Antispyware apps vie for top spot

Antispyware apps vie for topspot

By Brian Livingston

Things are moving so quickly in the world of spyware that the major computer magazines should really retest all antispyware applications every three months or so. Fortunately, three new reviews have come out just in the past week to give us fresh results.

Nothing should surprise me any more, but this did: The three reviewers each picked a different antispyware app to receive the magazine’s top score.

InfoWorld Magazine lauded an integrated package from F-Secure, while ranking the well-known Sunbelt CounterSpy Enterprise only fourth out of 10 contenders. Network Computing, by contrast, found CounterSpy the best, rating the F-Secure product only fifth out of seven products. Meanwhile, PC Magazine gave the most points to, of all things, Microsoft AntiSpyware Beta.

Does this mean all three reviewers are wrong? Or are all three right?

F-Secure heads InfoWorld list

InfoWorld tested 10 corporate antispyware packages, which are designed to protect as few as five workstations up to thousands. These business-oriented versions, which cost about $20 to $30 per year in quantities of 100 seats, are not designed for home use. But good ratings for an enterprise-level product suggest that the same company’s single-user version might also be strong.

In the weekly magazine’s Sept. 19 issue, reviewer Keith Schultz gave the top score to F-Secure Anti-Virus Client Security 6. “It has the best real-time protection of any products in this roundup, stopping all attempts,” he says. The bundle combines antivirus, antispyware, and personal firewall protection.

InfoWorld’s ratings for F-Secure and the other contenders are:

• F-Secure Anti-Virus Client Security 6 (Score: 9.3/10.0)
• Webroot Spy Sweeper Enterprise 2.5 (8.8)
• LANDesk Secuity Suite 8.6 (8.7)
• Sunbelt CounterSpy Enterprise 1.5 (8.5)
• SurfControl Enterprise Protection Suite (8.3)
• McAfee VirusScan Ent. 8.0 w/Anti-Spyware (8.2)
• Trend Micro Anti-Spyware for SMB 3.0 (8.1)
• CA eTrust PestPatrol Anti-Spyware Corp. 5 (7.6)
• Eset NOD32 2.5 Antivirus System (7.2)
• Tenebril SpyCatcher 4.0 (beta, not rated)
 
CounterSpy rules at Network Computing

Only days later, CounterSpy Enterprise walked away with the Editor’s Choice award from Network Computing, which, like InfoWorld, has an invitation-only circulation.

CounterSpy’s “spyware detection and prevention were excellent,” says reviewer Christopher Beers, a systems operations manager for Time Warner Cable Broadband. “The number of unwanted running processes also was drastically reduced, more so than with the other products we tested.”

Network Computing’s Sept. 22 issue gives the following scores to the seven packages tested:

• Sunbelt CounterSpy Enterprise 1.5 (Score: 4.28/5.00).
• Trend Micro Anti-Spyware for SMB 3.0 (4.15).
• Webroot Spy Sweeper Enterprise 2.1 (3.85).
• McAfee VirusScan Ent. 8.0 w/Anti-Spyware (3.78).
• F-Secure Anti-Virus Client Security 6 (3.63).
• Lavasoft Ad-Aware SE Enterprise (3.00).
• CA eTrust PestPatrol Anti-Spyware Corp. 5 (2.70).

According to the magazine, seven other companies declined to participate in the testing: Determina, Eset, Microsoft, Omniquad, Panda, SurfControl, and Tenebril.
 
Free MS tool is cool with PC Mag

Rather than testing antispyware software for networks, PC Magazine goes to the other end of the spectrum, reviewing in its Oct. 18 issue three single-user utilities that are free of charge. (This article does not yet appear to be posted at PCMag.com.)

Microsoft’s AntiSpyware program, currently in beta testing, got the highest score, although that was merely 3.5 stars out of a possible 5.0. “We found it quite effective at removing spyware, but less so at blocking initial installations,” says lead analyst Neil Rubenking.

Microsoft’s flawed spyware blocking was enough, though, to beat out the other tested products, Ad-Aware SE Personal and Spybot Search & Destroy. The free versions of those two products offer no real-time protection at all.

PC Magazine’s tepid ratings for the latter two utilities shows the sad decline of these products, which a year or two ago could slay almost any adware or spyware in circulation:

• Microsoft Windows AntiSpyware (beta, Score: 3.5/5.0)
• Lavasoft Ad-Aware SE Personal 1.06 (3.0)
• Spybot Search & Destroy 1.4 (2.5)

My advice: pay a little and get the best

Although Microsoft AntiSpyware didn’t get an Editors’ Choice award, its top score in PC Magazine implies an endorsement. That’s unfortunate.

As I reported on July 14, Microsoft’s malware detector no longer recommends that end users remove adware by Claria, 180Solutions, WhenU, and many others.

