Показано с 1 по 3 из 3.

VirusInfo warns about false positive in CounterSpy spyware database

  1. #1
    Junior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    06.09.2006
    Сообщений
    5,658
    Вес репутации
    1840

    VirusInfo warns about false positive in CounterSpy spyware database

    VirusInfo, known Russian security portal, member of Alliance of Security Analysis Professionals, warns about false positive in CounterSpy database of rogue antispyware solutions

    It has come to our attention that an antispyware solution XenAntiSpyware, supported by Russian developer known as Xen, has been included to the database of CounterSpy as a rogue antispyware product.

    http://research.sunbelt-software.com...hreatid=180515

    The author of the tool informed us that some users of his product tried to contact CounterSpy staff, providing certain proofs of false positive, but since 06 December, 2007 CounterSpy developers have been reluctant to remove the detection. At the moment XenAntiSpyware is still considered as an Elevated level threat.

    Respectively the developer of XenAntiSpyware has applied for our investigation of the issue. VirusInfo experts have analysed the product and came to conclusion that in this case false positive is obvious. The results of analysis performed by security expert Oleg Zaitsev may be found below.

    ***

    Distribution package: xas_4.4.2_light.zip, ZIP container, size 945258 bytes, MD5 = 350635A0FCA187F433D01C69762B2EB4. Contains folder XAS_4.4.2_Light, number of files in the folder and its subfolders - 17.
    Executable files: XenAntiSpyware.exe, size 1450496 bytes, MD5 = CF9848270938C3A2ED724F6069609E89; driver xaf.sys, size 9728 bytes, MD5 = 24BFEC28C4FE26E395936D6B2428EB62.
    Does not contain installer and uninstaller, declared as standalone software. File license.txt (1040 bytes, 8F7E975BD225269625E4BB4983296469) contains EULA in Russian language. Help file in Russian language Help.chm is also included.
    The product implies built-in script interpreter. Scripts are saved in Scripts folder with no encryption.
    Executable file XenAntiSpyware.exe developed in Delphi, code protection and anti-debugging are not used.
    In case of running:
    1. Registry access: key Software\XenAntiSpyware\Options (typical operation of saving settings in the registry)
    2. Loading files: ver.dat, Scripts\Menu\*.script (files belonging to the tool)
    3. System privileges: queries SeDebugPrivilege for its process (typical for applications that install drivers and perform operations with running processes)
    4. Services and drivers: registers driver (name XenAntiSpywareFilter, executable file XAF.sys included to distribution package), registration procedure is documented
    5. GUI: displays GUI containing set of buttons for operating different functions of the tool. No operations are performed without user's command
    6. Clicking button "System analysis" results in scanning autoruns elements and showing items that are thought to not belong to known legitimate software. User should decide himself whether the items are dangerous. Tool supports manual deletion of selected items and/or making a logfile.
    7. After exit the tool cancels registration of driver XenAntiSpywareFilter
    8. Extended functionality: the tool can perform some typical operations such as unlocking Task Manager or Registry Editor, restoring Internet Explorer settings, deleting cookies and other private data. The operations are performed by user's command.
    General expert conclusion: no trojanware or spyware functions, no hidden install or imitation of virus activity, the information about system state is correct and does not contain false data. Freeware. No rootkits. No patching or substitution of system files.

    ***

    The report disproves the following statements that are provided by CounterSpy staff:

    "purports to scan and detect malware or other problems on the computer, but attempts to dupe or badger users into purchasing the program by presenting the user with intrusive, deceptive warnings and/or false, misleading scan results... typically uses aggressive, deceptive advertising and may be installed without adequate notice and consent, often through exploits"

    "may make unwanted changes to your system, such as reconfiguring your browser's homepage and search settings. These risks may install advertising-related add-ons, including toolbars and search bars, or insert advertising-related components into the Winsock Layered Service Provider chain. These new add-ons and components may block or redirect your preferred network connections, and can negatively impact your computer's performance and stability... may also collect, transmit, and share potentially sensitive data without adequate notice and consent"

    VirusInfo warns the community about the false positive of CounterSpy regarding XenAntiSpyware and sends an official address for CounterSpy staff, informing them about the issue. We expect XenAntiSpyware to be soon removed from CounterSpy database.

    VirusInfo and Oleg Zaitsev, 15.12.2007
    [I]Nick Golovko
    NCFU lecturer, information security specialist[/I]

  2. #2
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    28.06.2005
    Адрес
    Darkness of Moscow
    Сообщений
    2,754
    Вес репутации
    1749
    As it was written in administration's section I wrote a few letters to that company.
    Here it is. I think it's time to show it up.


    SunBelt

    Hi:

    We will take another look at the program and decide whether or not to continue including it in our detections.

