antispyware memory leak

Emmett Keyser

Some info for anyone looking for memory leaks, hang, stops responding...

I recently had to take care of someone's spyware problems. One problem I encountered was Microsoft Antispyware would produce a memory leak when doing the registry scan. Problem turned out to be that one of the spyware programs had removed all security from its registry keys. So if you have this problem, use regedt32 to reset or add appropriate permissions to the registry keys that MS Antispyware pukes on. You can find this info by noticing which key MS AS hangs on during its scan. You might have to do this multiple times since there might be multiple separate keys that are affected.

Best,

Emmett
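
An added example, not part of the thread and not Microsoft's code: a read-only PowerShell sweep that lists registry keys whose permissions cannot be read or whose DACL has no access rules, so the keys to repair in regedt32 can be found in one pass instead of one scan hang at a time. The starting path `HKLM:\SOFTWARE` and the reading of "removed all security" as "unreadable or empty DACL" are assumptions.

```powershell
# Added example. Read-only: it reports keys, it does not change any ACL.
# $Root is an assumed starting point; point it at the hive the scan hangs in.
param(
    [string]$Root = 'HKLM:\SOFTWARE'
)

$findings = New-Object System.Collections.Generic.List[object]

# Walk the subtree. Keys that cannot even be enumerated are collected in
# $enumErrors instead of stopping the walk.
Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue -ErrorVariable enumErrors |
    ForEach-Object {
        $name = $_.Name      # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...
        $path = $_.PSPath    # provider-qualified path accepted by Get-Acl
        try {
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            # A key with zero access rules is a candidate for the
            # "security removed" condition described in the post.
            if (@($acl.Access).Count -eq 0) {
                $findings.Add([pscustomobject]@{
                    Key     = $name
                    Finding = 'DACL has no access rules'
                    Detail  = $acl.Sddl   # printed for manual inspection
                })
            }
        } catch {
            $findings.Add([pscustomobject]@{
                Key     = $name
                Finding = 'ACL could not be read'
                Detail  = $_.Exception.Message
            })
        }
    }

# Keys the walk could not open at all are reported too.
foreach ($e in $enumErrors) {
    $findings.Add([pscustomobject]@{
        Key     = [string]$e.TargetObject
        Finding = 'Key could not be enumerated'
        Detail  = $e.Exception.Message
    })
}

$findings | Sort-Object Key | Format-List Key, Finding, Detail
```

Run it from an elevated prompt; without administrative rights many ordinary keys show up as unreadable and bury the ones that matter.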
 
Bill Sanderson

Thanks for the report Emmett. This has been observed here before, and I
believe the development team is aware of the issue.
 
Alan

Don't think this is a TRUE memory leak.

The true definition of a memory leak is once a program has finished using the memory allocated to the application to accomplish a certain task, that application fails to release the memory back to the system in a timely manner. If this application keeps running the same task over and over, then the system will crash due to a lack of memory. Hence the wording memory leak. The system has no way of regaining that memory, unless the application is killed. Even then, the memory might still be tied up by that application.

I'm an electrical engineer, and have some experience with writing source code for programs. There are many other definitions of a memory leak; go to http://www.webopedia.com/TERM/M/memory_leak.html and http://en.wikipedia.org/wiki/Memory_leak for two differing, but almost similar definitions. The second makes mention of poor memory management.

One problem that people have with this issue is they feel a program does not need to use all of this memory to do what it's doing. Hence they say there is a memory leak, when in fact there likely is not. MSAS does in fact use up more memory when it scans the registry, since it is doing an in-depth scan of the entire registry.

Since you said there's a problem with the security of certain registry keys, it's likely NOT a memory leak. Since it hits a snag trying to scan these keys, it must in fact use more memory to accomplish the current task, scanning those damaged registry keys. What's likely the problem is that the registry has become compromised by the spyware program itself, not the fault of MSAS.

Alan
 
Bill Sanderson

When Microsoft Antispyware hits such a key, it loops infinitely. In the
course of this loop, various "out of memory" messages apparently appear. I
haven't seen this first-hand, but I think this actually is a true "memory
leak."

--
 
Alan

But since the keys have become compromised/damaged, it's not MSAS' fault that it needs more memory to scan the damaged keys. Therefore, for it to be a memory leak, the problem must lie in MSAS' source code. But in fact, the problem doesn't lie there, it lies in the fact that those keys have become compromised/damaged by the infection itself.

I'm wondering if the same might happen with Ad-Aware. If so, then it definitely is not a memory leak.

What would be nice to see is for a checkpoint to be added that makes it absolutely impossible for any spyware/malware program to affect the security of ANY registry keys, nor to create keys that have no security at all.

Alan
 
Bill Sanderson

It's a bug in various ways.

It'd be nice to be able to prevent malware from setting such permissions. I
don't think that's possible with the current versions of Windows,
realistically.

It'd be nice if Microsoft Antispyware would be able to identify when it is
in such a loop. I'll look for that in beta2, for sure, but don't know
whether to expect it.

It'd be nice if whatever resource is being leaked (be it memory or something
else) wasn't being leaked. This is an issue with Microsoft Antispyware's
code, and it can be fixed.

In fact, my recommendation for users who hit this situation is that they use
a different product to remove the malware. Some users will be sufficiently
skilled as to be able to fix the permissions issue, but many will not. For
them using a different product to get that issue cleaned is the best
alternative. In my experience, the other products don't have the same
problem with these keys.

--
 