The reason seems to be that these programs do display an OK button in a vague dialog box before they’re installed. Clicking this button supposedly binds you to the adware’s end-user license agreement. Microsoft wants above all for EULAs to be seen as legitimate, no matter what may be in them.

Antispyware is so important that it’s a category of software you shouldn’t expect to get for free. The cost is a mere $20 per year for the personal version of CounterSpy, and its enterprise version runs as low as $11 per year for 1,000 seats (including first-year support). F-Secure’s bundle costs only a little more: about $30 per year per 1,000. To prevent the theft of your banking passwords or your very identity, $1 or $2 a month is well worth paying.

Because these products are complex, it’s understandable that different, respected reviewers often come up with different results. For this reason, I read as many reviews as I can before reporting in the Security Baseline, which appears below, that any particular product is "top-rated." When serious reviewers differ, I list whichever product earns the largest number of positive results.

In the case of antispyware utilities, the personal version of CounterSpy has been top-rated by both Laptop Magazine and PC World. In addition, the enterprise version has earned the top rating from three major magazines: eWeek, Windows IT Pro, and now Network Computing.

For these reasons, CounterSpy remains the champ in the Security Baseline’s antispyware category. If and when some other product wins more ratings, that product will take the throne.

ZoneAlarm copes with complexity

I reported last issue that Zone Labs had released an updated 6.0 version of its product line, including ZoneAlarm Pro and ZoneAlarm Security Suite. Version 6.0.667 (Sept. 6) was said by Zone Labs representatives to correct install problems with version 6.0.631 (July 21). This was confirmed by several ZoneAlarm users who frequent the company’s online user forum.

Since that time, I’ve received more than 100 e-mail messages about this, some from ZoneAlarm users who had no problems or easily corrected them, others from unhappy customers who are still experiencing show-stopper headaches.

In a telephone interview, ZA product marketing manager Jordy Berson confirmed that 6.0’s novel "operating system firewall" and its new antispyware capabilities could conflict with other security products. "Because we just released this brand new technology, we’re seeing issues with vendors that we’re working out," Berson says. Fortunately, most ZA users aren’t bumping into these conflicts, he added, saying the number is similar to previous "point-oh" rollouts.

The problems readers are running into seem to fall into four broad categories. Berson provided me with detailed responses to try to resolve ZA user’s complaints:

1. ZoneAlarm allegedly reduces a 3GB Windows swap file to 2GB.

Berson: “Our developers and QA [quality assurance] can’t think of how we would affect the file in this way. Could it be another factor on these computers? If these users contact support, we would certainly be happy to continue investigating the cases, though.”

2. Two readers say ZA cuts their cable download speeds almost in half.

Berson: “While it’s true we have some performance slow-downs, we’ve never seen anything of this magnitude. We have a performance testing lab dedicated to monitoring performance in all kinds of conditions. We do see consistent, slight drops in performance due to the extra processing the firewall does to monitor traffic and protect the computer. But it’s very slight — and generally not noticeable by customers.”

3. ZA repeatedly reboots one reader’s PC when PrevX is also running.

Berson: “The OS firewall goes where other firewalls don’t in order to offer the kernel-level protection and advanced security it does. … The combination of this new, powerful technology, and a world where software can be written to various standards by so many different companies, unfortunately can result in compatibility issues such as these. Fortunately, the issues seem to hit a very small number of our users, but we are still taking the issues seriously and correcting things with other vendors as quickly as possible. Until fixes occur, a user can turn the OS firewall off or consider not running the conflicting product.”

4. ZA, bundled with CA EZ Armor, rewrites HTML and truncates it at 256 KB.

Berson: “Our privacy feature does modify HTML code in order to strip out advertisements and other unwanted content. This is a very simple and low-impact operation that, inasmuch as we’ve seen so far (in 3+ years of operation with no fundamental code changes), wouldn’t have the effect this user is describing. If this customer writes to support, we can try and hone in on the problem.”

For my part, I’d like to emphasize that you should never have two real-time scanning operations — such as a software firewall, antivirus, or antispyware — running at the same time. Enable only one program in each category. It’s fine to let two or more programs periodically scan your hard drive for spyware. But schedule each app to run its disk scan at a different time of the day.

Berson encourages everyone who’s having problems with ZoneAlarm to get help through the company’s support page at ZoneLabs.com/tsform. But he went much farther than that.

Berson invites any reader of the Windows Secrets Newsletter who doesn’t get a solution from support to send e-mail to him personally at JBERSON AT ZONELABS DOT COM. Now that’s what I call going the extra mile to help customers.

Complete descriptions of the problems described above, including remarks about problems that were successfully resolved, are in the paid version of today’s newsletter, below.

To send us more information about Windows security software, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.

