Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Too far?

Forum: Anti-Spyware and Security Software Discussion
mikey
Malware Expert
Joined: 12 Feb 2004
Last Visit: 01 Sep 2010
Posts: 1031
Location: CenTex

PostPosted: Thu Jan 27, 2005 6:44 am    Post subject: Too far?

Are the anti-malwares going too far?

Examples:

Giant/MAS targets VNC, WinPcap, etc.

Spybot targets some of the Nirsoft admin tools I use and classifies them as 'malware'.

These are actually common, legitimate-use wares. Any 'malicious' use of them would generally be readily apparent to even the novice. I find it even more puzzling as there are literally hundreds of other tools around that are much more easily abused.

Is this a trend?

Is it a good one?
_________________
-
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE

Spyware/Adware is NOT freeware, it costs all of us dearly.

Mikey's Stuff

Fiddler and friends...essential web diagnostic, forensic, & development tools.
-
paperghost
Site Admin
Joined: 28 Aug 2004
Last Visit: 25 Jun 2010
Posts: 2351
Location: On a ROFLcopter

PostPosted: Thu Jan 27, 2005 7:34 am

I've seen WinPcap flagged by quite a few apps in the past - and wasn't MAS flagging IE itself as a rogue element some days ago?

I'd say that last one was more due to bugs than being over the top though!

I think as more malware builds on (and looks more similar to) legit apps that are already out there, definition files are going to have a hell of a time differentiating between the two. As we can see, it's already starting to happen.

Many scanner apps are twitchy around things like VNC already, and I can only see things getting worse.
Hat
Junior Member
Joined: 27 Dec 2004
Last Visit: 21 Mar 2005
Posts: 37

PostPosted: Thu Jan 27, 2005 1:28 pm

I'd say it's erring on the side of caution. I'd rather the scanner give me a couple of false positives and have potentially more actual hits (through heuristics and whatnot) than have a dumbed-down scan which returns fewer false positives but potentially fewer hits as well. Nevertheless, you can always tell the scanner to ignore those certain false positives, so I don't think it's too big of a problem if you actually check and see what you're deleting before you remove it. The only real problem with false positives as I see it is inexperienced/novice users who just assume that everything that shows up in the scan is bad.
Scaramouche
Malware Expert
Joined: 06 Jul 2004
Last Visit: 03 May 2006
Posts: 142
Location: Manila, Philippines

PostPosted: Fri Jan 28, 2005 2:29 am

The problem is that often these programs are innocent but there are situations where they aren't. WinPcap is used in certain trojans and commercial keylogger software. WinVNC is an incredibly useful app but only if you know it's installed (otherwise it's probably useful for someone else).

The way we're doing it currently is placing things like WinPcap on a 'suspect' list which is explained as "this software isn't in itself bad but if it was installed without your knowledge it could represent a risk."
_________________
---
My comments represent my own opinions and research.
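The two posts above describe a scanner design rather than just an opinion: Hat's point that false positives are tolerable only if the user can check and ignore them, and Scaramouche's 'suspect' tier for dual-use tools that carries an explanation instead of a 'malware' label. The following is an added example written for this thread, not code from any scanner vendor or forum member; the signature database, the installed-program inventory and the `ExampleAdware` entry are constructed, and WinPcap and WinVNC appear only as the thread's own examples of legitimate software.

```python
"""Three-tier scan verdicts: 'malware', 'suspect' (dual-use) and 'clean'.

Added example for the thread above; not code from any scanner vendor.
The signature database and inventory are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

MALWARE = "malware"
SUSPECT = "suspect"
CLEAN = "clean"

# Wording used for every 'suspect' finding, as quoted in the thread.
SUSPECT_EXPLANATION = (
    "This software isn't in itself bad, but if it was installed without "
    "your knowledge it could represent a risk."
)


@dataclass(frozen=True)
class Signature:
    name: str
    tier: str    # MALWARE or SUSPECT
    reason: str  # what the user is shown; never left empty


# Constructed database. Dual-use admin tools go on the suspect list with an
# explanation instead of being lumped in with adware.
SIGNATURES: Dict[str, Signature] = {
    "winpcap": Signature("WinPcap", SUSPECT,
                         "Packet capture driver; also bundled by some trojans "
                         "and commercial keyloggers."),
    "winvnc": Signature("WinVNC", SUSPECT,
                        "Remote desktop server; fine if you installed it, "
                        "otherwise someone else may be using it."),
    "exampleadware": Signature("ExampleAdware", MALWARE,
                               "Constructed adware entry: injects "
                               "advertisements into the browser."),
}


@dataclass(frozen=True)
class Finding:
    program: str
    tier: str
    reason: str
    ignored: bool = False    # user put it on their ignore list
    removable: bool = False  # scanner may offer automatic removal


def classify(program: str, ignore_list: Iterable[str]) -> Finding:
    """Map one installed program name to a verdict with an explanation."""
    sig = SIGNATURES.get(program.lower())
    if sig is None:
        return Finding(program, CLEAN, "No signature matched.")
    ignored = sig.name.lower() in {x.lower() for x in ignore_list}
    if sig.tier == SUSPECT:
        # Suspect items are reported, explained, and never auto-removed:
        # only the user knows whether they installed the tool.
        reason = f"{SUSPECT_EXPLANATION} {sig.reason}"
        return Finding(sig.name, SUSPECT, reason, ignored=ignored, removable=False)
    return Finding(sig.name, MALWARE, sig.reason, ignored=ignored, removable=not ignored)


def scan(inventory: Iterable[str], ignore_list: Iterable[str] = ()) -> List[Finding]:
    """Classify every program in a (constructed) installed-software inventory."""
    ignore = list(ignore_list)
    return [classify(p, ignore) for p in inventory]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per tier, leaving out anything the user chose to ignore.

    Keeping 'suspect' separate from 'malware' stops dual-use tools from
    inflating the headline malware count.
    """
    counts = {MALWARE: 0, SUSPECT: 0, CLEAN: 0}
    for f in findings:
        if not f.ignored:
            counts[f.tier] += 1
    return counts


if __name__ == "__main__":
    results = scan(["WinPcap", "winvnc", "ExampleAdware", "notepad"],
                   ignore_list=["WinVNC"])
    for f in results:
        flag = " (ignored)" if f.ignored else ""
        print(f"{f.program:15} {f.tier:8}{flag}: {f.reason}")
    print(summarize(results))
```

The design choice worth noting is that a 'suspect' finding is never marked removable: the scanner reports it with the explanation and leaves the decision to the user, which is exactly the forewarning a novice needs before deleting a tool their technician installed.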
paperghost
Site Admin
PostPosted: Fri Jan 28, 2005 2:38 am

Scaramouche wrote:
The way we're doing it currently is placing things like WinpCap on a 'suspect' list which is explained as "this software isn't in itself bad but if it was installed without your knowledge it could represent a risk."

A good way of doing it :)
mikey
Malware Expert
PostPosted: Sun Jan 30, 2005 8:24 am

I keep getting these ethical pains in the back of my neck.

These outfits have all been historically beneficial to the IT and Sec communities. So now we want to throw the 'malware' stigma on those honest, legit brothers in the cause of a better web?

As I look through the directory at all the tools I use regularly, I find it hard to find any that can't be modified or used straight up in a malicious way. I even have tools developed by MS themselves that can very easily be abused. Shall we target all the hundreds or thousands of products that could 'POSSIBLY' be abused?

I know of many other home-grown protocol stacks besides WinPcap. I don't see them targeted. I've got dozens of admin tools onboard right now that aren't targeted...most of which are much more susceptible to abuse (remote access).

Seems to me that it would make more sense for the anti-malwares to spend more resources developing definitions for all the REAL malwares that are as yet still undetected instead of maligning honest participants in making the web better.

BTW, if I were Nirsoft, I'd already be looking for legal remedies.
paperghost
Site Admin
PostPosted: Sun Jan 30, 2005 9:11 am

Problem is, nearly all apps out there will throw out stacks of false positives - so, faced with the choice of a total novice either deleting something essential or at least being forewarned in some fashion that the app flagged may not be dangerous but they should maybe pop over and see what all the fuss is about, the latter is really the option we can go with until a solution is found.

After all, how many removal tools have left you screaming blue murder because they flagged something innocent but didn't even bother to mention that the app involved could be innocent?
mikey
Malware Expert
PostPosted: Sun Jan 30, 2005 9:26 am

I've tried to look at this from every angle but still come up with the same thing. It would be one thing to make a massive effort to detect all 'possible' threats, but what I see here smacks of pure prejudice toward a very select group of entities.

Besides, like I said, the anti-malwares seem to have their hands full just trying (failing) to keep up with REAL malwares.

It just doesn't smell right to me.
Scaramouche
Malware Expert
PostPosted: Sun Jan 30, 2005 8:10 pm

I agree that it's not just to smear an innocent application with the same brush (or at least somewhere near the same brush in our case). The problem is that the anti-spyware community isn't aware of an exploit using these applications until one occurs. You say there are several stack implementations that could be abused which aren't targeted. The problem is they likely won't be until they are abused.

Unfortunately this seems to be a combination chicken-and-egg problem mixed with plain pragmatism.
mikey
Malware Expert
PostPosted: Wed Feb 02, 2005 9:15 pm

Well, if this does become a trend, especially with what I perceive as borderline slanderous targets, then I foresee a day when techs will need to be extra cautious about removing any used yet inert diagnostics from clients' machines after service, so that the tech won't hear the client say "You infected my sys."

...and who knows what BrandX scanner is going to target next, because no one now works from any set criteria/classification/standard.
fcukdat
Warrior Addict
Joined: 01 Jan 2005
Last Visit: 08 Apr 2009
Posts: 758
Location: Yeovil, England.

PostPosted: Sat Feb 05, 2005 2:09 pm

:shock: can't get much closer to home than this :?

fao Scaramouche
Ad-Aware SE (Personal) doesn't like your 2005 software
:axe:
Scaramouche
Malware Expert
PostPosted: Sun Feb 06, 2005 9:26 pm

fcukdat wrote:
:shock: can't get much closer to home than this :?

fao Scaramouche
Ad-Aware SE (Personal) doesn't like your 2005 software
:axe:

Yeah, they didn't like the 2004 software either. They persist in listing us as a potential browser hijack without explaining why. I've posted a request to have the status re-examined on their forums which has sat ignored for four months now. I've actually emailed their publicly listed contact addresses with a request to stop doing it, and if not, an explanation of why they are doing it, and I haven't received a response (again for about 4 months). There is no info in their TAC or anywhere on their site explaining how they classify a 'possible browser hijack attempt'.

If they gave us some direction or indication of WHY they're doing this I'd be happy to at least try to change it, but they aren't. It appears that this classification is awarded somewhat arbitrarily. If you change the value of the URL in the 'possible hijack' registry entry to anything else (e.g. http://www.lavasoft.de) it will still be detected as a possible browser hijack.

This classification has cost us listings on various shareware sites, who refuse to list our product because Ad-Aware classifies it as such. It has impacted our rating on various download/review sites because people say "I installed this and then scanned with Ad-Aware and it says it's spyware", which affects our reputation and name. It creates work for us by clogging our customer support channel with people who want to know if our product is legit after scanning with Ad-Aware.

So yeah, I wish they would stop :)
fcukdat
Warrior Addict
PostPosted: Mon Feb 07, 2005 6:04 am

fao Scaramouche

http://www.lavasoftsupport.com/index.php?showtopic=58421&st=0&

may offer some insight.
mikey
Malware Expert
PostPosted: Mon Feb 07, 2005 8:10 am

fcukdat wrote:
fao Scaramouche

http://www.lavasoftsupport.com/index.php?showtopic=58421&st=0&

may offer some insight.

It's not really the LS way to give straight answers. This seems to be only one of many probs they have now with their targeting criteria. I know they have been aware of these items for a long time. They REFUSE to target known parasites like DAP & Hotbar yet supply no legitimacy for other targets. Yes, I'd say this fits right into the topic at hand. :)
Scaramouche
Malware Expert
PostPosted: Mon Feb 07, 2005 6:15 pm

mikey wrote:
fcukdat wrote:
fao Scaramouche

http://www.lavasoftsupport.com/index.php?showtopic=58421&st=0&

may offer some insight.


It's not really the LS way to give straight answers. This seems to be only one of many probs they have now with their targeting criteria. I know they have been aware of these items for a long time. They REFUSE to target known parasites like DAP & Hotbar yet supply no legitimacy for other targets. Yes, I'd say this fits right into the topic at hand. :)


That's sort of my problem with them. I really do like the product and I think it's effective and helpful for people who need the help, and I have no problem with that. But it seems there's no accountability for the decisions they do make, nor is there any justification. When something like DAP or Hotbar happens it just happens, with no explanation until someone figures out what's happening and posts a topic. Then there's some discussion which is invariably closed by the moderators of the forum, and there's still no announcement, so if you were one of the lucky ones who read the various postings before they were closed you're in the know, but you're out of luck otherwise.

I think if they want to succeed in the retail channel Lavasoft is going to have to be a lot more transparent in their decisions. The impression I get (rightly or wrongly) now is that they're very high-handed and don't feel that they have to justify anything to anybody. I know for us, if someone comes to us with an issue like this we resolve it post-haste, simply because we know how damaging it can be to be misclassified, and also just because we take pride in the accuracy of our database. If someone is to be kept within our detection criteria they are told why, not just ignored for four months.

fcukdat -

Thanks for posting that. I've done similar things but they just sank without a trace (maybe because I put that I work for the company in my sig). There's never been a BHO/adware in our product; we were actually originally on Eric's list because of a horrible, horrible mistake in our freescan application where a placeholder screen made it into the final UI (it would say x number of spyware detected regardless of what was actually detected). There were also some false positives in our 'lite' application that the people at Spyware Warrior helped me stamp out.

I don't disagree with Eric for putting us on the list, since he was direct and detailed about why we were on it and when we fixed things he took us off. Being on the list actually improved our product in that respect. The only way someone could have an 'old' client is if they downloaded it a long time ago and then never, ever, never updated their definitions. I guess it's theoretically possible but pretty unlikely.

I agree with what you posted about classifying it first as 'critical' and then saying it's not so bad by slapping 'possible' on it. I also think that simply saying "oh well, put it on the ignore list then" isn't an effective strategy, since the user has no way of knowing what's good or not unless they happen to have read that exact forum thread, which is a pretty low probability. I'll try and post in there a bit later after some meetings.
mikey
Malware Expert
PostPosted: Tue Feb 08, 2005 7:27 am

Well, something seems to have stirred up some FUD around here. Hello KellyC. :)

BTW, I've been in contact with the Nirsoft dev. I don't know if he will or not, but I encouraged him to participate here. If he does, I'm pretty certain a case can be made for appeal. I wonder if there will be any KellyCs from the other camps too.

It's unfortunate and sad to see when folks hide from issues rather than work out a solution. Barbaric is a word I find appropriate...too bad it applies to most.
fcukdat
Warrior Addict
PostPosted: Tue Feb 08, 2005 11:46 am

fao mikey,

:idea: I don't think I'll get a straight answer from Lavasoft as to whether they are or are not false positives (imo possibly because of legalities etc).

What is puzzling me is the difference of opinion between them and Eric L Howes.

As far as I am aware/concerned, Eric has become a widely trusted independent benchmark in this industry. I think everyone reading this post would agree with that.

Lavasoft are fully aware of Eric's delisting of ZeroSpyware yet they still target it. If Lavasoft know something that has slipped past Eric, why do they not draw his attention to it and allow him to review/update his input?
:?

I'm not trying to say that Lavasoft are acting unethically. To me their resignation from COAST clearly establishes them to be a trustable company and displays where their priorities/ethics are as an anti-spyware company. Their program is up there with the leading pack in this field. I would have no qualms about recommending this programme to anybody.
mikey
Malware Expert
PostPosted: Wed Feb 09, 2005 6:53 am

This situation where anti-malwares use bogus targets forces another question to mind:

Do you suppose it's possible that even these 'legit' vendors are just trying to bolster the perception of doing more than BrandX? I see novice users all the time saying that one tool is better because it found X number of items that the other brand missed. In so many cases, all they really accomplished was to remove/disable something legit.
Scaramouche
Malware Expert
PostPosted: Wed Feb 09, 2005 6:58 pm

I don't know if it's deliberate, since you probably couldn't get consistent numbers out of the detections that way; it would only work if those apps were actually present (assuming you're talking about your original posting instead of Lavasoft/ZeroSpyware). There is a related way, though, that some apps increase their counts: by detecting carriers as spyware. If you dive into the results you'll see that they're given a low priority (by some apps), but the carrier files themselves are detected as spyware in the initial results count presented to the user. Depending on the carrier(s) this could be as much as 100-1000 extra 'hits' that A) aren't spyware, B) the user usually isn't interested in removing, and C) usually have their own relatively clean uninstallation routines anyway.
mikey
Malware Expert
PostPosted: Wed Mar 02, 2005 4:57 am

Hey Scaramouche, I'm looking for a ref as to when your product being falsely targeted was first reported to LS. I know it was many months ago but do you have a more definitive date?
Scaramouche
Malware Expert
PostPosted: Wed Mar 02, 2005 8:23 pm

Mikey -

I'm not 100% sure when they started classifying, though reports started trickling in from our customers around August of 2004. I made a posting on November 9, 2004 here: http://www.lavasoftsupport.com/index.php?showtopic=51429&hl= , got a generic 'our R&D people are looking into it' response and then re-requested on November 30, 2004. Around that time I also sent an email to their general contact saying basically the same thing.

For those keeping track, that means it's been about 4 months since I made my original request. (dramatic tone) 4 months of customer returns because 'Ad-Aware says you're a hijacker', 4 months of being refused listing on certain major download sites, 4 months of bad online reviews because 'ZeroSpyware installs spyware'.

Lavasoft has not specified what exactly we have done wrong, they have not responded to our attempts to contact them to find out what we've done wrong, they have not published any criteria whatsoever for being a "possible browser hijack attempt" and do not include that information in their TAC, despite giving that detection a TAC rating of 3 (without explaining how this was derived). The link found within the application to explain what a Possible Browser Hijack Attempt is results in "There was no match found for this search". TAC searches for ZeroSpyware, ZeroSpyware Lite, ZeroSpyware 2005, and FBM Software all return similar non-results.

Sorry for the rant when all you wanted was the date, but I'd kind of put it in the back of my mind and hadn't fully re-assessed how damaging and wrong-headed this classification has been.
mikey
Malware Expert
PostPosted: Thu Mar 03, 2005 5:26 am

I seem to have rubbed salt into the wound. Sorry, but I completely understand the stigma...hence my original topic. I'm glad to see you voice the feelings though. Perhaps folks will take notice of the damage caused.

Thx for the ref.
webwatcher
Newbie
Joined: 26 Mar 2005
Last Visit: 03 Apr 2005
Posts: 4

PostPosted: Sat Mar 26, 2005 3:47 am

I'll take it a step further.

I agree that the anti-spyware companies have a responsibility for integrity when it comes to what they identify, and how they identify it. This issue is becoming bigger every day as spyware vendors are trying to blur the lines on the definitions to remove themselves from lists.

There has also been a strong tendency in this industry to rely on counts as a measure of an application's value. Many of the anti-spyware applications, including the favorites, have happily identified empty folders as spyware components in big red letters.

A big part of the problem is the current lack of standards in the industry and, prepare yourself for a hugely controversial topic, the biased endorsement of freeware applications in this space.

Let's face it, Spybot and Ad-Aware are not that good. Yep, you heard me right. There are several reports from tests performed by PC Magazine, PC World and About.com that indicate that both these products catch half to two-thirds of the spyware of some of the top (non-free, except for MSAS) applications in this category. Also both products have been known to have several published false positives, and little in the way of support or a vendor dispute cycle.

I used to use Ad-Aware also; when it first came out, it was the best and only tool of its type. Kudos. But times change. The product isn't up to snuff, and the company isn't up to snuff as evidenced by the problems they have had dealing with these issues. Computer security has a value. I like free stuff as much as the next guy. IF IT WORKS. But there is an overemphasis on the free factor in these forums. I see post after post where people will say "use this because it's free". Shouldn't it be "use this because it works just as well AND it's free"? What are we really after here, fixing and protecting our systems or saving a few dollars?

As far as Eric Howes' tests and ratings go, it was a nice start and an applaudable effort in the early days. But the ratings and criteria are not up to snuff. The criteria for trusted applications and for rogue spyware are not rigorous. Why is it that Ad-Aware, with several known false positives, including recently Aluria, Spybot, and ZeroSpyware, is a trusted application? Then ZeroSpyware was once listed as rogue because of some false positives in their freescan product, which did not remove anything. My point is not to defend one or the other. This is simply not an objective criterion.

Objective criteria do exist in the virus world. Here is how they look:

This is the standard to pass the Checkmark certification:
For a product to be certified to Trojan Checkmark, Level One, the product must be able to detect all trojans in the West Coast Labs trojan test suite. The product should not cause any false alarms (based on testing against the West Coast Labs false alarm test suite).

Here is one from ICSA Labs:
Detect 100% of viruses listed on the current In The Wild List.
Detect 100% of viruses listed in the ICSA Labs Common Infectors Test Suite.
Detect 100% of the ICSA Labs Polymorphic Test Suite.
Detect 90% of the ICSA Labs Virus Collection.
Products achieving ICSA Labs certification will not cause any false alarms. The False Alarm tests will be conducted against the ICSA Labs False Positive Test Suite.

According to these standards Ad-Aware and Spybot WOULD NOT PASS.

Why is there any debate about whether or not ZeroSpyware is a false positive? It's obviously false. First of all, no one even knows what a potential browser hijacker is, and Lavasoft doesn't bother to explain it. As Scaramouche pointed out, you can change the links and it still comes up detected. And this is a commercial product that is sold in major retail stores, by Gateway tech support, and backed by live 24/7 support. Why would they hijack your browser? Also no other anti-spyware detects them as spyware. This is a false alarm any way you look at it. Apply this simple test at home. And certainly not the first from a company that is listed here as a trusted anti-spyware. Trusted? Not according to the CastleCops vote, where over 64% of the users polled don't trust it. Install the application. Does it hijack your browser? No. Does it include any mechanism in the registry areas that are associated with browser hijacking (this isn't hard to spot; you can't hijack IE through mystical means, there is a software connection that must be made)? No. 4 months with no answer and no forum to address this issue. Absolutely inexcusable.

As far as applications which could be used for malicious intent: way too broad to include as spyware. These should be identified clearly as potential vulnerabilities. The very essence of anti-spyware is to deal with complex security issues (far more complex than viruses). If an anti-spyware application doesn't provide clear, fair descriptions of what it finds, then it does not properly serve its purpose. I think that all of the anti-spyware applications are going to have to slowly re-align here as current market expectations are encouraging them to find as much as possible.

From our tests, ZeroSpyware, Microsoft (and Sunbelt.. same code), and Spysweeper generally come closest to passing the criteria I outlined above. That's pretty much it. Even here there needs to be more scrutiny about false positives and false alarms, as given stringent criteria some of these applications would fail as well.

As part of the security community we can help change things by enforcing rigid standards. Do not tolerate false alarms. Do not tolerate fuzzy definitions of spyware or malware, and expect the closest possible to 100% removal from your applications. Further, we should ask which applications do the best job of remediating spyware issues? Which have the most features included and presented in the easiest manner? What support do they have for zero-day spyware? How clear and thorough are their definitions of spyware and other categories?

Whether an application is free is not and should not be a factor.
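The certification criteria quoted in the post above are concrete enough to be scored mechanically: a per-suite minimum detection rate plus a hard zero-false-alarm rule. The following is an added example written for this thread, not code from the forum, from West Coast Labs or from ICSA Labs; the suite names and percentages follow the quoted ICSA criteria, while every sample identifier, the clean-file suite and the three scanner result sets are constructed here for illustration.

```python
"""Certification-style scoring of a scanner against labelled test suites.

Added example for the thread above; not code from any lab or vendor.
Thresholds follow the ICSA criteria quoted in the post; all sample ids,
the clean suite and the scanner verdicts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Minimum detection per suite, in whole percent, as quoted in the post.
THRESHOLDS: Dict[str, int] = {
    "in_the_wild": 100,
    "common_infectors": 100,
    "polymorphic": 100,
    "collection": 90,
}

# Constructed test suites: each value is the set of sample ids in that suite.
SUITES: Dict[str, Set[str]] = {
    "in_the_wild": {"itw-01", "itw-02", "itw-03"},
    "common_infectors": {"ci-01", "ci-02"},
    "polymorphic": {"poly-01", "poly-02"},
    "collection": {f"col-{i:02d}" for i in range(1, 11)},
}

# Constructed false-alarm suite: known-clean files the scanner must not flag.
CLEAN_SUITE: Set[str] = {
    "clean-01-notepad",
    "clean-02-winpcap-installer",
    "clean-03-vnc-server",
}

# Three constructed scanner runs, each the set of sample ids the scanner flagged.
ALL_BAD: Set[str] = set().union(*SUITES.values())
GOOD_SCANNER: Set[str] = ALL_BAD - {"col-10"}                     # 9/10 on collection
TWITCHY_SCANNER: Set[str] = GOOD_SCANNER | {"clean-02-winpcap-installer",
                                            "clean-03-vnc-server"}  # flags admin tools
MISSES_ITW: Set[str] = GOOD_SCANNER - {"itw-03"}                  # misses one ITW sample


@dataclass(frozen=True)
class SuiteResult:
    suite: str
    detected: int
    total: int
    required_pct: int

    @property
    def passed(self) -> bool:
        # Integer arithmetic so 9/10 against a 90% bar is an exact comparison.
        return self.detected * 100 >= self.required_pct * self.total


def score_suites(suites: Dict[str, Set[str]], flagged: Set[str]) -> List[SuiteResult]:
    """Detection count per suite: how many suite samples the scanner flagged."""
    return [SuiteResult(name, len(samples & flagged), len(samples), THRESHOLDS[name])
            for name, samples in suites.items()]


def false_alarms(clean_suite: Set[str], flagged: Set[str]) -> Set[str]:
    """Clean files the scanner flagged anyway."""
    return clean_suite & flagged


def certify(suites: Dict[str, Set[str]], clean_suite: Set[str],
            flagged: Set[str]) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). Any false alarm fails the product outright."""
    reasons: List[str] = []
    for r in score_suites(suites, flagged):
        if not r.passed:
            reasons.append(f"{r.suite}: {r.detected}/{r.total} detected, "
                           f"{r.required_pct}% required")
    fa = false_alarms(clean_suite, flagged)
    if fa:
        reasons.append(f"false alarms on clean files: {sorted(fa)}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, run in [("good", GOOD_SCANNER), ("twitchy", TWITCHY_SCANNER),
                       ("misses itw", MISSES_ITW)]:
        ok, why = certify(SUITES, CLEAN_SUITE, run)
        print(f"{label:11} -> {'PASS' if ok else 'FAIL'} {why}")
```

The twitchy run is the thread's scenario: it catches everything the good run catches, yet fails certification because it flags two legitimate admin tools in the clean suite. The verdict is only as meaningful as the suites themselves, so the composition of the clean suite (which dual-use tools it contains) decides as much as the malware suites do.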
wyrmrider
Warrior Addict
Joined: 25 Jun 2004
Last Visit: 17 Jan 2009
Posts: 750

PostPosted: Sat Mar 26, 2005 5:32 am    Post subject: Still FP's with latest definitions

http://spywarewarrior.com/viewtopic.php?t=11296&highlight=wyrmrider

As mentioned above,
a test with this week's definitions still found 14 ZeroSpyware hits.

Wyrmrider
mikey
Malware Expert
PostPosted: Tue Mar 29, 2005 5:33 am

Periodically, LS feels it necessary to restructure their support forums. Among other things, it allows them to clean up all those pesky threads that they see as a bother and unworthy of their exalted attention, or that perhaps throw a bad light on certain subjects. (book burning)

Since I know this trait so well, I have made a practice of caching threads I find pertinent.

Just to keep the record straight, and since the link above no longer works: http://www.voiceofthepublic.com/lsb6/LavasoftSupportBoard67.htm

webwatcher, while I agree in principle with much of what you say, I would point out, and be willing to debate and demonstrate, the fact that no one on this planet has yet produced a feasible working model of a methodology for benchmarking applications of this type. IOW, those so-called tests that are published are absolutely worthless with the exception of subjection. Just like the rogue sites do, I can make a test say whatever I want it to just by limiting my samples.

A proper sampling alone would require a very large team to process, and of course before the results are even published, the entire control set has evolved and mutated. Also, test beds will never be able to reflect the random complexity of user-installed wares...a very large factor in F/Ps.

Ref: http://www.spywarewarrior.com/viewtopic.php?t=8148
_________________
-
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE

Spyware/Adware is NOT freeware, it costs all of us dearly.

Mikey's Stuff

Fiddler and friends...essential web diagnostic, forensic, & development tools.
-
Scaramouche
Malware Expert


Joined: 06 Jul 2004
Last Visit: 03 May 2006
Posts: 142
Location: Manila, Philippines

PostPosted: Tue Mar 29, 2005 7:05 pm    Post subject:

Well this is interesting.

They've removed the entire Suggestions and Bug Reports forum, not just my thread. I did a search for ZeroSpyware and only came up with this: http://www.lavasoftsupport.com/index.php?showtopic=61402 . This, of course, could simply be an innocent mistake of reorganization (such as what happened to Eric's original WhenU posting) but I'm guessing it isn't.

I'm not even angry, indignant or shocked anymore. I'm just tired. I have never seen such a lack of transparency, such an unwillingness to listen or discuss, such a desire to censor.

EDIT-Thanks for the copy Mikey. Fcukdat; didn't you say you had a copy as well? I can't seem to find mine.
_________________
---
My comments represent my own opinions and research.
Roshi229
Newbie


Joined: 14 Mar 2005
Last Visit: 23 Jun 2005
Posts: 9

PostPosted: Tue Mar 29, 2005 8:21 pm    Post subject:

excellent topic!!

and not to get off topic but only slightly here for a sec...

1. when trying to catch someone who is trying to outsmart you, you must play ahead of the game or be left playing catch-up forever. I'll be the first to offer that some very underhanded tactics may indeed be used to either A) stay "ahead of the game" or B) make it look like one is ahead of the game. This is the nature of the beast for which we ride. If you can't accept that sometimes we're going to get bitten, it's time to.

2. Def. files - how old school is this. This puts us behind the times. We're not out-thinking those who are trying to outwit us. Personally I don't have the answer; if I did - well, I would be rich, but that's another story. Let's just ponder here a for-instance of the future, if you don't mind.
Starting with the past we have detect - dissect - remove - prevent. Does this sound a bit like chasing our tails? Does to me, and here's why -
    if a virus and/or malware has not been created we have no need to defend against it

    current practices state that a virus and/or malware cannot be defended against until it has been created

    once a virus and/or malware (henceforth referred to as "it" as I'm tired of typing) has been detected it is dissected and ripped apart so that it can be added into my new Def. files update.

    it doesn't exist - no prevention

    it is created - it does damage

    we are outsmarted by it until we outsmart it - Def. files updated


round and round it goes.....

ahhh but to bring back topic 1.
if you are to stay ahead of the game then you must be of the first to know of new releases.... HOW!!
    be big, very big. have lots of hands looking everywhere for new releases of "it"

    be big + have your customers send back info to update you and what IT is, what IT has become, and what IT is doing...


let's hope this happens by choice of the end user...

ok ok ok, I've been long-winded to outline what we all already know. ROSHI! WHAT'S THE BLOODY POINT???

how can we get past this game of chasing our tails while these IT's scum, slime, dirtbags write more games for us to chase?

hmmm, if I don't want to add a line to my host file every time I find a naughty site I would need something capable of scanning the site before I get it - something that thinks logically perhaps, or maybe it's much simpler. A naughty site is bound to have certain key elements that set it aside. A key word, a layout - many many of them look very alike. I can spot an Art page vs a naughty page from a mile away by the header....

THE POINT ALREADY.....

a pro-active scan. A tool that supplements the def. files by looking for key signs of malware... how, I do not know. But I do know enough about very very basic code to know that any action you try and take looks similar no matter how you do it. 1 + 1 will always = 2 even if you throw in a little twist... 1 + 1(1) = 2 ... hey, if you still follow me, maybe you've got what it takes... I've got a lot to learn before I wrap my brain around this one...

sorry if it's too far off topic.

up late again,
Ken
herbalist
Warrior Addict


Joined: 28 Aug 2004
Last Visit: 25 Jun 2008
Posts: 728
Location: northern Michigan

PostPosted: Tue Mar 29, 2005 10:07 pm    Post subject:

Ken,
Your statement about definitions and/or reference files being old school is definitely true. With the exception of heuristics, which has a long way to go before it's truly reliable, the present methods do operate in the past tense. I will however disagree with your one statement:
Quote:
if you are to stay ahead of the game then you must be of the first to know of new releases.... HOW!!
be big, very big. have lots of hands looking everywhere for new releases of "it"
be big + have your customers send back info to update you and what IT is, what IT has become, and what IT is doing...

This doesn't put you ahead of the game. Assuming all else to be equal, the best it does is prevent you from being as far behind. In general, when a company gets as big as you describe, they become less able to respond quickly and tend to respond less to their customers in general. Shall I use Microsoft as a prime example of how a big company responds to newly found vulnerabilities?
Even if this wasn't the case, you're still describing reacting to new threats. Done any reading on Warhol worms or viruses? The day that someone releases one of these with a payload attached, we'll see in no uncertain terms just how insufficient our present methods are.
Preventing malware from ever installing or starting in the first place is the real answer. You can basically describe the average computer system this way:
Everything is permitted that is not specifically prohibited.
The exact opposite approach is what's really needed:
Everything not specifically permitted is prohibited.
The conventional approach permits unknowns. There is no security in that approach. Unfortunately, to make that work, it requires the user to know and understand their system. The ones who won't take the time to learn their system and the applications they use will never get there. As long as the most common OS is designed so that the user doesn't need any knowledge to go online, no security package or approach is going to be able to protect them.

Scaramouche,
I don't know what to say. Taking out the entire "suggestions and bug reporting" pretty much said it already. I'd like to think that was an oversight on their part but I wouldn't bet on it. With the way things are going over there and the growing dissatisfaction and distrust their practices are breeding, I have to wonder how much their twisted classification of ZeroSpyware's software will even matter. People are losing faith in what they say, especially among their own users.
Rick
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 01 Sep 2010
Posts: 1031
Location: CenTex

PostPosted: Wed Mar 30, 2005 6:49 am    Post subject:

Scaramouche wrote:
EDIT-Thanks for the copy Mikey. Fcukdat; didn't you say you had a copy as well? I can't seem to find mine.


Sorry, I didn't catch all of the thread. Gotta be fast to stay ahead of LS. Smile

Here's another partial thread where ZS was mentioned: http://www.voiceofthepublic.com/lsb6/LavasoftSupportBoard68.htm
_________________
-
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE

Spyware/Adware is NOT freeware, it costs all of us dearly.

Mikey's Stuff

Fiddler and friends...essential web diagnostic, forensic, & development tools.
-
fcukdat
Warrior Addict


Joined: 01 Jan 2005
Last Visit: 08 Apr 2009
Posts: 758
Location: Yeovil,England.

PostPosted: Wed Mar 30, 2005 7:10 am    Post subject:

Scaramouche wrote:


EDIT-Thanks for the copy Mikey. Fcukdat; didn't you say you had a copy as well? I can't seem to find mine.


Smile I've got more up-to-date copies of the two threads in concern. If anyone would like, please PM me. Unfortunately they're saved (C&P) to Notepad Rolling Eyes
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html
clearhythm
Newbie


Joined: 01 Apr 2005
Last Visit: 01 Apr 2005
Posts: 1

PostPosted: Fri Apr 01, 2005 3:04 am    Post subject: Be the First to Beat Any Virus

Roshi229 wrote:
excellent topic!!

and not to get off topic but only slightly here for a sec...

1. when trying to catch someone who is trying to outsmart you you must play ahead of the game or be left playing catch-up forever. I'll be the first to offer that some very underhanded tactics may indeed be used to either A) stay "ahead of the game" or B) make it look like one is ahead of the game. This is the nature of the beast for which we ride. If you can't accept that sometimes we're going to get bitten, it's time to.


Roshi, you raise some interesting points. So here's a proposal for the best way to stay ahead of "virus/malware game"...
Be the Very Organization that Creates the Malware.

I say that jokingly of course. But I often wonder why there isn't more discussion of the fact that the groups that benefit most from the emergence of countless variants of malware are the anti-virus companies themselves. These companies make sales (or grow their distribution, as in the case of Lavasoft) when people have problems. Problems like viruses. Problems that get solved by anti-virus software. Want to get people to consume more? Just make the problem worse, and increase fear. It's a simple law of capitalist economics. Let's call it "Viral Marketing".

I'm not saying that there aren't legitimate anti-virus companies out there. Perhaps the majority have their hearts in the right place. But it does strike me that the few "bad" companies out there to use this tactic would consistently be the first on the market to discover "the fix". And to the victor goes the spoils.

Here's an idea for you. What's the biggest software company on the market? A company whose software is so insecure that it constantly requires "beneficial and free updates"? MICROSOFT. Perhaps we could ask them where the viruses come from.
fbmDavid
Newbie


Joined: 02 Apr 2005
Last Visit: 06 Mar 2006
Posts: 1

PostPosted: Sat Apr 02, 2005 4:52 pm    Post subject:

Hi all,

Prepare for a very long post on this intriguing topic. In the interest of disclosure, I work at FBM Software, the makers of Zerospyware.

I agree with mikey that it is extremely difficult to come up with objective test criteria for determining the overall capabilities of anti-spyware applications. But we can derive much better tests and criteria than currently exist. This industry badly needs an independent association that can perform the sort of large scale tests required. At the FBM offices we have a large threat research team that performs extensive testing using several automated tools that we have built in-house to try to prevent false positives. The testing environment is complex to say the least. We employ a combination of dedicated ghostable machines and networked virtual PCs with custom tracking tools that allow us to see every file and registry key tracked during spyware installations, as well as integrated packet sniffers that allow us to watch where these apps connect. We also run tests against machines that are cumulatively loaded with thousands of trusted applications to test for false positives. These applications are derived from our Spyware-net initiative which has been running for several years, where our user base can opt in to report unknown applications and detected spyware to our servers. We get over 2 million reports per day that are automatically sorted with trend analysis tools. We also test every potential spyware installer against at least 7 of our competitors and use tools that automatically collate the logs and highlight the discrepancies. From this setup we have a fairly good sense of how the different applications fare with both detection and false positives. Of course we can't really publish these results without appearing biased. But we can contribute our testing environment, criteria and tools to an independent certifying organization, as well as our collected spyware infection vectors. We are in early discussion with some candidate organizations regarding this now. These approaches can help move us closer to objectivity with application ratings in this industry.

But there is another problem. The criteria problem. And this is much harder for us to tackle. Since the time we started in the anti-spyware space we have struggled with spyware counts. We don't believe for instance that tracking cookies are spyware components, but many of our competitors do. Many of our competitors also indicate applications that may carry spyware AS spyware. If we take a more conservative and accurate approach then we risk suffering from consumer perception, or misperception. Here is a typical customer support contact that we receive every day.
------
I have been using zs for a couple of months. Quite recently I have also downloaded Spy Bouncer. Today this software detected spyware which your tool did not find namely claria/gain 3 items, domain hijacker 8 and kazaa 1.
Can you please explain.
--------

False positives from our competitors, overinflated counts, aggressive definitions of spyware are issues we have to answer to our customers. And the sad fact is that most of our customers are not very patient, and tend to see things in black and white terms. Even worse, reviewers make the same mistake. Basically the best way to win is to have the highest count, regardless of what is counted.

One of the top rated commercial anti-spyware applications that we compete with overcounts spyware components by a factor of 4-5. That is, the same application or dll will be counted as 4-5 different spyware applications. We have discovered several known and serious false positives with this application as well. No one has ever mentioned these issues in reviews.

So in short the lack of objective testing standards and criteria, combined with aggressive marketing and definitions of many well regarded competitors, creates an environment where truth is not only very subjective, but relatively unimportant. It basically pays to count everything possible as spyware. Empty folders, harmless cookies, applications or components that could be used by other applications for possible spyware activities.

We don't want to play this game. Ultimately it hurts our customers, even if they don't know any better. Combating this is not easy though. It involves extensive press tours, the creation of a very labour intensive process to describe our criteria for nearly every component found, and a push to create a consortium of trusted industry representatives to help regulate this industry. You will be hearing a lot from us on this topic in the next month or so, as we prepare to launch a spyware information portal to bring many of these issues to light. We will also be attending an important first meeting of a consortium in London with the top anti-spyware and security vendors that will be holding initial talks to deliberate these issues, and hopefully to derive common criteria for how we define spyware and malware. We will be attending a similar private meeting in San Francisco, which will also be attended by top press and government officials to discuss these topics. If this thread is still alive I will try to relay some of the feedback from these very important meetings.

A note to the conspiracy theorists out there. There are so many real security issues out there that there is absolutely no need to invent any, trust me on this. It's a challenge to expand fast enough to deal with the issues. Spyware is a big industry, and unlike virus attacks of the past they are financially motivated. Read this. Spyware is a multi-billion dollar industry. There is a tremendous amount of money to be made by exploiting the computers of the masses. Now add this: the PC user base is rapidly expanding world wide. Millions of new novice PC users are joining the internet every day. We face several challenges now with new spyware approaches. Rootkits are our latest challenge. The problem is worse than many of you imagine. We try to help customers every day that encounter problems that nothing is solving. From the issues we have encountered we have a list of features to add that require us to provide application updates every few weeks for the next 2 years.

Regarding Microsoft, I've heard the complaints, and theories about Microsoft and security. I simply don't agree. I've worked with many of the top developers and executives from the SQL Server team and have a tremendous amount of respect for Microsoft, and the extremely talented people they hire, or acquire Smile, to run the company. They are a worthy competitor, and for the consumers' sake I welcome their entry into the security market. That being said, this is a difficult battle, and one that requires focus. We will see if they are capable of keeping up with the changes, agility, and speed of development that we predict will be required to stay on top of this issue. Also they will face internal marketing challenges regarding their strategy here. Already they have positioned MS AntiSpyware as part of their Windows Genuine certification program and will be requiring XP SP2 as a minimum for this product. While I understand why they are doing this I don't agree that this is right for the consumers. I would also like to see Microsoft fix some of the issues with the OS that make it so difficult for us to protect our customers from security threats. There are several key OS components that require serious re-design to meet the challenges of a connected and wireless computing world. I fear that Longhorn will miss the mark on these issues by a mile, with a hunch that the security issues we are facing today simply weren't anticipated when they designed this system. I also don't believe that Microsoft has any need to create their own security holes to make money patching them. With an estimated 45 million lines of code in Windows XP, my guess is they have plenty of security issues to deal with, without creating any.

We believe the issue for consumers is the usability of their computers and awareness of what is running on them. PC users' computers are a battleground for companies, or individuals, trying to profit from every possible exploit they can find. Our challenge is to clearly identify the value and purpose of each application running on our customers' PCs and to highlight any that could concern them. As this industry matures, integrity and trust for anti-spyware vendors will become increasingly important, and the resources required to properly do the job will be much greater. Already many of the false positives, and improper detection issues, that we are seeing from anti-spyware vendors are a direct result of the inability of these vendors to keep up with the volume and complexity of the problem, as well as an interest in maintaining high spyware counts. Taken to the extreme, some vendors have taken shortcuts and intentionally inflate counts to appear more effective. What is even worse is that some of the rogue anti-spyware applications actually install spyware, as has been noted on this forum and several other forums. The question will be: who can the consumer trust?


-
David
FBM Software
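David's post describes collating several scanners' logs, highlighting the discrepancies, and one competitor counting the same dll as 4-5 different spyware applications. The script below is an added example of that kind of collation, not FBM's tooling or any real scanner's log format; the scanner names, labels and paths are constructed. It separates raw detection counts from distinct components (an inflation factor) and lists items only one engine flagged as the first candidates to verify as false positives.

```python
# Added example for the overcounting / log-collation discussion above.
# The log format, scanner names, labels and paths are constructed for
# illustration; none of it is real product output.
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Detection(NamedTuple):
    scanner: str
    label: str   # name the scanner reported (family, category, ...)
    path: str    # file or registry location the detection points at


# Constructed logs, one "label|path" record per line (hypothetical format).
# ScannerA bills one DLL four times and flags two items nobody else does.
SAMPLE_LOGS = {
    "ScannerA": r"""
Claria.GAIN|C:\Program Files\GAIN\gmt.dll
Claria.Gator|C:\Program Files\GAIN\gmt.dll
Claria.DashBar|C:\Program Files\GAIN\gmt.dll
Claria.Trickler|C:\Program Files\GAIN\gmt.dll
Possible BHO|C:\Program Files\ExampleAntiSpy\feedback.dll
Tracking cookie|C:\Documents and Settings\user\Cookies\user@ads[1].txt
""",
    "ScannerB": r"""
Claria.GAIN|C:\Program Files\GAIN\gmt.dll
Kazaa bundle|C:\Program Files\Kazaa\kazaa.exe
""",
    "ScannerC": r"""
GAIN/Gator|c:\program files\gain\GMT.DLL
Kazaa bundle|C:\Program Files\Kazaa\kazaa.exe
""",
}


def normalize_path(path: str) -> str:
    """Windows paths are case-insensitive; fold case and slashes so one
    file is one key however each scanner happened to print it."""
    return path.strip().replace("/", "\\").lower()


def parse_log(scanner: str, text: str) -> List[Detection]:
    dets: List[Detection] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue  # skip blank and malformed records
        label, path = line.split("|", 1)
        dets.append(Detection(scanner, label.strip(), normalize_path(path)))
    return dets


def all_detections(logs: Dict[str, str]) -> List[Detection]:
    return [d for name, text in logs.items() for d in parse_log(name, text)]


def inflation_factor(dets: Iterable[Detection]) -> float:
    """Raw detections divided by distinct locations: 1.0 means every
    reported item is a separate component, 4.0 means one file was
    counted four times under different names."""
    dets = list(dets)
    distinct = {d.path for d in dets}
    return len(dets) / len(distinct) if distinct else 0.0


def consensus(all_dets: Iterable[Detection]) -> Dict[str, Set[str]]:
    """Map each distinct location to the set of scanners that flagged it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for d in all_dets:
        seen[d.path].add(d.scanner)
    return dict(seen)


def fp_candidates(all_dets: Iterable[Detection], min_scanners: int = 2) -> Set[str]:
    """Locations flagged by fewer than min_scanners engines. Low agreement does
    not prove a false positive (one engine may be ahead), but it is where to start."""
    return {p for p, s in consensus(all_dets).items() if len(s) < min_scanners}


if __name__ == "__main__":
    for name, text in SAMPLE_LOGS.items():
        print(f"{name}: {inflation_factor(parse_log(name, text)):.1f} hits per component")
    print("verify first:", sorted(fp_candidates(all_detections(SAMPLE_LOGS))))
```

With the constructed logs, ScannerA reports 2.0 hits per distinct component while B and C report 1.0, and the feedback dll and cookie are the only items flagged by a single engine.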
herbalist
Warrior Addict


Joined: 28 Aug 2004
Last Visit: 25 Jun 2008
Posts: 728
Location: northern Michigan

PostPosted: Sat Apr 02, 2005 10:33 pm    Post subject:

David,
Welcome to Spyware Warrior.
Deciding exactly what the criteria are for an item to be targeted is right at the center of the problem, that and defining the terms themselves. It's too easy for the vendors of this stuff to claim
"Our software isn't adware or spyware",
when neither has a standardized definition.
Any system of classification is going to have to be designed with the consumers in mind, with the categories kept simple. Terms like spyware have been so misused that it's probably not realistic to use them. It means too many different things to different people.
If a term such as Surveillance software or surveillance-ware is used instead, its function is still clear to the consumer and it closes the "we're not spying" loophole. It's too easy for the distributors of the targeted material to say:
"We're not distributing spyware. Page 75, paragraph 16 of the EULA said we might collect such and such info."
Monitoring and collecting info is surveillance, whether a EULA mentions it or not. That would defeat their argument and still be clear to even an uneducated consumer.
If we're careful about the terms we choose, most, if not all, of their "misrepresentation" arguments can be legally defeated and still be made clear to consumers.
One other mistake we have to avoid is the tendency to classify the targeted products/software into a single category. If the software has characteristics that could classify it as adware, surveillance-ware, and a trojan, put it in all 3 categories instead of creating new or sub-categories for it, or trying to determine a "primary" behavior for it. It would be a lot clearer to the typical consumer to hear that it's both adware and surveillance-ware instead of coining a new term for a category that covers both. We have to avoid any categories or classifications that come close to the "is it a virus or a worm?" type problem.
While an approach like this wouldn't solve all the problems, that kind of clarity would go a long way towards gaining the consumers' trust. That in itself is a big part of what needs to be done, gaining their trust.
Rick
fcukdat
Warrior Addict


Joined: 01 Jan 2005
Last Visit: 08 Apr 2009
Posts: 758
Location: Yeovil,England.

PostPosted: Sun Apr 03, 2005 4:32 am    Post subject: zerospyware/lavasoft ad aware f/p's

Right people, I'm going out on a limb here but it's only a suggested theory after observing facts posted on security/privacy forums over the past few months ...hopefully not too wide of the target but it is only a theory (which might be wrong Wink)
this theory might go as far as to explain why Zerospyware have been enduring constant product harassment by Lavasoft Ad-Aware and why all subsequent attempts at resolving this situation (F/P's) have failed so far.

facts-

1) recently Ad-Aware has been generating F/P's, they are being reported openly and Lavasoft are reacting quickly by updating their definitions to stop the F/P's being generated again.
support reading-
http://www3.dslreports.com/forum/remark,12986560~start=0
http://www3.dslreports.com/forum/remark,13052734

2) since November 04 Lavasoft have been informed about F/P's against Zerospyware (14 critical detections as possible BHO with TAC level=3) and yet despite constant barracking on various forums the F/P's are not being addressed.

3) Ian Tucker of Lavasoft has publicly stated on more than one occasion that Ad-Aware does not have Zerospyware in their targeted detections (core definitions).
support reading-
unfortunately in the 'ashes of the bonfire' at the now dysfunctional suggestions/bug reporting forum @ Lavasoft forums.

4) Zerospyware software has a function when the prog is uninstalled to open a product feedback window on the customer's machine.

The theory part 1- (fact)

Lavasoft are not deliberately targeting Zerospyware but Ad-Aware is deliberately detecting Fact 4) and defining it as a possible BHO and then making the critical detections of it.

it is not a poss BHO and thus the detections are F/P's.

The theory part 2- (supposition)

why have Lavasoft not acted quickly to undo these F/P's as has been seen recently elsewhere with other F/P's?

could it be possible that the poss BHO detection process is not part of the core definition file of Ad-Aware but part of the software programming itself?

in other words, in order to rectify these F/P's they would have to replace the whole software package and not just update the core definition file as with correcting other F/P's.

Wink I'm not saying this is the case but I'm fielding it as a possible theory to explain recent events and Lavasoft's general unwillingness to sort out these F/P's
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html
wyrmrider
Warrior Addict


Joined: 25 Jun 2004
Last Visit: 17 Jan 2009
Posts: 750

PostPosted: Sun Apr 03, 2005 5:58 am    Post subject: See Also

In case you missed it, since it's in a sticky, see the last several posts at

http://www.spywarewarrior.com/viewtopic.php?t=8084

Wyrmrider

good thoughts der dat