Why is SpywareBlaster targeted as a "conflict item"?

  • Question

  • As far as I know, the only time SpywareBlaster runs is when it is executed manually, usually for the purpose of updating its list of over 9600 known malicious websites.  These are entered into the "Restricted Sites" section of the Registry, and the list can be viewed (and added to) by going to Internet Options / Security / Restricted Sites.  Thus, it runs about 1 minute, once a month, on my computer.

     

    How is this a conflict with WLOC?

    Or, is WLOC fronting for an IE problem? -- namely, that adding that many sites might burden IE.

     

    Does Microsoft have issues with these websites being named malicious?

     

    Why would Microsoft not want to help users avoid problems caused by drive-by downloads from these miscreants?

    --
    Greg Kirkpatrick
    Microsoft Small Business Specialist
    MCP, MCTS-Vista, MCITP-Vista

    Tuesday, February 26, 2008 1:20 AM

Answers

  • Greg,

     

    You might want to do a check for updates in SpywareBlaster, they just released the 4.0 version which over a year after release finally fully supports Vista.

     

    http://www.wilderssecurity.com/showthread.php?t=201952

     

    I checked before and after the upgrade on my old Windows 2000 Pro box and also confirmed that the old version didn't contain a Digital Signature, while the new version's primary and update executable both do. This is a major issue with both Vista and OneCare and is likely one of the reasons OneCare was flagging SpywareBlaster as incompatible.

     

    I suggest you download and try the new version with OneCare, it's possible it might be supported. If it isn't I'd think that this version at least has a chance of being compatible, since it supports the standards that Microsoft has been pushing on a number of fronts for over three years now.

     

    I suspected the lack of a Digital Signature might be part of the incompatible issue with several of the applications flagged lately, especially with the new Service Packs for both Windows Vista and XP about to release and likely to strengthen these requirements. Note that Spybot Search & Destroy has been digitally signed for well over two years, so it's not really a hardship for anyone providing a widely distributed application.

     

    OneCareBear

     

     

    Sunday, March 2, 2008 5:12 AM
    Moderator

All replies

  • Greg, this is part of the larger answer we are awaiting regarding specifically what programs are considered to be conflicting and why.

    I agree that Spyware Blaster should *not* be considered conflicting - based on my use and knowledge of the product.

    I'll leave this thread unanswered as it differs from the two active threads for McAfee Site Advisor and AdAware 2007.

    -steve

     

    Tuesday, February 26, 2008 1:27 AM
    Moderator
  • You are incorrect as are all who believe that the effects of SpywareBlaster cause no overhead. As with anything that maintains a list, as the list grows so does the overhead required to search through the list. The entries you are mentioning are not generally affected by the normal and recommended use by an individual of adding sites manually to these lists through the normal use of Internet Explorer.

     

    In an attempt to find a simple method to protect users from malicious sites, several early protection applications took to using the same tricks often used by malware of adding to these registry entries in a semi-automated fashion. Though this seemed a good idea and worked effectively for a while, it has eventually begun to cause too much overhead and/or other issues with many anti-malware applications that use different approaches to protect the abuse of these same registry entries.

     

    There have also been significant issues discovered recently with a combination of Internet Explorer 7 and Outlook 2003 and large numbers of Restricted Sites entries that cause a large delay in the message display operation of Outlook. Though this has been basically explained, last I knew there wasn't a solution, so it's possible this is the reason that SpywareBlaster is considered in conflict.

     

    Regardless of whether this is the specific reason, with my experience both here and in the Spybot Search and Destroy forums, where I'm an Advisor, I've seen the results of many non-effective combinations of anti-malware or settings that weren't really designed to work cooperatively. Though it's nice to believe that they all can be made to operate together, simple analysis of many quickly proves that this isn't actually true.

     

    The use of ActiveX 'kill bits' is known to be effective as a way to disable those ActiveX applications you don't wish to have running. Both Restricted sites and cookie blocking are also known manual techniques. Unfortunately, the design of these features within the Windows operating system was made at a time where a few dozen entries were all that were expected. Blaming these designs for the effects of malware bloat and the misuse of these registry entries as anti-malware protection simply shows a lack of understanding that they were never intended to scale to such levels.

     

    When I moved to OneCare, I specifically took the position of removing all such ancient protection systems from my PC, in fact beginning fresh with a newly installed copy of Windows XP. Unless you are prepared to look at OneCare as your primary protection with other online or on demand only scanners and tools as backup, I think you're wasting your time with any protection suite.

     

    The idea of multiple scanners as protection is archaic and ineffective, as the numbers of people showing up in malware removal forums with multiple mismatched scanners and multiple malware infections to go with them has shown. Unless the multiple applications are truly designed to work together and/or operated by someone with a complete understanding of each application's purpose, design and potential interaction, multiple applications are far worse than one simple to use application that the user can understand.

     

    This is why I became involved with OneCare in the first place, after seeing that the plethora of targeted and even useful applications were simply too complex and confusing for all but the most technical user. The only hope for the masses is to produce a suite that is a combination of effective applications, each designed to work in cooperation with all of the others. Nothing can stop everything, since malware is constantly evolving, but the most important fundamentals of patching the OS, and having current, simple to understand antimalware are far more effective than all the other tools put together.

     

    Try running a handful of users this way, especially the non-technical ones and keep the tools in a kit you use yourself when you suspect a problem. Once all of the management overhead and potential conflicts are gone, the effectiveness of this approach quickly shows through.

     

    OneCareBear

    Tuesday, February 26, 2008 6:13 AM
    Moderator
  •  OneCareBear wrote:

    You are incorrect as are all who believe that the effects of SpywareBlaster cause no overhead. As with anything that maintains a list, as the list grows so does the overhead required to search through the list. The entries you are mentioning are not generally affected by the normal and recommended use by an individual of adding sites manually to these lists through the normal use of Internet Explorer....

     

    There have also been significant issues discovered recently with a combination of Internet Explorer 7 and Outlook 2003 and large numbers of Restricted Sites entries that cause a large delay in the message display operation of Outlook. Though this has been basically explained, last I knew there wasn't a solution, so it's possible this is the reason that SpywareBlaster is considered in conflict....

     

    No, I'm not incorrect.  What I said was that I did not believe that SpywareBlaster was in conflict with WLOC.  I also said that I believed that WLOC was fronting for an IE problem, namely, that having nearly 10,000 items in the Restricted Sites list might indeed cause overhead.

     

    This is an IE problem, not a WLOC concern.  As such WLOC should not be redflagging SpywareBlaster.  Instead, a Windows Update should provide the user with an alert at IE startup, which explains the problem, offers a solution (clearing the Restricted Sites list), and offers a way to ignore the alert.  After all, uninstalling SpywareBlaster does not clear the Restricted Sites list -- it merely removes the tool which would add more items to it.

     

    As for me, I accept this kind of overhead, just as my wife (who drives less than a mile to a grocery store) accepts the extra time it takes to buckle and unbuckle her seatbelt.  Her left shoulder is still sore, a year later, from the impact of a 40 mph rear collision to her stationary car (waiting at a stoplight), but she's alive, and so is my 8-year-old son.  You might suggest that the passive restraints (airbags) would have been sufficient for such a short trip, but they didn't deploy.  Both of them share the protection I have on my home computer, and they trust me to keep them from Internet harm.  

     

    Yes, I'm running a machine with much more processing power and memory than most, to help with the overhead, and yes, most users do not have that luxury.  As time passes, though, people are being encouraged to buy more and more equipped machines, especially to be able to effectively run the newer operating systems (Vista and Leopard), which themselves have more overhead.

     

    Unlike you, I refuse to rely on WLOC and the constantly redesigned IE for my protection, and unlike you, I do still believe that layered protection is better, as long as the multiple anti-malware scanners are not in direct conflict with each other.

     

    If I go for a year without other anti-malware programs alerting me to problems, using them following WLOC, then I'll consider dropping them.  That's not likely to happen, since, as you've said:

     

     OneCareBear wrote:

    ...Nothing can stop everything, since malware is constantly evolving...

     

    --
    Greg Kirkpatrick
    Microsoft Small Business Specialist
    MCP, MCTS-Vista, MCITP-Vista

    Tuesday, February 26, 2008 1:47 PM
  • Greg, I'm leaving this thread unanswered because we're all speculating.

     

    Note that OneCare *is* designed to be concerned about system performance and optimal PC health, so it would not surprise me to find out that the warning is for that very reason and not actually a conflict.

     

    My problem with the way that the list has grown is that the warning is generic. Tell me *why* the co-existence of these programs might be a problem and offer me the ability to ignore the warning and accept the consequences if the only consequence is the potential for hindered performance.

     

    -steve

     

    Tuesday, February 26, 2008 5:25 PM
    Moderator
  • Greg,

     

    The problem is more of an operating system issue being aggravated by Internet Explorer, but no patch will ever be able to fix it. This would require a complete rewrite of portions of IE, the operating system and other programs that take advantage of these registry entries, so it's virtually guaranteed it will never happen due to the disruption it would cause. These registry entries are totally ineffective for antimalware protection anyway since they can easily be changed by any software running on the PC, and all that's required is to toggle the value to change the meaning between blocked/allowed or different zones.

     

    The problem with these entries being used in this way is that it is incompatible with the way most modern security applications handle them, which is by monitoring them for possible malicious activity. This simply aggravates the overhead effects further, and since it's possible for malware to add to these registry entries just like SpywareBlaster does, it is absolutely necessary to monitor them. This was all exposed during the early beta of Windows Defender, when Defender went nuts over the mass addition of items to these registry keys by applications like SpywareBlaster.

     

    The confusion here is that there is a difference between layered security and overlapping security, which is what exists in this case. Overlapping applications are what creates conflicts, while a layered approach uses multiple non-overlapping techniques that work in a complementary fashion. Though this situation is relatively obvious, others are often more subtle, making it difficult to even identify the cause of issues.

     

    This is why I've chosen to simply remove all other application based protection and modularize my layered approach using a hardware firewall. OneCare is responsible for the protection of the endpoint (PC) and performs this with its various complementary modules of antivirus, antispyware, software firewall and others.

     

    OneCareBear

    Tuesday, February 26, 2008 11:03 PM
    Moderator
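
An added example, not part of any post in this thread: one way to monitor the zone-map entries discussed in the reply above is to compare two snapshots taken with `reg export` and report entries whose zone value was toggled, plus bulk additions. It assumes the per-user `ZoneMap\Domains` key and the standard zone numbers (2 = Trusted sites, 4 = Restricted sites); the domains and snapshots are constructed sample data.

```python
import re
from collections import Counter

# Per-user zone map key; zone numbers are the standard IE security zones.
ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    """Map (domain, protocol) -> zone number from `reg export` text."""
    entries, domain = {}, None
    marker = ZONEMAP.lower() + "\\"
    for line in (l.strip() for l in reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            pos = path.lower().find(marker)
            # Subkeys nest as Domains\example.test\www, i.e. www.example.test
            parts = path[pos + len(marker):].split("\\") if pos >= 0 else []
            domain = ".".join(reversed(parts)).lower() or None
            continue
        val = VAL_RE.match(line)
        if val and domain:
            entries[(domain, val.group(1).lower())] = int(val.group(2), 16)
    return entries


def audit(before_text, after_text, bulk_threshold=3):
    """Compare two snapshots; report rezoned entries and bulk additions."""
    before, after = parse_zonemap(before_text), parse_zonemap(after_text)
    added = sorted(k for k in after if k not in before)
    findings = []
    for key in sorted(before.keys() & after.keys()):
        old, new = before[key], after[key]
        if old != new:
            findings.append("REZONED %s (%s): %s -> %s" % (
                key[0], key[1], ZONES.get(old, old), ZONES.get(new, new)))
    findings += ["ADDED-TRUSTED %s (%s)" % k for k in added if after[k] == 2]
    if len(added) >= bulk_threshold:
        findings.append("BULK-ADD %d new entries" % len(added))
    per_zone = Counter(ZONES.get(z, z) for z in after.values())
    return {"per_zone": dict(per_zone), "added": added, "findings": findings}


def _snapshot(rows):
    """Build constructed .reg export text from (subkey, value_name, zone) rows."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for subkey, name, zone in rows:
        out += ["[HKEY_CURRENT_USER\\%s\\%s]" % (ZONEMAP, subkey),
                '"%s"=dword:%08x' % (name, zone), ""]
    return "\n".join(out)


# Constructed sample data (reserved .test names), not taken from any real list.
BEFORE = _snapshot([("bad-one.test", "*", 4), ("bad-two.test\\www", "http", 4)])
AFTER = _snapshot([("bad-one.test", "*", 2), ("bad-two.test\\www", "http", 4),
                   ("bad-three.test", "*", 4), ("bad-four.test", "*", 4),
                   ("bad-five.test", "*", 4)])

if __name__ == "__main__":
    print("\n".join(audit(BEFORE, AFTER)["findings"]))
```
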
  • I respectfully agree to disagree. 

     

    Why then is Spybot Search & Destroy, which adds hundreds of items to the HOSTS file (BOOTDRIVE:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS) not included in the "conflict" list?  Why should adding sites to the Restricted Sites list be deemed "creating a conflict", when that is permitted to other products?

     

    OneCareBear, I have read over a thousand of your entries among these forums and newsgroups [somebody, please, explain to me the difference between a forum and a newsgroup] -- but until now, I have not had a major disagreement with you.  I do now. 

     

    I will NOT choose to "simply remove all other application based protection and modularize my layered approach using a hardware firewall".  There is no such thing as a "hardware firewall", and WLOC is not part of any such "hardware firewall" claim, anyway.  All routers which claim to have an embedded "hardware firewall" have software running internally (which, like any software, can be corrupted, compromised, or circumvented). 

     

    WLOC is a software combination antivirus/antispyware/firewall, which is proving to be as porous as similar products from Symantec (Norton) or McAfee or Trend Micro or ZoneAlarm or Kaspersky.

     

    I have been charging a flat rate of $125.00 to repair an infected computer, but I have contemplated raising that rate by $25 or $50.  For you (and others who rely primarily or solely on WLOC), the rate will be $200, shipping charges extra.  Good luck.

    --
    Greg Kirkpatrick
    Microsoft Small Business Specialist
    MCP, MCTS-Vista, MCITP-Vista
    Wednesday, February 27, 2008 10:04 AM
  • Greg, you can purchase a hardware firewall appliance. They are just not common and usually not cheap. You are correct that most routers that claim to have firewall capabilities are simply a NAT device. And, yes, a hardware firewall is nothing more than a "smart" device that is running a dedicated managed firewall.

     

    -steve

     

    Wednesday, February 27, 2008 5:46 PM
    Moderator
  •  OneCareBear wrote:

    You might want to do a check for updates in SpywareBlaster, they just released the 4.0 version which over a year after release finally fully supports Vista.

     

    http://www.wilderssecurity.com/showthread.php?t=201952

     

    I checked before and after the upgrade on my old Windows 2000 Pro box and also confirmed that the old version didn't contain a Digital Signature, while the new version's primary and update executable both do. This is a major issue with both Vista and OneCare and is likely one of the reasons OneCare was flagging SpywareBlaster as incompatible.

     

    I had to reinstall Windows Live OneCare, and I'm on the 15-day trial (I don't trust it), but I've just installed SpywareBlaster version 4.0 without OneCare complaining.  That was a good find, OneCareBear -- the notice in that forum was less than 30 hours old when you posted the link here.

     

    I have marked your post as an "answer" -- though I think Microsoft is still to blame for the heavy-handed approach to this issue.  Lack of a digital signature does not constitute "conflicting program" in my vocabulary.  Had the message been clear, accurate, and ignorable, this contretemps would not have occurred. 

    --
    Greg Kirkpatrick
    Microsoft Small Business Specialist
    MCP, MCTS-Vista, MCITP-Vista
    Sunday, March 2, 2008 6:40 AM
  • Hi Greg,

     

    Though I understand your and others' feelings about this, I've watched from the sidelines as many security applications flounder, not following good basic rules of security put in place by Microsoft and others. When these get ignored for significant periods of time, like over a year after Windows Vista was released when beta versions of Vista were available to developers over two years before release, I find it difficult to defend even the most well intentioned developer.

     

    I am only indirectly involved in the battle against malware by my associations with OneCare and Spybot Search and Destroy. However, I watch the attempts to help people directly by many of the malware fighters and note carefully not only what helps, but also what doesn't and in fact contributes to the general confusion and lack of good standards.

     

    Not understanding or aiding what Microsoft is attempting to do is fine for the average Joe, but it's really not what you'd expect from an anti-malware developer who truly has their customer's best interests in mind. Since Microsoft has entered the anti-malware business directly, some have shown their true colors by attacking the very improvements Microsoft tried to place in its latest version of the OS. Others have risen to the challenge and produced new and better protection that raises the security bar for everyone. Those who simply do nothing are as bad in my mind as those fighting against Microsoft, since they contribute to a lack of security by their lack of action.

     

    I'm glad to see that Javacool has finally taken the initiative to improve their application to the standards provided by Microsoft. I hope they've moved it to a level that not only allows SpywareBlaster to be compliant with Windows Vista, but also to co-exist with OneCare if that's possible. If it's not ever going to be possible, then I'd like to hear that stated by both Javacool and OneCare, since that only helps to reduce the confusion of both their customers.

     

    OneCareBear

    Sunday, March 2, 2008 11:34 PM
    Moderator
  • Tonight, I had a Windows XP Home machine to rebuild.  I installed all the relevant Windows Updates.  Then I installed, in this order: Internet Explorer 7, Javacool SpywareBlaster 4.0, Spybot Search & Destroy 1.5.2, McAfee Site Advisor (free), Lavasoft Ad-Aware 2007 (1/25/08, free), and finally Windows Live OneCare (90-day trial). 

     

    During installation, OneCare reported Ad-Aware, and only Ad-Aware, as a conflicting program, and insisted that I click to allow OneCare to remove it, or click Cancel (which I knew from past experience would result in OneCare reversing its own installation).  I did neither, clicking Start / Turn Off Computer / Restart (actually, I used the keyboard equivalents: CTRL-ESC U R).

     

    When the computer restarted, Windows Live OneCare was installed and opened, and it showed up green for a few seconds, before finding Ad-Aware again and putting up the red beacon with the View List button to remove it.  McAfee Site Advisor, Javacool SpywareBlaster 4.0, and Spybot Search & Destroy 1.5.2 were not on the list.

     

    I don't like the way Microsoft went about it, but I'm not running things (nor am I likely to in the future).  I'm satisfied that two of the three programs I saw "in conflict" a month ago are no longer on the conflict list. 

     

    I don't see the need for Lavasoft to have something running "as a service" constantly, if it is not used until the GUI program is manually run (in the free version), and Lavasoft could rewrite Ad-Aware so that the service started and stopped with the (free) GUI program if that's needed.   I'm OK with the red beacon for now.

    --
    Greg Kirkpatrick
    Microsoft Small Business Specialist
    MCP, MCTS-Vista, MCITP-Vista

    Monday, March 3, 2008 5:57 AM