New digital cameras produce new reviews

By Vickie Stevens A number of new camera models have been introduced this month by major manufacturers, including Sony, Casio, and Canon. New cameras mean new reviews, and this week we have five. It’s camera showdown time! Other new releases for this fall include a crop of new MP3 flash players and DVD drives.

		ULTRA-COMPACT DIGITALCAMERAS Sony awarded T3’s Best Buy The editors at T3 Magazine review five of the newest and smallest cameras on the market. Two models tie, receiving the magazine’s highest rating (the Sony Cyber-Shot, photo at left, and the Samsung Digimax). But only the Sony comes away with the Best Buy award. Sony Cyber-shot DSC-T7 (Best Buy, Score: 5.0/5.0) Samsung Digimax i5 (5.0) Link to all ratings and full review
		DIGITALCAMERAS Synch names favorites in digicams The editors at Synch Magazine try out 10 digital cameras, ranging from expansive D-SLRs to ultra-compact models. The mag doesn’t give numerical scores in its reviews, instead pointing out the best aspect of each unit so you can pick the one that fits your particular needs. Canon PowerShot SD450 (Best for feeble eyes) Link to all ratings and full review
		DIGITALCAMERAS Canon ranked highest by Digital Photography Digital Photography Magazine delivers a hands-on review of 16 of the latest digital camera offerings available. Canon’s newest digital SLR receives the highest rating among the variety of cameras tested. Canon Digital Rebel XT (Score: 9.4/10.0) Link to all ratings and full review
		DIGITALCAMERAS Four cameras get special recognition PC Magazine compiles a list of all-time favorite digital cameras, for those looking to upgrade to a full-featured, high-quality model. Four cameras take the lead, bearing Editors’ Choice awards in three feature-specific catagories. Canon EOS 20D (D-SLR, Editors’ Choice, Score: 5.0/5.0) Nikon D50 (D-SLR, Editors’ Choice, 5.0) Panasonic Lumix DMC-FZ30 (Superzoom, Editors’ Choice, 4.0) Canon PowerShot SD500 Digital Elph (Ultra-compact, Editors’ Choice, 4.0) Link to all ratings and full review
		POINT-AND_SHOOT DIGITALCAMERAS New Casio takes over top spot The editors at PC World Magazine put new point-and-shoot cameras through a battery of tests. The new 7.2-megapixel Casio Exilim and the HP Photosmart come out ahead of the pack. Casio Exilim EX-Z750 (Best Buy, Score: 4.0/5.0) HP Photosmart R717 (Best Buy, 4.0) Link to all ratings and full review
		DVDWRITERS Plextor DVD wins PC Pro lab tests New-model DVD drives now offer dual layer support and write speeds of 16X. PC Pro Magazine puts 12 new DVD drives to the test to find out whether these products can deliver on their promises. Plextor PX-740A (Labs winner, Score: 6.0/6.0) Lite-On SOHW1693S (Value, 6.0) Samsung SE-W164 (Recommended, 5.0) Link to all ratings and full review
		FLASH MEMORY MP3PLAYERS Three-way tie among CNET’s player picks The new Apple iPod Nano joins the crowded top spot in CNET’s latest flash MP3 player review. Along with the iPod, the Cowon iAudio and the Samsung Yepp earn praise from the editors. Apple iPod Nano (Editors’ Choice, Score: 8.3/10.0) Cowon iAudio U2 (Editors’ Choice, 8.3) Samsung YEPP YP-T7X (Editors’ Choice, 8.3) Link to all ratings and full review —————— For non-U.S. sources of information on a product reviewed above, enter the model name into a search box at one of the following links: Canada / U.K. / Elsewhere The Index of Reviews summarizes only head-to-head comparative tests by respected industry reviewers, not individual ratings of single products. Vickie Stevens is research director of WindowsSecrets.com.

Readers debate ZoneAlarm pros and cons

By Brian Livingston

My readers are reporting both that the new ZoneAlarm 6.0 family of products is working fine for them and that serious incompatibilities can occur.

As part of this issue’s top story, above, I quote ZA product marketing manager Jordy Berson that only a minority of users are experiencing problems. He says they’re no more prevalent than during previous “point-oh” releases of Zone Labs’ admittedly complex products.

That’s probably correct, but if ZoneAlarm is making your PC, say, repeatedly reboot, it’s not very comforting just to know that most other users aren’t feeling your pain.

In the comments below, I’ve included some positive experiences as well as several negative ones people have reported with ZoneAlarm’s new version 6.0 products. Please see Berson’s comments, above, for Zone Labs’ technical responses.

