Spy Sweeper 4.5 - False Positives

Discussion in 'Computer Security' started by null, Nov 8, 2005.

  1. null

    null Guest

    I run several spyware and keylogger detection programs that I've been
    relatively satisfied with (Spybot S&D, Adaware, SpyCop (strictly for
    keyloggers)) and for haha's I decided to download a free trial of Spy
    Sweeper since I've been reading many glowing reviews of this software.

    It "detected" my computer as having the "Golden Eye" key stroke
    monitor installed because a file named "unins000.exe" exists under a
    program folder named URL Helper.

    After doing some extensive research, I discovered that none of the files
    indicating an active infection with this keystroke software exist.
    Namely, for starters:

    AGSeyApp.exe: This is the main spyware file.
    GEHP.dll: This is the Spyware.GoldenEye helper .dll file

    No other indications of an infection exist as well - including
    modified registry keys, etc. You can read this all for yourself by
    checking the following link on Symantec's Security Response site:

    http://securityresponse.symantec.com/avcenter/venc/data/spyware.goldeneye.html

    I would suppose it is safe to conclude that this is simply a failure
    of Spy Sweeper to correctly detect the actual files indicating an
    infection, but instead, just finding an uninstall file that happens to
    have the same uninstall file name. Unless I'm missing something is my
    conclusion correct?

    It also incorrectly assumed I was infected with IOPUS Starr Pro simply
    because I had downloaded the setup executable and stored it in a
    folder without actually installing the app.

    Does anyone know the method by which Spy Sweeper attempts to detect
    infections - is it simply by the presence of a filename without
    verifying registry keys and other information that would have to exist
    for a true infection to be present?

    I emailed Spy Sweeper's technical support for clarification and was
    simply told to reinstall. That alone tells me they don't have too
    many sharp tools in the shed when it comes to first tier tech support.

    Any comments and suggestions would be welcome.

    So far, I'm coming to the conclusion that this software isn't all it
    claims to be. Which brings up another point - how much are the rags
    like PC Magazine being paid off to give this an editor's choice rating
    when it seems - even on the surface - to be more smoke and mirrors than
    anything else.

    Regards,

    null
     
    null, Nov 8, 2005
    #1

  2. Moe Trin

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    That assumes that the tool you were using (probably some 'file manager')
    wasn't altered. It's not an uncommon trick in the UNIX world.
    That is one of the mechanisms used to detect problems. Other techniques
    involve looking at the registry, or looking at the content of files
    searching for specific binary patterns. These all depend on the
    anti-malware author keeping up with the changes made by the malware
    author. If version 6.5687 is looking for a file named 'AAAAAAAA.AAA'
    and the malware author changes the filename to 'AAAAAAAB.AAA', your
    version 6.5687 won't find it.
    Sorry, but that's an old joke about the standard corrective action for
    windoze systems - "reboot", "reinstall" or "reformat" for harder and
    harder problems. Imagine if those were acceptable actions in commercial
    or military airplanes, which have _far_ more complex software today.
    Question for you - how much do you think it costs to get that (or any)
    magazine into your hands? Do you think that the cover price (which
    includes costs to the distribution mechanism and retailer) or the
    subscription fee (which includes the lower mailing cost instead) repays
    the publisher? If so, why are these magazines full of advertising? Do
    you think if product evaluation reports didn't dance around the facts,
    but actually reported that $PRODUCT_X is a steaming mountain of elephant
    droppings, they'd continue to have all those wonderful advertisements?
    Do you think that the evaluators would get advanced access to new
    products from the producer of $PRODUCT_X, so that their evaluation can
    be out to the readers when the new product is released? Compare the
    timeliness of evaluations in magazines with tons of ads versus the few
    magazines that don't accept ads, or free products from manufacturers.

    Well known, but little understood fact of life: If there are
    advertisements, the advertisers are the clients, and YOU are the
    product that the magazine (or newspaper, or TV show) is selling.

    Old guy
     
    Moe Trin, Nov 8, 2005
    #2
