CounterSpy vs MS Antispy

Darren Rose

Just ran both the Microsoft version and the version produced by Sunbelt
Software, CounterSpy (remember both companies bought the code from GIANT).

Isn't it strange that CounterSpy found 34 components
detected and scanned over 76000 files while the MS
version found zilch and scanned only 22000 files despite
both being set to do a full (deep) scan?!?!?!?!

I think I know which one I will buy!!

Steve Moss

Since you don't say what those 34 'components' were, I suspect they
were tracking cookies (and MSAS Beta 1 doesn't scan cookies - it's
still not known whether it will in future releases). I would prefer
that MSAS does reinstate cookie handling, but I also accept that
cookies are less of an issue than executable spyware. Given their joint
- and recently so - heritage, I think you will find both products
perform more or less the same on non-cookie malware.

All this said, my recent personal evaluation of CounterSpy concluded
that it is subject to too many false positives at this time, and a few
other glitches (all of which I reported to Sunbelt). Hopefully they
will fix these in their next update, due out in the next couple of
weeks or so, they tell me.

It is interesting to compare how these two products might stack up
against each other over time. I understand that Sunbelt claim they will
release a version to protect Firefox - so this will make CounterSpy
more attractive to non-IE users (and I would not expect MS to follow
suit with MSAS) - but the overall effectiveness of any anti-spyware
product in detecting and cleaning malware will, I would contend, depend
on the extent of their definition database, which in turn depends
heavily on the submissions made to it by users. Given the sheer size
the MSAS user base will inevitably achieve, I would not expect Sunbelt
to be able to compete effectively in this respect, so they will need to
distinguish CounterSpy in other ways. It will be interesting to see.

Darren Rose

Some of the items found were cookies, but four were spyware.

I still don't understand why MS only scanned 22240 files whereas
Sunbelt scanned 76769; same with the registry: MS did 8368 and
Sunbelt 11221.

For the curious, the logs are copied below:

Microsoft AntiSpy Results
-------------------------

Spyware Scan Details
Start Date: 11/02/2005 23:30:00
End Date: 11/02/2005 23:36:13
Total Time: 6 mins 13 secs

Detected Threats
No spyware threats were found during this scan.



CounterSpy Results
-------------------

Spyware Scan Details
Start Date: 11/02/2005 20:55:24
End Date: 11/02/2005 21:00:37
Total Time: 5 mins 13 secs
Memory spyware detected: 0\1238
Files detected: 0\76769
Registry spyware detected: 5\11221
Cookie spyware detected: 41\394
Definition version: 102

Detected spyware

eXact.BargainBuddy Adware more information...
Details: BargainBuddy is a Browser Helper Object that
watches the pages your browser requests and the terms you
enter into a search engine web form. If a term matches a
preset list of sites or keywords, BargainBuddy will
display an ad.
Status: Ignored
High spyware - High risk threats typically are remotely
exploitable vulnerabilities, which can lead to system
compromise. Successful exploitation does not normally
require any interaction. May open up communication ports,
use polymorphic tactics, stealth installations, and/or
anti-spy counter measures. May us a security flaw in the
operating system to gain access to your computer.


PriceBandit Adware more information...
Details: It is an adware program that creates
advertisments on your PC.
Status: Ignored
High spyware - High risk threats typically are remotely
exploitable vulnerabilities, which can lead to system
compromise. Successful exploitation does not normally
require any interaction. May open up communication ports,
use polymorphic tactics, stealth installations, and/or
anti-spy counter measures. May us a security flaw in the
operating system to gain access to your computer.


Parental Control X-treme Misc more information...
Details: Keeps Record of all Websites visited. Logs all
keystrokes.
Status: Ignored
Elevated spyware - Elevated threats are usually threats
that fall into the range of adware in which data about a
user's habits are tracked and sent back to a server for
analysis without your consent or knowledge.


brutus-v1-b2.exe Password Hijacker more information...
Details: Brutus is a multi-protocol authentication
negotiation agent or password cracker.
Status: Ignored
Elevated spyware - Elevated threats are usually threats
that fall into the range of adware in which data about a
user's habits are tracked and sent back to a server for
analysis without your consent or knowledge.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{86E75BE0-83F1-11CF-A8A0-444553540000}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{86E75BE0-83F1-11CF-A8A0-444553540000}\1.0\0\win32  C:\WINDOWS\system32\CSRAS32.OCX
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{86E75BE0-83F1-11CF-A8A0-444553540000}\1.0\FLAGS  2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{86E75BE0-83F1-11CF-A8A0-444553540000}\1.0\HELPDIR  C:\WINDOWS\system32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{86E75BE0-83F1-11CF-A8A0-444553540000}\1.0  Catalyst Remote Access Dialer Control 3.6 (SP5)


Detected Spyware Cookies


Steve Moss

I can't comment on the difference in file counts, but the 5 registry
keys claimed to be spyware by CounterSpy are all part of the
registration of Catalyst's RAS ActiveX control. This is not spyware,
and the control is installed as part of various legitimate products.

This is yet another example of CounterSpy's propensity for false
positives (FPs) - since the report shows that you also chose 'ignore'
as the action for said 'spyware', have you come to a similar conclusion
about its findings?

When a product delivers so many FPs, it becomes untrustworthy in my
view - following its recommendations to remove 'spyware' can quickly
bring down vital apps.

Bob Dietz

From the CounterSpy scan details:
Memory spyware detected: 0\1238
That 1238 number corresponds to the number of currently opened DLLs
(sort of). For example:
Program A opened example1.dll and example2.dll
Program B opened example2.dll and example3.dll
Program C opened example1.dll and example3.dll
CounterSpy would report that as
Memory spyware detected: 0\6
Another application might report it as 3 DLLs in memory.

Given the similar times to complete scans, I'd guess that something
similar is going on here.

When a zip archive is scanned does that count as one file or does each
file in the zip count as one file?
HKEY_CLASSES_ROOT is an exact duplicate of
HKEY_LOCAL_MACHINE\SOFTWARE\Classes
Does each exact duplicate entry count as one or two?

Bill Sanderson

Steve Moss said:
Since you don't say what those 34 'components' were, I suspect they
were tracking cookies (and MSAS Beta 1 doesn't scan cookies - it's
still not known whether it will in future releases). I would prefer
that MSAS does reinstate cookie handling, but I also accept that
cookies are less of an issue than executable spyware. Given their joint
- and recently so - heritage, I think you will find both products
perform more or less the same on non-cookie malware.

All this said, my recent personal evaluation of CounterSpy concluded
that it is subject to too many false positives at this time, and a few
other glitches (all of which I reported to Sunbelt). Hopefully they
will fix these in their next update, due out in the next couple of
weeks or so, they tell me.

It is interesting to compare how these two products might stack up
against each other over time. I understand that Sunbelt claim they will
release a version to protect Firefox - so this will make CounterSpy
more attractive to non-IE users (and I would not expect MS to follow
suit with MSAS) - but the overall effectiveness of any anti-spyware
product in detecting and cleaning malware will, I would contend, depend
on the extent of their definition database, which in turn depends
heavily on the submissions made to it by users. Given the sheer size
the MSAS user base will inevitably achieve, I would not expect Sunbelt
to be able to compete effectively in this respect, so they will need to
distinguish CounterSpy in other ways. It will be interesting to see.

Thanks for the post. I've wondered how easily extensible the application
agents were--it seems like a good idea to extend the app to cover other
popular browsers, and I'm glad to hear Sunbelt is doing it--and I wish
Microsoft would too!

Steve Moss

Yes, my experience with CounterSpy is that it plays the numbers game.
For instance, the report Darren posted shows 5 registry keys, but in
reality there is only one item that is being reported, that is the
TypeLib identified by the
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{86E75BE0-83F1-11CF-A8A0-444553540000}
key. Apart from it not being spyware in the first place, 4 of the 5 keys
are just subkeys of the first.
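Added example (my code, not from anyone in this thread or from either product) that recomputes the two counts discussed above: Bob's per-process versus unique DLL count for the "Memory spyware detected" figure, and Steve's point that the five registry keys are really one TypeLib finding. The DLL table is the one from Bob's illustration; the key list is Darren's report plus one constructed duplicate seen through the HKEY_CLASSES_ROOT view, which Bob asked whether a scanner would count twice.

```python
# Constructed sample matching Bob's illustration: program -> DLLs it has loaded.
LOADED_DLLS = {
    "Program A": ["example1.dll", "example2.dll"],
    "Program B": ["example2.dll", "example3.dll"],
    "Program C": ["example1.dll", "example3.dll"],
}

TYPELIB = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{86E75BE0-83F1-11CF-A8A0-444553540000}"
# The five keys from Darren's report plus one constructed duplicate of a
# subkey seen through the HKEY_CLASSES_ROOT view (Bob's one-or-two question).
REGISTRY_HITS = [
    TYPELIB,
    TYPELIB + r"\1.0\0\win32",
    TYPELIB + r"\1.0\FLAGS",
    TYPELIB + r"\1.0\HELPDIR",
    TYPELIB + r"\1.0",
    r"HKEY_CLASSES_ROOT\TypeLib\{86E75BE0-83F1-11CF-A8A0-444553540000}\1.0",
]

# HKEY_CLASSES_ROOT mirrors HKLM\SOFTWARE\Classes (modern Windows merges
# HKCU\Software\Classes into that view too; this simple fold ignores that).
HIVE_ALIASES = {
    "HKEY_CLASSES_ROOT\\": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\",
    "HKLM\\": "HKEY_LOCAL_MACHINE\\",
}

def module_load_count(loaded):
    """Count every (process, DLL) pair: the 6 that CounterSpy would show."""
    return sum(len(dlls) for dlls in loaded.values())

def unique_module_count(loaded):
    """Count distinct DLL images in memory: the 3 another tool would show."""
    return len({d.lower() for dlls in loaded.values() for d in dlls})

def canonical_key(key):
    """Upper-case the path and expand hive aliases so duplicate views compare equal."""
    k = key.rstrip("\\")
    for alias, full in HIVE_ALIASES.items():
        if k.upper().startswith(alias):
            k = full + k[len(alias):]
            break
    return k.upper()

def distinct_findings(keys):
    """Keep only keys that are not subkeys of another reported key (5 keys -> 1 item)."""
    roots = []
    for k in sorted({canonical_key(x) for x in keys}, key=len):
        if not any(k == r or k.startswith(r + "\\") for r in roots):
            roots.append(k)
    return roots
```

Running distinct_findings over the six keys returns just the TypeLib GUID key, which is the single item Steve describes; a report that lists subkeys and mirrored hives separately inflates the count without adding findings.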

Darren Rose

Yes I had come to the same conclusion!

My main reason for testing them is that I have my own
computer repair business and removing spyware for
customers takes up most of my time lately, and with some
really troublesome spyware such as the CWS series neither
Spy Sweeper nor the MS version finds them, hence trying
CounterSpy to see if it was any better!

Any suggestions if not?

Bob Dietz

Darren said:
Yes I had come to the same conclusion!

My main reason for testing them is that I have my own
computer repair business and removing spyware for
customers takes up most of my time lately, and with some
really troublesome spyware such as the CWS series neither
Spy Sweeper nor the MS version finds them, hence trying
CounterSpy to see if it was any better!

Don't find them? Or fail to remove them?
Most things I've tried don't have a problem "finding" CWS,
they just don't do a good job of removing it.

Why aren't you using the CWShredder coolwebsearch_smartkiller combo?
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.safer-networking.org/minifiles.html

Darren Rose

In one case they were not even finding them: both Spy Sweeper and
MS scanned the PCs and came back clean after removing some other
junk, then rebooted and both did clean scans, but CWS was still very
much present.

On another, MS found nothing; Spy Sweeper found CWS but, as you say,
doesn't do a very good job of cleaning up.

Any suggestions for proper removal?

-----Original Message-----


Don't find them? Or fail to remove them?
Most things I've tried don't have a problem "finding" CWS,
they just don't do a good job of removing it.

Why aren't you using the CWShredder
coolwebsearch_smartkiller combo?

Darren Rose

Cheers Bob
-----Original Message-----
Try CWShredder and coolwebsearch_smartkiller.
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.safer-networking.org/minifiles.html

That combo has always worked for me, but new versions of CoolWebSearch
show up pretty frequently. Should those fail me, guess I'd start with
SysInternals Autoruns -
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
or
Process Viewer
http://www.xmlsp.com/pview/prcview.htm

--
Bob Dietz