Clean install resolves e-mail problem

Reader Richard Hovey writes that he was able to fix a thorny problem (with a little encouragement from some of us here at Windows Secrets HQ):

• “I began downloading the new version and then discovered that it’s the one I already have installed over the previous version. Since then, I’ve been unable to get my POP3 e-mail using Outlook without disabling ZA. I only get a message saying the connection to the server was interrupted, 0x800CCCOF. …

  “I have just finished uninstalling Ver …667 (the /clean switch would not work with the uninstall of this version) and successfully reinstalled it from the same download used a week or so ago. There appears to be no conflict with my e-mail now. Thanks to Brian and you [research director Vickie Stevens] for this help.”

Can ZA really reduce a fixed-size swap file?

Reader Wes Dansro has experience with ZoneAlarm changing his swap file size, which is something Zone Labs officials say isn’t a normal function:

• “ZoneAlarm appears to alter the size of the Windows swap file. I did a clean install of windows XP SP2. My machine has 2GB RAM, so I set the swap file to the Windows recomended 3070MB.

  “All is fine with the system. Windows firewall is on and performace is great. Then I install ZA suite 6.0.667 and the swap file gets cut to 2047MB and performance goes to heck. I have duplicated this on other systems.

  “I contacted tech support at Zone Labs and they told me that there is nothing in the code to change the swap file size. I wrote back and offered documention, but they ignored my offer and did not write back. I am thinking of going back to Norton.”

Software firewall conflicts with VPN

Robert Miller finds that ZoneAlarm and Cisco virtual private networks don’t play well together:

• “I keep testing various security suites for my use and my company’s use. To date, none have provided a safe operating environment that I feel comfortable working in — I agree that something is better than nothing.

  “For normal, non-VPN activity, all seem to work well, except McAfee, which is a total dog. I have not tried CA’s eTrust, mainly because I do not feel that I can trust CA and I know of people who have used it and did not like it.

  “My main issue with Norton is that it would cause my system to randomly blue-screen (Windows XP) when accessing various resources on my company’s VPN (Cisco VPN). This was readily reproduced when accessing our Microsoft Visual Source Safe databases. A friendly problem report to Norton elicited a worthless response.

  “I tried ZoneAlarm Security Suite about a month ago and found my VPN connections would not work when the ZoneAlarm firewall was active. A check of the Zone Alarm knowledge base showed that this is a known condition and the answer is to turn off the firewall when connected through a Cisco-based VPN. It seems that parts of the Cisco VPN and ZA firewall are based on the same technologies and they are not able to be active at the same time (simple, short version). Since I spend much of my time attached to a VPN (most are through Cisco) this made the Security Suite not a viable purchase.

  “Besides, who wants to manually disable and enable their firewall each time they make a VPN connection?

  “I have an antivirus solution running already (that part of Norton stayed, as I had already paid for it), and I religiously run CounterSpy along with SpyBot.

  “I like ZA Security Suite, but not at the cost of having to disable the firewall each time I use my VPN — which means it would be off 99.9% of the time.

  “I use the Norton Suite on all of my other systems (four other systems), but I am considering changing over to ZA when the current subscriptions run out.”

In my office, I use a WatchGuard hardware firewall. This supports a VPN so I can securely log on to my Windows 2003 Server from hotel rooms when traveling.

Personal firewalls tend to conflict with VPN software, so I turn off ZA when I have the VPN going. To protect my laptop from evil port scans, I enable XP SP2’s built-in Windows Firewall before starting the VPN session. Windows Firewall is just one-way, but that’s enough to protect a laptop against intrusions from outside. I then reverse the process after closing the VPN, so ZA’s two-way firewall can again protect me against any sneaky Trojans that might try to call out.

‘Stop all Internet activity’ stops intranet, too

A reader named Bob writes in with what I believe is a reasonable feature request for the folks at Zone Labs:

• “Since you seem such an ardent ZoneAlarm fan, thought I’d drop you a note about one large shortcoming in the program.

  “If you use it to disconnect from the Internet by using either ‘Engage Internet Lock’ or ‘Stop All Internet Activity’ (the two seem to perform identical functions), it does so using brute force by disabling the entire TCP/IP stack. This means that it also stops all communication on the internal network — no filesharing, no printing to a network printer. This is just dumb. I’ve posted to their forum and asked tech support, and there seems to be no way around this.

  “Well, actually, there is a way, but it’s both cumbersome and inefficient. You have to install the obsolete, slow, chattery NETBEUI protocol on every machine, and you have to have a print server that supports the protocol as well. The problem with that is that NETBEUI never shuts up, constantly spewing meaningless traffic on the network, slowing everything down.

  “A product this mature should easily be able to disconnect from the Internet while allowing ‘trusted’ intranet traffic to keep working.”

Cable download speeds drop to 2400 Kbps

Reader Donald Stimson is one of two readers who’ve conducted extensive experiments and found that ZA seems to cut sharply into their cable-based Internet access:

• “I have found that ZoneAlarm significantly affects my cable Internet download speeds. With the latest version of ZoneAlarm (free edition) installed, my downstream connection speed is around 2400 Kbps. With ZoneAlarm uninstalled (not just made inactive), my downstream speed is around 4500 Kbps. I have high speed cable Internet service from Comcast in the Seattle area.

