Webroot: Vista’s Defender stops only 16% of spyware

Microsoft challenges the study, saying it is confident in Windows Defender

Users who put their faith in Vista's new security features and Microsoft's Windows Defender antispyware product may find themselves under attack from spyware all the same, according to the results of a study by Webroot, a leading antispyware vendor and Microsoft competitor.

On Thursday, the company released the results of what it claimed was a two-week study of Windows Defender that showed the product missed 84 percent of a sample set of 25 spyware and malicious code samples. The programs that slipped by were a mix of spyware, Trojan horse programs, and keyloggers. While many were not Vista compatible and simply crashed, others were able to install on Vista systems, said Gerhard Eschelbeck, Chief Technology Officer at Webroot.

Eschelbeck identified variants of common malware programs like DollarRevenue Trojan, PeperTrojan, and Playboydialler that made it by Windows Defender. Some of the variants were recently released, though others dated back to 2006, he said. Of the four programs Windows Defender did stop, most were non-malicious adware, he added.

"We wanted to validate the strong claims out of the industry that Vista was going to be a security solution for everybody and everything," Eschelbeck said.

Webroot picked the malicious code samples from tens of thousands of samples collected on its Phileas spyware scanning network. Webroot's Spy Sweeper product spotted all of the samples.

When asked, Eschelbeck acknowledged that 25 samples was a tiny fraction of Webroot's database of tens of thousands of malicious code samples. He also acknowledged that it may be possible for Microsoft or other competitors to pick samples of malicious code that would evade Webroot's Spy Sweeper product, given advanced knowledge of how Spy Sweeper's detection features worked.

"Nothing's impossible," Eschelbeck said.

A Microsoft representative challenged the study’s finding, saying the company was confident in Windows Defender's ability "to make the user’s computing experience a safer one."

The company also noted that Vista was "the most secure version of Windows to date" and that the operating system, "includes fundamental architectural changes that will help make customers more secure from evolving threats, including worms, viruses, and malware.

“These improvements minimize the operating system’s attack surface area, which in turn improves system and application integrity and helps organizations more securely manage and isolate their networks."

Eschelbeck said the purpose of the study wasn't to make invidious comparisons between the two products, but to raise questions about the detection capabilities and management of the Windows Defender product as Microsoft expands its profile as an enterprise and consumer security software vendor. "It's important to leave the interpretation up to individuals," he said. "People need to make their own conclusions about it."

Eschelbeck said Microsoft updates Windows Defender's spyware definitions weekly -- far too infrequently for the fast-moving malicious code scene. Eschelbeck also warned that malicious code authors would soon adapt to the architectural changes in Windows Vista that stopped many of the malicious code samples that got past Defender from working.

Microsoft, in its e-mail statement, noted that "no operating system is 100% secure" and that users should employ a defense in depth strategy involving software updates, a firewall, and anti-virus/anti-spyware program, "whether a Microsoft or third party solution."

Webroot, which is venture-funded, was an early pioneer in the antispyware software space and is one of the leading sellers of antispyware software to consumers. However, the company's prospects have been hurt by Microsoft's entry into the desktop and enterprise security business and the company's decision to offer Windows Defender as a free download.

The Webroot study is just the latest in a salvo of company-sponsored studies that seek to undermine the credibility of competing security products.

In September, a Microsoft-sponsored study by 3Sharp compared antiphishing toolbars by Google/Firefox, AOL, EarthLink, Geotrust, McAfee, and others and found the Internet Explorer antiphishing technology the most accurate. The Mozilla Foundation fired back in November with a competing study by SmartWare that found the Firefox antiphishing technology better than that of Internet Explorer. A subsequent independent study by Carnegie Mellon concluded that few of the available anti-phishing products are very reliable.