Sunday, March 25, 2007

Spyware Doctor with AntiVirus 5.0 Review

Spyware Doctor 5.0 with AntiVirus is effectively a completely different product from Spyware Doctor 4.0. PC Tools rebuilt its flagship product from the ground up over a period of many months, developing it in parallel with the existing product. This Vista-compatible from-scratch rewrite was designed to deliver a "smaller, faster and supercharged" product. It also displays some of the problems you might expect in a version 1.0.

PC Tools developed the antivirus component entirely in-house. West Coast Labs has already awarded it Checkmark certification for virus detection and removal; ICSA Labs hasn't finished testing it yet. And it will be included in the next round of testing by Virus Bulletin. The virus and spyware scans are completely integrated, so the biggest difference you'll notice is the much longer time required for a full scan. On my standard clean system, a full scan with all options enabled needed 1 hour 15 minutes. That's not what I'd call supercharged. The faster but less-comprehensive Intelli-Scan component ran in about 15 minutes. Spyware Doctor 4.0 scanned the same system in 7 minutes! Of course, it wasn't trying to scan for viruses too. A better comparison would be Spy Sweeper 5.2 with Anti-Virus at just under 25 minutes or Norton Internet Security 2007 at a bit under 30 minutes. [Note: Representatives from PC Tools were surprised at my report of Intelli-Scan taking 15 minutes. Their tests showed it running in one to two minutes, though they did identify a situation in which turning AV settings to their highest could slow the scan way down. Naturally, they plan to fix that problem ASAP. And in fact, it turned out I had accidentally cranked up the AV settings on my clean test system. When I re-tested with the default settings, Intelli-Scan ran in under two minutes. It really did take fifteen minutes on the malware-infested systems; that didn't change. –njr]

Though I didn't actually measure performance before and after installation, I got the distinct impression that SD5 slowed down my test systems, especially the malware-infested ones. Launching programs from the desktop seemed to take extra long, and IE7 in particular loaded slowly. Of course, these virtual machines have significantly less memory and hard drive space than your average computer, so any performance hits will be exaggerated.

As always, Spyware Doctor employs many layers of security to keep your system free of malicious software. The first line of defense is Site Guard, which blocks access to malicious sites. Site Guard isn't browser-specific—in fact, it blocks access to bad sites even if the program trying to connect isn't a browser. Site Guard would have prevented me from downloading over half of my malware samples, about the same as Spy Sweeper's equivalent Internet Protection Shield. It also derailed the installation of several samples that require Web access for full installation.

There are a bunch of other "OnGuard" layers, too. The new E-mail Guard scans incoming and outgoing mail attachments for spyware and viruses. Startup Guard, Browser Guard and Network Guard block malicious changes to the start-up sequence, your browser, and network settings, respectively. Process Guard halts malicious processes, File Guard prevents access to known malware files, and Keylogger Guard stops keyloggers based on behavior. Taken all together, this layered protection should keep out most malware. However, in testing it seemed to me that not all the OnGuard modules were pulling their weight. Process Guard and Keylogger Guard in particular didn't seem to be giving a 100 percent effort to the team, as I found during testing.

Can the Doctor Cure My Ills?

I installed SD5 with AV on a clean system and let it get all available updates. Then I threw nineteen malware samples at it, including adware, spyware, Trojan horses, and rogue antispyware products. Impressively, it wiped out fifteen of the malware installers the moment I clicked on them, completely preventing any whiff of installation. The other four managed to launch, but SD5 didn't let them finish installing their malicious payloads. Wow! That's better than SD4 did, and in fact better than any other product tested with this same collection. However, it didn't hold up against my commercial keylogger samples. Where SD4 detected all eight samples and prevented installation of all but one, SD5 detected only seven and didn't completely block one of those. That's not a huge difference, but I expected as good or better performance.

Because SD5 blocked so very many of the spyware samples by whacking their installers on sight, I challenged it with a set of twenty modified samples. In each case I renamed the file and changed a few nonexecutable bytes using a byte-level editor. Here's where the OnGuard modules seemed to be asleep at the switch. SD5 still blocked eight of the modified samples from installing, but completely missed six others, including a rather nasty Trojan. As for the remaining six, it popped up warning after warning about this or that malicious behavior but didn't actually manage to keep the malware from installing. In a similar test with modified samples, NIS 2007 and Spy Sweeper 5.2 both did much better.

As usual, I tested SD5's ability to clean up existing problems by installing it on eight malware-infested systems and running its full scan, including the optional rootkit scan. One system put on a veritable fireworks display during SD5's installation, popping up dozens of messages about errors in different areas. The installation finally completed, but the program itself crashed every time I launched it. Fortunately, rebooting in Safe Mode and running a scan there solved that problem—good save!

The full scans were taking well over an hour per system, so after a few of those I switched to Intelli-Scan. This more focused scan finished in about 15 minutes and detected all of the preinstalled malware. However, several of the threats required a full scan for complete removal, so I didn't really save time. That doesn't worry me; if my antispyware reported that it detected a serious problem I would definitely scan again with every possible detection method turned on.

In the end, SD5 detected every single one of the nineteen spyware samples and successfully removed all but two. It left behind significant executable files for those other two, though they may not have been able to function at their full nasty efficiency. That's pretty good, but in an equivalent test SD4 successfully removed all but one—a different one! Here's more evidence that this really is a brand-new product. Like its predecessor, SD5 detected seven of the eight commercial keyloggers. But whereas SD4 fully removed the seven it recognized, SD5 left one crippled but running and left the rootkit portion of another still hiding.

I ran into some other oddities while testing. I have a simple text file listing my malware samples by name along with their associated files and Registry keys. SD5's full scan insisted that this file was actually a part of the SurfSideKick malware and kept deleting it. PC Tools technicians verified that this behavior is caused by some of the new heuristic detection methods. I didn't hit any other false positives, but this one left me wary. I mean, it's just a text file! On several systems the main Spyware Doctor screen got stuck in a "checking status" mode at start-up and didn't recover for 5 minutes or more. The experts at PC Tools know why this happened and they say it'll be fixed very shortly.

I like the way all of the OnGuard modules now report their actions in a single History list. I like the fact that Smart Update works without any user intervention. The list of quarantined malware items is now much more informative than in the past, offering as much detail as the scan results page and more. There's a lot to like in this update. The problem is, as many users in the Spyware Doctor forums are commenting, it seems the company released it before it was entirely ready. For blocking and removal of spyware it's slightly better than SD4, but it's not as strong against commercial keyloggers. And my tests with modified malware installers suggest it may not do as well against new and unknown threats. Spyware Doctor 5.0 is still a good choice if you're currently without protection (shame on you!), but if you're using 4.0 you may want to wait for 5.1 before you upgrade. If you don't have any protection at all (shame on you!) and you can't wait for version 5.1, you ought to check out Spy Sweeper 5.2 with AntiVirus.