Over the past 2 days I've performed yet another round of tests with 20 anti-spyware scanners, this time using a new collection of spyware and adware picked up from my favorite "test" site, "Innovators of Wrestling" (iowrestling.com). As before, I identified a core set of "critical" detections and monitored how thoroughly each anti-spyware scanner removed the "critical" detections. You can find a list of those detections on the Guide page here:
The results of this new round of tests can be found on these two pages:
As I requested before, please have a look at the Guide page before proceeding to the results pages. The Guide page has been revised to account for these new tests. As always, the "Disclaimers" section on the Guide page is "must read":
One aspect of these latest tests worth noting: the collection of spyware and adware used for this round of tests included some especially nasty software that proved difficult, if not next to impossible, to remove for the anti-spyware scanners. In particular, the key processes for the following adware/spyware were not killable at all:
The executables were simply too well protected in memory. Even the DiamondCS process tools APM and APT could not remove those processes and modules from memory.
The standard procedure that anti-spyware scanners use in this situation is to remove the files on reboot by configuring the scanners to run through the HKLM\...\RunOnce key. Not a single anti-spyware scanner succeeded in doing that, however, because one of the above processes -- or perhaps it was the VX2 3dsdpi.dll module that was attached to the Winlogon process, a core Windows system process -- blocked changes to the RunOnce key. Still worse, the files mentioned above could not even be removed in Safe Mode.
This all is a potentially huge problem. The only way I succeeded in removing those files was to boot to a command line using SysInternals' ERD Commander 2000. A bootable CD could be used to achieve the same result.
Finally, before anyone asks, let me indicate right now that I am not going to put together a table summarizing the combined results of both rounds of tests. Were I to do so, that table would immediately be taken as a definitive ranking of the products tested, and that kind of ranking is simply not warranted solely on the basis of these two rounds of tests. Moreover, I know that once that table appeared, people would link only to the table, and the rest of the critical information and context regarding these tests would get lost in the rush to judgment.
In any case, questions, comments, and suggestions are always welcome.
Eric L. Howes
Eric Howes Anti Spyware Tests, New
Posted 09 October 2004 - 04:29 PM
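The reboot-time cleanup described in the post only works if the RunOnce key actually accepts the scanner's write, and the post reports a case where that write was silently blocked. As an added example (not code from the post or from any of the scanners tested), the PowerShell below lists the current RunOnce entries for review and probes whether a write to the key persists by reading it back; a scanner or an analyst relying on reboot cleanup should make that check rather than assume it worked. The full key path is the standard Windows RunOnce location (the post only writes it as HKLM\...\RunOnce); the function names and probe value are my own assumptions. It needs an elevated PowerShell session on Windows.

```powershell
# Added example, not from the original post: audit the HKLM RunOnce key and
# verify that a reboot-cleanup entry really persists. Assumes an elevated session.
# Full path is the standard RunOnce key (the post abbreviates it as HKLM\...\RunOnce).
$RunOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-RunOnceEntries {
    # List every value under RunOnce so unexpected entries can be reviewed
    # before the next reboot executes them.
    $key = Get-Item -Path $RunOnce -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Name = $name; Command = $key.GetValue($name) }
    }
}

function Test-RunOnceWritable {
    param([string]$Name = 'CleanupProbe_' + [guid]::NewGuid().ToString('N'))
    # Write a harmless marker value, read it back, then remove it.
    # If the read-back does not match, something is protecting the key and
    # any reboot-based file removal scheduled here will never run.
    $expected = 'cmd.exe /c echo RunOnce probe'   # constructed, harmless command
    try {
        Set-ItemProperty -Path $RunOnce -Name $Name -Value $expected -ErrorAction Stop
        $actual = (Get-ItemProperty -Path $RunOnce -Name $Name -ErrorAction Stop).$Name
        return ($actual -eq $expected)
    } catch {
        Write-Warning "RunOnce write blocked or failed: $($_.Exception.Message)"
        return $false
    } finally {
        # Always clean up the probe so it is not left behind for the next boot.
        Remove-ItemProperty -Path $RunOnce -Name $Name -ErrorAction SilentlyContinue
    }
}

Get-RunOnceEntries | Format-Table -AutoSize
if (Test-RunOnceWritable) {
    Write-Host 'RunOnce is writable; reboot-time cleanup can be scheduled.'
} else {
    Write-Host 'RunOnce write did not persist; fall back to offline (boot CD) removal.'
}
```

The probe is deliberately a no-op command and is removed in the `finally` block, so running the check leaves no entry behind; the useful signal is the read-back comparison, which is what distinguishes "the write call returned" from "the write actually took effect".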