ATTENTION 1.0.509 release has numerous new bugs !

  • Thread starter Travis Mitchell

Travis Mitchell

I have noticed numerous changes in this latest beta
release on Feb. 16. I am running this beta on 75 plus
corporate machines and the new release is not finding or
removing anywhere near what 1.0.501 release did.

Even though both versions have the latest def installed
the release from Feb 16th fails to find mywebsearch,
popular screensavers, myway, funwebproducts and at least
10 more popular spyware programs.

I would recommend Microsoft pull this version from the
16th immediately version 1.0.509 because there is
obviously something seriously wrong. I have
uninstalled .509 on several machines and reinstalled
the .501 version and successfully found and removed lots of
additional spyware. This should not be something has
changed!

If Microsoft would like to contact me I would be happy to
show my results in detail for them.

Travis Mitchell
Sintering Tech
812-663-5058 ext. 544
(e-mail address removed)
 
JohnF.

Can you be more specific in your description of the problem?

If you are talking about the same 75 machines, if MSAS .501 REMOVED those
entities, then they should not get back on any of those machines and of
course .509 will not find them because they don't get back on due to MSAS
using active defense.

IF those entities are getting back on the machines, you have several
problems and MSAS is not the only one.

Please explain.

JohnF.
 
Travis Mitchell

Sorry, I was not very specific. I had 5 machines this
morning that I had not installed MSAS on before and
installed release .509. This new release did find some
entries for mywebsearch toolbar and popular screensaver
and some additional misc. spyware. However, it seemed
unusual to me because the number was so low, so I went
ahead and removed all the spyware in MSAS.509 and noticed
that it did remove the actual toolbar or screensaver.

Now, I am very familiar with both mywebsearch toolbar and
popular screensaver because I have about 50 workstations
that users had both of these installed on. So I
removed .509 through add/remove programs and install .501
and reran MSAS and found hundreds of files and registry
keys which I expected to see and successfully removed
everything with MSAS.501

I understand this is not a very scientific finding yet and
I have only tested a small number of spyware infected
machines but there is a noticeable difference with at least
these two specific spyware related software. These
machines were 2000, XPSP1 and XPSP2. I will try to post
additional findings over the next week but for now I am
finding much more with MSAS.501

Time permitting I will further prove this in a controlled
test environment as well.

Please let me know if you have further questions.

Travis Mitchell
 
JohnF.

Thank you for your details! Wow - that is disconcerting - please keep us
informed. I'll have to set up a test of this as well.

Thanks again,

JohnF.
 
Bill Sanderson

Can you give a testing protocol for a particular bug? Pick something easy
to find--give us a URL, ideally, so that we can install and test this for
ourselves under the two builds.
 
Steve Dodson [MSFT]

Travis,

Thank you for sharing your experience in the beta of Microsoft Windows
AntiSpyware. As with any beta product we are actively seeking ways to
improve the product and feedback like yours is an important part of this
work. To help us better understand your experience please submit a
suspected spyware report to us through the application by clicking Tools ->
Suspected Spyware Report.
Once the report is submitted, please view your completed report from SpyNet
and reply back to the newsgroup with the ScanID listed in the web browser.

An example ScanID would be: ScanID=732e5e60-d3b5-4c4e-926a-f7a7a7db5d79


--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Danny Kile

Travis said:
I have noticed numerous changes in this latest beta
release on Feb. 16. I am running this beta on 75 plus
corporate machines and the new release is not finding or
removing anywhere near what 1.0.501 release did.

Even though both versions have the latest def installed
the release from Feb 16th fails to find mywebsearch,
popular screensavers, myway, funwebproducts and at least
10 more popular spyware programs.

I would recommend Microsoft pull this version from the
16th immediately version 1.0.509 because there is
obviously something seriously wrong. I have
uninstalled .509 on several machines and reinstalled
the .501 version and successfully found and removed lots of
additional spyware. This should not be something has
changed!

