It has been a few weeks since the last update, and the A/S team needed some work to do, so we decided that we should release build 615 to the web. Actually, we wanted to correct an issue found with the signature update mechanism and we wanted to get an updated build out there this week. Starting in the next hour or so, beta testers will be able to download the updated build from the web (http://www.microsoft.com/spyware) or wait for the automatic update to the software. Also addressed in this release is an improvement in how Windows AntiSpyware beta provides information to the user about processes running on a PC. Because of a limitation in the installer, users will have to reboot as soon as they update the package. We are working on reducing the reboot requirement for beta 2. We have been testing this new build for about a week now and it does resolve the signature update issue. Please post to the newsgroups if you see any issues or have any comments on this new build.
It's 7/19 @ 9:49 AM on the East Coast. Tried to get the new download and am still getting 1.0.614.
Still getting error 101's all over the place when the installer is run using the SYSTEM account.
Sorry to refer to issues further back in the blog, but I just got here :-)
Firstly, cookies are potentially more dangerous than just "text files", given that by design (!) IE allows scripts to be hidden in them and run from them. A while back, there was a defect where this came to light; the fix was seen as preventing these from running in Local HD rather than Internet security zone, but there was "no problem" with scripts in cookies otherwise.
Secondly, as long as MSAS is dependent on MSI to install, it's far less useful in the context of interventions to clean up infected systems.
The preferred approach there is to work "from orbit", i.e. without running the infected installation at all.
Spybot's already up to speed there, with a vendor-supplied plugin for Bart PE so that it can be used from a CDR boot, and it natively supports scanning relative to an inactive set of registry hives on the HD.
AdAware claims to have the smarts to scan across user accounts when installed and run from Safe Mode Command Only, and can also be run from a Bart CDR boot. When used with Paraglider's RunScanner plugin, it can scan relative to inactive registry hives on HD too.
In contrast, MSAS can't install from Safe Mode at all. You have to install it from the middle of the infected OS, ASSuming active malware will allow this, then you can run it from Safe Mode if it's survived the installation process and anything that might have hooked into shutdown. Folks have found obstacles to running MSAS from Bart CDR, too.
Commercial malware cannot be assumed to stay "polite" enough to be safely managed informally; many are active in Safe Mode, as it is. It may be worthwhile comparing notes with the Strider team, who have been exploring CDR-based malware management for a while now (though based on the largely-unavailable WinPE).