In chatting with some end-users about computer malware, some of them expressed the opinion that registry cleaners – software utilities that clear up Windows registries and remove temporary Internet files – can be a good replacement for an antivirus solution and can make their computer faster and safer. So, we decided to test one to see what these products really do. We tested the one these users suggested, though we will not mention the name here.
The first thing to be reported is that when we tried to access the tool’s website to download it, WOT (Web of Trust, in Firefox) reported it as “poor reputation.” This is not necessarily our opinion as we had not tested the product yet, but we find that it is important to mention.
What we report here is for the benefit of those end-users who, being outside the computer security industry, may not have the time to find out the true benefits of such applications and may live with the illusion that their computers are protected by using them.
There seems to be an important misunderstanding about what such products can do. If you check their websites carefully, nowhere do they say that they are an antivirus. All they claim is that they will clean up your PC and make it faster. The first part of the claim is possible, and not necessarily difficult. In fact, cleaning up your temporary Internet files is something that any user can do without too much effort. Cleaning up the registry is a bit trickier, and one can break the operating system if one is not careful. But it is still feasible to do it on your own.
We took a laptop with Windows Vista Business, SP1 and all available updates before SP2. The computer came with some trial licenses for applications such as Napster and had some manufacturer software installed.
We ran the scan a first time, and the software reported 587 registry issues that needed solving. In total, it showed we had around 14,000 “issues” that needed fixing (most of them temporary files that were just taking disk space). We did not ask the software to fix those issues, as it would have required purchasing a license.
We ran the scan a second time, and the numbers were drastically different. Note that between the two scans nothing had happened and nothing had changed. The scans were run consecutively, and we were not using the laptop to do anything else except run the scans for this study. The second time, the scanner found about 10% fewer registry errors and, overall, about 5% fewer issues.
So one must wonder: did the laptop fix itself in the few minutes while we were running the scan? Or did those files disappear? Or are these results unreliable?
Unsatisfied with the results, we allowed the laptop to download and install SP2. When this was done, we ran the scan again, three times consecutively:
- The first scan reported 254 registry errors and, overall, 14,764 issues.
- The second scan reported 211 registry errors and 11,200 issues.
- The third scan reported 230 registry errors and 11,157 issues.
All this is very interesting and informative. First of all, did Microsoft fix about 300 registry issues just by installing SP2? We are guessing that it is possible, though we remain deeply skeptical (not about Microsoft fixing the issues, but about the issues existing in the first place). If so, why is it that every scan yielded different results? The unreliability of the results is quite suspicious.
For us to consider the scans reliable, we would like to have seen the same results every time, but we didn’t. Analyzing the list of “issues,” aside from the vast majority being temporary Internet files that merely take up disk space and cause no harm, the list of registry issues often pointed to applications that had been removed from the computer. Uninstall procedures don’t do a good job of cleaning up after themselves. Registries remain “dirty,” and it is possible that this may influence the speed of a computer.
As a last test, we intentionally put malware on the computer. The malware we copied is called Email-Worm.Win32.NetSky.d by Kaspersky Labs. It is a well-known worm, which has been around since 2004. No antivirus product would ever miss this threat on a computer. Since it appeared that the scanner only checks certain well-determined areas of the disk, we even copied the file into various directories that are scanned by the tool. The scanner completely ignored the content of the file and in not a single case did it realize that the malware was a serious threat. Of course, a real worm will not install itself in a place where any scanner could remove it, so we can safely assume that the scanner would not have found it.
At this point, the conclusion on the subject is fairly simple. This particular scanner is not a means to protect a computer. It might be a means to fix the registry and, in so doing, might be able to clean up parts of a Trojan, but this is an after-the-fact solution. It is not necessarily useless, but it certainly is not what users should do to protect their computers.
The best protection still lies with a good antivirus product, set to update the signatures at least every hour, possibly more often. If it sounds like paranoia, consider that we have seen situations where more than 300 variants of the same threat were released during the same day. That is a new variant every five minutes! Products that clean your registry and delete your temporary files can protect your privacy and maybe make your computer faster. And, indeed, that is all they actually claim to do. In addition to the one we tested, we checked the web pages and licenses of a number of others, and none of them seems to claim malware “protection.” That is not what they are designed to do. To stay safe, users need to ensure that operating system updates are installed automatically as soon as they are available, and that their antivirus software is always running properly and has up-to-the-minute signatures. Nothing else today can protect a computer better.
This leads to the discussion about Trojans and how hard it is to protect a computer against them. We will discuss that topic another time.