Spyware Warrior

[eburger68]

Hi All:

I was recently supplied a complimentary license for Enigma's SpyHunter, allowing me to test it more fully than Suzi and I have been able to up until now.

As Suzi noted in a recent blog entry ( http://www.netrn.net/archives2/000639.html ), SpyHunter does seem to recognize a lot of spyware/adware programs. Moreover, our testing has not uncovered the same proclivity for false positives that so many other dodgy anti-spyware applications demonstrate. The big question, of course, was how well SpyHunter would acquit itself at removing spyware and adware.

TEST DESCRIPTION

To put the full version of SpyHunter to the test, I installed the latest version of Grokster, a P2P app notorious for bundling a heavy load of spyware/adware:

http://www.download.com/3000-2166-10237041.html

I was not disappointed in the least. The grokstersteup.exe stub downloader installed an impressive array of crapware on my test system:

* 411Ferret
* AdRoar
* Altnet/BDE
* BroadCastPC (BTV)
* Claria/Gator/GAIN
* Cydoor
* Marketscore/Netsetter
* MySearch/MyWay
* Topfivesearch.com (browser hijack)
* Topsearch (note: not completely installed)
* VX2/ClientMan
* WebRebates/TopMoxie
* WebSearch

After all applications had finished downloading and installing I rebooted to ensure that the installations were in a relatively stable state. I then ran a series of scans with a variety of anti-spyware programs, including SpyHunter. These scans were divided into three rounds:

Round 1 - Before SpyHunter (no removals)
* HijackThis!
* Ad-aware SE Personal
* Spy Sweeper 3.0
* Spybot S&D 1.3

Round 2 - SpyHunter (scan & remove)
* SpyHunter

Round 3 - After SpyHunter (scan & remove)
* HijackThis! (no removals)
* Ad-aware SE Personal
* HijackThis! (no removals)
* Spy Sweeper 3.0
* HijackThis! (no removals)
* Spybot S&D 1.3
* HijackThis! (scan & remove)

In Round 1, I scanned with several standard anti-spyware applications to scout out just what had been installed on the system. Note that I performed no removals in Round 1, letting SpyHunter have the first crack at removing spyware/adware in Round 2.

In Round 2, I ran a complete system scan with SpyHunter and let it remove everything it found (save one minor false positive).

In Round 3, I scanned again with the same anti-spyware applications as in Round 1. This time, however, I let these anti-spyware applications perform removals to clean up items that SpyHunter had left behind.

I should note at this point that I have archived scan logs, screenshots, installed files, and even the spyware/adware installers used in this test.

I should also note that I installed SpyHunter after Round 1 and completely uninstalled it before Round 3 to ensure that none of the other scanners picked up SpyHunter itself in their scans. The version of SpyHunter installed was 1.5.83 (the latest version available). After installing SpyHunter, I used the program's live update facility to download the latest definitions available (def.dat, 3.13: 8/20/04).

Testing was performed on a P4 1.8 Ghz system w/ 512 mb RAM, Windows 2000 w/ SP4, Internet Explorer 6.0 w/ SP1, and Microsoft Office 2000.

TEST RESULTS

What follows is a summary of SpyHunter's performance in removing the spyware/adware installed by Grokster.

SpyHunter located and completely (or substantially) removed:

* Claria/Gator/GAIN
* Topsearch

SpyHunter completely missed and did not remove:

* 411Ferret
* AdRoar
* Cydoor
* MySearch/MyWay
* Topfivesearch.com (browser hijack)

SpyHunter's handling of the remaining adware/spyware applications was spotty at best -- and troubling.

* Altnet/BDE
- removed most files & Registry keys
- failed to kill two processes

* BroadCastPC (BTV)
- removed a key .exe
- missed an auto-start entry & two other .exe's

* Marketscore/Netsetter
- removed only two Registry keys, incl. an auto-start entry
- failed to kill a key process; left an .exe & .dll

* VX2/ClientMan
- removed an .exe & some Registry keys
- failed to remove a .dll
- missed an .exe

* WebRebates/TopMoxie
- removed one key .exe & an auto-start entry
- missed everything else

* WebSearch
- removed one key .exe & its auto-start entry
- failed to kill the associated process; .exe returned
- missed another .exe & an IE context menu item

In fairness, Ad-aware, Spy Sweeper, and Spybot Search & Destroy all failed to identify and remove 411Ferret. Moreover, MyWay/MySearch is a controversial or debatable application that not all anti-spyware scanners target.

Nonetheless, SpyHunter's performance left much to be desired. One recurring problem was that SpyHunter would attempt to remove and quarantine files, only to be thwarted because it had failed to kill the associated running processes or unload the associated .DLLs from memory. In such cases, the spyware/adware installations remained substantially intact, waiting for the next network connection to update and/or re-download.

Still worse, SpyHunter missed several critical spyware/adware items completely, including the browser home page hijack and search page hijack by Topfivesearch.com.

Needless to say, users who purchased SpyHunter in the hopes that it would remove the spyware/adware bundled with this popular, well-known (and notorious) P2P file sharing application would be sorely disappointed at SpyHunter's poor performance. At the very least they would be forced to seek out other anti-spyware scanners to remove the majority of the spyware/adware left on their systems by SpyHunter, as I was for this test.

It should also be noted that SpyHunter is severely lacking in other areas as well. The application is not very configurable and does not produce a standard plain text scan log (though it does generate a list of items backed up to quarantine). Moreover, the scanning is somewhat slow (though not the slowest I have encountered).

CONCLUSION

All in all, SpyHunter turned in a disappointingly mediocre performance with this load of bundled spyware/adware.

As Suzi noted in her blog entry, Enigma has ended the most objectionable of its online advertising practices and even unloaded all the deceptive "spybot" domains (which were promptly picked up by Paretologic for XoftSpy). Given these changes, I have added the following note to the Rogue/Suspect Anti-Spyware page (see http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note ):

[Nick]

I am surprised no one has responded to this.

It will be a long time before I ever use Spyhunter. Perhaps Enigma is moving to a new product now and doesn't care about Spyhunter anymore.
_________________
Nick's Security Ticker