Monday, January 15, 2007

Anti-Malware Tool Roundup - #2

It has been a while since I posted my "Top 10 Anti-Malware Tools" review of anti-spyware/anti-malware utilities.

In it I listed the top 10 tools I use when working to clean junk off a Windows computer. Since then I have found some fantastic new anti-malware tools that I have to add to the list!

This post isn't intended to be a "how-to" guide...more like a resource list. One day I will try to do a general tutorial on malware removal.

To summarize

My (updated) selection conditions: the tool must be available in a 100% freeware version or have a free-for-personal-use version (restriction of "non-essential" features in the free version is OK), and it must be usable (if not always safely) by users with normal to above-normal computer experience. With the exception of the Microsoft product (big surprise), all of these can be copied to a USB device and used as portable tools!

I also have additional utilities and tools I need to use at times (Portable SysAdmin Tools), but these are the primary ones I depend on time-after-time for dealing with malware and spyware cleaning.

The List

(in alphabetical order)

2nd-String Players

(not used nearly as much...but good to have handy)

Meet the New First Round Draft Picks

A-Squared Free - Thanks to an anonymous commenter, I'm adding this one in as I completely missed it the other day. I had a chance to download this application earlier today and then (lucky me) got to try it out on a real-world malware-infected PC. I must say, the GUI is very simple and well laid out. It gives you a number of malware scanning options: Quick Scan (all active programs, spyware traces, and tracking cookies); Smart Scan (same as above, but only important folders are scanned); Deep Scan (same as above, plus all files on the hard disks are deep scanned); and Custom Scan (you edit your own preferences). I ran a Deep Scan on the machine and it did a good job of finding what was targeted. I was also impressed when it found a malware log file remnant, even though the malware application itself had been gone for years according to the file date.

Signature updates are easy to get and apply and seem to be offered daily or more frequently. The application even has a Windows Explorer context-menu integration option, so you can click files to scan them on demand. That's a very nice touch! It appears to be using the same DAT files and engine as the Command Line Scanner version listed below. It's pretty fast and can dig down deep with a very large DAT file list. Well worth using.

With some easy steps it can be made "USB portable" (for the most part) so you wouldn't necessarily have to "install" it on each PC. I'm going to let you work out how to do that. It seems to be a very well supported and designed program. I'm looking forward to adding this to my first-strike team! An expanded-feature version, a-squared Anti-Malware, is also available for purchase with a 30-day free trial period. - Added to original post 01/16/07

A-Squared Command Line Scanner 2.1 - I had passed on this one before as it is "...a console application to scan your PC. It was made for professionals who don't need a setup or graphical user interface. All features of the Anti-Malware scanner are included." In most cases I wouldn't recommend a command-line tool that requires a clear understanding of command arguments/switches, but it is just too good to pass up. My only tip is to create a "Logs" subfolder where you unpacked it so it can find the location to save your log results (if so desired). It did seem to stumble on some files I had on my system with the "~" character in their names, but on others it did just fine. Just be sure to read, and make sure you understand, the brief "readme" file in the download package. You will also need to run the update command to get the latest DAT files for it. Overall it is an amazing tool and I can't believe a-squared is making it available for free just because it is a command-line tool!

AVG Anti-Spyware 7.5 - I love AVG's free anti-virus product and it is my personal recommendation for home users. It is light and fast, has a decent interface, doesn't use too much memory or hook too deeply into your system, and the DAT files are updated daily.

So imagine my surprise when I stumbled across Ewido Network's anti-spyware tool, only to then see that Ewido is now owned by Grisoft (AVG) and is being offered free for personal use! Wow. I had to check it out and came away highly impressed. It found the most items when compared with the other malware scanners I recommend (keep reading for results).

The free-for-personal-use version is a "full" version for 30 days. With it you get: daily database updates, heuristic detection, and an automatic cleaning engine. Once the 30 days are up, you lose the following additional features unless you pay for a full license: automatic online update (manual updates can still be run fine), real-time monitoring of the entire system, self-protection at the kernel layer, and the right to use it commercially.

It can be made "USB Portable" (for the most part) but doing so would break the spirit of Grisoft's License Agreement on Use of an AVG Anti-Spyware Free so I'm going to take a pass and not post how to do it. Grisoft is a stand-up software company and I think it's fair to respect them for that.

Anti-Malware / Anti-Spyware Scan-Off!

Just for kicks, I decided to run a highly non-controlled, non-scientific comparison between the following products: Spybot S&D, Microsoft Windows Defender, LavaSoft Ad-AwareSE, AVG Anti-Spyware, and a-squared Command Line Scanner 2.1.

They were run on the same system (Lavie's XP Home laptop) under my user profile. Each scan was run with each application's "default" setting, or the closest equivalent where the applications don't line up exactly. I updated the DAT files for each program to the most recent versions available before scanning.

No files were removed after any scan, so each application had a fair chance to find the same things.

Your mileage may vary.

Results

Application: AVG Anti-Spyware
Scan type: Quick Scan
Scan time: 12min 57sec
Items found: 290 cookies under 51 trackers

Application: Spybot S&D
Scan type: default settings
Scan time: 12min 22sec
Items found: 48 cookies under 13 trackers

Application: LavaSoft Ad-AwareSE
Scan type: Smart Scan
Scan time: 2min 51sec
Items found: 7 tracking cookies.

Application: A-Squared Command Line Scanner 2.1
Scan type: Memory, Traces and Cookie scan enabled, Use heuristics, display riskware and scan in ADS
Scan time: 1min 25sec
Items found: 27 Traces, 88 Cookies

Application: Microsoft Windows Defender
Scan type: Quick Scan
Scan time: 9min 23sec
Items found: none.

Reflections on the Results

AVG Anti-Spyware and Spybot both took about the same amount of time (quite long) to complete their scans, but AVG Anti-Spyware found a total of 290 cookies compared to the 48 found by Spybot!

Ad-AwareSE ran a very quick scan, but only found 7 cookies. Ad-Aware only seems to scan for IE cookies, not for Firefox cookies, even when told to look in the Mozilla profile folder where they are stored. Since I don't use IE much, that's likely why it found so few items. Firefox users of Ad-AwareSE need to remember that fact!

A-Squared Command Line Scanner was the fastest, finding 88 cookies and 27 traces in under a minute and a half.

Finally, Microsoft's Windows Defender took almost 10 minutes to complete its scan...and found nothing.

Since I keep our home systems very clean, no "hostile malware/spyware applications" were on my system to begin with, so I cannot really say how effective an "advanced" cleaning session would turn out as compared to this "cookie" cleaning test. However, I have used Ad-AwareSE, Spybot, and Windows Defender more times than I would like to clean heavily infected machines in the past, with good success. When I get the chance to try the two newcomers out under "hostile live fire", I will let you know the results.

In my experience, it takes multiple products and techniques (and tons of patience) to fully sanitize a Windows system heavily compromised by malware/spyware. That is why I keep a number of these products on my USB stick at all times.
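To make concrete what these "cookie" scans are actually counting (and why a scanner that only reads the IE cookie store will come up short on a Firefox-heavy machine), here is a small tracker-cookie scanner for the Netscape-style cookies.txt file that Firefox kept in its profile folder at the time. This is an added example written for this post, not code from a-squared, AVG, Ad-Aware or any other product reviewed above; the tracker list and the cookies.txt contents are constructed, and the idea that a scanner would read the file out of the Mozilla profile folder is an assumption of the example.

```python
"""Tracking-cookie scan over a Firefox cookies.txt file (Netscape format).

Added example for this post, not code from any of the products reviewed.
TRACKERS and SAMPLE_COOKIES_TXT are constructed for illustration; a real
scanner would load a vendor-maintained tracker list and read the live
profile file (assumed here to sit in the Mozilla profile folder).
"""
from collections import defaultdict

# Constructed tracker list: cookie domain -> name a scanner would report.
TRACKERS = {
    "example-ads.test": "ExampleAds",
    "track.metrics.test": "MetricsTracker",
    "stats.counter.test": "HitCounter",
}

# Constructed cookies.txt contents. Tab-separated fields:
# domain, subdomain flag, path, secure flag, expiry, name, value
SAMPLE_COOKIES_TXT = """# Netscape HTTP Cookie File
# This is a generated file!  Do not edit.
.example-ads.test\tTRUE\t/\tFALSE\t1893456000\tuid\tabc123
ad1.example-ads.test\tFALSE\t/\tFALSE\t1893456000\tsess\tzzz
.track.metrics.test\tTRUE\t/\tFALSE\t1893456000\t__tm\t0001
www.myshop.test\tFALSE\t/\tFALSE\t1893456000\tcart\t42
#HttpOnly_stats.counter.test\tFALSE\t/\tFALSE\t1893456000\thc\t7
"""


def parse_cookies_txt(text):
    """Yield (domain, name, value) for each cookie line.

    Lines starting with '#' are comments, except for the '#HttpOnly_'
    prefix that curl and some exporters put in front of HttpOnly cookies;
    those lines still carry a cookie and must not be skipped.
    """
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # malformed line; a real scanner would log it
        # A leading dot means "applies to subdomains"; strip it for matching.
        domain = fields[0].lstrip(".").lower()
        yield domain, fields[5], fields[6]


def tracker_for(domain):
    """Return the tracker whose domain equals, or is a parent of, `domain`."""
    for tracker_domain, name in TRACKERS.items():
        if domain == tracker_domain or domain.endswith("." + tracker_domain):
            return name
    return None


def scan_cookies(text):
    """Group matching cookies by tracker ("N cookies under M trackers")."""
    hits = defaultdict(list)
    for domain, name, _value in parse_cookies_txt(text):
        tracker = tracker_for(domain)
        if tracker:
            hits[tracker].append((domain, name))
    return dict(hits)


def summarize(hits):
    """Return (total cookies flagged, distinct trackers) for a scan result."""
    return sum(len(v) for v in hits.values()), len(hits)


if __name__ == "__main__":
    result = scan_cookies(SAMPLE_COOKIES_TXT)
    for tracker, cookies in sorted(result.items()):
        print(f"{tracker}: {cookies}")
    print("%d cookies under %d trackers" % summarize(result))
```

Point a scanner like this at the IE cookie folder only, and every Firefox cookie in the sample is invisible to it; that is the whole difference between the Ad-Aware count and the others above.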

Kinda-Related Links

RunAlyzer - Spybot Search and Destroy team's "...brand-new autostart and configuration manager that allows you to view and edit all the spots where Windows looks for programs or services to start. It's a combination of a standard configuration manager and an advanced tool to locate and remove places where hijackers, spyware and other malware hide."

FileAlyzer - From the same Spybot folks, "...allows a basic analysis of files (showing file properties and file contents in hex dump form) and is able to interpret common file contents like resources structures (like text, graphics, HTML, media and PE)."

Blink Personal Edition - This freeware product from eEye Digital Security "...combines intrusion prevention, application and network firewall, identity theft protection, and vulnerability assessment into a single, unified client security solution." It does quite a large number of things, and is a bigger package than I am interested in, but looks to be a promising solution for security-minded users.

Ad-Aware 2007 is on its way -via Download Squad. Not available to the public just yet, but a promising sign. Sign up for their Beta tester program and maybe you can get your hands on a version. I'm hoping the new version supports automatic scanning of the Firefox folders as well.

CounterSpy - ($) From the ever-amazing Alex Eckelberry's Sunbelt Software, this anti-spyware product is top-notch. I have only two reasons why I didn't list it above. First, it has a 15-day trial period (fair enough). Secondly, it isn't portable to USB devices (that I know of). But for a home user who has an ongoing issue with stumbling into malware and needing protection and cleaning--it's a very good product. They are also offering their v2 (beta) for users who join their beta test team! Nice! Keep up the fine product work, Alex!

There you go!

--Claus

9 comments:

Alex Eckelberry said...

Thanks Claus ;-)

Anonymous said...

Found two mistakes in your test:

1. Not only the command line scanner of a-squared is freeware. Please take a look at a-squared Free, which is freeware as well and comes with a rich GUI. Only the a-squared Anti-Malware version is a 30 day trial.

2. The results of the programs can't be compared. Why? You did only a memory and traces scan, no disk file scanning at all. A traces signature can contain single file paths for a specific spyware (usually several hundreds of single files) or a file path only (that covers all files with one result). That means, if e.g. AVG detects 200 files and a-squared only 1 folder, the security result is the same (both will delete all spyware files in that folder), but the number of detections differs a lot.

Anonymous said...

Sunbelt--thanks for stopping by! Any chance you will offer a portable/stripped-down freeware version? Just wondering.... ;)

Anonymous--I appreciate the thoughtful clarifications you provided.

RE: 1) I did indeed miss the a-squared Free product--no slight was intended! I've been familiar with the Hijack Free product for a long time (and the command-line scanner as well, although haven't used it until recently). I will give the a-squared Free application a look sometime this week, and add it into the post. I'm looking forward to getting familiar with it.

RE: 2) I'll be the first one to admit that I don't run an anti-virus/anti-malware certification shop here (unlike ICSAlabs). In fact, in the post I said "...I decided to run a highly non-controlled, non-scientific comparison." (For those interested, the "traces" found were related to UltraVNC programs I have installed on my workstation to handle remote (home) desktop support.) Since I was pretty (99%) certain my system didn't have any "hostile-malware" files on it, my focus ended up being on the cookies.

If anything, those results for the "trace, cookie and memory scans" by a-squared Command Line Scanner are meant to be a very positive reflection. It VERY QUICKLY picked up the presence of a "potentially malware" program, even without having run a full-disk scan. That's what makes the tool very good to me. None of the others did.

I do understand that each vendor has its own criteria for "inclusions" into their DAT files. It's possible that a vendor could load their DAT file with all kinds of more common cookie bits (good or bad) to generate a "high hit rate"--I DON'T feel that any of the vendor products listed do that--that's why I recommended them.

So even the numbers alone aren't necessarily reflective of efficacy in securing a user's system.

In my years of field-experience attempting to take malware off corporate and home-users' systems, I (and others) have found that the best policy is often to just reimage/reinstall the entire system. Unfortunately, that isn't an option for some systems nor is it a job most home users would consider tackling.

So it's off to option #2) Run a pass on the compromised system using several different trusted-vendors (there are lots of scam-ones out there that will infect a system they promise to clean!) anti-malware products. And in many cases, some hands-on, manual cleaning of the registry and auto-run areas is still required--hence the need for other "auto-run" and process utilities.

I actually see all these products as very complementary of one-another.

You raised some very good observations and I'm glad you posted them.

If you have any other suggestions or know of any helpful links/forum posts on the finer points of a-squared's Command Line Scanner...(beyond the readme file that comes with it)...please share!

I think this looks to be a very good utility--hence my enthusiasm once I finally tried it out!

One final point I'd like to make is that this isn't intended to cover any of these product's anti-malware inoculation/system guarding features.

As a rule, I don't run any of them in that role on my systems...only for malware scanning and removal. Windows Defender is the only one we install in our corporate environment (which could be the subject of a different post all its own)...and though many of these vendors/products do offer that feature...my personal behavior is to keep as few additional processes running and then practice safer-surfing habits.

That works for my systems at home and work...but for less-savvy Web users who seem to stumble into trouble--those additional features may be very valuable and worth consideration.

Claus said...

Anonymous...

I've updated the post to include a-squared HiJack Free. It is a very nice application and works great.

Recommended!

Thanks for bringing it to my attention.

Claus said...

Corrections...

Found that I was still referring/linking to the anti-spyware product of a-squared as HiJackFree (which is their auto-run/process tool) with a-squared Free which is their anti-spyware scanner.

Fixed links and references.

Anonymous said...

Claus, it was not my intention to put your test results in a bad image. But if you post numbers of detected items, most people will rate the products quality based on those numbers. That's why it is always necessary to describe the test in detail and maybe add a note that the number of detected items does not tell anything about the security a product can achieve.

Btw. it would be great to see a real comparison test of a few background protection systems. A scan is important, but as you said, in many cases the only way to get rid of a spyware is to format the hard disk. Therefore it is much more important to see which background protection tools can BLOCK most of the spywares before they can do any damage. But I understand that such a test can take really a lot of time to set up a test environment to restore the system after each software tested. That's why you can find tons of scanner comparisons on the internet, but nearly no reliable prevention tests. ;)

Claus said...

Anonymous...

No offense at all was taken! I sincerely appreciate you taking the time to give some criticisms on the post. I agree with the points you raise. Hopefully, feedback like yours will help my posts get sharper and better!

What seems clear to me in posting, may not be clear to others...and a little bit more detail formatted in a clear way about what the results are intended to reflect--and what they aren't--might indeed go a long way to help avoid confusion.

I spend quite a bit of time in the enterprise world just focusing on "removing" malware off a system and recovery/restoration of the system. Our "shop" doesn't place much of a priority on blocking/prevention of malware (just virus/trojan activity)...just that once it's on--it needs to get pulled off. I keep our home systems pretty well covered--so it's always just "nuisance cookies" I'm dealing with there. So my day-to-day operational mindset is more "response/removal" than proactive prevention.

Like you, I would also like to see some control test-lab type comparisons. It would indeed take quite a bit of work to do.

Get a fresh pc image loaded up with malware, and document exactly what was done to infect it.

Capture an image of the system.

Install only one version of an anti-malware program and do a full/deep scan. Document what it finds and how effective it is at removing it.

Reimage and try each other product, reimaging after getting results.

Then run a "prevention/block" test by going back to a pristine system image, and installing the anti-malware application FIRST then repeat the stages done to infect in the first place and check the results for efficacy. Reimaging again between applications.

One last note, this would almost certainly have to be done on a "live" system as more and more malware programs are being coded to detect if they are running in a "virtual pc" environment. If so, they don't load.

Whew!

Maybe that's why we don't see many comparison "prevention" reviews.

I did recently find the following website...Malware-Test.com that appears to run frequent tests of many products: AntiSpyware Comparison Report. They also post a Test Methodology explanation as well that is pretty detailed.

I can't independently vouch for their results and testing.

ConsumerSearch has a review of, well, malware reviews. Many listed are more current than others...

Then I always have to keep in my mind that whole Consumer Reports testing fiasco blogged over by Alex Eckelberry at Sunbelt Software: The Consumer Reports testing scandal: It's far, far worse than we initially thought.

Where do we go to find trustworthy and effectively designed anti-malware test comparisons and results? I don't have a good answer...and my personal experiences in the trenches have taught me to use several, since no single one is 100% effective.

Oh yeah, and I am always prepared to manually pull stuff off myself. But knowing how to do that takes a lot of hands-on experience with knowing where to look, how to pull it off, and how to fix stuff that gets broken (LSP services) that can get bad-broke when some malware gets taken off.

Finally, my focus is really on personal/home applications...specifically those that offer versions free for home users. Not trialware or shareware versions. There are lots of commercial products out there that may perform quite well, but since I don't/won't look to use those in normal circumstances...I can't/won't post regarding them and their efficacy either.

Meanwhile the battle for control over the end-user's pc rages on....

(sighs....)
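The anonymous commenter's point about detection counts (one product listing every infected file, another listing the folder that contains them) and the lab procedure sketched above ("document exactly what was done to infect it", then "document what it finds and how effective it is") both come down to scoring scan results against a known manifest rather than counting hits. Here is an added example of how that scoring step could be done. This is illustrative code written for this post, not anything from a-squared, AVG, Sunbelt or any other vendor; the infection manifest and the two scan reports are constructed, and the convention that a folder-level detection is written with a trailing backslash is an assumption of the example.

```python
"""Score anti-malware scan reports against a manifest of planted artifacts.

Added example for this post, not code from any product mentioned in it.
MANIFEST and REPORTS are constructed. The manifest is what a test lab would
record at the "document exactly what was done to infect it" step; a report
is the list of paths a product flagged. A detection ending in a backslash is
treated as a folder-level (trace-style) detection that removes everything
beneath it -- an assumption of this example, not any vendor's log format.
"""
import ntpath

# Constructed manifest: every artifact planted on the test image.
MANIFEST = [
    "C:\\Program Files\\FakeAV\\fakeav.exe",
    "C:\\Program Files\\FakeAV\\fakeav.dll",
    "C:\\Program Files\\FakeAV\\uninst.exe",
    "C:\\WINDOWS\\system32\\bho_hook.dll",
    "C:\\Documents and Settings\\user\\Cookies\\user@ad-tracker[1].txt",
]

# Constructed scan reports from two hypothetical products.
REPORTS = {
    "ProductA": [  # one hit per file, plus the cookie; misses the BHO
        "C:\\Program Files\\FakeAV\\fakeav.exe",
        "C:\\Program Files\\FakeAV\\fakeav.dll",
        "C:\\Program Files\\FakeAV\\uninst.exe",
        "C:\\Documents and Settings\\user\\Cookies\\user@ad-tracker[1].txt",
    ],
    "ProductB": [  # one folder-level trace plus the BHO; misses the cookie
        "C:\\Program Files\\FakeAV\\",
        "C:\\WINDOWS\\system32\\bho_hook.dll",
    ],
}


def norm(path):
    """Case-fold and normalise separators so Windows paths compare reliably."""
    return ntpath.normcase(ntpath.normpath(path))


def covered_by(detection, manifest):
    """Return the manifest artifacts a single detection would remove."""
    det = norm(detection)
    if detection.endswith("\\"):  # folder detection: everything beneath it
        return {a for a in manifest if norm(a).startswith(det + "\\")}
    return {a for a in manifest if norm(a) == det}


def score(report, manifest):
    """Raw detection count versus distinct manifest artifacts actually covered."""
    covered = set()
    for detection in report:
        covered |= covered_by(detection, manifest)
    missed = [a for a in manifest if a not in covered]
    return {
        "raw_detections": len(report),
        "artifacts_covered": len(covered),
        "coverage": len(covered) / len(manifest),
        "missed": missed,
    }


def compare(reports, manifest):
    """Score every product's report against the same manifest."""
    return {name: score(report, manifest) for name, report in reports.items()}


if __name__ == "__main__":
    for name, s in compare(REPORTS, MANIFEST).items():
        print(f"{name}: {s['raw_detections']} detections, "
              f"{s['artifacts_covered']}/{len(MANIFEST)} artifacts "
              f"({s['coverage']:.0%}), missed {s['missed']}")
```

On the constructed data the raw counts differ (four detections against two) while both products cover exactly the same number of planted artifacts, and each misses a different one. That is the commenter's point in numbers, and it is also the case for running more than one product on a heavily infected box.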

Anonymous said...

This is Circle from Taiwan which is, you might know, the most virus-buffeted area on this planet.

I wondered and I'm still wondering why you (and some of your fellows) praise a-squared, which we geeks in Taiwan call Make-Me-Laugh software.

Not long ago [2006~], a-squared free made my friends laugh because it informed us that 'C:\WINDOWS\system32\sndvol32.exe' in our PCs is a Trojan.

I just downloaded the latest version from emsisoft 30 mins ago.

And now, it's making me laugh again for telling me there is a Trace.Registry.SpywareQuake in my pc.

Maybe we should report this to ...uh...Spyware Warrior !??

Claus said...

Hi Terry circle yu.

I appreciate you taking the time to post a comment.

I've been thinking about what you said...let me see if I can share with you my own personal perspective.

While a-squared isn't one of the first anti-malware tools I reach for when I am doing an "infected" malware response, I am glad to have it available on my USB stick.

I generally use a variety of tools, some with overlap, when I attempt to clean a system.

It's been my experience that no one anti-malware product can 100% clean a system. That's why I often run Spybot, Adaware, AVG anti-spyware, and a-squared free; all on the same system, one right after the other. I will have to use Microsoft's Sysinternals Process Explorer and Process Monitor to identify malicious processes, maybe their Autoruns application and always take a peek at things with HiJackThis.

Then comes some anti-rootkit scans from various developers, and at least an installed A/V scan..and I might also run a 2nd A/V scan or two as well...depending on what I have uncovered up to this point. It might even require me booting the PC with a Linux LiveCD or a BartPE disk to do some cleaning work.

As you shared, it sounds like you also have a great deal of experience dealing with cleaning malware off systems.

Please don't misunderstand my "praise" for a-squared. I see it as one of many tools that are available for consideration. It has its own set of strengths and weaknesses.

As you point out, it does have a history of false-positives. But then, due to the nature of the game, I don't expect them all to be perfect....heck, my AVG A/V software had a false-positive on a Firefox file a while back. I sent them a note along with the file, and I got a note back thanking me for pointing this out and a few hours later they had a new DAT file released, fixing the issue.

That did impress me.

I also just got done running a scan of my system with a-squared free.

It found a few more low-risk cookies the other scanners had passed over. No biggie. It also found all my UltraVNC program references (which I ignored) as well as a tool that lets me inspect the contents of Microsoft's protected storage area (also ignored).

Just like you reported, it also found the same Trace.Registry.SpywareQuake on my pc:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\SpywareQuaked.exe detected: Trace.Registry.SpywareQuake

I ran regedit and looked for it but it couldn't be found. I also did a registry keyword search and a file system search, as well as rootkit scan of my registry, and a hidden reg-key scan as well. All came back clean. So I am at a loss to understand what is triggering that alert.

So I agree with you, that a-squared's reporting of this thing is almost certainly a false positive.

So in response, I decided to report it to EMSI's false positive mailbox: fp@emsisoft.com

a-squared products: Contact us

The way I see it, this is the only way I can do my part to help them get better....and that helps me.

I hope they let me know if this is the case...and what triggered it, but I'm not holding out too much hope. If they respond, I'll add it into the comments.

Circle, just out of curiosity, which anti-malware/spyware products do you personally recommend and use most often?

I'm always on the lookout for effective and dependable utilities...

Thanks for sharing your comments. I value them all!