Spyware infestations rank among the top problems both administrators and end users have to grapple with today. In any environment that isn’t locked down against such threats, spyware proliferates and must be removed either by hand or with one of the many utilities designed to clean an infected system. Because the problem is so widespread, users and admins alike can choose between a number of different freeware and low-cost applications to combat it.
Two of the most effective solutions are Lavasoft’s Ad-Aware and Spybot - Search & Destroy, both of which are available as free individual-user editions or may be purchased in bulk for multiple desktops. These programs have proven popular because each has functions the other does not, making them highly complementary in certain circumstances.
Lavasoft’s Ad-Aware was one of the first spyware cleaners and remains one of the best by dint of being both simple and effective. The basic single-user version can scan a system in a variety of ways (e.g., registry only, or a specific drive or folder) and can catch over 36,000 different programs — including keyloggers, dialers, browser start-page changers, trojan horses, tracking cookies and ad software. Ad-Aware’s biggest plus is its relative simplicity: most scanning and cleaning can be done with a couple of clicks, so it doesn’t require a great deal of user intervention or training. It also tends to find a slightly broader selection of spyware than Spybot, but each will sometimes miss programs the other will catch. The more advanced version includes proactive blocking through a program called Ad-Watch, which can unload unwanted process modules on the fly and prevent known spyware from injecting itself into the system at all.
Spybot-S&D, by Patrick M. Kolla, is somewhat more complex but also that much more powerful. If Ad-Aware is a box-cutter, then Spybot is a Swiss army knife. It doesn’t just scan for spyware (it catches about 24,000 different programs similar to those caught by Ad-Aware); it also includes a number of proactive spyware-blocking tools and functions. For instance, the HOSTS file, a common point of hijacking for many spyware programs, can be locked or unlocked. The user can also see a list of all the browser helper objects (BHOs) currently installed in Internet Explorer. BHOs are another common vector for spyware, although Windows XP Service Pack 2 now allows a user to inspect and disable BHOs in Internet Explorer. As a concession to end users who don’t want to deal with the full interface, Spybot-S&D can be launched with many of its advanced options hidden, and simply used as a spyware scanner.
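To make the HOSTS-file point concrete, here is an added example (not code from Spybot-S&D or from this article) of the kind of audit an administrator can run before locking the file: it lists every entry that is not an ordinary localhost mapping so each one can be reviewed. The sample file contents, the `audit_hosts` name and the `allowlist` parameter are assumptions made for illustration.

```python
import ipaddress

# Constructed sample HOSTS content for illustration (not taken from the article).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.search.example      # non-local address
127.0.0.1       update.av-vendor.example
0.0.0.0         ads.tracker.example
not-an-ip       broken.example
"""

# Names that normally map to the local machine and need no review.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def audit_hosts(text, allowlist=frozenset()):
    """Return (line_no, kind, address, name) for every entry worth reviewing."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "malformed", address, " ".join(names)))
            continue
        for name in (n.lower() for n in names):
            if name in LOCAL_NAMES or name in allowlist:
                continue
            # Loopback/unspecified: the name is made unreachable (blocklist-style entry).
            # Any other address: lookups for the name are answered from this file, not DNS.
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((line_no, kind, str(ip), name))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-10s %-15s %s" % finding)
```

On Windows the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; entries an administrator added deliberately can be supplied through `allowlist` so that only unexpected ones are reported.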
Another crucial distinction between these two programs is licensing. Spybot’s single biggest asset in this regard is that it is free software, supported by donations and volunteers, so there is no licensing cost for deploying it throughout an organization. This makes it the best choice for both emergency use and long-term deployment, although you may need to take time to educate users about the best way to use its power. Ad-Aware is free for individual and provisional use (i.e., single machine, test only), but if you want to deploy it across multiple machines in an organization you’ll need to purchase the appropriate number of licenses.
A final and crucial point that needs to be made about spyware is that its proliferation is ultimately the result of inattention to secure software design, and using additional software to block it isn’t the best answer. A third-party product is only a temporary fix for the system’s own security. In a big organization, the best defense against spyware (and other vulnerabilities) is always going to be a hardened system. Adding a spyware-cleaning application as part of a standard software package should be treated not as a solution but as a stopgap measure until the system(s) in question can be properly hardened, by installing Windows XP SP2 or switching to a non-IE browser, and so on. Some third-party antivirus programs, like the ones offered by Symantec, now include anti-spyware tools as part of the package. But again, this should not be seen as a substitute for good practices.