Users who put their faith in Vista’s new security features and Microsoft’s Windows Defender anti-spyware product may find themselves under attack from spyware all the same, according to a study by anti-spyware vendor Webroot.
The company released the results of what it claimed was a two-week study of Windows Defender that showed the product missed 84% of a sample set of 25 spyware and malicious code samples. The programs that slipped by were a mix of spyware, Trojan horse programs, and keyloggers.
While many were not Vista compatible and simply crashed, others were able to install on Vista systems, says Gerhard Eschelbeck, chief technology officer at Webroot.
Technical staff at Microsoft’s Security Business Unit weren’t able to respond to requests for comment on Webroot’s claims.
Eschelbeck identified variants of common malware programs like DollarRevenue Trojan, PeperTrojan, and Playboydialler that made it by Windows Defender. Some of the variants are recently released, although others dated back to 2006, he says. Of the four programs Windows Defender did stop, most were non-malicious adware, he says.
“We wanted to validate the strong claims out of the industry that Vista was going to be a security solution for everybody and everything,” Eschelbeck says.
Webroot picked the malicious code samples from tens of thousands of samples collected on its Phileas spyware scanning network. Webroot’s Spy Sweeper product spotted all of the samples.When asked, Eschelbeck acknowledged that 25 samples was a tiny fraction of Webroot’s database of tens of thousands of malicious code samples. He also acknowledged that it may be possible for Microsoft or other competitors to pick samples of malicious code that would evade Webroot’s Spy Sweeper product, given advanced knowledge of how Spy Sweeper’s detection features worked.
“Nothing’s impossible,” Eschelbeck says.
The purpose of the study wasn’t to make invidious comparisons between the two products, Eschelbeck says, but to raise questions about the detection capabilities and management of the Windows Defender product as Microsoft expands its profile as an enterprise and consumer security software vendor. “It’s important to leave the interpretation up to individuals,” he says. “People need to make their own conclusions about it.”
Eschelbeck says Microsoft updates Windows Defender’s spyware definitions weekly — far too infrequently for the fast-moving malicious code scene.
Webroot, which is venture-funded, was an early pioneer in the anti-spyware software space and is one of the leading sellers of anti-spyware software to consumers. However, the company’s prospects have been hurt by Microsoft’s entry into the desktop and enterprise security business and the company’s decision to offer Windows Defender as a free download.
The Webroot study is just the latest in a salvo of company-sponsored studies that seek to undermine the credibility of competing security products.
In September, a Microsoft-sponsored study by 3Sharp compared anti-phishing toolbars by Google/Firefox, AOL, EarthLink, Geotrust, McAfee, and others and found the Internet Explorer anti-phishing technology the most accurate. The Mozilla Foundation fired back in November with a competing study by SmartWare that found the Firefox antiphishing technology better than that of Internet Explorer.
A subsequent independent study by Carnegie Mellon concluded that few of the available anti-phishing products are very reliable.