Spy Sweeper 4.5 - False Positives

Discussion in 'Computer Security' started by null, Nov 8, 2005.

  1. null

    null Guest

    I run several spyware and keylogger detection programs that I've been
    relatively satisfied with (Spybot S&D, Adaware, SpyCop (strictly for
    keyloggers)) and for haha's I decided to download a free trial of Spy
    Sweeper since I've been reading many glowing reviews of this software.

    It "detected" my computer as having the "Golden Eye" key stroke
    monitor installed because a file named "unins000.exe" exists under a
    program folder named URL Helper.

    After doing some extensive research, I discovered that none of the files
    indicating an active infection with this keystroke software exist.
    Namely, for starters:

    AGSeyApp.exe: This is the main spyware file.
    GEHP.dll: This is the Spyware.GoldenEye helper .dll file

    No other indications of an infection exist as well - including
    modified registry keys, etc. You can read this all for yourself by
    checking the following link on Symantec's Security Response site:

    http://securityresponse.symantec.com/avcenter/venc/data/spyware.goldeneye.html

    I would suppose it is safe to conclude that this is simply a failure
    of Spy Sweeper to correctly detect the actual files indicating an
    infection, but instead, just finding an uninstall file that happens to
    have the same uninstall file name. Unless I'm missing something, is my
    conclusion correct?

    It also incorrectly assumed I was infected with IOPUS Starr Pro simply
    because I had downloaded the setup executable and stored it in a
    folder without actually installing the app.

    Does anyone know the method by which Spy Sweeper attempts to detect
    infections - is it simply by the presence of a filename without
    verifying registry keys and other information that would have to exist
    for a true infection to be present?

    I emailed Spy Sweeper's technical support for clarification and was
    simply told to reinstall. That alone tells me they don't have too
    many sharp tools in the shed when it comes to first tier tech support.

    Any comments and suggestions would be welcome.

    So far, I'm coming to the conclusion that this software isn't all it
    claims to be. Which brings up another point - how much are the rags
    like PC Magazine being paid off to give this an editor's choice rating
    when it seems - even on the surface - to be more smoke and mirrors than
    anything else.

    Regards,

    null
     
    null, Nov 8, 2005
    #1

  2. null

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <>, null wrote:

    >After doing some extensive research, I discovered that none of files
    >indicating an active infection with this keystroke software exist.

    That assumes that the tool you were using (probably some 'file manager')
    wasn't altered. It's not an uncommon trick in the UNIX world.

    >I would suppose it is safe to conclude that this is simply a failure
    >of Spy Sweeper to correctly detect the actual files indicating an
    >infection, but instead, just finding an uninstall file that happens to
    >have the same uninstall file name. Unless I'm missing something is my
    >conclusion correct?

    That is one of the mechanisms used to detect problems. Other techniques
    involve looking at the registry, or looking at the content of files
    searching for specific binary patterns. These all depend on the
    anti-malware author keeping up with the changes made by the malware
    author. If version 6.5687 is looking for a file named 'AAAAAAAA.AAA'
    and the malware author changes the filename to 'AAAAAAAB.AAA', your
    version 6.5687 won't find it.

    >I emailed Spy Sweepers technical support for clarification and was
    >simply told to reinstall. That alone tells me they don't have too
    >many sharp tools in the shed when it comes to first tier tech support.

    Sorry, but that's an old joke about the standard corrective action for
    windoze systems - "reboot", "reinstall" or "reformat" for harder and
    harder problems. Imagine if those were acceptable actions in commercial
    or military airplanes, which have _far_ more complex software today.

    >Which brings up another point - how much are the rags like PC Magazine
    >being paid off to give this an editor's choice rating when it seems -
    >even on the surface to be more smoke and mirrors than anything else.

    Question for you - how much do you think it costs to get that (or any)
    magazine into your hands? Do you think that the cover price (which
    includes costs to the distribution mechanism and retailer) or the
    subscription fee (which includes the lower mailing cost instead) repays
    the publisher? If so, why are these magazines full of advertising? Do
    you think if product evaluation reports didn't dance around the facts,
    but actually reported that $PRODUCT_X is a steaming mountain of elephant
    droppings, they'd continue to have all those wonderful advertisements?
    Do you think that the evaluators would get advanced access to new
    products from the producer of $PRODUCT_X, so that their evaluation can
    be out to the readers when the new product is released? Compare the
    timeliness of evaluations in magazines with tons of ads versus the few
    magazines that don't accept ads, or free products from manufacturers.

    Well known, but little understood fact of life: If there are
    advertisements, the advertisers are the clients, and YOU are the
    product that the magazine (or newspaper, or TV show) is selling.

    Old guy
     
    Moe Trin, Nov 8, 2005
    #2
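As an added example (not code from the thread, nor Spy Sweeper's or its vendor's logic), a toy Python scanner that models the multi-indicator detection Moe Trin describes, and shows why the poster's lone unins000.exe should come out as "review" rather than "infected". The two GoldenEye file names are the ones quoted in the thread; the registry key and byte pattern are constructed placeholders, not real indicators.

```python
# Added example (not Spy Sweeper's or Webroot's code): a toy scanner showing why
# a generic filename such as unins000.exe must never, on its own, yield an
# "infected" verdict. Registry key and byte pattern are CONSTRUCTED placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    core_files: frozenset     # files that only exist on a real install
    weak_files: frozenset     # generic names shared by many benign programs
    registry_keys: frozenset  # constructed placeholder keys
    byte_pattern: bytes       # constructed placeholder content marker

GOLDENEYE = Signature(
    name="Spyware.GoldenEye",
    core_files=frozenset({"agseyapp.exe", "gehp.dll"}),
    weak_files=frozenset({"unins000.exe"}),
    registry_keys=frozenset({r"hklm\software\example\goldeneye"}),  # constructed
    byte_pattern=b"GOLDENEYE-MARKER-CONSTRUCTED",                   # constructed
)

def assess(sig, files, registry):
    """files: {lower-case basename: bytes}; registry: set of lower-case keys.
    Only strong, independent indicators count towards "infected"; a generic
    filename alone is flagged for review. Returns (verdict, evidence)."""
    core_hits = sorted(sig.core_files & set(files))
    reg_hits = sorted(sig.registry_keys & set(registry))
    # A content match survives renaming of the binary (Moe Trin's AAAAAAAB case).
    content_hits = sorted(n for n, data in files.items() if sig.byte_pattern in data)
    weak_hits = sorted(sig.weak_files & set(files))
    evidence = [f"{label}: {hits}" for label, hits in
                (("core files", core_hits), ("registry", reg_hits),
                 ("content", content_hits), ("generic names", weak_hits)) if hits]
    strong = len(core_hits) + len(reg_hits) + len(content_hits)
    if strong >= 2:
        verdict = "infected"
    elif strong == 1:
        verdict = "suspicious"
    elif weak_hits:
        verdict = "review"  # e.g. unins000.exe under an unrelated program folder
    else:
        verdict = "clean"
    return verdict, evidence

# Constructed sample hosts: the poster's false positive, a real install, a rename.
HOST_FALSE_POSITIVE = ({"unins000.exe": b"Inno Setup uninstaller stub"}, set())
HOST_INFECTED = ({"agseyapp.exe": b"MZ..GOLDENEYE-MARKER-CONSTRUCTED", "gehp.dll": b"MZ.."},
                 {r"hklm\software\example\goldeneye"})
HOST_RENAMED = ({"aaaaaaab.aaa": b"MZ..GOLDENEYE-MARKER-CONSTRUCTED"}, set())
```

Running `assess(GOLDENEYE, *HOST_FALSE_POSITIVE)` returns the "review" verdict with only the generic name as evidence, while the renamed binary still surfaces as "suspicious" through the content match.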