MS Spyware Beta vs other spyware

[Guest]

I recently noted on this site that every time I ran the MS beta spyware, I
got a notification of 6 Netspy Keyloggers -- every time!! Safe mode,
immediate repeats, didn't matter. Then, at the advice I got on this site, I
ran Ewido, which appeared to find and remove these items. MS spyware,
unfortunately, continued to "find" them.

I then finally installed the newest version of Computer Associates' eTrust
Security (which I get for free as a subscriber to Time-Warner's high-speed
cable RoadRunner). I then ran its "eTrust PestPatrol," which was not included
in previous versions. Unscientifically, it appears to run a much deeper scan
than MS (one option takes about as long as a full-blown virus scan), and it
found NOTHING!

My non-technical conclusion: MS Antispyware Beta gives false positives
and/or can't clean some of what it "finds." P.S. I didn't bother to
re-install MS to see if it will still "find" spyware (which, I believe, isn't
there) for fear of screwing up my CA systems which seem to work just fine.

 

[Mikolaj]

I recently noted on this site that every time I ran the MS beta spyware, I

got a notification of 6 Netspy Keyloggers -- every time!! Safe mode,
immediate repeats, didn't matter. Then, at the advice I got on this site,
I
ran Ewido, which appeared to find and remove these items. MS spyware,
unfortunately, continued to "find" them.

I then finally installed the newest version of Computer Associates'
eTrust
Security (which I get for free as a subscriber to Time-Warner's
high-speed
cable RoadRunner). I then ran its "eTrust PestPatrol," which was not
included
in previous versions. Unscientifically, it appears to run a much deeper
scan
than MS (one option takes about as long as a full-blown virus scan), and
it
found NOTHING!

My non-technical conclusion: MS Antispyware Beta gives false positives
and/or can't clean some of what it "finds." P.S. I didn't bother to
re-install MS to see if it will still "find" spyware (which, I believe,
isn't
there) for fear of screwing up my CA systems which seem to work just
fine.

If this is a problem of either false positive or uncomplete definition
files for MSAS (detection OK, but lack of remove procedures) then I might
suggest sending a Suspected Spyware Report to the SpyNet with some extra
comment from your side - have them work on it to make the MSAS be able to
deal with such situations in the future.

 

[Bill Sanderson]

I recently noted on this site that every time I ran the MS beta spyware, I
got a notification of 6 Netspy Keyloggers -- every time!! Safe mode,
immediate repeats, didn't matter. Then, at the advice I got on this site,
I
ran Ewido, which appeared to find and remove these items. MS spyware,
unfortunately, continued to "find" them.

I then finally installed the newest version of Computer Associates' eTrust
Security (which I get for free as a subscriber to Time-Warner's
high-speed
cable RoadRunner). I then ran its "eTrust PestPatrol," which was not
included
in previous versions. Unscientifically, it appears to run a much deeper
scan
than MS (one option takes about as long as a full-blown virus scan), and
it
found NOTHING!

My non-technical conclusion: MS Antispyware Beta gives false positives
and/or can't clean some of what it "finds." P.S. I didn't bother to
re-install MS to see if it will still "find" spyware (which, I believe,
isn't
there) for fear of screwing up my CA systems which seem to work just fine.

Every antispyware app has some instances of false positives, and Microsoft
Antispyware is no exception. However, we've first-hand evidence in this
forum of the speed with which such false positives are resolved, once
reported, and it's been good.

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073579

has a pretty good technical description of the files associated with the
real threat that you've named--do you recall what Microsoft Antispyware was
finding?

Even though you've uninstalled, there may be some evidence left in the form
of \program files\microsoft antispyware\cleaner.log a text file showing
what was (purported?!) to be cleaned.

There are also definitely instances in which Microsoft Antispyware claims to
have cleaned a threat, and that threat is either not cleaned, or reappears
on the next scan. There are several possible explanations for these issues,
but the most common on is that the cleaning is, in fact, not successful, and
the threat has reconstituted itself. That seems less likely in the case of
your particular threat, which is a commercial keylogger, rather than a
virus, or viral adware.

So--I can't disagree with your description of the facts on the ground on
your system. I would like to have seen the specifics of what was detected
as the keylogger, though and I do wonder what was preventing the cleaning.

What I can say is that, unlike the long list of applications found here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Microsoft Antispyware trys very hard to limit false positives--they
certainly are not intentional, nor is failure to clean.

 

[Guest]

Gentlemen, thank you for your responses, and rest assured that I wasn't
trying to belittle the MS spyware in any way. Just reporting my recent
experiences. Granted, I didn't sufficiantly document my difficulties with MS,
but then, I'm no expert at any of this. If I get the time to re-install MS
and get the same results, I'll certainly try to document the results for the
benefit of the entire community.

 

[Bill Sanderson]

I wasn't trying to chide you--but the uninstall doesn't remove the file I
mentioned, so that might still be lying around--cleaner.log.

You can feel free to delete the \program files\microsoft antispyware folder
and all subfolders. Quite a bit is left behind after an uninstall for
various reasons--but you don't need it!

--

 

[Ed Forsythe]

Hi Bill,
If you don't need it why does the MS Uninstall leave it behind?

 

[Bill Sanderson]

I believe that it is left behind so that an uninstall/reinstall or upgrade
retains all the users preferences, history information, and quarantined
items. If you are uninstalling for good, none of that matters.

I don't think this way of doing things is likely to be retained in
beta2--we'll see.

--