# SpyCatcher

## Zaitsev Oleg

The test was done at the request of Tra1toR.
Start of the tests: during installation I very much disliked three things:
1. The installation size is 11.6 MB; for an anti-spyware product a size over 3-5 MB is as a rule nonsense.
2. After installation the anti-spy showed the qualities of a spy: it went out to the Internet, checked the connection with a request to filename=test-inet-conn.exe&path=test-inet-conn.exe and then started transmitting some data about the PC being examined, for example:

> POST http://data.tenebril.com/ldb2/registration.php HTTP/1.0
> Content-Type: application/x-www-form-urlencoded
> User-Agent: SCX registration
> Host: data.tenebril.com
> Content-Length: 156
> Pragma: no-cache
> firstName=aa&
> lastName=bbb&
> productFamily=SpyCatcher&
> ...


I entered the name aa, last-name = bbb and email = [email protected], but I don't recall asking for this data to be transmitted during the reboot.
Further on it gets even more interesting: an exchange of the form:

> POST http://proclist.tenebril.com/tools/mplissafe-vt.php HTTP/1.0
> Content-Type: application/x-www-form-urlencoded
> User-Agent: SpyCatcher Signature Check
> Host: proclist.tenebril.com
> Content-Length: 52
> Pragma: no-cache
> filename=smss.exe&path=\SystemRoot\System32\smss.exe
> HTTP/1.0 200 OK
> Date: Tue, 29 Nov 2005 07:01:59 GMT
> Server: Apache/2.0.40 (Red Hat Linux)
> ...


Again the question: I didn't ask for anything to be sent anywhere; this was transmitted on its own during the first reboot. About 5 such POSTs went through, no fewer. After that this exchange continued with enviable regularity. I'll say right away: I strongly dislike programs that send something to someone without asking.
3. The surprises didn't end there: it turned out the product has a UserMode RootKit built in. Why an anti-spyware product needs a rootkit (and such a primitive one at that) is a mystery, but the conflict with the Sony rootkit showed what installing "legitimate" rootkits leads to.
The scanner database contains 89604 signatures. The package consists of a scanner with bundled utilities, a monitor and a scheduler.
Scanning the test collection (the one the other anti-spyware products were run against in the summer): scan speed about 1000 files per minute; here are the misses by category:
| Category | Missed |
|---|---|
| AdvWare | 967 |
| Adware | 2 |
| Backdoor | 433 |
| Constructor | 1 |
| Dialer | 444 |
| Downloader | 1 |
| Email-Flooder | 1 |
| Email-Worm | 31 |
| Exploit | 12 |
| HackTool | 2 |
| Hoax | 1 |
| IM-Worm | 6 |
| Net-Worm | 25 |
| P2P-Worm | 3 |
| Porn-Dialer | 2 |
| Porn-Downloader | 1 |
| PornWare | 0 |
| PSWTool | 1 |
| RiskWare | 3 |
| Spy | 341 |
| Trojan | 208 |
| Trojan-Clicker | 64 |
| Trojan-Downloader | 813 |
| Trojan-Dropper | 85 |
| Trojan-Proxy | 38 |
| Trojan-PSW | 32 |
| Trojan-Spy | 500 |
| Virus | 22 |
| Worm | 3 |
| Total number of files | 4042 |
------------
I.e. out of 4528 it missed 4042, thus catching 486 files, which comes to 10.7%. The misses are spread evenly across the whole collection ...
Given that the same DrWeb CureIt at the moment scores close to 90% on this collection (at a third of the size and with no installation) the conclusion is obvious ....
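As an added example, not code from the thread and not SpyCatcher's or Tenebril's own code, here is a small Python audit script that does what the post above does by hand: it parses captured HTTP POST requests, tolerating the forum-paste layout in which no blank line separates headers from body, and summarises per destination host how many POSTs were seen, which User-Agent they used, and whether the form fields carry registration data or local file names and paths. The captures embedded in it are constructed and modelled on the two requests quoted above; the third capture's file path is made up.

```python
"""Audit captured HTTP POST requests for data a program sends home.

Added example, constructed for this page: not SpyCatcher's code and not
Tenebril's API. The captures below are modelled on the requests quoted in
the thread; the third capture's path is a made-up sample.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Form fields that usually carry the user's identity (registration data).
PII_FIELDS = {"firstname", "lastname", "email"}
# Form fields that usually carry local file names or paths.
FILE_FIELDS = {"filename", "path"}

HEADER_RE = re.compile(r"^([\w-]+):\s*(.*)$")

SAMPLE_CAPTURES = [
    # Modelled on the registration POST quoted in the thread (no blank line
    # before the body, one field per line, as in the forum paste).
    "POST http://data.tenebril.com/ldb2/registration.php HTTP/1.0\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "User-Agent: SCX registration\n"
    "Host: data.tenebril.com\n"
    "Pragma: no-cache\n"
    "firstName=aa&\n"
    "lastName=bbb&\n"
    "productFamily=SpyCatcher&\n",
    # Modelled on the "signature check" POST quoted in the thread.
    "POST http://proclist.tenebril.com/tools/mplissafe-vt.php HTTP/1.0\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "User-Agent: SpyCatcher Signature Check\n"
    "Host: proclist.tenebril.com\n"
    "Pragma: no-cache\n"
    "\n"
    "filename=smss.exe&path=\\SystemRoot\\System32\\smss.exe",
    # A second signature-check POST; the path is a constructed sample.
    "POST http://proclist.tenebril.com/tools/mplissafe-vt.php HTTP/1.0\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "User-Agent: SpyCatcher Signature Check\n"
    "Host: proclist.tenebril.com\n"
    "\n"
    "filename=example.exe&path=C:\\Program Files\\Example\\example.exe",
]


def parse_request(raw):
    """Split one captured request into method, host, path, headers and fields.

    Tolerates a capture with no blank line between headers and body, as in a
    forum paste: the body starts at the first line that is not 'Name: value'.
    """
    lines = raw.strip().splitlines()
    method, url, _version = lines[0].split(None, 2)
    headers, body_lines = {}, []
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if m and not body_lines:
            headers[m.group(1).lower()] = m.group(2).strip()
        else:
            body_lines.append(line.strip())
    # The paste shows one field per line, each ending in '&'; re-join them.
    body = "".join(body_lines)
    fields = {k.lower(): v for k, v in parse_qs(body, keep_blank_values=True).items()}
    parts = urlsplit(url)
    return {"method": method, "host": parts.hostname, "path": parts.path,
            "user_agent": headers.get("user-agent", ""), "fields": fields}


def data_kinds(fields):
    """Name the categories of data found in the posted form fields."""
    names = set(fields)
    kinds = set()
    if names & PII_FIELDS:
        kinds.add("registration data")
    if names & FILE_FIELDS:
        kinds.add("local file names/paths")
    return kinds


def audit(captures):
    """Per destination host: POST count, data kinds, User-Agents, local paths sent."""
    summary = {}
    for raw in captures:
        req = parse_request(raw)
        if req["method"] != "POST":
            continue
        entry = summary.setdefault(req["host"], {
            "posts": 0, "kinds": set(), "user_agents": set(), "paths": set()})
        entry["posts"] += 1
        entry["kinds"] |= data_kinds(req["fields"])
        entry["user_agents"].add(req["user_agent"])
        for key in FILE_FIELDS & set(req["fields"]):
            entry["paths"].update(req["fields"][key])
    return summary


if __name__ == "__main__":
    for host, entry in audit(SAMPLE_CAPTURES).items():
        print(f"{host}: {entry['posts']} POST(s), {sorted(entry['kinds'])}, "
              f"agents={sorted(entry['user_agents'])}")
        for p in sorted(entry["paths"]):
            print("   sent:", p)
```

Run it on the text of a proxy log or a packet capture's reassembled requests, one request per list entry; the per-host summary is what a reviewer needs to decide whether a product's phone-home traffic is the registration data the user typed in or an inventory of the machine's files.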

----------



## orvman

Hmm. I wonder, is the program paid?
If so, are there really people who actually pay for it?
*Zaitsev Oleg*, I have a huge request. If you have time, test Spyware Doctor. I would do it myself, but I don't have a sample collection. There are a lot of flattering reviews of Spyware Doctor going around; they say it catches up to 95%. So I'd like to see it in practice.
http://www.pctools.com/spyware-doctor (~5.5 MB)
Thanks in advance.

----------


## Geser

> they say it catches up to 95%


Very funny :Smiley:

----------


## Tra1toR

I thought so, total crap ))
tonight I'll do my own test of AVZ purely on spyware )

----------


## Tra1toR

orvman SC express is free

----------


## orvman

*Tra1toR* 


> SC express is free


I see.
*Geser* 


> Very funny


http://forum.five.mhost.ru/showthread.php?t=2479



> PC Tools Spyware Doctor (the winner) achieved 94/88/66 (detection/removal/blocking),


And the testing was done not by just anyone, but by PC Pro magazine (http://www.pcpro.co.uk/), though that's Europe.
So I'd like *Oleg* to really test it. Then we'll draw our own conclusions about how it is in reality.
Note that it would be very interesting to see the results.

----------


## Zaitsev Oleg

> *Tra1toR* I see.
> *Geser*
> http://forum.five.mhost.ru/showthread.php?t=2479
> And the testing was done not by just anyone, but by PC Pro magazine (http://www.pcpro.co.uk/), though that's Europe.
> So I'd like *Oleg* to really test it. Then we'll draw our own conclusions about how it is in reality.
> Note that it would be very interesting to see the results.


I ran the tests: it practically can't catch anything ... about 13%. The trouble with all such tests (like the one in PC Pro magazine) is the 50-100 randomly chosen samples ... whereas for a complete picture you need 4-5 thousand ITW.

----------


## Tra1toR

By the way, here is the developers' reply to Oleg's remarks:

> The size of SCX is due to a number of factors, not least of which is our help files, which have lots of screenshots. The product group is aware of the size of our product and helped set a requirement on us for the maximum allowable size.
>
> The information you see transferred is not information about the user's PC. It's the registration information that the user entered. I think the user would expect that we'll send ourselves the registration information that we asked him to provide.
>
> The second post you see there is a suspicious file check. As SpyCatcher scans the user's machine, it does more than just compare the files against fingerprints. It applies a set of heuristics to determine whether files for which we have no fingerprints are possibly "suspicious". If it determines that it may have found a suspicious file, SpyCatcher sends some information about the file to a service we run that checks the file against a whitelist and applies another level of heuristics.
>
> Finally, with regard to SC being a rootkit: SC uses some techniques that are used by rootkits. This isn't surprising, given the purpose of and capabilities of SC. This is a risk that has to be managed, and the business group is aware of it. It's different from the Sony incident because the rootkit-ness of SpyCatcher is integral to its function. No one would be surprised (well, maybe not no one) that an anti-spyware or anti-virus tool uses rootkit techniques. However, everyone was surprised that putting an audio CD into your CD-ROM drive installed a rootkit.

----------


## Tra1toR

By the way, regarding tests, I'm inclined to think that they really need to be done on installed adware, specifically on how it gets removed, and not just against the database, because for example the same SC, if you run many viruses, will detect them as a suspicious file. That is, you need to run:
1. a scan against the database, as Oleg did;
2. a scan of an already infected machine;
3. running the malware to check the monitor.
That is, to test objectively you need several parameters. I propose we come up with a test together and test the most popular adware.

----------

