• More free security tools from Microsoft


    • This topic has 17 replies, 9 voices, and was last updated 12 years ago.
    #488835


    LANGALIST PLUS

    More free security tools from Microsoft

    By Fred Langa

    Three useful malware tools from Microsoft run on XP, Vista, and Windows 7 but — inexplicably — don’t work on Windows 8! Plus: Questions about running multiple security apps together, solving hangs at shutdown, and curing homepage hijacking in a browser.

    The full text of this column is posted at windowssecrets.com/langalist-plus/more-free-security-tools-from-microsoft/ (paid content, opens in a new window/tab).

    UPDATE: On May 18, one day after this story was published, Microsoft released the Enhanced Mitigation Experience Toolkit v4 Beta. According to the specs published on the app’s download page, EMET now supports Windows 8.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1388312

      Hi Fred,

      Been years since I corresponded with you on the old LangaList. Howdy, and all that.

      Re running multiple security products: I’ve used MSE combined with Prevx (paid) for several years. Works great, and I haven’t had an infection since I started, despite some fairly devil-may-care surfing from time to time. I have the same setup on our desktop, my laptop and my wife’s netbook (Win 7 Pro, 7 Home Premium and 7 Starter Edition). All work perfectly, and all are malware free when I do my monthly scans with other products.

      Sitting here with a printout of your upgrade/refresh article while “upgrading” 7 on the desktop. So far so good…

      Regards,
      Bill Webb

      • #1388318

        Hi Fred,
        What are the issues with EMET under windows 8? I have it (v3.0) installed and apparently working okay on two computers. Should I be uninstalling it?

        Kev

        • #1388502

          Hi Fred,
          What are the issues with EMET under windows 8? I have it (v3.0) installed and apparently working okay on two computers. Should I be uninstalling it?

          Kev

          Here is the story of EMET and its issues on Windows 8. It will install and does work — sort of. Sort of is not good enough for me.

          -- rc primak

          • #1388510

            Here is the story of EMET and its issues on Windows 8. It will install and does work — sort of. Sort of is not good enough for me.

            EMET 4.0 due for full release within a month sounds promising though (includes Windows 8 compatibility fixes).

            Bruce

            • #1388732

              EMET 4.0 due for full release within a month sounds promising though (includes Windows 8 compatibility fixes).

              Bruce

              Thanks for the update, but we’ve been warned that this EMET discussion seems to be getting to be too much for the Lounge Moderators. I guess this means we have to drop the discussion now. The update does look promising.

              -- rc primak

    • #1388355

      In my experience running multiple real-time scanners always becomes a problem when one of them is Norton or AVG or McAfee, etc. Running MSE alongside MalwareBytes seems to work fine, with no major performance hit. One of the biggest problems I see happens when the fools from Comcast install their special flavor of Norton and its associated dumb-ware on top of existing anti-malware tools. It can bring systems to a halt.

      As to Fred’s dissing of SuperAnti Spyware…it’s deserved. The tool is excellent but the marketing guys at that company are idiots. SAS is one of the few tools that kills off tracking cookies, its results reports are very good, and it also has easy settings for how much CPU power to use.

    • #1388501

      If for some reason Super Antispyware does not completely uninstall with the built-in uninstaller, you can download and run the Super Antispyware Uninstaller Assistant. (FAQ Page)

      I have found that when used only as an installed but non-active second-opinion spyware scanner, Super Antispyware has found spyware which was ignored or not detected by MSE, Malwarebytes and other AV/AS applications. Whether or not you prefer to keep cookies will determine whether or not you appreciate the Tracking Cookies being labeled as malicious and removed. Fred has labeled this kind of behavior as “scareware tactics” in past columns.

      The fact that the SAS Technician’s Edition (their actual name for the USB-based stand-alone .COM program — it is NOT a Win32 .exe program unless the download link was not working when you tried to obtain it) must be installed into a computer to work does deprecate this tool below the usefulness of a CD or USB based true stand-alone application like Microsoft’s Windows Defender Offline Tool. But the purpose of getting a scan to run when malware blocks access to the Internet or to specific AV definitions download sites, is equally well served by SAS Technician’s Edition as by any truly offline scanner tool. It gets the same job done. In most cases where folks resort to such extreme measures, I would recommend wiping the hard drive and restoring from a backup image using an offline backup and recovery CD. You’d be safer and more sure of a quick return to a clean PC status.

      So Super Antispyware is not perfect. Neither is Malwarebytes, as it routinely sends dire messages about Nir Sofer’s utilities and tries to mark them as “Hack Tools” or some such, raising the need to make 50 Exceptions with every MBAM run. MSE has the same nasty habit.

      Overall, no I wouldn’t recommend SAS as the only second-opinion scanner to be used. And I wouldn’t recommend it for use if the hard drive won’t boot or if there’s a severe infection which is messing around with Internet access. Then again, in such extreme cases I wouldn’t advise continuing to use that installation of Windows at all. It’s safer and faster to wipe the drive and restore from a disk image or system image and data backup.

