VirusInfo, known Russian security portal, member of Alliance of Security Analysis Professionals, warns about false positive in CounterSpy database of rogue antispyware solutions
It has come to our attention that an antispyware solution XenAntiSpyware, supported by Russian developer known as Xen, has been included to the database of CounterSpy as a rogue antispyware product.
The author of the tool informed us that some users of his product tried to contact CounterSpy staff, providing certain proofs of false positive, but since 06 December, 2007 CounterSpy developers have been reluctant to remove the detection. At the moment XenAntiSpyware is still considered as an Elevated level threat.
Respectively the developer of XenAntiSpyware has applied for our investigation of the issue. VirusInfo experts have analysed the product and came to conclusion that in this case false positive is obvious. The results of analysis performed by security expert Oleg Zaitsev may be found below.
Distribution package: xas_4.4.2_light.zip, ZIP container, size 945258 bytes, MD5 = 350635A0FCA187F433D01C69762B2EB4. Contains folder XAS_4.4.2_Light, number of files in the folder and its subfolders - 17.
Executable files: XenAntiSpyware.exe, size 1450496 bytes, MD5 = CF9848270938C3A2ED724F6069609E89; driver xaf.sys, size 9728 bytes, MD5 = 24BFEC28C4FE26E395936D6B2428EB62.
Does not contain installer and uninstaller, declared as standalone software. File license.txt (1040 bytes, 8F7E975BD225269625E4BB4983296469) contains EULA in Russian language. Help file in Russian language Help.chm is also included.
The product implies built-in script interpreter. Scripts are saved in Scripts folder with no encryption.
Executable file XenAntiSpyware.exe developed in Delphi, code protection and anti-debugging are not used.
In case of running:
1. Registry access: key Software\XenAntiSpyware\Options (typical operation of saving settings in the registry)
2. Loading files: ver.dat, Scripts\Menu\*.script (files belonging to the tool)
3. System privileges: queries SeDebugPrivilege for its process (typical for applications that install drivers and perform operations with running processes)
4. Services and drivers: registers driver (name XenAntiSpywareFilter, executable file XAF.sys included to distribution package), registration procedure is documented
5. GUI: displays GUI containing set of buttons for operating different functions of the tool. No operations are performed without user's command
6. Clicking button "System analysis" results in scanning autoruns elements and showing items that are thought to not belong to known legitimate software. User should decide himself whether the items are dangerous. Tool supports manual deletion of selected items and/or making a logfile.
7. After exit the tool cancels registration of driver XenAntiSpywareFilter
8. Extended functionality: the tool can perform some typical operations such as unlocking Task Manager or Registry Editor, restoring Internet Explorer settings, deleting cookies and other private data. The operations are performed by user's command.
General expert conclusion: no trojanware or spyware functions, no hidden install or imitation of virus activity, the information about system state is correct and does not contain false data. Freeware. No rootkits. No patching or substitution of system files.
The report disproves the following statements that are provided by CounterSpy staff:
"purports to scan and detect malware or other problems on the computer, but attempts to dupe or badger users into purchasing the program by presenting the user with intrusive, deceptive warnings and/or false, misleading scan results... typically uses aggressive, deceptive advertising and may be installed without adequate notice and consent, often through exploits"
"may make unwanted changes to your system, such as reconfiguring your browser's homepage and search settings. These risks may install advertising-related add-ons, including toolbars and search bars, or insert advertising-related components into the Winsock Layered Service Provider chain. These new add-ons and components may block or redirect your preferred network connections, and can negatively impact your computer's performance and stability... may also collect, transmit, and share potentially sensitive data without adequate notice and consent"
VirusInfo warns the community about the false positive of CounterSpy regarding XenAntiSpyware and sends an official address for CounterSpy staff, informing them about the issue. We expect XenAntiSpyware to be soon removed from CounterSpy database.
VirusInfo and Oleg Zaitsev, 15.12.2007