Beating Spyware

About 9 months have passed since Microsoft released Windows Anti-Spyware Beta 1, and I'm pleased to say that I have yet to see any spyware infestations on the dozens of computers I've personally installed it on. My clients have reported similar success stories. This achievement isn't entirely the result of using this one application, but Windows AntiSpyware certainly has a lot to do with it.

Microsoft has done an excellent job of integrating this antispyware tool, which it acquired from Giant Company Software in December 2004. Automated updates of both the software and the spyware definition files have functioned smoothly, keeping the software version and the latest definition files updated on users' computers without requiring manual intervention. I've seen only a few reports of major problems with the tool—you can find reports of known problems at Microsoft's "Windows AntiSpyware (Beta): Release notes" page at http://www.microsoft.com/athome/security/spyware/software/release notes .mspx.

MULTIPRONGED APPROACH
Windows AntiSpyware takes a multipronged approach to protecting your computer from spyware, adware, and other forms of malware.

Daily scans. The first prong is simply the initial act of installing the software and scanning for potential threats, as Figure 1 shows. By default, after you've installed the software, scans run on a daily basis. If the tool detects a threat, it offers a variety of actions the user can take to respond to the problem, ranging from Remove to Ignore. The tool also provides an evaluation of the discovered software's threat level, ranging from Low to Severe.

The software doesn't require the user to take any action on a detected threat—selecting Ignore from the Recommended Action list ignores the threat until the user's next scan. If the user feels that the threat is insignificant or erroneous, or if the tool is triggering on a piece of software that the user needs, the user can select Always Ignore. This option prevents Windows AntiSpyware from alerting the user about that particular threat by adding it to the Ignored Threats list that the software maintains.

Protection agents. Whereas the daily scan is one aspect of the tool's defense strategy, the Real-Time Protection agents are the user's first line of defense. Broken into three categories—Internet Agents, System Agents, and Application Agents—these checkpoint agents monitor the behavior of their assigned areas for changes that are potentially harmful to the computer's OS.

The nine Internet Agents monitor items such as the name server defined for your network (thereby preventing it from being hijacked), the TCP/IP configuration, and the users who are accessing your wireless connection. The 25 System Agents perform such activities as preventing changes to the Windows Shell and stopping unauthorized programs from loading at boot time. The 25 Application Agents monitor running processes, watch for change attempts made to the Microsoft Internet Explorer (IE) configuration, monitor changes to the computer's access-restriction policies, and so on.

The software logs all events, and alerts the user about all events that affect a monitored checkpoint. The alert might simply be informational, notifying the user that a change has been permitted (e.g., when the user installs new software from the console that affects a monitored checkpoint). Or, the alert might actually prompt the user to allow or prevent a modification to the affected checkpoint. By clicking Real-Time Protection in the Windows AntiSpyware console, the user can check each set of agents to see whether they've blocked any events (which are reported on the display) or check for all events that the checkpoint agents have monitored.

The user can individually enable or disable each of the 59 available checkpoints, and once the user has actually allowed or blocked an application at a specific checkpoint, he or she can also manage an Allowed/Blocked list for that checkpoint. (This list exists only if the specific checkpoint has blocked an action.) Information is also available from each checkpoint to explain specifically what the checkpoint is and what it will do.

Neither the checkpoint agents nor system scanning actually manage cookies. Microsoft's opinion is that cookies have many legitimate uses, and unlike antispyware software such as Ad-Aware and Spybot - Search & Destroy, Windows AntiSpyware doesn't flag cookies and data miners as threats to the system. This policy—as well as Microsoft's methodology for dealing with cookies and data miners—might change by the time the shipping version of Windows AntiSpyware hits the streets.

Advanced tools. The third prong of the Windows AntiSpyware trident comprises three Advanced Tools—System Explorers, Browser Restore, and Tracks Eraser—the user can use to manually correct changes made to the computer's configuration. All these tools provide a simple interface with which to make system and registry changes that can be manually accomplished elsewhere (if the user knows where to find the affected settings).

• Tracks Eraser is commonly known as a history-eraser tool. It removes entries in the Most Recently Used (MRU) lists of many applications, including parts of the OS and third-party tools. Tracks Eraser also deletes all the Temporary Internet files that IE creates, and clears all auto-Complete Password information stored on the system. The user must manually select each application, utility, and tool whose history he or she wants erased; the tool won't bulk-clear everything on the computer. The user selects from a list of items to act on, then clicks the Erase Tracks button to clear the selected data. By default, when the utility is launched, nothing is selected to be cleared.
• Browser Restore lets the user restore common browser settings to their installation defaults. Items such as Start Page, Search Page, Default Page, and Search Bar are particularly vulnerable to malware hijacking; this tool not only shows an item's current setting but also lets the user restore that setting to the system default with two clicks. The Current Setting and the Restore Setting appear side by side, so the user can determine, at a glance, whether a setting has been changed inappropriately. For example, a search-page change from http://www.microsoft.com/search/lobby/search.asp to http://www.google.com is obvious, and if the user has chosen to use Google as his or her default search site, that's clearly not a hijack. However, if the search page is suddenly set to a site with which the user is unfamiliar, that's a potential hijack, and the user can restore it to the Microsoft page by selecting the check box next to that item and clicking Restore.
• The final tool is a set of System Explorers. These tools let you view and change many of the system activities that are running or in use. For example, if a user has ever opened Task Manager, clicked on the Processes tab, and wondered what all those obscurely named images are, he or she now has an easy way to find out. By opening Advanced Tools, System Explorers, Running Processes, the user will find a list that's similar to the one Task Manager presents—with the exception that all the running processes are identified and information is provided about each process.

System Explorers also includes such items as Internet Explorer Toolbars, with the ability to block a toolbar from running or permanently delete it. Users can also create a new list of default IE settings, which—once saved—become the default settings that the aforementioned Browser Restore option uses. So, if you have a heavily customized IE experience, you can save all your preferred settings as the default, which other IE tools in the Windows AntiSpyware product will then use.

ONE PART OF THE PUZZLE
Windows AntiSpyware is an effective tool for preventing malware infections, but remember that Microsoft says the software is only one piece of the solution—a solution that also includes user education, industry collaboration, and legislation. All these efforts are directed toward making malware attacks a thing of the past.

—David Chernicoff