  “Apparently, this has been an issue with ZoneAlarm since version 4.5. See this message thread.

  “I’ve done some searching in regards to this issue, and it’s unclear how many users this problem affects. I don’t know that ZoneLabs can reproduce it. There may be some kind of conflict with other software on my system and those others for whom the problem exists.

  “To tell you the truth, I would never have known I had a problem had I not done a speed test on www.broadbandreports.com to see what speed I was actually getting in order to compare to a rival DSL high speed offer. After seeing a lower speed than I expected, I went in search of why. So, I doubt that the casual user would ever notice if they were only getting about 50% of the bandwidth they should be getting.

  “Note that this is different than the ‘overhead’ that I think you are referring to. This is not a marginal decrease in bandwidth, and it is not normal or intended. It is also not experienced by everyone. It is a signficant enough issue that I think ZoneAlarm users (and those who recommend its use) should be advised of it and how they might check whether or not they are affected.

  “I have reluctantly switched over to the McAfee personal firewall, since my ISP offers it free of charge.”

Privacy checking affects HTML of Web pages

Reader Burton Strauss finds that ZoneAlarm’s privacy-protection features are having more of an effect on HTML pages than he’d prefer:

• “I know you are high on ZA, but it has some real problems with large pages, at least in the version CA packages with EZ Armor (which appears to be 5.1?).

  “In order to perform privacy checking, ZA does an ‘invisible’ rewrite of Web pages, adding a pre- and post-amble to every page.

  “When they are done, it looks something like this:

  <!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN” “http://www.w3.org/TR/html4/loose.dtd”>
  <HTML>
  <HEAD>
  …
  <script language=”javascript” src=”http://127.0.0.1:4037/js.cgi?pcaw&r=18467″></script>
  …
  </head><body link=”blue” vlink=”blue”>
  …
  <script language=”javascript”>postamble();</script>
  </BODY>
  </HTML>

  “Quite apart from the issue of running an unexpected ‘Web server’ on every host, the internal buffer is only 256KB or so. Now I know that 256K is a big Web page, but in my case it’s an automated xvert of a large FAQ. Anyway, these large pages just tracelessly get truncated, with bad results (hangs, chopped pages, bad markup), which are most frequently blamed on the browser.

  “Turn off ZA (EZ Armor), pages are fine. Turn it on, pages die. I know where the blame lies… Neither CA nor ZA has shown any interest in fixing these. ZA because I’m not their customer and CA because it’s not their code…”

For even more on ZoneAlarm, see Michael Horowitz’s Computer Gripes page.

Readers Hovey, Dansro, Miller, Bob, Stimson, and Strauss will receive gift certificates for a book, CD, or DVD of their choice for sending me comments that I printed.

Resurrect your deleted files and photos

By Woody Leonhard

Of all the Windows tricks I’ve encountered over the years, the following tip has saved so many of my friends, so many times, that it deserves a permanent spot in the Windows Secrets Hall of Fame.

Believe it or not, if you accidentally delete pictures in a digital camera, Windows can help you get them back. The method isn’t entirely foolproof. But if you’ve just deleted your son’s first birthday party pics, and you didn’t keep a backup, there is hope. Best of all, the photo-undelete utility I like best doesn’t cost a penny.

Simple ways to screw up your pics

Have any of the following things ever happened to you?

• You were looking through the pictures on your camera, probably trying to zoom or rotate one of them, when you accidentally hit the wrong key and deleted the picture. Ooops.
• You had to adjust a few camera settings, the phone rang, you dove to pick it up, and in the process you somehow managed to re-format the disk.
• You transferred all of the pictures from your camera to your computer, and the computer’s hard drive conveniently turned belly-up.

Don’t tell anybody, but I’ve blown away pics all three ways. In the course of a week.

Where photos go when they die

Cameras don’t have fancy file systems. They use plain, old, simple FAT — the File Allocation Table that was pioneered in the original version of DOS, about a hundred years ago. (Rumor has it that Bill Gates hisself wrote much of the code for FAT.) Camera FAT works with memory cards much like DOS FAT worked with floppy disks and, later, those gigantic 2 MB hard drives.

While FAT has few redeeming social values, one of its great virtues lies in the way that it deletes files. Er. Um. Actually, in the way it doesn’t delete files. Cameras (via FAT) divvy up their memory card space into fixed-size chunks. When you take a picture, the camera grabs enough unused chunks of the memory card to hold the picture, transfers the picture from the camera’s computer to the card, and marks the chunks of memory as being “in use.” Easy.

