I ran the Rootkit Revealer on my Windows XP SP2 PC. It found two registry keys that were suspect but a quick search showed they were normal with the latest version of Rootkit Revealer. On a second run, immediately after a reboot, it found some additional files all dated post-reboot. The only old files it flagged were from Microsoft Defender and also appeared to be temporary files that were deleted during normal operations and are an indication of disk/file problems rather than spyware.

The scan also found several files in my Windows\temp directory. Rather than being spyware they all seemed to be temp files that were deleted. The timestamp on all of them was today and since the last boot. The discrepancy is probably due to a disk/file system problem rather than spyware. The message was “Visible in directory index, but not Windows API or MFT”.

I also scanned using Microsoft Defender and AVG Anti-Rootkit (both are available from my links page under Free Security Software). Neither found any spyware or rootkits.

Rootkit Revealer looks for rootkit type activity at a much lower level than the more user friendly scan tools which seem to look for specific rootkits. It’s then up to you to research it and see if it’s a rootkit. Rootkit Revealer also doesn’t include any rootkit removal tools. The SysInternal forums are still around and can be used to help decipher the scan results.

In early May Google published their Ghost in the Browser(pdf) report. The headlines from the report were that 10% of websites are dangerous. If this was an antivirus or antispyware vendore we could say they’re trying to sell software. But the report seemed like bad news for Google. As an Internet advertising business, which is where they make almost all their money, they need people to trust the Internet.

The on May 21st Google started a Oneline Security Blog and along with it the news that they had an anti-malware team which has been around for about a year. Their first post clarified the “1 in 10 dangerous websites” headlines:

Unfortunately, the scope of the problem has recently been somewhat misreported to suggest that one in 10 websites are potentially malicious. To clarify, a sample-based analysis puts the fraction of malicious pages at roughly 0.1%.

Google has also been flagging sites in their search results if Google thinks the site may be harmful. There are security vendors which also have products that flag potentially malicious sites so this isn’t unique. But it’s free and already built in. As the Google blog and report point out, a fact that a site may be dangerous could be unknown to the owner since in many cases these are legitimate sites that were hacked.

Then on Monday Google announced that they purchased Greenborder. Greenborder provides “safe surfing” software by running IE or Firefox in a virtual session which isolates it from the rest of the PC. This technology protects the PC from drive-by downloads. An interesting note here is that Greenborder no longer offers there product for download. They appear to have pulled it shortly before the announcement. They still support existing customers. So is Google planning to release a free version or include it in their toolbar?

I wonder what Symantec, Microsoft, McAfee and other vendors with online security products are thinking? It appears Google’s getting into their business, although in a vary focused way so far. Google’s cash cow is search, web security would just be a way to get people to trust, and use, their search and then click on their ads. It can’t be good news for security software vendors but is only going to help us.

From the article…

“We are looking closely at the methodology and results of the test to ensure that Windows Live OneCare performs better in future tests,” the Microsoft spokesperson told us, “and, most importantly, as part of our ongoing work to continually enhance Windows Live OneCare to ensure the highest level of protection and service that we can provide our customers.”  

BetaNews also reported that McAfee’s VirusScan Enterprise 8.1 flunked the test.

The February testing was done on Windows Vista. Virus Bulletin is a respected virus test organization. The test agains in the wild viruses. Their test procedure is documented here. As for software that past the test, Beta news reported they were…

…both CA’s Home and eTrust (enterprise) products, Fortinet’s FortiClient, F-Secure Anti-Virus, Kaspersky Anti-Virus 6.0 (which was added to the ZoneAlarm suite last November), Sophos Anti-Virus 6.5, and Symantec AntiVirus 10.2