Though I wasn't able to compare the effectiveness of leading anti-spyware software, I was able to distill the best practices for handling spyware and adware. Any system builder will help their clients by following these best practices:
- Use at least two anti-spyware packages: Because no single package attains 100 percent detection or repair ratings, you must use more than one anti-spyware package to keep your systems ship-shape. My recommendation is to use two. Run the first one as a real-time blocker, and let it scan and repair frequently. (For example, Microsoft AntiSpyware scans nightly by default.) Then schedule the second package as a backup scan; use its repair tool about once a week. Automate the operations of both packages, if possible, so the user won't forget or postpone this essential activity.
- Keep up with Windows and other software updates: Spyware, like viruses and other malware, often exploits vulnerabilities in the runtime environment. Keep Windows patched, and keep anti-spyware software and definitions updated. Here again, an automatic or scheduled update is the best way to ensure you're not fighting today's problems with yesterday's tools.
- Provide adequate browser security: For Windows XP SP2 and Windows Server 2003, the base environment (if current) provides ample browser protection, including managing browser helper objects, active content and scripts, default page and search assignments, and blocking pop-ups and other means that spyware uses to infest systems. Users of older versions of Windows should take care to lock down browsers and block or limit active content and scripts. Security-scanning tools like AuditMyPC.com--which includes firewall tests, spyware check, pop-up handling test, and more--will not only help system builders check and assess individual PCs, but also suggest remedies and provide further information when needed.
- Educate your users: Though nobody wants to read End User License Agreements (EULAs), these often contain information that warns users to steer clear of certain Web sites and to avoid installing certain downloads--but only if they read the fine print. Users need to either take responsibility for such perusal, or steer clear of any and all software that a company or organization neither supplies nor sanctions.
Sidebar: Spyware Sleuthing With Eric Howes
Eric Howes is a researcher at the University of Illinois who has been chasing spyware for the last five years, or about as early as anybody began to notice evidence of spyware in the wild. In late 2004 Howes published the results of his several-month study of spyware here. During this study he systematically exposed an unprotected machine to a broad range of spyware representing common threats that most users are likely to encounter. Howes created a reference image of that system for ready re-use, ran all of the anti-spyware packages he could identify against that test bed, and compared their results. To say the least, his findings are unsettling.
While respected sources like ICSA and Virus Bulletin routinely report 100 percent effectiveness from multiple anti-virus packages in their yearly surveys or comparisons, Howes' best results barely topped 90 percent effectiveness. Those ratings came from Sunbelt Software's CounterSpy and Microsoft's AntiSpyware. But many better known anti-spyware products--including Spybot Search & Destroy, LavaSoft Ad-Aware SE, and Webroot SpySweeper--typically reported effectiveness ratings in the range of only 60 percent to 75 percent.
Preparing this spyware test bed took more than 100 hours, Howes says. He also painstakingly went through the process of using the InControl 5 software package to create before-and-after snapshots for all infestations. That way Howes could compare logs; investigate all new and changed files; detect all Registry adds, edits, and deletes; and pick through all the temporary Internet files left behind in the current user's account directory. (%userprofile%\Local Settings\Temporary Internet Files is a symbolic specification for this directory that will work for anyone logged in on a modern Windows system. As a pretty typical example, my own system's Temporary Internet Files directory right now contains more than 9,500 files.) This is a huge amount of data to sift through and analyze. Howes has been saving this data for the past nine months in Zip format, and he has already collected more than 2 GB worth of such data.
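The file-system half of that before-and-after comparison can be sketched in a few lines. This is an added example, not code from the article, from Howes, or from InControl 5. It hashes every file under a directory, then reports what was added, changed, or deleted between two snapshots; Registry comparison is not covered, and the directory layout and file names in demo() are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to (size, SHA-256)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                state[rel] = (os.path.getsize(full), digest.hexdigest())
            except OSError:
                # Locked or vanished files are recorded rather than skipped.
                state[rel] = (None, "unreadable")
    return state

def diff_snapshots(before, after):
    """Return sorted lists of added, changed and deleted relative paths."""
    added = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return {"added": added, "changed": changed, "deleted": deleted}

def demo():
    """Constructed sample: a throwaway tree stands in for the test-bed profile."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        write("profile/hosts.txt", b"127.0.0.1 localhost\n")
        write("profile/cache/index.dat", b"unchanged")
        write("profile/old.tmp", b"x")
        before = snapshot(root)
        # Simulated post-install state: one new file, one edit, one removal.
        write("profile/toolbar.dll", b"constructed stand-in bytes")
        write("profile/hosts.txt", b"127.0.0.1 localhost\n# edited\n")
        os.remove(os.path.join(root, "profile/old.tmp"))
        return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Comparing content hashes rather than timestamps means an edit that preserves a file's modification time still shows up as changed.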
Howes' advice to any system builder who is considering building their own anti-spyware test bed: "You can't just look at the pure functionality of the software, as you can with viruses. You have to look at the context of the user experience and the mechanisms and types of delivery used."
Howes continues: "Then you have to understand exactly how unwanted information or software arrives on a computer. You must visit the Web site and go through the user's experience, rather than simply evaluating the functions of the left-behind software itself. Spyware/adware research has to look at business practices, human decision making, and user interactions."
This takes more time and effort than producing virus signatures and related repair scripts or routines. It also explains why anti-spyware vendors need anywhere from two to five days to post a response to a new problem, while anti-virus vendors routinely post responses within 24 hours.
ED TITTEL is a technology writer who has contributed to more than 100 computer books; a trainer; and a consultant who specializes in IT certification and information security, with a special emphasis on Windows desktops.