When you tell your camera to delete a picture, it doesn’t really delete anything. It just changes the first character of the file name to a reserved character that signifies, in effect, “the next time you need a chunk of memory, you can use all of the chunks that used to belong to this picture.”

File-undelete programs take advantage of the fact that the data — your picture — isn’t actually deleted until the camera needs to re-use the space on the memory card. With a bit of luck, you can even recover pictures that you took a long, long time ago.

How to get your pictures back

Step 1. Don’t use the camera! More precisely, don’t use the memory card that holds the pictures. Every time you use the memory card — on some cameras, every time you stick the memory card back in the camera — you stand the chance of over-writing some of your old pictures.

Step 2. Go to the SnapFiles Restoration site and download the latest version of a program called Restoration. While Restoration isn’t the fanciest file-undelete program on the block (see the next section for that), it works very well, and it’s 100% free. (My thanks to Brian Kato for giving away such great software!) Restoration doesn’t have an installer — it’s a simple, zipped .exe program. If you have a key disk, it’s well worth schlepping Restoration around as part of your emergency bag of tricks.

Step 3. If the card is still in the camera, connect the camera to your PC in the usual way (probably through a USB port). If the card is out of the camera, buy or borrow a card reader, stick the card in the reader, and connect the reader to your PC. You can pick up good quality multi-format card readers for much less than $10, at any computer store.

Step 4. Double-click the downloaded file, which will have a name similar to Rest2514.exe. Restoration asks for a location to place a folder such as REST2514, which will contain all of the program files. In the Extract To dialog box, click Reference and choose a good location (such as c:Program Files). Then click OK.

Step 5. Find the folder you extracted, then run Restoration.exe. For example, if you extracted to c:Program Files, you need to run the following program:

“c:Program FilesREST2514Restoration.exe”

Step 6. Follow the on-screen instructions to find and recover the deleted files.

You always have other options

Restoration only restores one file at a time — which can be terribly time-consuming if you deleted all the pictures on that fancy new 2 GB card. Restoration can also be a bit snarly to work with, particularly because of its bare-bones interface. I know of two good alternatives to Restoration, but they’re both pricey:

File Scavenger from QueTek has a vastly superior user interface, although there’s no way to view files before undeleting them. That’s particularly vexing because cameras have such clever methods for naming files — it’s hard to choose between, say, Img000213.jpg and Img000214.jpg when you don’t know which picture is which. The free demo version of File Scavenger will only recover files up to 64 KB in size, which is much too small for testing with camera photos. The paid version runs $45.

Recover My Files Data Recovery from GetData Software clearly takes the top spot on the undelete heap. With a full-fledged user interface, including previews, Recover My Files even lets you burn recovered files directly to CD or DVD. The demo version lets you see your pictures, but doesn’t let you save them. The full Recover My Files runs $69.95. It’ll undelete files on just about any imaginable kind of storage medium. If you want the camera-only Recover My Pictures version, it’s just $29.95.

Woody Leonhard‘s latest book is Windows XP Hacks & Mods For Dummies, published by Wiley.

Symantec report errs on Firefox security

By Chris Mosby

Symantec recently released volume eight of its semiannual Internet Security Threat Report. That report, among other things, stated that Mozilla Web browsers are potentially more vulnerable to attack than Microsoft’s Internet Explorer.

Symantec based this assessment solely on the number of browser vulnerabilities that’ve been disclosed so far in 2005. The report claimed out that there were almost twice the number of “vendor-confirmed” vulnerabilities for the Mozilla browsers, compared with IE in the same time period. The report also asserted that more of the Mozilla vulnerabilities were high-risk than the holes that are currently known to exist in IE.

Let’s compare oranges with oranges

In my opinion, this report is completely misleading. It doesn’t say how many Mozilla flaws have been fixed, versus the corresponding number of flaws that were fixed or unfixed in IE during the same time frame. It also makes no mention of all of the vulnerabilities that have been discovered for IE through this year, let alone the ones that Microsoft has still not patched.

I find it very simplistic that Symantec merely counted some raw numbers and misjudged Firefox as though the figures were comparable. If you look at Symantec’s own online list of security advisories, there’s no mention of Mozilla products at all. But there are plenty of entries for Microsoft software.

Firefox vs. IE, by the numbers

To look fairly at Firefox 1.x security, compared to IE 6.x security, you need to go farther back than just 2005 to date. Some IE vulnerabilities, after all, go back as far as two years, but still remain unpatched by the Redmond software giant.

Using the Secunia Web site as a source, here are some graphs that give a bigger picture of browser security than the Symantec report did. [Editor’s Note: A new IE flaw, rated "moderately critical" by Secunia, was acknowledged this week by Microsoft and does not appear in the figures below. –Brian L.]