      -- rc primak

    • #1388542

      I had the opportunity last year to clean two machines (my brother-in-law’s and a friend’s machine). Both were badly infected by a malware program. On the first machine I ran Spybot, then Malware Bytes to no avail. I ran both on startup before windows starts and it still was there. Finally I ran SuperAntiSpyware and it cleaned the machine. On the second machine I went straight to SuperAntiSpyware and it cleaned the machine on the first pass. I was hooked and bought the Pro version and installed it alongside MSE on all three of my own machines. I still run it on my machines. I now have a Windows 8 machine, spybot does not work on it. Malwarebytes does. I am waiting to see if SuperAntiSpyware comes out with a Windows 8 version. When they do I will install it as soon as I can. They earned my support by doing an excellent job. I always keep a recent disk image of my machines to make a cleanup easier, but have never had to use the image on any of them.

      • #1388735

        I had the opportunity last year to clean two machines (my brother-in-law’s and a friend’s machine). Both were badly infected by a malware program. On the first machine I ran Spybot, then Malware Bytes to no avail. I ran both on startup before windows starts and it still was there. Finally I ran SuperAntiSpyware and it cleaned the machine. On the second machine I went straight to SuperAntiSpyware and it cleaned the machine on the first pass. I was hooked and bought the Pro version and installed it alongside MSE on all three of my own machines. I still run it on my machines. I now have a Windows 8 machine, spybot does not work on it. Malwarebytes does. I am waiting to see if SuperAntiSpyware comes out with a Windows 8 version. When they do I will install it as soon as I can. They earned my support by doing an excellent job. I always keep a recent disk image of my machines to make a cleanup easier, but have never had to use the image on any of them.

        As of October 2012, Super Antispyware’s Forums state:

        “The new version is compatible with Win 8.” This has been my experience with Windows 8 Pro.

        As an adjunct to MSE, I’d count SAS as about as good as Malwarebytes. The choice is yours.

        -- rc primak

    • #1389423

      Installed EMET beta on Win 8 x64 machine. Tried switching from good site in Opera to IE10 (InIE on my toolbar). EMET threw up endless error boxes and wouldn’t let IE open. So much for that (for now at least).

      Agree with Bob about SAS Pro, both its operation and compatibility with Win 8. Been many months since I had MB on my machine, but for years SAS Pro has done better for me (in Win 7 too). Drives me crazy when someone on a forum insists on an MB run, that it’s the only valid one. But then with Win 8 I haven’t had need for that.

      • #1389424

        Been many months since I had MB on my machine, but for years SAS Pro has done better for me (in Win 7 too). Drives me crazy when someone on a forum insists on an MB run, that it’s the only valid one.

        It’s been my experience with various free versions of SAS that it’s more prone to false positives than MBam’s quick scan is; therefore MBam is quicker and safer than SAS for the uninitiated to set up correctly and run (no cookies scanned for etc.), then select all to remove.

        It’s about “first, do no harm”, similar to Combofix, which is updated so frequently that ‘bad’ versions do sometimes slip through the net, which really shouldn’t be used by less experienced users except under careful guidance.

    • #1389638

      With SAS Free, false positives range from user preferences not to delete tracking cookies to programs such as the Nir Sofer Utilities which are harmless but whose behaviors are similar to malicious hack tools. User perception will influence with SAS, MBAM and MSE whether or not false positives are really that much of a problem.

      I always try to make my own decisions about any malware warning or flag. I have learned to recognize typical false positives. In my experience, all good anti-malware programs err on the side of caution, and flag too much rather than allow anything truly harmful to slip through. These cautions apply especially to deep or full file scans.

      False positives — this is what Ignore Lists are for.

      -- rc primak

      • #1389642

        False positives — this is what Ignore Lists are for.

        That’s fine for the likes of us who can recognise them as such.

        How would you rate a file that scored “Detection ratio: 22 / 46” in VirusTotal?

        33854-VTtest

    • #1389649

      I just noticed a recent comparison of MBAM and SAS: http://www.techsupportalert.com/best-free-adware-spyware-scumware-remover.htm

      Discussion

      Top of the list is Malwarebytes Anti-Malware Free (MBAM). MBAM is a top notch and reputable product. A fairly lightweight download (just over 10 MB) and simple installation means this is not a burdensome product. In my testing, even when the PC was severely infected with many nasties running, it started without any problem and scanned and removed those nasties effectively. The interface is very simple, the scans are very fast and detection is first class. A reboot to complete cleaning was still required for some malware, though this is a minor inconvenience, and required by most programs of this type. The only downside is it has no portable version, and if there is no working network connection in the infected PC you won’t be able to download the latest virus definition updates.

      Second is SUPERAntiSpyware (SAS). Once upon a time this was a good product but recent releases have not been up to the mark. The interface is simple, updates are speedy but it still installs a start-up item which doesn’t actually do anything at all. The scan speed is twice to thrice that of MBAM and the detection is less than half of it. The removal also left a lot to be desired. It left a few nasties running even when it showed them as removed. SAS also requires a reboot to complete the removal process. The upside is, it has a portable version which will help with the removal of infections from computers without a working network connection. I hope version 5 brings improvements.

