Recently a colleague received a message from his Norton Anti-Virus software that he had a specific piece of spyware (SAHAgent) on his computer. He was running several anti-spyware programs, so this was disturbing. Even more disturbing, he could neither find the infection via a manual search, nor could he get information from Symantec on how to eliminate it.
About then, he fortuitously got an e-mail from the folks at Firetrust, makers of the wonderful can’t-live-without-them MailWasher and Benign (http://www.firetrust.com/) recommending an anti-spyware package made by someone else, called Spyware Doctor (http://www.pctools.com/spyware-doctor/). Our colleague downloaded and installed the software, ran the update, and then did the scan. It found, and eliminated, the offending piece of software that had been plaguing him!
Filled with enthusiasm, he called us, and we shelled out our money and bought a copy. When installed, it blocked the tracking cookies associated with using AOL Instant Messenger, alerting us every time AIM tried to install the cookie, as well as cookies from Microsoft’s BCentral.
When we did run a scan, it didn’t find anything wrong, which was fine with us, but it did reveal a teeny issue. When we ran the scan, our firewall, Outpost (http://www.agnitum.com/products/outpost/) detected that the scan had modified the memory of several running processes, and cut off their access to the Internet. A typical message said, “Network access for navpw32.exe was blocked because its memory was modified by another process.” Since navpw32 is needed for us to get e-mail, a re-boot was necessary.
Now, we don’t know why the scan modifies the memory of other processes, and, in fact, the people at Spyware Doctor don’t know either. We are certain that it is unintentional and benign. And we know that three other programs we run (Oxygen Phone Manager II, BigFix, and Acrobat Writer) do the same thing. If we weren’t running Outpost we would never have known, and if you aren’t using Outpost you will never know. We are delighted that Outpost does this, as it could be important if this were a malevolent attack.
Does this mean that we won’t use Spyware Doctor? Not at all. What we did was make sure we installed all the updates, then ran an original complete scan, then rebooted. We then scheduled regular automatic updates in the middle of the night. And when we plan to do our daily reboot we do a quick scan, then we do our reboot. When we do our weekly cleanup we run another complete scan before the reboot.
We like to think that between the folks at Outpost and the folks at Spyware Doctor someone will figure out what is going on and how to make it stop. In the meanwhile we are perfectly delighted to have the protection offered by each of these programs, and are perfectly willing to deal with the minor inconvenience of running the scan just before we plan to reboot. We recommend Spyware Doctor to those concerned about spyware.