# VirusInfo warns about false positive in CounterSpy spyware database

## NickGolovko

*VirusInfo, a well-known Russian security portal and member of the Alliance of Security Analysis Professionals, warns about a false positive in the CounterSpy database of rogue antispyware solutions*

It has come to our attention that the antispyware solution *XenAntiSpyware*, supported by a Russian developer known as Xen, has been included in the *CounterSpy* database as a rogue antispyware product.

http://research.sunbelt-software.com...hreatid=180515

The author of the tool informed us that some users of his product tried to contact the CounterSpy staff, providing proof of the false positive, but since 06 December, 2007 the CounterSpy developers have been reluctant to remove the detection. At the moment XenAntiSpyware is still classified as an Elevated-level threat.

Accordingly, the developer of XenAntiSpyware asked us to investigate the issue. VirusInfo experts have analysed the product and came to the conclusion that in this case the false positive is obvious. The results of the analysis performed by security expert Oleg Zaitsev may be found below.

***

Distribution package: *xas_4.4.2_light.zip*, ZIP container, size 945258 bytes, MD5 = 350635A0FCA187F433D01C69762B2EB4. Contains the folder XAS_4.4.2_Light; number of files in the folder and its subfolders: 17.

Executable files: *XenAntiSpyware.exe*, size 1450496 bytes, MD5 = CF9848270938C3A2ED724F6069609E89; driver *xaf.sys*, size 9728 bytes, MD5 = 24BFEC28C4FE26E395936D6B2428EB62.

The package contains no installer or uninstaller and is declared as standalone software. The file *license.txt* (1040 bytes, MD5 = 8F7E975BD225269625E4BB4983296469) contains the EULA in Russian. A help file in Russian, *Help.chm*, is also included.

The product has a built-in script interpreter. Scripts are stored in the *Scripts* folder without encryption.

The executable XenAntiSpyware.exe is developed in Delphi; code protection and anti-debugging are not used.

When run:

1. Registry access: key Software\XenAntiSpyware\Options (typical operation of saving settings in the registry)
2. Loading files: ver.dat, Scripts\Menu\*.script (files belonging to the tool)
3. System privileges: requests SeDebugPrivilege for its process (typical for applications that install drivers and operate on running processes)
4. Services and drivers: registers a driver (name XenAntiSpywareFilter, executable file XAF.sys included in the distribution package); *the registration procedure is documented*
5. GUI: displays a GUI containing a set of buttons for operating the tool's various functions. *No operations are performed without the user's command*
6. Clicking the "System analysis" button scans autorun elements and shows items that are not thought to belong to known legitimate software. *The user decides for himself whether the items are dangerous*. The tool supports manual deletion of selected items and/or writing a log file.
7. On exit the tool *unregisters the driver XenAntiSpywareFilter*
8. Extended functionality: the tool can perform some typical operations such as unlocking Task Manager or Registry Editor, restoring Internet Explorer settings, and deleting cookies and other private data. *The operations are performed at the user's command*.

*General expert conclusion: no trojan or spyware functions, no hidden installation or imitation of virus activity; the information about the system state is correct and contains no false data. Freeware. No rootkits. No patching or substitution of system files.*

***

The report disproves the following statements provided by the CounterSpy staff:

"purports to scan and detect malware or other problems on the computer, but attempts to dupe or badger users into purchasing the program by presenting the user with intrusive, deceptive warnings and/or false, misleading scan results... typically uses aggressive, deceptive advertising and may be installed without adequate notice and consent, often through exploits" 

"may make unwanted changes to your system, such as reconfiguring your browser's homepage and search settings. These risks may install advertising-related add-ons, including toolbars and search bars, or insert advertising-related components into the Winsock Layered Service Provider chain. These new add-ons and components may block or redirect your preferred network connections, and can negatively impact your computer's performance and stability... may also collect, transmit, and share potentially sensitive data without adequate notice and consent"  

VirusInfo warns the community about the CounterSpy false positive regarding XenAntiSpyware and is sending an official letter to the CounterSpy staff informing them of the issue. We expect XenAntiSpyware to be removed from the CounterSpy database soon.