First, 70 vulnerabilities have been discovered for IE between January 2003 and September 2005 — 2.1 per month:

Compare that to the 24 Firefox vulnerabilities during the same time period. Since public beta releases of Firefox 1.0 weren’t widely available until mid-2004, that’s about 1.7 per month:

You can see that IE clearly has more vulnerabilities under its belt, even considering that it’s been around a lot longer. However, as I’ve said earlier, just these raw figures don’t mean anything.

The evidence adds up against IE

The next point the Symantec report examined was the severity of the browser vulnerabilities. Here are the numbers for IE:

At the time of this writing, 43% of the 69 vulnerabilities — almost half — for IE are rated by Secunia as highly to extremely critical (colored orange and red in the pie chart).

When you look at Firefox, the numbers tell a different story:

This information shows a clearer picture. Looking farther into IE’s checkered past — the one Symantec chose to ignore — it’s quite clear that the percentage for IE vulnerabilities that are highly or extremely critical is larger. It’s 43% for IE, compared to 29% for Firefox. In raw numbers, it’s 30 serious holes found in IE compared to 7 found in Firefox.

Even this comparison, however, still doesn’t reflect the relative safety of the two browsers as they stand today.

Which flaws got fixed is crucial

Finally, the raw numbers above are the only kind of information that Symantec used to support its comments about Firefox. These numbers are actually useless unless you also look at the number of vulnerabilities that each vendor has actually fixed. This is where the pieces of the puzzle finally come into place.

When you examine IE’s numbers, here’s what you find:

From this, you see that 19 of the 70 IE vulnerabilities (29%) don’t have a patch — and not even a partial fix or workaround. Of the 19, around 8 can be assumed to be risks that are highly or extremely critical (based on the percentages shown above).

Firefox is simply not as dangerous as Symantec would have you believe:

Now you’re seeing the real story. These numbers clearly show that only 13% of Firefox’s reported vulnerabilities are unpatched. This translates to only 3 unpatched vulnerabilities, and only one of those is in the highest risk category.

I don’t know about you, but from where I sit, Symantec’s comments about Firefox just don’t add up.

Don’t forget what we don’t yet know

On top of all that, there are vulnerabilities that have been discovered in IE, but the general public doesn’t have vendor confirmation of them yet.

eEye Digital Security publishes a list of vulnerabilities that the security firm found and has privately reported to the appropriate vendors. Looking at this rogue’s gallery of problems, you see several listings related to Microsoft. The oldest of these is for IE, it’s high severity, and it’s going on six months now without any kind of resolution. I wonder how long this hole will stay a secret (if it isn’t known to hackers already).

Given Microsoft’s last-minute cancellation of a patch scheduled to be released on Sept. 13 (unspecified incompatibilities were blamed), it makes you wonder how many more IE holes there are that we don’t know about.

The real question is this: Are hackers as much in the dark about these undisclosed vulnerabilities as we are? In my view, the risk of using Firefox is relatively low, but the risk of IE is very real.

Chris Mosby is a contributor to Configuring Symantec Antivirus Corporate Edition and is the Systems Management Server administrator for a regional bank. In his spare time, he runs the SMS Admin Store.

^

What's a girl to do with no patches?

By Susan Bradley

Normally, my second column of the month is my “clean up your patch details” column. (The first column of the month deals with the problems that beset us from Microsoft’s Patch Tuesday.)

Since this month started with a “no-patch Patch Tuesday,” I thought I’d be reduced to writing about fashion tips from the Emmys or discussing the season premieres of my favorite television shows.

Well, I’m happy (sad?) to say that I do indeed have "patch issues" to report on.

Patches get complicated for Exchange and SBS

Noncritical patches for Exchange 2003, described in KB article 888619, and Exchange 2000, KB 892986, were released via Microsoft Downloads on Sept. 23. For SBS 2003 boxes with Microsoft Update or WSUS (Windows Software Update Services), patching causes a couple of issues in some servers.

The first is that some servers stop some Exchange services and dodn’t restart them — even though Microsoft’s KB article states that the patch does not require a reboot.

The second interesting turn of events affects those SBS 2003 instances that have not yet deployed the full SBS 2003 SP1, but have deployed only the Exchange 2003 SP1 patch. On many of these machines, the new patch makes the system revert to needing the full domainusername when logging into Outlook Web Access. After reapplying the KB to these affected boxes, they revert back to their Pre KB 888619 behavior.

Now, in fairness regarding the rebooting issue, those of you who have Automatic Updates turned on at the server are doing yourselves a disservice, in my personal view. I don’t mind having workstations automatically deploy patches, or even install nonsecurity patches in an automated manner. But I’d rather that my servers, my domain controllers, and anything else that serves up data not deploy patches automatically. I’d rather know what patches are being installed.

As it was, we had to scrutinize Microsoft’s downloads site to confirm the patch that was being deployed and what it meant. Yes, the security bulletins are well documented, and the notifications are quite well done. But as we transition over to WSUS and Microsoft Update, choosing to automatically install practically everything will wind up getting us patches that are not security-critical but do have negative side-effects.

