Paul G
SETUP:
I have a clean install of XP ghosted over which I'm using
to evaluate the anti spyware and noticed a rather
significant problem.
help->about microsoft antispyware
Microsoft AntiSpyware Version: 1.0.501
This version expires on: 7/31/2005
Current User: Administrator
Spyware Definition Version: 5701 (3/28/2005 8:57:01 PM)
file->check for updates
most recent spyware definitions installed
most recent software installed
PROBLEM:
I seek web sites that are infested with spyware in an
attempt to spook the antispyware tool and I think I've
found a very serious shortcoming of the utility.
At one point, I go to a site that offers cracks and it
insists I load an activex control, so I say yes, run this.
This control then spawns a process that loads a half
dozen spyware.
Each one tries to add itself to the startup registry,
which the antispyware security agent catches.
Through my action selection on the notification popups
that come up above the system tray, the agent denies it
being added to the startup registry, removes it, then
suggests I do a full scan. I say 'yes' start full scan,
so it does a full scan and removes the same spyware
threats again, then it says I should do a reboot, which I
do, and it keeps coming back. Each time the security
agent cleans it and reboots, there is some kind of
process that starts up again; it keeps coming back in
some kind of endless loop.
RESOLUTION:
I was able to break out of it by going into the task
manager and killing off the process trees (not just the
processes, but the entire process tree for the various
spyware processes) of the various spywares, then do a
full spyware scan to finally get rid of them.
CONCLUSION:
Some spyware process resident in memory seems to be able
to monitor hard drive/registry activity and re-enable
itself when it detects a removal attempt. Scanning for
spyware in files/registry can in some cases be futile
until the active process list is free of them.
RECOMMENDATION:
Spyware scanning should be done in two passes. Pass 1)
Identifies actively running spyware and determines the
best way to terminate all of them (such as terminating the
entire process tree for a given known spyware threat).
Pass 1) is repeated as many times as is necessary with a
10 to 30 second pause to ensure all spyware is really
gone. If this phase of removal fails after 5 or 10
attempts, it's very possible an as yet undetected
spyware/software is running and restarting the various
spywares. In this condition, it is futile to scan the
hard drive/registry, as some smarter spyware will detect a
shutdown attempt and restart itself. On shutdown, it
may very well succeed in updating the registry (as the
antispyware security agent is also shutting down) to
ensure it starts up again on reboot. If pass 1) IS
successful, THEN and ONLY then proceed to Pass 2) Scan
for spyware on local drives and in the registry and
delete/quarantine as necessary.
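The two-pass procedure recommended above, written out as a PowerShell script; this is an added example, not code from the original post or from Microsoft AntiSpyware. The image names in $KnownSpyware are placeholders, not real detections, and the attempt count and pause are taken from the post's suggested ranges.

```powershell
# Added example: two-pass cleanup as recommended in the post above.
# $KnownSpyware holds placeholder image names (assumption: a real tool would
# take these from its definitions). Run from an elevated PowerShell session.
$KnownSpyware = @('example-spy1.exe', 'example-spy2.exe')   # placeholders
$MaxAttempts  = 10      # post suggests giving up after 5 to 10 attempts
$PauseSeconds = 15      # post suggests a 10 to 30 second pause between attempts

function Get-ActiveSpyware {
    Get-CimInstance Win32_Process | Where-Object { $KnownSpyware -contains $_.Name }
}

function Stop-ProcessTree {
    param([int]$ProcessId)
    # Kill descendants first so a watchdog child is not left to respawn the parent
    Get-CimInstance Win32_Process -Filter "ParentProcessId = $ProcessId" |
        ForEach-Object { Stop-ProcessTree -ProcessId $_.ProcessId }
    Stop-Process -Id $ProcessId -Force -ErrorAction SilentlyContinue
}

# Pass 1: terminate running spyware, re-check after a pause, repeat until clean
$clean = $false
for ($attempt = 1; $attempt -le $MaxAttempts -and -not $clean; $attempt++) {
    foreach ($p in @(Get-ActiveSpyware)) { Stop-ProcessTree -ProcessId $p.ProcessId }
    Start-Sleep -Seconds $PauseSeconds
    $clean = (@(Get-ActiveSpyware).Count -eq 0)
    Write-Host "Pass 1 attempt ${attempt}: clean = $clean"
}
if (-not $clean) {
    # Per the post: something undetected keeps restarting them; scanning now is futile
    Write-Warning "Known spyware still active after $MaxAttempts attempts; skipping pass 2"
    return
}

# Pass 2: only now remove persistence. Shown here for the Run keys the post's
# security agent was guarding; a real scan would also cover files on disk.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PowerShell metadata
        $hit = $KnownSpyware | Where-Object { $prop.Value -like "*$_*" }
        if ($hit) {
            Write-Host "Removing Run entry '$($prop.Name)' -> $($prop.Value) from $key"
            Remove-ItemProperty -Path $key -Name $prop.Name -ErrorAction SilentlyContinue
        }
    }
}
```

The script stops before touching the registry whenever pass 1 cannot reach a clean process list, which is exactly the condition the post says makes a file/registry scan pointless.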