Update: I’ve made some small but significant changes to this list based on excellent feedback from the anti-spyware community. I’ve also published a second installment in this series. See “Six steps you can take to block unwanted software.”
Carl Siechert and I are currently working on an update to our 2002 book Windows Security Inside Out. It’s been only a little over two years, but a lot has changed in the computer security landscape during that time. So much, in fact, that the update is much more extensive than we originally envisioned.
The biggest change, in my opinion, is the explosive growth in what’s commonly called spyware. We spent about four paragraphs on the topic in the first edition, basically telling readers to install a firewall and use Ad-Aware. In this edition, we’re devoting an entire chapter to spyware, and we’ll have significant coverage of related topics in at least four other chapters.
One frustrating aspect of the whole spyware topic is the extraordinary amount of misinformation floating around about what spyware is, how it gets on your computer, and how you can protect yourself most effectively from being a victim. To organize my thinking, I’ve put together the following list of ten essential facts about spyware. This list forms the basis of the spyware coverage in the new edition. I recognize that some of these statements may be controversial, and I’m open to alternative points of view. (If you want to reply, add a comment or create your own blog entry and send me a trackback.)
The list begins after the jump.
- There is no general agreement on what spyware is. Google offers these five definitions. Most of them focus on the classic definition of programs that “monitor your actions” and “gather information without your knowledge.” The term spyware is routinely conflated with adware, which refers to a broad category of software that is supported by advertising. In reality, people begin to care about spyware when it starts to have a negative effect on their computer’s performance and they can’t get rid of it. My definition of spyware is: “Any program that is installed without the user’s full and informed consent, often through deceptive means, and that displays advertising, records personal information, or changes a PC’s configuration without the user’s explicit permission.”
- Any decision to classify a program as spyware will, by definition, be subjective. Not to mention controversial. Some software programs are universally considered to be spyware, but others aren’t so easy to classify. What happens when I think a program is perfectly innocent and you think it should be banned or blocked? Who decides which definition prevails? Any anti-spyware solution should include a way of classifying possible threats on a scale, so that the user can decide which ones to pay attention to and which ones to ignore.
- Cookies are not spyware. I’ve written plenty about this before (see here, here, here, and here). I’ve published easy-to-follow instructions to give you complete control over cookies, using nothing but the basic features in your favorite browser, if that’s what you prefer. If someone wants to add cookie-control features to a security suite that also includes anti-spyware features, fine, but don’t mix them together.
- If you have to scan your system for spyware and remove unwanted programs every week, you’re doing something wrong. My antivirus software is configured to scan my whole system weekly. It never finds anything, because it does such a good job of blocking infected attachments, hostile Web scripts, network worms, and so on. Running a weekly scan is probably not a bad idea, from a belt-and-suspenders point of view. But it shouldn’t be necessary, because …
- The whole point of anti-spyware software should be to prevent unwanted programs from being installed. The two most popular anti-spyware programs in recent years, Spybot S&D and Ad-Aware, started out as scan-and-remove utilities. You get infested with a piece of scumware, and then you run one of these programs to knock it out. Wouldn’t it be better if the unwanted software never got installed in the first place? That’s the point behind the Resident TeaTimer feature in Spybot 1.3 and the real-time protection features in Microsoft AntiSpyware.
- There is such a thing as high-risk behavior. Recently, I was accused of “blaming the user” for writing that the spyware epidemic can be traced, at least in part, to users “running old operating systems, with only a dim awareness of the need to do updates and a willingness to install anything…” Let’s acknowledge that the purveyors of spyware do everything they can to mislead users into making incorrect decisions, and that the architecture of Windows, especially in older versions, makes their job easy. Does that let the user completely off the hook? I don’t think so. If you regularly download files from unknown sources over peer-to-peer networks or browse adult-oriented Web sites, you are at far greater risk of getting zapped by unwanted software. The risk increases dramatically if you aren’t diligent about installing security patches and Critical Updates. If you’re going to visit dangerous neighborhoods, it makes sense to pay extra attention to your surroundings so you don’t get mugged.
- Be suspicious, but don’t be paranoid. A little healthy skepticism goes a long way toward keeping you secure. If you let your suspicions take over completely, you’ll find that the Internet is almost unusable. A completely locked-down workstation might be appropriate in a bank or at the CIA, but it’s overkill at home.
- If you’re not sure whether to install a program, don’t install it. I’ve written previously about my two-week rule: “I won’t install a new program until I’ve had at least two weeks to check it for known problems, unfortunate interactions with other programs, and unwanted behavior.” Every Windows user has at least one horror story about installing a program that caused so many problems the only cure was a complete reinstall. Most such problems (including spyware-related issues) are well documented; you’ll save yourself a lot of grief if you do your research before you click the Install button.
- If you get a piece of spyware on your system, you’re in trouble. The most insidious forms of spyware burrow into well-hidden corners of the file system and the Registry and immediately begin downloading additional components. Even if you succeed at removing the parts that cause pop-up ads and general system slow-downs, can you really be certain you got rid of every trace of the offending program? It’s far, far better to prevent the infestation in the first place, if possible.
- One anti-spyware program should be enough. I regularly read advice from spyware experts who recommend that you scan your system with two (or more) programs, because each program they tested has a different set of strengths and weaknesses. I disagree. For everyday use, pick an anti-spyware program that does the best job possible of preventing unwanted software from getting on your system in the first place. If, despite your best efforts, you find yourself needing to remove an unwanted program, use whatever tools it takes. If your preferred tool can’t get rid of the pest, go ahead and use a second or third scanner. And then, after you get rid of it, figure out how you can prevent the same thing from happening again.
Update: Interesting feedback so far from Eric L. Howes (in the comments section), from Michael Pollitt, and from Suzi at Spyware Warrior. Keep it coming, please!
Excellent list. Following up on your Item 9, is there a way to detect, e.g. through Event Viewer, whether the crudware is downloading additional components without your knowledge or consent? If not, can Event Viewer be reconfigured to monitor such events, or does this idea cause more problems than it solves (e.g. because of excessive monitoring and logging of outbound communications)?
Also following up on the same item 9, isn’t one solution a third party firewall that monitors outgoing communications as well as incoming communications? Does the Trend Micro 2005 firewall monitor outgoing communications? Do you recommend that I use it (or another third party firewall) in lieu of the Windows firewall that comes with SP2? Do such firewalls come at a cost in overall performance or Internet connection speed, as some people contend?
Incidentally, I still maintain the view that a more aggressive third party firewall is not the ideal way to approach this problem, i.e. the best solution is to prevent the crudware from getting on your machine in the first place, e.g. through a program like the Microsoft beta antispyware program.
TIA as always.
Ed:
This is a useful list for the most part, though there are a few items that deserve comment, elaboration, and, yes, criticism.
Your advice for anti-spyware vendors in # 2 is right on the mark. In fact, this is something that I have been pushing a number of anti-spyware vendors to adopt in their programs. Many of the big anti-malware vendors, however, resist this advice because they want to make their programs as uncomplicated and “idiot-proof” as possible. The latest consumer version of Pest Patrol is a good example of the direction some vendors are taking, unfortunately.
Your # 5 is also a point very well-taken — prevention is always preferable to remediation. In addition to using the prevention features of a popular anti-spyware scanner, users would also be advised to:
- lock down their browsers (which means IE, in this case), either by configuring the Internet zone more securely or by adding known problem sites and domains to the Restricted sites zone.
- install one or both of JavaCool’s excellent programs SpywareBlaster and SpywareGuard:
  http://www.javacoolsoftware.com/spywareblaster.html
  http://www.javacoolsoftware.com/spywareguard.html
- swing by Windows Update and install all the latest critical updates for their systems:
  http://windowsupdate.microsoft.com/
- read license agreements (EULAs) and privacy policies carefully before installing any software off the web, esp. those that appear to be plug-ins or gizmos necessary to view content at web sites or that appear to be “freeware.”
Your # 10, unfortunately, is a bit muddled. In fact, the best argument against your # 10 is the point you make in # 9. Now, I would certainly agree that in an ideal world one spyware program would be enough, and the goal of “one program is enough” would be an excellent target for anti-spyware vendors to adopt.
The sad fact is, though, that we’re not there yet. One program is not enough, and the best testing and experience that we have with anti-spyware programs confirms it. Moreover, any reputable anti-spyware developer or vendor who’s knowledgeable and honest will admit as much, too.
You write that “if, despite your best efforts, you find yourself needing to remove an unwanted program, use whatever tools it takes.” But that begs the question (which you ask in # 9): how is the user to know whether any unwanted programs remain on the system and still need to be removed? How can the user be sure that the system is really “pest-free”? How can the user be certain that no spyware/adware remains on the system? By relying on but one tool that we already know is not 100 percent?
That’s poor advice, esp. given what you pointed out in # 9 — namely that “the most insidious forms of spyware burrow into well-hidden corners of the file system and the Registry and immediately begin downloading additional components.” Absolutely correct. In fact, it’s quite common for even the best anti-spyware programs to leave stray executables and DLLs lying around in the oddest places, and even one missed file can be the seed for a re-infestation. This is esp. true now that so many spyware/adware problems we’re seeing are the result of massive infestations in which 15-25 different programs (in the form of dozens of new directories, hundreds of files, and thousands of new Registry keys) are dropped on the system at a single time.
In these kinds of situations, a single anti-spyware program — even one that can be counted on to remove 80 percent of the resulting mess (and even 80 percent is asking a lot from the current crop of anti-spyware programs) — is still going to leave critical adware/spyware components on the user’s system. And after that single anti-spyware program pronounces the system clean, inexperienced users may not even recognize that there’s still unwanted software on the system until the damage is done.
No, the best advice — the safest, most responsible advice — for dealing with known or suspected spyware/adware infestations is always to seek a second opinion, even when your main anti-spyware program has pronounced the system clean and even when it appears to you that the system is clean, because there’s a very good chance that it’s not. In fact, it goes beyond a “good chance” that the system is still infested — it’s almost guaranteed.
Prevention is, of course, always the best policy, and perhaps a year or so from now we will have anti-spyware programs that are 100 percent in their detections and removals. But when dealing with a spyware/adware infestation at the present point in time, the safest policy is to assume from the get-go that your main anti-spyware program can’t and won’t do the job completely and that a second scan from another program is both prudent and necessary. Anything short of that could leave users with a false sense of security.
Regards,
Eric L. Howes
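As an added example (not code from the post or from Eric’s comment), the two browser lock-downs named in that list done from PowerShell: mapping a domain into IE’s Restricted sites zone through the per-user ZoneMap registry key, tightening the Internet zone’s ActiveX download actions, and auditing which domains are already mapped to the Restricted zone. The domain name used is a constructed placeholder.

```powershell
# Per-user Internet Explorer zone configuration lives under these keys.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$InternetZone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$RestrictedZone = 4   # zone ids: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites

function Add-RestrictedSite {
    # Map a domain to the Restricted sites zone. One subkey per domain; a '*' value
    # covers every scheme (http, https, ...). Value data is the zone id.
    param([Parameter(Mandatory)][string]$Domain)
    $key = Join-Path $ZoneMapDomains $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name '*' -PropertyType DWord -Value $RestrictedZone -Force | Out-Null
}

function Set-InternetZoneActiveXDownloads {
    # Tighten the Internet zone: URL action 1001 = "Download signed ActiveX controls",
    # 1004 = "Download unsigned ActiveX controls". Data: 0 Enable, 1 Prompt, 3 Disable.
    # Disabling both blocks the drive-by "install this plug-in to view content" route.
    foreach ($action in '1001', '1004') {
        New-ItemProperty -Path $InternetZone -Name $action -PropertyType DWord -Value 3 -Force | Out-Null
    }
}

function Get-RestrictedSites {
    # Audit: list domains whose ZoneMap entry points at the Restricted zone. The same
    # walk with a different zone id shows what software may have added to Trusted sites.
    if (-not (Test-Path $ZoneMapDomains)) { return @() }
    Get-ChildItem -Path $ZoneMapDomains | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $hit = $props.PSObject.Properties |
            Where-Object { $_.Name -in '*', 'http', 'https' -and $_.Value -eq $RestrictedZone }
        if ($hit) { $_.PSChildName }
    }
}

# Usage with a constructed placeholder domain; changes affect only the current user.
Add-RestrictedSite -Domain 'known-bad-site.example'
Set-InternetZoneActiveXDownloads
Get-RestrictedSites
```

Domains mapped this way also appear in Internet Options > Security > Restricted sites, so the result can be cross-checked in the GUI.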
One thing I was asked recently by a novice PC user was: “how do you know which apps to delete from the HD and which to keep?” By “apps” they were referring to the programs that MS Anti-Spyware detected as threats; after it did its scan and found “spyware,” they were not sure what should be removed and what shouldn’t be removed.
Hellsbellboy,
After MS Anti-Spyware runs a scan and finds those “apps”, you can click on each one and see a brief description of why it was flagged and what the perceived severity of it is [for the reasons listed in Ed’s point #2]. Also, as always, Google is your friend. Search the “apps” and see what others are saying about them. SpyBot S&D has a similar sidebar with links [although it’s hidden by default].
Yeah, that’s what I told my friend... but I was thinking it would be good to add to the book, ’cause novice users get turned off when things start getting too technical.
While here reading your good information about spyware, protection, and the need for running several products, I was not sure if I should be amused or upset that your Google ads linked me to five sites that wanted to sell me spyware removal software that are all contained on http://www.spywarewarrior.com/rogue_anti-spyware.htm at Spyware Warrior’s site. Ironically, it was Spyware Warrior’s blog that led me to this page.
Spider
This article is good, but it’s nothing that we haven’t heard before. In a corporate workspace or even the novice home user, they will not be able to follow all the steps or don’t even know how to. The way the spyware/trojans get around all the removal tools and anti-virus applications out there is amazing to me. I can take an infected PC and run the latest version of Ad-aware with today’s definitions and it will find and remove all infected files. Run it again and it says the PC is clean. Now run MS Anti-Spyware (again with the latest version and the same day’s definitions) and it will find ~20 instances of spyware that Ad-aware did not (all the time running this disconnected from the Internet). Run Search and Destroy and it finds more.
Either these companies’ products are not performing as they should be, or the spyware writers are somehow “in bed” with the companies that we are trusting to remove them.
Instead of spending your time on the Internet like “a person with a price on their head from the mob” and afraid to go anywhere, something from a legal standpoint needs to be done to go after the people (NOT the companies), the very wealthy people that are funding, running and profiting from these spyware applications. Until that is done, there will be no 100% proven way to prevent PCs from getting infected.
It’s a shame and a turn-off for a PC novice to have to deal with this. I have been in IT for over 16 years and I long for the old days of a CompuServe account and a 24000 bit modem to go out on the Internet (before the WWW) and truly enjoy the information available by this wonderful technology. Like radio and TV, the media has destroyed a good thing.
I can’t wait till I retire and don’t have to deal with this anymore.