Defender disaster: some feedback for Joe F & co.


Alan D

Here's a tale ... bear with me.

My daughter (who knows nothing about computers and doesn't live nearby) has
been running AVG Free along with Defender (with rtp switched on, and an
automatic daily scan). (I know, that's not enough protection - but it took
some persuasion to get even that far.) She also has Spybot, but had let her
scanning routine lapse. After a conversation with me, in which I suggested
that she really needed more protection, and to scan regularly, she updated
and scanned with Spybot and it found a few items (not just cookies). She
asked Spybot to remove them, and it seemed to work; but some returned the
next day. So she phoned me.

We spent several hours on the phone, on and off, as I talked her through a
variety of procedures. The first thing we did was install Superantispyware,
which found two more threats, and AVG Antirootkit, which was clear. As far
as I can see, Superantispyware seems to have done the job. It did a clear
complete scan after a restart, and both the Panda online scanner, and
Spybot, gave a clear result too. Fingers crossed for the next couple of
days - but at least it looks good so far, and she is now seriously planning
the building up of some more solid defences.

But what really troubles me is this. She was infected with ABetterInternet,
Spyware Stormer, Shopathomeselect, and some others that she didn't make a
note of before Spybot removed them. Through all this infection, day after
day, Defender carried on without so much as blinking. It detected nothing,
neither in real-time mode, nor in its daily scan. Certainly my daughter was
far too slack in her approach, but the simple fact is that having Defender
on board was a complete waste of time. Yet she is typical of the kind of
person that Defender was supposed to have been designed for.

This has really shaken my confidence in the program, to be honest. I am,
myself, now questioning whether it's worth having. I would very much like to
read some responses from the Defender team to this. Spybot and
Superantispyware, both free programs, seem to have done the business between
them. Yet Defender, with the whole weight of Microsoft behind its
development, failed at every turn.

What's going on, guys?
 

Guest

Alan,

And why did you trust Spybot and SASW?

SpyBot has been detecting AbetterInternet and Straton.C on my new machine
for over 3 weeks now. They Are Wrong!

I have scanned the machine 15 times with my entire arsenal. The locations
in question have been checked. The files were placed there by our sysops.

I pointed out a different False Positive from SB in this group just the
other day.

Currently McAfee AV is detecting a file From ClamWin AV as infected. They
Are Wrong.

Does your daughter visit porn, hacker, free download, file sharing sites
often?
Is/was she Actually having ANY problems that needed to be fixed?
Did her system show any improvement after the "fixes"?

My philosophy is that with ANYTHING other than Keyloggers it's best to wait
and confirm before letting ANY program fix ANYTHING if there is not a
MANIFEST problem! [keyloggers are special case]

I hope your daughter does not try to run a program in a couple of weeks only
to find out that some of its key files or registry settings have been deleted.

Good Luck and Slow Down,
Think before Deleting Anything with verification unless something is
obviously wrong, and even then be careful.

?:-\
Tim
Geek w/o Portfolio
 

Guest

Hello Tim,
I had the same problems with WD, and even WLOC didn't protect my XP SP2
machine very well. I had to format. Since using Avast!, Spywareblaster, Spybot
with RTP and Comodo BOClean, Comodo Firewall I have no surprises surfing in
the same deep areas as before (your examples). Well protected!

 

Dave M

Hi Alan D,

Check her option settings, 'cause you know that Ms tracks these things with
SpyNet. One of the things that's been claimed is that, since Defender came
out of Beta, ABetterInternet was among the top 25 most removed of all its
detections, so I seriously doubt that they have this particular one wrong,
unless there's been some very recent mods to that code and they're not
picking it up. You should confirm she is both using heuristics and
scanning archives. If not, she could be missing detections, particularly
in the system volume area, email stores, and archived/zipped files. Logic
tells me you should dig deeper here.

Let us know what develops.
 

Alan D

Tim Clark said:
And why did you trust Spybot and SASW?

1. Spybot: I've used Spybot for years. One detection - yes, OK, maybe an fp.
But it found at least three separate detections. I've never encountered such
a thing with Spybot. Unfortunately they were gone by the time I was involved
so I couldn't investigate those.
2. Superantispyware: I've yet to experience a single fp with this program,
myself. Its shopathomeselect detection was definitely NOT a false positive -
I know of no good reason why sahpackage.exe would be on anyone's computer.
From her description over the phone I think the spyware stormer detection
may just have been a few registry traces (or, as you say, possibly an fp).

Tim Clark said:
Does your daughter visit porn, hacker, free download, file sharing sites
often?

I think times are changing, Tim, and those are not the only dangerous
activities. I've experienced, myself, the shock of visiting an apparently
harmless website, only to be redirected and confronted with a delay,
followed by a big red warning from AVG about the infected file it's just
intercepted. She had no protection via a hosts file (though she does now).
She could easily have been infected by clicking in error on a popup ad.

Tim Clark said:
Is/was she Actually having ANY problems that needed to be fixed?

She said it was running quite slowly. It was hard to get a clear picture of
the pop-up situation.

Tim Clark said:
Did her system show any improvement after the "fixes"?

Too soon to tell.

Tim Clark said:
Good Luck and Slow Down,
Think before Deleting Anything with verification unless something is
obviously wrong, and even then be careful.

Good advice, and thanks for the reminder.
 

Alan D

Dave M said:
You should confirm she is both using heuristics and
scanning archives. If not, she could be missing detections, particularly
in the system volume area, email stores, and archived/zipped files. Logic
tells me you should dig deeper here.

Thanks for this Dave. I'll send her an email now and ask her to check those
settings.
 

Guest

My particular thoughts: I don't waste my time with a WD full scan. I'd
rather use SuperAntiSpyware. WD doesn't seem to be able to fully remove
virtumonde or SmithFraud, so re-infestation occurs. WD real-time protection
shines but is totally unusable for non-technical types. Several months ago,
there was a post in this newsgroup with the complaint that he was using WD
and still got infected. After I read the post, I did some research and the
malware puts a Run Key in the registry. Enough said. I've used Spybot for
several years. It seems that the number of false positives by Spybot has
gone up. I agree that it is wise not to blissfully remove detected malware
until confirming the detection with other anti-malware programs combined with
research.
 

Dave M

Did I write that?

I should have said for purposes of comparing apples to apples make sure
that she *had* used those settings before she got Spybot and SAS involved.
I didn't mean to imply that everyone should enable them all of the time as
a standard. On a slower machine, examining archives continually may not be
such a great idea unless they have the time to devote to it. Those
unexamined archive locations are normally not a problem since everything in
them is packed and nothing can execute... unless the computer operator
unpacks them either unknowingly or by accident... yikes.

However, the bottom line is that it's important to have a multi-layered
defense... AND to use it. :blush:)
 

Alan D

Dave M said:
Did I write that?.

You did, and it was good advice for various reasons - not least of which is
that she'll actually check all those settings for herself now, and become
more familiar with the software. (Actually, I have all those items checked,
on my machine, as a matter of course.)

She tells me her scans with Spybot and SAS came up clear again today, so
it's looking hopeful.
 

Alan D

Dave M said:
I should have said for purposes of comparing apples to apples make sure
that she *had* used those settings before she got Spybot and SAS involved.

I've been thinking further about this, Dave. If this were an academic
scientific exercise, and we were concerned about fair testing and level
playing fields, then yes. But that isn't the issue. The issue is whether
Defender, in the hands of the typical computer user (which was effectively
the design brief, we are told), could be left with minimal user interaction
to provide adequate protection. So the only worthwhile tests of Defender are
'in the field' as it were, using its default settings (very few 'typical
users' are likely to meddle with those 'advanced' settings, if you think
about it, even if they manage to find them).

Here was one such test - a failure. In fact, a resounding failure (I don't
know about the others, but sahpackage.exe wasn't making any effort to hide
itself that I could determine). Depressing though it is, if Defender doesn't
offer a reasonable measure of protection for the typical user, it's no
good - and in this case it didn't even whisper that anything might be wrong.
 

Dave M

Hi Alan;

While I generally agree with your thoughts regarding WD defaults and its
submission to the community as a set it and forget it anti-spyware,
ShopAtHomeSelect is certainly an interesting case. Since October of 2005
its distributors have more or less agreed to clean up their previous
performance. I'm not sure if you were around for the Beta1 of MSAS but
this was the ongoing debate at that time - what is enough of a malware
threat to include within the embedded definition threat levels of Microsoft
A-S? That basically consisted of:
did the user opt-in to the installation,
is the purpose and nature clearly stated in the EULA,
does the software not attempt to hide,
is its removal fairly straightforward i.e. Add/Remove.

Unfortunately, ShopAtHomeSelect seems to pass most of these Ms criteria
from the end of 2005 onward. Unless that software was installed before
this date, someone using your daughter's computer would have had to agree
to opt-in to its installation and therefore should technically be aware of
its activity. Why would they reasonably choose to do this... the
answer... A Rebate program from the distributor and its advertisers was
offered for using the opt-in ware.

http://www.sunbelt-software.com/spyware/elh/sahs_summ.pdf

I don't know what the current Defender signatures specify for
ShopAtHomeSelect, or if it's even detected (we all know that's another
problem - not being published), but I'd suspect its automated default
action is to "ignore" if its detection is there at all, because of the
narrow definition of Malware as Microsoft defines it. Frankly, this
distributor has clearly managed to skirt that published policy and has
attempted to avoid the Ms axe by doing so.

http://www.microsoft.com/athome/security/spyware/software/msft/analysis.mspx
 

Anonymous Bob

Perhaps then another solution is in order. I would highly recommend the MVPS
hosts file. Here are the shopathome entries:
127.0.0.1 www.shopathome.com
127.0.0.1 shopathomeselect.com #[AdWare.Win32.Sahat.ad]
127.0.0.1 downloads.shopathomeselect.com
127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
127.0.0.1 ehg-shopathome.hitbox.com

Bob Vanderveen
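As an added illustration (not from the thread, and not MVPS's own tooling), here is a small Python parser for hosts entries in the format Bob quotes above. It reports which names a hosts file sinkholes and checks a list of domains against it, including the caveat that hosts-file matching is exact, so an entry for a parent domain does not cover its subdomains. The sample file and the example.test names are constructed for the demonstration.

```python
import ipaddress

# Constructed sample in the MVPS style quoted above; it is not the real MVPS file.
# The example.test names are made up for the demonstration.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.shopathome.com
127.0.0.1 shopathomeselect.com #[AdWare.Win32.Sahat.ad]
127.0.0.1 downloads.shopathomeselect.com
127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
127.0.0.1 ehg-shopathome.hitbox.com
0.0.0.0 tracker.example.test       # 0.0.0.0 is the other common sinkhole address
192.0.2.10 intranet.example.test   # an ordinary name-to-address mapping, not a block
"""

# Names a normal hosts file maps to loopback on purpose; never report them as blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Parse hosts-file text into (ip, hostname, tag) tuples.
    MVPS marks some entries with a trailing '#[ThreatName]' comment; that name is
    returned as the tag, and any other comment is ignored."""
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        parts = line.split()
        if not parts:
            continue
        ip, names = parts[0], parts[1:]
        comment = comment.strip()
        tag = comment[1:-1] if comment.startswith("[") and comment.endswith("]") else None
        for name in names:
            entries.append((ip, name.lower(), tag))
    return entries


def sinkholed(entries):
    """Return {hostname: tag} for names deliberately pointed at loopback or 0.0.0.0."""
    blocked = {}
    for ip, name, tag in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field: the line blocks nothing
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            blocked[name] = tag
    return blocked


def coverage(hosts_text, domains):
    """Report for each domain whether the hosts file blocks it. Matching is exact,
    as the resolver's is: there are no wildcards, so a parent entry does not
    block its subdomains."""
    blocked = sinkholed(parse_hosts(hosts_text))
    return {d.lower(): d.lower() in blocked for d in domains}
```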
 

Alan D

Dave M said:
I'm not sure if you were around for the Beta1 of MSAS

I used MSAS, but didn't find my way to the newsgroup until it became
Defender. Sounds like I missed some interesting discussions.

Dave M said:
ShopAtHomeSelect is certainly an interesting case .... etc.

What you say does show the issue to be very fuzzy, I must agree. Reading
what you say, my guess is that at some stage she's signed up to 'something'
(probably unknowingly, possibly by accident), and that's how SAHS got there
(she's had the computer less than 2 years I think, so it would probably be
post October 2005). Of course no software can protect people from themselves,
and your explanation for it not being picked up by Defender seems pretty
convincing. This really is another example among many that argues in favour
of a transparent detection list, I agree.

There remain the additional Spybot detections to account for, and sadly I
have no information about those except that
1. They weren't cookies.
2. There were at least three.
3. One was A Better Internet.

I don't believe all could have been fps - but they may well have been 'grey'
threats lying outside Defender's definition range (apart from A Better
Internet), and that may indeed explain what happened. I wish I'd been
involved sooner than I was, obviously.

Thanks for these thoughts Dave. Very helpful.
 

Joe Faulhaber[MSFT]

Hi Alan,

Thank you for the feedback; I wish there had been a better outcome in this
case from Windows Defender.
WD does have definitions for all three of the threats you mention, but
obviously not for the variants that infected your daughter's machine.
I totally agree with you that WD should have done better with the default
configuration, particularly when WD-detected versions of SpywareStormer and
ABetterInternet are alert level High.

In the future you can help us build better detections by joining SpyNet and,
if you find suspicious software, please submit it to us at
http://www.microsoft.com/security/portal/, though I bet you're already doing
so.

Thanks for using Windows Defender,
Joe
 