I would strongly recommend for your servers that, if you turn on Automatic Updates, you only choose to download them and not immediately install them.

Got BSOD? Get thee new drivers!

In the newsgroup that I hang around in, people often post a portion of an error message that we geeks refer to as BSOD — the Blue Screen of Death. The screen color is so intense that you don’t even need a picture to know what I’m talking about.

Many BSOD issues are hardware or software driver related. KB 905539 is no exception.

If you have a server running PCAnywhere and an affected version of Symantec Antivirus, you need to contact Symantec for new drivers. As I’ve stated before, I don’t like to download drivers from Microsoft Update. I much prefer visiting the vendor’s Web site for software or hardware driver updates (it’s safer).

Firefox isn’t perfect, but patches come fast

As I reported last issue, Firefox has come under fire (no pun intended) for having its own patched and unpatched security issues, as listed on the Secunia site. (See Chris Mosby’s analysis, above.)

If you haven’t updated to the 1.0.7 version of Firefox, which was released on Sept. 21, I’d strongly recommend you do so soon. See the Mozillazine discussion of the new release, which reportedly can be installed over previous versions without first uninstalling them.

Besides Firefox, I want to mention one other browser out there that many of us in the industry tend to gloss over. It’s called Opera. Its track record so far beats both Internet Explorer and Firefox in having few vulnerabilities. Even better, Opera has changed its policy and the browser is now available for free without ads. The fee to register and get rid of the ads was always a stumbling block for Opera. The new, unbeatable price opens the door for the scrappy underdog to join the browser wars without financial issues stopping its potential users.

False positives affect Spybot and ActiveX

One of the most annoying issues that a computer user has to deal with is when a piece of software that was working fine suddenly isn’t.

This week, we found that the Spybot antispyware program flagged the Microsoft Remote Desktop Active X control as spyware. This effectively disabled the control in your system.

To renable it, newsgroup poster JJDavidson points to the fix and to a Registry change that you can deploy easily. Sometimes the cure is indeed worse than the disease.

SP2 for Office 2003, SharePoint released

Microsoft released Service Pack 2 for Office 2003 on Sept. 27. This pack includes everything that was in Office 2003 SP1 and many other updates.

On the same day, SP2 for Windows SharePoint Services came out. This also incorporates SharePoint’s own SP1.

I’ll have the prognosis next issue if (when) problems with these packs come out. Woody Leonhard has already posted an instant analysis of the Office service pack, and it isn’t all smiles. For official information, see Microsoft’s download details page for Office 2003 SP2 and the problem reports in KB articles 906323 and 873125. Also see Microsoft’s page on SharePoint Services SP2.

Hacked MS Access files can infect you

A new technique that exploits a weakness in Microsoft Access can infect a PC that opens an infected file, according to a Sept. 28 warning by Harry Waldron, a recipient of Microsoft’s MVP (Most Valued Professional) award.

"It’s unusual to see an infected Microsoft Access document as a source for malware," Waldron says, while adding that the technique is not yet widely distributed. His bulletin doesn’t include links to new antivirus signature files, but Symantec says it started downloading signatures for the Trojan, named Backdoor.Hesive, on Sept. 28.

Beware of the latest Web scams

With first Hurricane Katrina, and now Rita, the Internet is rife with frauds and rip-offs. Be sure you donate responsibly. Check the “What’s New” page on the Snopes Web site for the latest urban legends, scams, and what not.

Being aware is your best protection on the Internet. I hope that, in some small way, this newsletter can help in that process as well. Feel free to send your comments by e-mail. I always welcome feedback on ways to make the newsletter better.

Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.

OkCupid plays free Internet matchmaker

OkCupid plays free Internet matchmaker
There are plenty of "find a partner" sites on the Web, such as Lavalife and Match.com. But OkCupid provides a wacky alternative, with services that it says will stay permanently free and an interview technique that produces outrageously intimate revelations from many of its members.

The site is based on those multiple-choice tests that seem to be wildly popular with bloggers, such as the How Much of a Virgin Are You? Test. A lot of blog-o-buzz arose this week over the new Politics Test, which plots you on a 2-dimensional graph.

Without any advertising, OkCupid has grown to 193,000 registered users in the past few months, according to the service’s Wikipedia entry (which sounds exactly like it was written by the founders themselves). After you’ve answered 500 questions, which is more fun than it sounds, you can submit your own, like member darkendstar (pictured at left with profile), who discloses that she has 15 piercings.

The service is the invention of four Harvard and MIT grads who previously built SparkNotes.com and sold it to Barnes & Noble. You just might find a match in your Zip or postal code — if you’re willing to answer a few simple questions. OkCupid