Is Microsoft AntiSpyware That Good (Maybe Not)
Written by Editor   
Tuesday, 11 January 2005 20:11
Well, it seems this new beta of the Microsoft AntiSpyware software is not that hot when it comes to identifying spyware. After a little tip-off, we decided to do some checking into how the MS AntiSpyware beta actually detects spyware.
If you copy, say, C:\WINNT\SYSTEM32\NOTEPAD.EXE to C:\WINNT\SYSTEM32\NOTPAD.EXE and do a quick scan from MS AntiSpyware, guess what happens. It seems that, for some reason, it thinks Notepad has just become the ItEye Remote Administration Tool (RAT); just take our little example below:



It seems that this may not occur on all versions of the Windows platform; however, we have been able to verify it on English versions of Windows 2000 and some versions of Windows XP. In fact, any file renamed to this and placed in %sysdir% triggers the error.

It seems that Microsoft AntiSpyware does not always verify possible false alarms using a signature, and will rely on the simple location-based check. This location check is quite valid; however, a purely location-based check for a rogue file is not adequate by itself.
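
The difference between a location-only rule and one that a content signature must confirm, as an added example that is not from the original article and not Microsoft's code. The rule data, the byte strings standing in for file contents, and the use of a SHA-256 digest as the signature are constructed assumptions.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed rule for illustration; not Microsoft AntiSpyware's real rule data.
SYSDIR = PureWindowsPath(r"C:\WINNT\SYSTEM32")
RULE_NAME = "notpad.exe"  # file name taken from the article
THREAT = "ItEye RAT"

# Constructed stand-ins for file contents (no real binaries or hashes).
BENIGN_NOTEPAD = b"MZ constructed benign notepad image"
KNOWN_BAD_SAMPLE = b"MZ constructed stand-in for the flagged sample"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def location_match(path):
    """True when both the file name and its directory match the rule."""
    p = PureWindowsPath(path)
    # PureWindowsPath compares case-insensitively, as Windows does.
    return p.name.lower() == RULE_NAME and p.parent == SYSDIR


def location_only_verdict(path, data):
    """Models the behaviour the article reports: location alone decides."""
    return THREAT if location_match(path) else None


def confirmed_verdict(path, data):
    """Location narrows the candidates; a content signature must confirm."""
    if not location_match(path):
        return None
    digest = hashlib.sha256(data).hexdigest()
    return THREAT if digest in KNOWN_BAD_SHA256 else None


if __name__ == "__main__":
    cases = [
        (r"C:\WINNT\SYSTEM32\NOTEPAD.EXE", BENIGN_NOTEPAD),
        (r"C:\WINNT\SYSTEM32\NOTPAD.EXE", BENIGN_NOTEPAD),  # renamed copy
        (r"C:\WINNT\SYSTEM32\NOTPAD.EXE", KNOWN_BAD_SAMPLE),
    ]
    for path, data in cases:
        print(path, "| location only:", location_only_verdict(path, data),
              "| with signature:", confirmed_verdict(path, data))
```

The renamed copy of the benign bytes is flagged by the location-only rule and cleared by the confirmed rule, while the constructed sample is flagged by both.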

We haven't attempted to try this trick with other possible pieces of spyware or malware, so this could be purely isolated to the detection process for the ItEye RAT.

Last Updated ( Thursday, 14 September 2006 23:09 )