If Microsoft would like to contact me I would be happy to
show my results in detail for them.

Travis Mitchell
Sintering Tech
812-663-5058 ext. 544
(e-mail address removed)

After reading this I performed the same test. With MSAS version 1.0.509
I did two Full Scans, one right after the other, and got two complete
clean scans. Then I uninstalled ver. .509 and installed version 1.0.501,
did a download to make sure I was running the same definition file, and
then did a Full Scan and got the following hits:

MYWebSearch
Popular Screensavers
FunWeb Products
MyWay Search Bar

Removed all of the above and then did a second scan with .501 and it
came back clean.

Danny
 
Bill Sanderson

Danny - I don't know how you "prepped" the system you used for this test.
Are you able to do a similar test, but, after scanning clean with .509, can
you do the step Steve Dodson suggested--do a Tools, Suspected Spyware
report, and post the URL for your report here?

Maybe then do .501, scan, clean, and another such suspected spyware report,
with a URL?
 
JohnF.

That's what I'm trying to do myself, but I can't find a good place to get
infested. I remember someone posting that he went to one page and picked up
20 some bugs but I can't find the post.

Any ideas? I'm ready to run a test of .501 versus .509 on a separate machine
I have set up in my DMZ.

JohnF.
 
Bill Sanderson

I don't have a quick lead off the top of my head--sorry--I've been spending
too much time talking and not enough actually testing.

Plun's leads look good to me--if you do googles on VX2 there are some good
pages with lots of leads on the various vx2 associates, and they have their
own web pages--abetterinternet, for example.
 
JohnF.

I have resorted to installing junk on purpose but so far it also uninstalls
from add/remove quite easily. I'm trying to junk up this machine and then
install 509 and see what happens then 501 to see what it finds.

Googling for spyware has so far just found how to remove them, not get them!
Shoot - I just cannot get infested. How do these folks do it?

JohnF.
 
C.J.Patten

Google just about anything these days!

Try "porn blonde girls sex" and "crack serialz software adobe" and visit the
first 10 links. (with no blocking software installed, of course - just let
it rip)

I'm curious about the suspected problems you've suggested in the new
release. I just upgraded and want to be sure I'm not open to any
infestations.

Good luck! (I wouldn't touch those links with a ten foot pole BTW... ;)

C.
 
JohnF.

I'm running Windows 2000 SP4 with just the security and critical updates. I
searched on cracks, serials, torrent downloads, and free movies, and there
were some popups but nothing else. Now I'm installing stuff manually like
Kazaa, Flashtalk, MySearch, SpiderToolbar, Atomic Clock sync, and others to
get something started.

JohnF.
 
JohnF.

Found a good install popup, downloads unlimited, now let's see what this
does!

JohnF.
 
plun

C.J.Patten said:
Good luck! (I wouldn't touch those links with a ten foot pole BTW... ;)

Users on SP1 must, they click on one and gets hundreds of pages
as popups....

Perhaps they using a foot poole...... ;)
 
JohnF.

I found the right address - I'm hosed now! All I'm missing is the homepage
hijacker.

JohnF.
 
Bill Sanderson

Find some references for VX2--as I mentioned--abetterinternet, for example.

Don't be put off by the fact that the stuff has an uninstall.

Oh--bearshare's pretty good--it's very up front about what is included, and
there are removals, but you'll see--it gets quite sticky.

I can't believe anything as big as bearshare and what it bundles wouldn't be
caught by both builds--you may need to hit one of the sites that essentially
lands you with a trojan that keeps bringing in more stuff. I haven't got a
good reference for that yet.

I'd actually like to keep these groups fairly clean--i.e. I don't want to
have a public listing of "bad" sites. Risky for inexperienced folks, not
good PR for Microsoft, etc. Some spyware vendors have threatened legal
action against posters in newsgroups, although I don't think anything has
come of it.
 