    Best,

    Eric L. Howes
    Sunbelt Software

    Hi:

    Would you mind explaining what this installer is doing on your server?

    http://xen.name/skp_setup.exe

    That installer is currently being installed by trojan-droppers and used to trick users into coughing up money to fix obviously bogus threat warnings. In fact, the entire app is nothing more than a scam. What is it doing on your server and what role is your company playing in its distribution?

    Eric L. Howes
    Sunbelt Software

    ..
    I would mind asking you what skp_setup.exe has to do with XAS. Thosa are two different programs.
    everything my company has to say is written here
    http://virusinfo.info/showthread.php?p=160817

    Hi:

    It has everything to do with XenAntiSpyware because it speaks to the reputation of your company and your company's business practices. We are not de-listing XenAtniSpyware until you come up with a complete, honest, and straightforward answer as to what your company was up to with that file.

    Eric L. Howes
    Sunbelt Software



    SunBelt wasn't the only company I was talking with...

    Tenebril

    Hello,

    Thank you for writing in.

    I understand that you are mentioning “XenAntiSpyware” is not an Adware and it is similar to Hijack This. Please correct me if I have misunderstood your query.

    Please note that “XenAntiSpyware” is a rogue security program which will display fake threat messages to scare the user and to purchase their full version of the software.
    We would recommend you not to install this application on your system and if it is installed already without your consent kindly remove this completely from your system.

    Please visit the following link to justify the above statement,

    http://research.sunbelt-software.com...hreatid=180515

    Please feel free to write back to me if you need further assistance.

    Looking forward to hearing from you.


    Sincerely,

    Peter
    Technical Support Representative.
    Tenebril Inc.
    http://www.tenebril.com/support
    [email protected]

    Did you test the program yourself? I'm telling you once again it's free it doesn' show any scary messages. I used it myself and my friends who work in famous antivirus companies tested it too. There's no scam at all.
    I contacted Sunbelt yesterday they said that this article you're refferring too could be a mistake.
    Please check the programm yourself (it can be downloaded here http://xen.name/XenAntiSpywareEn_setup.exe) English version is a bit outdated but you won't understand anything in Russian one.
    Also please provide me a screenshot which proves your words - *Please note that "XenAntiSpyware" is a rogue security program which will display fake threat messages to scare the user and to purchase their full version of the software.*

    Looking forward to hear a tough reply.


    Hello,

    Thank you for writing in.

    Please note that I have escalated this issue to our development team. They will surely look into this issue. Sunbelt and Prevx also added this application to their database.

    I would appreciate your patience in this regard.

    Looking forward to hearing from you.


    Sincerely,

    Peter
    Technical Support Representative
    Tenebril Inc.
    http://www.tenebril.com/support
    [email protected]

    that was a week ago, no answers since then...


    There was also a little note about the programm to the mega-security specialist who found out that XAS is a spyware... because it looks like spyware

    my message looked like this


    I am wondering why you think that a product is a clone of Trust Cleaner? Because they look alike? That's childish! after using some programs windows XP looks like Windows Vista, but they remain different right? Same here.
    Did you test the program yourself? Can you provide of screenshot of XenAntiSpayware asking to buy the license? The program is free!!!! If you didn't understand what's written in Russian, why didn't you try English version? It's a bit outdated, but it is more understandable...
    it just didn't pass the pre-moderation.

    None of the companys answered anything after I requested screenshots that prove their statements.
    Последний раз редактировалось ScratchyClaws; 19.12.2007 в 12:05. Причина: Добавлено
    At this very moment, your eternal soul may be less than twenty miles from the burning fires of hell. If you go to hell, be sure - you'll be there forever... (c, Primal Fear, Devil's ground)

  3. #3
    External Specialist Репутация Репутация Репутация Репутация Аватар для Sjoeii
    Регистрация
    27.11.2007
    Сообщений
    149
    Вес репутации
    65
    Nice companies.
    What a strange reactions
    Just a security fanatic

Похожие темы

  1. true or false?I do not know what to think........
    От andreea в разделе Malware Removal Service
    Ответов: 0
    Последнее сообщение: 10.07.2010, 14:52
  2. Firewall: False хорошо это или плохо?
    От versed в разделе Межсетевые экраны (firewall)
    Ответов: 0
    Последнее сообщение: 11.08.2009, 22:57
  3. Анализ CounterSpy, производитель Sunbelt Software
    От Geser в разделе Тестирование
    Ответов: 7
    Последнее сообщение: 15.02.2008, 13:43
  4. False-Positive ?!
    От Rene-gad в разделе Ложные срабатывания
    Ответов: 1
    Последнее сообщение: 01.03.2007, 11:40
  5. False Positive или нет?
    От CKYHC в разделе Помогите!
    Ответов: 3
    Последнее сообщение: 25.10.2006, 16:04

Свернуть/Развернуть Ваши права в разделе

  • Вы не можете создавать новые темы
  • Вы не можете отвечать в темах
  • Вы не можете прикреплять вложения
  • Вы не можете редактировать свои сообщения
  •  
Page generated in 0.00835 seconds with 19 queries