      • #1390114

        I just noticed a recent comparison of MBAM and SAS: http://www.techsupportalert.com/best-free-adware-spyware-scumware-remover.htm

        Well, second-best ain’t bad. But seriously, I constantly evaluate my security baseline, and the recent slide of SAS has not escaped my notice. It’s only a second-opinion scanner for me anyway, but it still catches a lot of real threats which MSE misses. MBAM is still on my list, and I do use it on Windows XP in addition to SAS. The two programs find different types of stuff, so I don’t think of one or the other, but run both.

        I too hope that a new version will bring significant improvements to SAS.

        -- rc primak

    • #1390154

      No views on #14 Bob?

      • #1391322

        No views on #14 Bob?

        I don’t understand Post #14. Super Antispyware was not in the list of engines tested. :confused:

        But in any event, I will not argue that SAS couldn’t use an upgrade to its scanning engine. I think a new and substantially revised SAS version is in the works now. Which is more than I can say of MSE. MBAM recently underwent a face-lift and major upgrade. So I expect MBAM to outperform SAS for now. But not forever.

        Remember, a Virus Total score of 22/46 is in the middle of the possible range. I personally don’t submit anything there. There are problems when running the Command-line versions of certain scanners. It’s not the same as running the full versions. And False-Positives cannot be resolved by consensus votes. Either the item detected is malicious, or it is not.

        That’s also the problem with Advanced Predictive Heuristics. You can never really know what is malware until the malware actually does something harmful. And by then, it’s too late. Since malware can be very sensitive to machine identity and IP Address, the problem cannot be resolved using laboratory “test beds” or “honey pots”.

        So, how do I know, based on anybody’s Predictive Heuristics, whether or not their predictions are reliable? I can’t know. It’s impossible. It’s the Halting Problem. All Predictive Heuristics suffer from this issue. And it is unresolvable, according to my latest readings on the subject (today).

        Similar problems exist in all disciplines, and heuristic methods do not reveal with certainty what the outcomes would be if we ran actual real-world tests and saw whether actual Internet-connected computers actually got infected from the suspect programs or pieces of code. And none of these methods can predict with any degree of certainty, whether this program or code will infect my computer today.

        I have stated before in The Lounge that I do not trust Predictive Heuristics. I have seen “Threat Ratings” from PrevX, Threatfire and older versions of Malwarebytes, as well as Sophos Rootkit Detector. Not to mention HIPS Firewalls from ZoneAlarm and Comodo. I trust no Ratings System, and even less the “crowd-sourced” “reputation services” which are in vogue these days. Yes, The Crowd can be wrong — dead wrong. Just watch Who Wants To Be A Millionaire for a week and you’ll see just how wrong a crowd can be.

        Nonetheless, I do use Hitman Pro, which like VirusTotal, uses Command-line scanning engines and relies on consensus and crowd-sourcing to make its determinations. It’s nice to know what the consensus is, even though I often ignore that consensus (like with Nir Sofer’s utilities, which are constantly flagged as Hackerware). I just never let Hitman Pro remove anything SAS or MBAM doesn’t flag. And I won’t pay for something (removal) which I can do manually myself for free, or with actually free scanners or other truly free utilities. Did I mention I prefer totally free software? 😀

        So, while your graphic does show a disagreement among scanning engines about the safety of a code sample, I don’t see what your point is with regard to whether or not SAS has slipped in its effectiveness in detecting and removing malware. The connection seemed strange to me when I first saw the post, and I thought it best to leave well enough alone and ignore the post, as I don’t understand what point you were trying to present there.

        A more appropriate post would be the results of recent independent lab testing (or references) showing that indeed, SAS has slipped in its effectiveness, and give readers an opportunity to check out the results and decide for themselves which AV/AS product(s) to trust and use.

        For myself, I find SAS to be adequate as an adjunct to other AV products when used as a second-opinion scanner. Malwarebytes also serves in this role on my Windows XP laptop, alongside of MSE and SAS. Avast last I tried it could not live within the 512MB of System RAM on that laptop, so I can’t dump MSE, even though I’d really like to. MSE has slipped lately, too.

        I’m not really disagreeing with you. I just want better examples, more to the point.

        FWIW, when two scanners disagree, and a third scanner makes no recommendations, unless I know the program to be harmless, I let it be removed. Unless there are reports in my online readings of a notorious false-positive, such as when MBAM some time ago flagged a vital Windows System component as malicious, and taking its Threat Rating too seriously would have bricked the computer. That one almost got me, but I distrusted the Predictive Heuristics (it was in the mid-range of the scale, possibly 44 percent or so), and I did some Web research which revealed the false nature of that Threat Rating. So much for Predictive Heuristics! 😉 This was not an isolated instance, either.

        -- rc primak
