanned with Spybot and it found a few items (not just cookies). She
asked Spybot to remove them, and it seemed to work; but some returned the
next day. So she phoned me.

We spent several hours on the phone, on and off, as I talked her through a
variety of procedures. The first thing we did was install Superantispyware,
which found two more threats, and AVG Antirootkit, which was clear. As far
as I can see, Superantispyware seems to have done the job. It did a clear
complete scan after a restart, and both the Panda online scanner, and
Spybot, gave a clear result too. Fingers crossed for the next couple of
days - but at least it looks good so far, and she is now seriously planning
the building up of some more solid defences.

But what really troubles me is this. She was infected with ABetterInternet,
Spyware Stormer, Shopathomeselect, and some others that she didn't make a
note of before Spybot removed them. Through all this infection, day after
day, Defender carried on without so much as blinking. It detected nothing,
neither in real-time mode, nor in its daily scan. Certainly my daughter was
far too slack in her approach, but the simple fact is that having Defender
on board was a complete waste of time. Yet she is typical of the kind of
person that Defender was supposed to have been designed for.

This has really shaken my confidence in the program, to be honest. I am,
myself, now questioning whether it's worth having. I would very much like to
read some responses from the Defender team to this. Spybot and
Superantispyware, both free programs, seem to have done the business between
them. Yet Defender, with the whole weight of Microsoft behind its
development, failed at every turn.

What's going on, guys?



 
Tim Clark
      10th Aug 2007
Alan,

And why did you trust Spybot and SASW?

SpyBot has been detecting AbetterInternet and Straton.C on my new machine
for over 3 weeks now. They Are Wrong!

I have scanned the machine 15 times with my entire arsenal. The locations
in question have been checked. The files were placed there by our sysops.

I pointed out a different False Positive from SB in this group just the
other day.

Currently McAfee AV is detecting a file From ClamWin AV as infected. They
Are Wrong.

Does your daughter visit porn, hacker, free download, file sharing sites
often?
Is/was she Actually having ANY problems that needed to be fixed?
Did her system show any improvement after the "fixes"?

My philosophy is that with ANYTHING other than Keyloggers it's best to wait
and confirm before letting ANY program fix ANYTHING if there is not a
MANIFEST problem! [keyloggers are special case]

I hope your daughter does not try to run a program in a couple of weeks only
to find out that some of its key files or registry settings have been deleted.

Good Luck and Slow Down,
Think before Deleting Anything with verification unless something is
obviously wrong, and even then be careful.

?:-\
Tim
Geek w/o Portfolio

--
World Domination
(\__/)(=''.''=)(}><{)o(")_(")
Some Assembly Required



 
Pierre-Richard
      10th Aug 2007
Hello Tim,
I had the same problems with WD, and even WLOC didn't protect my machine (XP SP2)
very well. I had to format. Since using Avast!, Spywareblaster, Spybot with
RTP, Comodo BOClean and Comodo Firewall I have had no surprises surfing in the
same deep areas as before (your examples). Well protected!

 
Reply With Quote
 
Dave M
      11th Aug 2007
Hi Alan D,

Check her option settings, 'cause you know that MS tracks these things with
SpyNet. One of the things that's been claimed is that, since Defender came
out of Beta, ABetterInternet was among the top 25 most removed of all its
detections, so I seriously doubt that they have this particular one wrong,
unless there have been some very recent mods to that code and they're not
picking it up. You should confirm she is both using heuristics and
scanning archives. If not, she could be missing detections, particularly
in the system volume area, email stores, and archived/zipped files. Logic
tells me you should dig deeper here.

Let us know what develops.
--

Regards, Dave





 
Alan D
      11th Aug 2007

"Tim Clark" wrote:

> And why did you trust Spybot and SASW?


1. Spybot: I've used Spybot for years. One detection - yes, OK, maybe an fp.
But it found at least three separate detections. I've never encountered such
a thing with Spybot. Unfortunately they were gone by the time I was involved
so I couldn't investigate those.
2. Superantispyware: I've yet to experience a single fp with this program,
myself. Its shopathomeselect detection was definitely NOT a false positive -
I know of no good reason why sahpackage.exe would be on anyone's computer.
From her description over the phone I think the spyware stormer detection
may just have been a few registry traces (or, as you say, possibly an fp).

> Does your daughter visit porn, hacker, free download, file sharing sites
> often?


I think times are changing, Tim, and those are not the only dangerous
activities. I've experienced, myself, the shock of visiting an apparently
harmless website, only to be redirected and confronted with a delay,
followed by a big red warning from AVG about the infected file it's just
intercepted. She had no protection via a hosts file (though she does now).
She could easily have been infected by clicking in error on a popup ad.

> Is/was she Actually having ANY problems that needed to be fixed?


She said it was running quite slowly. It was hard to get a clear picture of
the pop-up situation.

> Did her system show any improvement after the "fixes".


Too soon to tell.

> Good Luck and Slow Down,
> Think before Deleting Anything with verification unless something is
> obviously wrong, and even then be careful.


Good advice, and thanks for the reminder.


 
Alan D
      11th Aug 2007

"Dave M" wrote:

> You should confirm she is both using heuristics and
> scanning archives. If not, she could be missing detections, particularly
> in the system volume area, email stores, and archived/zipped files. Logic
> tells me you should dig deeper here.


Thanks for this Dave. I'll send her an email now and ask her to check those
settings.


 
Mr Cat
      11th Aug 2007
My particular thoughts: I don't waste my time with a WD full scan. I'd
rather use SuperAntiSpyware. WD doesn't seem to be able to fully remove
virtumonde or SmithFraud, so re-infestation occurs. WD real-time protection
shines but is totally unusable for non-technical types. Several months ago,
there was a post in this newsgroup with the complaint that he was using WD
and still got infected. After I read the post, I did some research and the
malware puts a Run Key in the registry. Enough said. I've used Spybot for
several years. It seems that the number of false positives by Spybot has
gone up. I agree that it is wise not to blissfully remove detected malware
until confirming the detection with other anti-malware programs combined with
research.
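Mr Cat's point that the malware in the earlier case survived by planting a Run key, and Tim's advice to confirm before letting any tool "fix" anything, suggest a simple read-only check a helper on the phone could ask for. The PowerShell script below is an added example written for this page; it is not code from the thread, from Windows Defender or from any of the tools named. It lists every Run/RunOnce autostart entry for the current user and the machine, and flags those whose program does not start from the Windows directory or Program Files. That "trusted roots" rule is an assumption of the example, not something these products apply, and the script assumes PowerShell 3 or later.

```powershell
# Added example (not from the thread, not Windows Defender's or any named
# tool's code): list the Run/RunOnce autostart entries Windows consults at
# logon and flag those whose executable is outside the Windows directory or
# Program Files. Read-only: it changes nothing, so it can be run before
# deciding whether a detection is real.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption of this example: properly installed software normally starts from
# one of these roots. ProgramFiles(x86) does not exist on 32-bit Windows, hence
# the filter that drops empty values.
$trustedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ExecutablePath {
    # Extract the program path from a Run value: a leading quoted path, or the
    # first token, with %SystemRoot%-style variables expanded for comparison.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc. to the object; skip those.
            if ($p.Name -like 'PS*') { continue }
            $exe = Get-ExecutablePath ([string]$p.Value)
            $trusted = $trustedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                # Does the referenced file actually exist on disk?
                Exists  = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
                Review  = if ($trusted) { '' } else { 'starts outside Windows / Program Files' }
            }
        }
    }
}

Get-AutostartEntries | Format-Table -AutoSize -Wrap
```

Entries given as a bare file name (no directory) are flagged as well, since the script cannot tell where they resolve; that is deliberate, as such entries are exactly the ones worth looking up by name before anything is removed. An entry whose Review column is empty is not thereby proven clean, only not unusual in location.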

 
Dave M
      11th Aug 2007
Did I write that?

I should have said, for purposes of comparing apples to apples, make sure
that she *had* used those settings before she got Spybot and SAS involved.
I didn't mean to imply that everyone should enable them all of the time as
a standard. On a slower machine, examining archives continually may not be
such a great idea unless they have the time to devote to it. Those
unexamined archive locations are normally not a problem since everything in
them is packed and nothing can execute... unless the computer operator
unpacks them either unknowingly or by accident... yikes.

However, the bottom line is that it's important to have a multi-layered
defense... AND to use it. )

--

Regards, Dave





 
Alan D
      11th Aug 2007

"Dave M" wrote:
> Did I write that?.


You did, and it was good advice for various reasons - not least of which is
that she'll actually check all those settings for herself now, and become
more familiar with the software. (Actually, I have all those items checked,
on my machine, as a matter of course).

She tells me her scans with Spybot and SAS came up clear again today, so
it's looking hopeful.


 
Alan D
      12th Aug 2007

"Dave M" wrote

> I should have said for purposes of comparing apples to apples make sure
> that she *had* used those settings before she got Spybot and SAS involved.


I've been thinking further about this, Dave. If this were an academic
scientific exercise, and we were concerned about fair testing and level
playing fields, then yes. But that isn't the issue. The issue is whether
Defender, in the hands of the typical computer user (which was effectively
the design brief, we are told), could be left with minimal user interaction
to provide adequate protection. So the only worthwhile tests of Defender are
'in the field' as it were, using its default settings (very few 'typical
users' are likely to meddle with those 'advanced' settings, if you think
about it, even if they manage to find them).

Here was one such test - a failure. In fact, a resounding failure (I don't
know about the others, but sahpackage.exe wasn't making any effort to hide
itself that I could determine). Depressing though it is, if Defender doesn't
offer a reasonable measure of protection for the typical user, it's no
good - and in this case it didn't even whisper that anything might be wrong.


 