• United States



by Dave Gradijan

Windows Defender Fails to Protect Microsoft Vista from Spyware

Jan 26, 20073 mins
CSO and CISOData and Information Security

Users who put their faith in Vista’s new security features and Microsoft’s Windows Defender antispyware product may find themselves under attack from spyware all the same, according to the results of a study by Webroot, a leading antispyware vendor and Microsoft competitor.

On Thursday, the company released the results of what it claimed was a two-week study of Windows Defender that showed the product missed 84 percent of a sample set of 25 spyware and malicious code samples. The programs that slipped by were a mix of spyware, Trojan horse programs and keyloggers. While many were not Vista compatible and simply crashed, others were able to install on Vista systems, said Gerhard Eschelbeck, chief technology officer at Webroot.

Technical staff in Microsoft’s security business unit weren’t able to respond to requests for comment on Webroot’s claims.

Eschelbeck identified variants of common malware programs like DollarRevenue Trojan, PeperTrojan and Playboydialler that made it by Windows Defender. Some of the variants were recently released, though others dated back to 2006, he said. Of the four programs Windows Defender did stop, most were non-malicious adware, he added.

“We wanted to validate the strong claims out of the industry that Vista was going to be a security solution for everybody and everything,” Eschelbeck said.

Webroot picked the malicious code samples from tens of thousands of samples collected on its Phileas spyware scanning network. Webroot’s Spy Sweeper product spotted all of the samples.

When asked, Eschelbeck acknowledged that 25 samples was a tiny fraction of Webroot’s database of tens of thousands of malicious code samples. He also acknowledged that it may be possible for Microsoft or other competitors to pick samples of malicious code that would evade Webroot’s Spy Sweeper product, given advanced knowledge of how Spy Sweeper’s detection features worked.

“Nothing’s impossible,” Eschelbeck said.

The purpose of the study wasn’t to make invidious comparisons between the two products, Eschelbeck said, but to raise questions about the detection capabilities and management of the Windows Defender product as Microsoft expands its profile as an enterprise and consumer security software vendor. “It’s important to leave the interpretation up to individuals,” he said. “People need to make their own conclusions about it.”

Eschelbeck said Microsoft updates Windows Defender’s spyware definitions weekly—far too infrequently for the fast-moving malicious code scene.

Webroot, which is venture-funded, was an early pioneer in the antispyware software space and is one of the leading sellers of antispyware software to consumers. However, the company’s prospects have been hurt by Microsoft’s entry into the desktop and enterprise security business and the company’s decision to offer Windows Defender as a free download.

The Webroot study is just the latest in a salvo of company-sponsored studies that seek to undermine the credibility of competing security products.

In September, a Microsoft-sponsored study by 3Sharp compared antiphishing toolbars by Google/Firefox, AOL, EarthLink, Geotrust, McAfee and others and found the Internet Explorer antiphishing technology the most accurate. The Mozilla Foundation fired back in November with a competing study by SmartWare that found the Firefox antiphishing technology better than that of Internet Explorer. A subsequent independent study by Carnegie Mellon concluded that few of the available antiphishing products are very reliable.

-Paul F. Roberts, InfoWorld