Spyware Detector – Ineffective anti-spyware or scamware?
Tuesday, February 3rd, 2009

I am taking another short hiatus from the multi-part series on firewalls to address a topic that has come to my attention for a second time in the past few weeks. Yesterday I was asked to help with a possible malware infection. The client had downloaded Spyware Detector, a commercially-available program that makes some pretty remarkable claims about its ability to detect malware with super-fast scan speeds.

This product has been around for quite a while and is legitimate enough to have been reviewed by PC Magazine. PC Magazine rated it very poorly, but stopped short of classifying it as scamware. Spybot Search and Destroy has been less generous, and has continued to list it as malware because of its long history of producing false positives and its very limited effectiveness.
I did some additional testing, with the same results that I had obtained a few weeks ago. I installed it into a number of virtual machines first, and after ensuring that it was not actually INSTALLING malware (which it does not), I installed it on some of my other computers. I was confident that all of these machines were free of malware (except for the usual tracking cookies), and scanned them with several other products that I know and trust before installing Spyware Detector. I also analyzed the Hijackthis logs and scoured through autoruns entries before installation. In every case, Spyware Detector indicated serious infections of malware, even on one virtual machine that was a fresh installation and had never been connected to the internet. It identified Windows registry entries, FoxIt PDF Creator registry entries, and a number of other benign registry entries as evidence of infection. Spyware Detector does live up to its promise of being really fast - much faster than other products. This is no surprise, since it appears to rely on registry scans alone for its results.
I bring this to your attention because it is a perfect example of one of those products that lives in the shades of gray between legitimate software and scamware. The company's website looks respectable enough, and if you went to this website, you would think that Spyware Detector is the best anti-spyware available (hmmm, does this look like a paid advertisement or affiliate site to you?). The unsuspecting or unwary client could easily be duped into downloading the free version of this product, seeing the alarming results, purchasing the paid version, and thinking that they had made a wise choice. YOUR CLIENTS NEED YOU TO ADVISE THEM ON ANTI-MALWARE. We all know that there are products that are effective, many of which have free basic versions.
To be fair, I was using the free scan offered by this product (I am not willing to shell out good money for it, even for testing), and the paid version may produce different results. Uninstalling it does leave an orphaned driver reference in the registry, which may cause an error to show up in the error logs, but the product seems to do no harm otherwise.
Personally, I would label it as scamware, but that is JUST MY OPINION. You be the judge. What products do you find effective and recommend to clients?
Next: Back to firewalls and outbound filtering
Dennis H in West Virginia, US