VirusInfo and Oleg Zaitsev, 15.12.2007

----------


## ScratchyClaws

As was written in the administration section, I wrote a few letters to that company.
Here they are. I think it's time to show them.

*SunBelt*

Hi:

We will take another look at the program and decide whether or not to continue including it in our detections.

Best,

Eric L. Howes
Sunbelt Software

Hi:

Would you mind explaining what this installer is doing on your server?

http://xen.name/skp_setup.exe

That installer is currently being installed by trojan-droppers and used to trick users into coughing up money to fix obviously bogus threat warnings. In fact, the entire app is nothing more than a scam. What is it doing on your server and what role is your company playing in its distribution?

Eric L. Howes
Sunbelt Software

*I would like to ask you what skp_setup.exe has to do with XAS. Those are two different programs.
Everything my company has to say is written here:
http://virusinfo.info/showthread.php?p=160817*

Hi:

It has everything to do with XenAntiSpyware because it speaks to the reputation of your company and your company's business practices. We are not de-listing XenAntiSpyware until you come up with a complete, honest, and straightforward answer as to what your company was up to with that file.

Eric L. Howes
Sunbelt Software



SunBelt wasn't the only company I was talking with... 

*Tenebril*

Hello,

Thank you for writing in.

I understand that you are mentioning that “XenAntiSpyware” is not adware and that it is similar to HijackThis. Please correct me if I have misunderstood your query.

Please note that “XenAntiSpyware” is a rogue security program which will display fake threat messages to scare the user and to purchase their full version of the software.
We would recommend you not to install this application on your system and if it is installed already without your consent kindly remove this completely from your system.

Please visit the following link to justify the above statement,

http://research.sunbelt-software.com...hreatid=180515

Please feel free to write back to me if you need further assistance.

Looking forward to hearing from you.


Sincerely,

Peter
Technical Support Representative.
Tenebril Inc.
http://www.tenebril.com/support

*Did you test the program yourself? I'm telling you once again: it's free, it doesn't show any scary messages. I used it myself, and my friends who work in famous antivirus companies tested it too. There's no scam at all.
I contacted Sunbelt yesterday; they said that this article you're referring to could be a mistake.
Please check the program yourself (it can be downloaded here: http://xen.name/XenAntiSpywareEn_setup.exe). The English version is a bit outdated, but you won't understand anything in the Russian one.
Also, please provide me with a screenshot that proves your words: "Please note that "XenAntiSpyware" is a rogue security program which will display fake threat messages to scare the user and to purchase their full version of the software."*

*Looking forward to hearing a tough reply.*

Hello,

Thank you for writing in.

Please note that I have escalated this issue to our development team. They will surely look into this issue. Sunbelt and Prevx also added this application to their database.

I would appreciate your patience in this regard.

Looking forward to hearing from you.


Sincerely,

Peter
Technical Support Representative
Tenebril Inc.
http://www.tenebril.com/support

*That was a week ago, no answer since then...*


There was also a little note about the program to the mega-security specialist who found out that XAS is spyware... because it looks like spyware.

My message looked like this:

> I am wondering why you think that a product is a clone of Trust Cleaner? Because they look alike? That's childish! After using some programs Windows XP looks like Windows Vista, but they remain different, right? Same here.
> Did you test the program yourself? Can you provide a screenshot of XenAntiSpyware asking to buy the license? The program is free!!!! If you didn't understand what's written in Russian, why didn't you try the English version? It's a bit outdated, but it is more understandable...


It just didn't pass pre-moderation.

None of the companies answered anything after I requested screenshots that prove their statements.

----------


## Sjoeii

Nice companies.
What strange reactions.

----------

