Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Giant Antispyware
Vesper
Newbie


Joined: 30 Aug 2004
Last Visit: 25 Nov 2004
Posts: 8

Posted: Tue Oct 05, 2004 9:58 am    Post subject: Giant Antispyware

After reading Eric Howes’ impressive test of spyware scanners, I just had to try Giant. It downloaded and installed as expected, I configured and ran a scan, being 99,6% sure that my PC was clean. After scanning more than 100.000 files, it gave this report –




Strange. I use The Ultimate Troubleshooter (TUT), and don’t expect any connection to Grokster. The file wiseupdt.exe is TUT’s update manager (made by Wise Solutions Inc, I believe). Of course I loaded TUT and clicked update. The update duly arrived, with an apology for being delayed by hurricanes Charley, Frances and Jeanne. No extra adware, no nothing. After following Giant’s advice and quarantining wiseupdt, said file was gone. No more updates. OK, Giant makes it easy to un-quarantine, no big deal.
Is ASProtect an activity logger? Well, yes. According to the maker it – among other things – gives the ’possibility to create evaluation (trial) versions, that limit application functions based on evaluation time and the number of runs left.’ OK, but a dangerous key logger? Hardly.
The only evaluation prog on my machine at this time is ... yes, Giant Antispyware. Would it flag and offer to quarantine part of its own download? Improbable. Perhaps ASProtect is a remnant from an earlier trial, now uninstalled.
Today I ran Giant again. It told me that my Firefox start page was hijacked by CoolWebSearch. I’ve never had to fight CWS before and was delighted. Great.
Damn, the start page came up in pristine condition. Giant had flagged an obscure file named beb5c739d01 residing in the cache, that was all. Searching the web for beb5etc gave no useful info.
I’ll keep using Giant until the evaluation period expires, but so far I’m not impressed.
Please note! This is just a couple of random experiences, and can in no way be compared with Eric Howe’s tests. Giant is new and may have teething trouble. Second thoughts – I’ve seen strange results with every other antispyware scanner too. Computer programs can’t substitute for brains.
_________________
Health and pesetas and love...
eburger68
SWW Distinguished Expert


Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL

Posted: Tue Oct 05, 2004 4:31 pm

Vesper:

As you surmised, it does indeed appear that GIANT is having some "teething problems" with minor false positives. I encountered one or two the first time I tested a few weeks ago. Those were obviously cleaned up by the time I re-tested this past weekend.

Others have reported false positives -- see this thread at Wilders, where one user also reports encountering the ASProtect false positive (ASProtect is an executable packer). GIANT support reportedly responded very quickly and addressed the problem:

http://www.wilderssecurity.com/showthread.php?t=47699

So, as I've said elsewhere, GIANT is certainly one to keep an eye on -- very promising. I'm not sure that I'd recommend it as a replacement for the usual, more established anti-spyware applications just yet.

Eric L. Howes
webmedic
Junior Member


Joined: 07 Oct 2004
Last Visit: 17 Sep 2006
Posts: 37

Posted: Thu Oct 07, 2004 10:17 am

Well actually I run a small shop and I had some spyware on a system recently that would not be removed even if I did it all under safe mode and giant got rid of it.

I'm rather impressed. It will even kill and suppress services and background programs from running and then delete and gut them off of your system. It is rather impressive to watch after fighting with a system and doing hand cleaning for about 3 days.

I do need to keep an eye on the false positives I guess, but I really have nothing bad to say about this program considering how efficient it is at removing even hard things.
wyrmrider
Warrior Addict


Joined: 25 Jun 2004
Last Visit: 17 Jan 2009
Posts: 730

Posted: Fri Oct 08, 2004 6:28 am    Post subject: Better than by hand

I agree 100%
Much better than hand cleaning
On one system last week it reduced what would have been hand cleaning by around 80 percent. This is after 3 AV scans, Ad-Aware, Spybot, Webroot and a trojan scanner.
Just watch the false positives

and no doomsday adverts

wyrmrider
webmedic
Junior Member


Joined: 07 Oct 2004
Last Visit: 17 Sep 2006
Posts: 37

Posted: Fri Oct 08, 2004 8:20 am

After using it again and watching what was going on a little closer, I can say that so far at least, other than the hosts file, it does not seem to be giving any false positives. Except as mentioned on the hosts file. I did notice that they updated their definition files also, so maybe they are getting that fine tuned better. After all, the def files are what makes it: as long as the scanning engine does what it is supposed to do, the definition files are what really determines how many it can find.
wyrmrider
Warrior Addict


Joined: 25 Jun 2004
Last Visit: 17 Jan 2009
Posts: 730

Posted: Fri Oct 08, 2004 9:09 am    Post subject: hosts and uninstall

It found some things in Hosts and also some uninstallers and auto updaters; must be heuristics

Those who removed DAP with HJT or just uninstalled should run GIANT to clean up (most) of the crap and trails

I have not tried the latest release

I do not have any friends with dirty systems that I know of
(just a minute the phone is ringing)

Wyrmrider

I might mention that this tool can help take some of the load off of our GREAT TECHS.

But if they are working with a real newbie it should be done under supervision, just like HJT or any other powerful tool

Wyrmrider
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

Posted: Fri Oct 08, 2004 12:48 pm

I sent an email to GIANT a few days ago, and received this reply today.
Thought you might like to see it.

This was my initial email content:
Quote:
Re, your Giant Software.

We have been testing your software, with great anticipation.
We see a few F/P's, and some other minor issues.

Could you please supply me with your EULA for the Paid version, and if
possible, would one of your representatives please sign up at
http://www.spywarewarrior.com and introduce yourself?


This is the reply (with personal names removed)
Quote:
Hi,

Just wanted to introduce myself. My name is xxxxxxxxxx and I am one of the co-founders of GIANT Company as well as the lead developer of GIANT AntiSpyware. As you can tell, GIANT AS is a relative newcomer to the antispyware market, only being in full release for just over 3 weeks now. However the product and research has been in development since late 2003.

I did happen to see your independent scan and clean results pitting GIANT up with some of the other well known antispyware programs. It looks like GIANT did pretty well, however to be honest I would have liked to see us perform a bit better :)

I see you mentioned that you have a few concerns, specifically on FPs and some other minor issues. I would love for you as well as your highly respected forum users to provide whatever feedback you have so we can improve the product to the best of our ability. As a new product, getting feedback from users is extremely critical as I am sure you are well aware of. For the FP issues, this does concern me quite a bit and I would really want to get to the bottom and correct these ASAP.

I'm not sure if you got a chance to see our SpyNet Research Center at http://www.giantcompany.com/antispyware/research. What we are attempting to do here is publish detailed information on all cataloged spyware threats as well as publish all signature based information as best as possible. One thing we have decided from day one is to make all the data we use as public as possible. So, with this in mind we started the online research center.

Another great tool which we invested a lot of time into was the SpyNet AntiSpyware community. We honestly feel that leveraging the vast power of this shared community will provide the most comprehensive database. If you visit the research site you can actually see the statistics (updated daily) on the immense data that SpyNet generates. With this data the signatures of spyware threats are growing at an enormous rate, which in turn will bring our accuracy up considerably. As far as the SpyNet data collected goes, we are also publishing this data as well. For instance, check out the Hotbar threat. If you scroll down to the bottom of the signatures you will see a section on SpyNet collected signatures. This is just one way SpyNet feeds new data, in addition to the algorithms we use to catalog and generate new threat data. For more info on how SpyNet works you can see: http://www.giantcompany.com/antispyware/research/about_spynet.aspx.

Sorry to ramble on about this, I hope I don't seem too marketing oriented as I know you guys probably don't want to hear that, however we are just extremely excited about Spyware Research Center, SpyNet and of course the GIANT AntiSpyware.

So, let me include the EULA you asked for, I have attached it as an rtf, please let me know if you have a problem reading it.

<<EULA.rtf>>
Also, below is the SpyNet privacy policy. Protecting the privacy and anonymity of SpyNet participants is extremely important to us, as you will tell by the privacy statement. In addition, participating in SpyNet is really a double opt-in type procedure in that you can elect to participate during the software installation and simply choose not to participate in the GIANT AS settings at any time. Also, before any data is ever sent to SpyNet, you are always asked if you would like to send data even if you already agreed to participate. Lastly, the data sent is extremely simple, anonymous data, such as file name, files sizes, file publisher, MD5 hashes, CLSIDs, ProgIDs, and the GIANT genetic fingerprint. The genetic finger print is our proprietary algorithm for creating a probability hash based on the file's binary properties.

Anyway:

SpyNet Privacy Policy
SpyNet, GIANT Company Software Inc., takes the data it collects and the security of that data very seriously. In addition SpyNet data is 100% anonymous and does not include any personal information in any transmissions to the SpyNet servers. In addition all communication with SpyNet is one way in that transmissions are only sent from users that have decided to participate in SpyNet to the SpyNet servers.

There are 2 types of data transmitted to SpyNet. Both forms of data use a double opt-in type procedure. In order for data to even be sent to SpyNet the user must first decide to participate in the SpyNet AntiSpyware Community from GIANT AntiSpyware. This participation is elected in two ways: during the Setup Assistant of GIANT AntiSpyware upon installation of the software, as well as by turning participation on or off in the GIANT AntiSpyware SpyNet Options. The two forms of data sent are: 1. data sent about the file signatures detected during a spyware scan, and 2. data collected when an unknown file is detected trying to run or integrated into Windows or various applications detected by the GIANT AntiSpyware Security Agents. In both cases no possible personal information is sent; the information sent is limited to only the file name, various file properties such as publisher, file size and file version, as well as various file signatures such as the file's MD5 hash and the proprietary GIANT AntiSpyware file fingerprint signature.

In addition no information regarding the user who sent the file is sent. This means no type of UserID such as a GUID or registration key is ever sent. If you have questions about the data transmitted to SpyNet we encourage you to communicate with us, as making sure your security is the number one priority of SpyNet and GIANT AntiSpyware.

-------------------

Once again, I thank you for taking the time to review GIANT and if you or your forum users require any more information, have any questions or comments please let me know. The only thing I ask is that you do not publish my personal email address to avoid hate mail from many of the malware companies :)

Thank you,
xxxxxxxxxxxxxxx
GIANT Company Software

_________________
Proud member of the Chest Zipper Club!
herbalist
Warrior Addict


Joined: 28 Aug 2004
Last Visit: 25 Jun 2008
Posts: 726
Location: northern Michigan

Posted: Fri Oct 08, 2004 3:02 pm

That research center is a nice site. Bookmarked that one. Should come in quite handy.
Got the same problem for trying it. Nothing to test it on that needs cleaning at the moment.
Rick
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

Posted: Fri Oct 08, 2004 3:10 pm

Rick, I have lots of neat stuff on file here, to test it. I'll keep you posted when I get a few minutes.

I replied, basically asking them again to post here, into this Topic.

We'll see ...
anewman
Malware Expert


Joined: 08 Oct 2004
Last Visit: 24 Nov 2004
Posts: 5
Location: New York

Posted: Fri Oct 08, 2004 3:18 pm    Post subject: GIANT AntiSpyware

Hi everyone,

I just wanted to introduce myself to all forum members as I have done in the email/post above. I am one of the founders of GIANT Company as well as the current lead developer for the GIANT AntiSpyware desktop version as well as the GIANT AntiSpyware engine (scan/clean).

Over the course of the last few weeks, since the product release, we have been following quite closely the posts from this site as well as the various other security forum sites. Although I try to refrain from putting in my two cents, I must say that the feedback from everyone has been truly positive (the negative comments even more so) and extremely helpful to improving the product.

One point many people have been touching on is the fact that there have been a number of false positives. We have done a ton of research on all the mentions of it and have been trying to respond as rapidly as possible to verify, test and remove any such FPs as fast as possible. I'm not sure if anyone paid attention but we have actually released 16 definition updates since the product release, September 10th. As more SpyNet data comes in, and is properly analyzed, you will see updates increasing to a daily level in the next month or so (if all goes well).

In addition, I strongly encourage your ongoing feedback on the downfalls of the product so we can fix them as fast as possible.

Speaking of the threat data, I know there has been a number of questions or speculation on how the data is generated and updated. I'll try to explain it very briefly. One thing I would like to mention is the fact that we are publishing all this data online through the SpyNet research site http://www.giantcompany.com/antispyware/research/ please feel free to take a look.

The spyware scanner and cleaner work using two methods; 1, and most obvious is a huge database of known spyware threat signatures as well as friendly signatures; 2, through an intelligent based system that employs a number of techniques. These techniques range from how a process or library is loaded or integrated into one of the various windows or application auto-start integration points.

As far as the signature database, we are currently pushing 200,000 signatures, and based on incoming SpyNet data this is growing daily. Again, please feel free to browse the SpyNet website; we publish every single signature for all cataloged threats as well as statistics on all SpyNet data. Also, I know others have wondered why the updates are downloaded so quickly even though the database is so large; it is because we employ delta based signature updates. So, most signature downloads usually average between 10 to 80k (and they are downloaded compressed). In addition, the signatures are basically just MD5 hashes or GIANT genetic fingerprint hashes. The GIANT genetic fingerprint hashes are something we have been developing for a few years now (and we are pretty excited about them); what they are are probability hashes of a file based on the file's binary data and structure. Using a base fingerprint of any binary file (dll, exe, etc.) we can make a 99.9999% accurate prediction if another file, even if it is a different file size or has a different MD5 hash, is the same as the file we are testing against. It does this using an algorithm that compares the data and structure.

The second way the scanner works is based more on a built in intelligent algorithm. Basically what occurs here is if the scanner detects an underlying process or library (running or dormant) we can then gather all related data that is attached or belongs to that file. For instance if we detect through a hash or finger print that a file is a COM object, we can then look into the library that is loaded or into the parent process what functions it is consuming, what additional process it consumes, how it was instantiated, what registry keys it owns and how it integrates into either windows or an application (such as a BHO, Protocol filter, ShellExecuteHook, etc.). I just wrote a little information about this on the research that might be of interest: http://www.giantcompany.com/antispyware/research/doc_howto_spywaremanifests.aspx

(Please forgive me for rambling on here...)

The one last point I would like to make is about SpyNet. Instead of just telling you about it here, please feel free to read another page I created on the site that has some good information (hopefully not too marketing oriented). http://www.giantcompany.com/antispyware/research/about_spynet.aspx

So, I really hope that this is somewhat informative. All of us at GIANT really appreciate the ongoing negative and positive feedback everyone has posted and please, keep it up. You don't know how great this data is in order for us to constantly improve the software.

As far as the technical support aspect goes, we recently added the live support feature and are trying to keep up as best as possible with the incoming questions. We currently only have 3 people trained to deal with the technical questions so please just bear with us as we ramp up.

If anyone has any questions at all, please feel free to send them to my inbox at antispyware[at]giantcompany.com. I'll try to read and respond to them as fast as possible while coding fixes and changes at the same time ;) If you have general product support questions and need a reply in a hurry just send them to support@giantcompany.com or check out live support on the site.

Thanks everyone,
Andrew
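An added illustration of the signature handling described in the post above (MD5 threat signatures, friendly signatures, delta updates), written for this page and not GIANT's code. The delta layout, the class and field names and the sample byte strings are all assumptions made for the sketch.

```python
import hashlib
from dataclasses import dataclass, field


def md5_hex(data: bytes) -> str:
    # MD5 is used only because the post names it as the signature format;
    # here it is a lookup key, not a security boundary.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


@dataclass
class SignatureDB:
    version: int = 0
    threats: dict = field(default_factory=dict)   # md5 hex -> threat name
    friendly: set = field(default_factory=set)    # md5 hex of known-good files

    def apply_delta(self, delta: dict) -> None:
        """Apply one delta; refuse it if it was built against another version."""
        if delta["base_version"] != self.version:
            raise ValueError(
                f"delta expects v{delta['base_version']}, database is v{self.version}"
            )
        for digest in delta.get("remove_threats", []):
            self.threats.pop(digest, None)
        self.threats.update(delta.get("add_threats", {}))
        self.friendly.update(delta.get("add_friendly", []))
        self.version = delta["new_version"]

    def classify(self, data: bytes) -> str:
        digest = md5_hex(data)
        if digest in self.friendly:   # friendly list wins over a stale threat entry
            return "friendly"
        return self.threats.get(digest, "unknown")


# Constructed sample "files" (byte strings standing in for file contents).
UPDATER = b"constructed: legitimate auto-updater binary"
ADWARE = b"constructed: adware component"
ADWARE_REPACKED = ADWARE + b"\x00"   # same program with one byte appended


def demo() -> dict:
    db = SignatureDB()
    # v1 ships with a false positive: the updater is listed as a threat.
    db.apply_delta({
        "base_version": 0, "new_version": 1,
        "add_threats": {
            md5_hex(UPDATER): "Sample.Bundler",
            md5_hex(ADWARE): "Sample.Adware",
        },
    })
    before = db.classify(UPDATER)
    # v2 is a small delta that withdraws the bad signature and lists the file as friendly.
    db.apply_delta({
        "base_version": 1, "new_version": 2,
        "remove_threats": [md5_hex(UPDATER)],
        "add_friendly": [md5_hex(UPDATER)],
    })
    return {
        "updater_v1": before,
        "updater_v2": db.classify(UPDATER),
        "adware": db.classify(ADWARE),
        # An exact hash stops matching after any change to the file.
        "adware_repacked": db.classify(ADWARE_REPACKED),
        "version": db.version,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last case shows why an exact-hash list alone misses a modified copy of a known file, which is the gap the post says the fingerprint hashes are meant to cover.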
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.

Posted: Fri Oct 08, 2004 4:24 pm

Well, after reading all I have been reading about how good this app is, I finally decided to DL a trial version for evaluation.

Here is the log generated:

Quote:
Spyware Scan Details
Start Date: 10/8/2004 4:46:37 PM
End Date: 10/8/2004 4:57:25 PM
Total Time: 10 mins 48 secs

Detected Threats

Messenger Plus! Adware Bundler more information...
Details: Messenger Plus! is a add-on for MSN Messenger. Messenger Plus! installs an OPTIONAL adware called C2Media which is also known as LOP.com.
Status: Quarantined
Moderate threat - Moderate threats may profile users online habits or broadcast data back to a server with 'opt-out' permission. In most cases this type of threat is more along the lines of commercial type adware that offer a premium service in exchange for tracking your user online performance.

Infected files detected
c:\recycler\s-1-5-21-2469961645-758509131-4257817495-1006\dc1503\richedhook.dll


Detected Spyware Cookies
No spyware cookies were found during this scan.


Also, it scanned 2054 memory locations, 149,044 files, 1 infected(see log above), 8077 registry locations and finally 343 cookies.

Overall pretty impressed with the scan, good detailed info regarding the 'threat' found.

Have yet to play with the other 'Options' but will do so tonite.

BTW, Aware SE and Spybot Search & Destroy came up clean, but SpySweeper produced a bunch of f/ps which I'm currently in communication with Webroot to figure out, because most of what was found were legit items. And this just happened after the Oct. 6 def updates.

I may begin to have people using this trial version, for a 'pre-scan' on people who have not done AdAware and Spybot and before HJT logs. Just not sure which one I'll substitute it for.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

Posted: Fri Oct 08, 2004 4:49 pm

Quote:
I may begin to have people using this trial version, for a 'pre-scan' on people who have not done AdAware and Spybot and before HJT logs. Just not sure which one I'll substitute it for.

I'll wait and see what happens when the Trial Version expires, and what is leftover to clean up in Registry, etc before I start using it as a prescan.
We'll need to know that info, and how to deal with it if there is anything odd.

Same thought though TeMerc...it's thorough.
I don't like the idea of recommending a d/l for a Trial Version if there are any ghosts to deal with.

TeMerc, what happened when you tried to fix this:
Quote:
Infected files detected
c:\recycler\s-1-5-21-2469961645-758509131-4257817495-1006\dc1503\richedhook.dll
?
I'd unregister the dll ;)
matt_d_walker
Junior Member


Joined: 21 Sep 2004
Last Visit: 24 Dec 2004
Posts: 23
Location: Los Angeles, CA

Posted: Fri Oct 08, 2004 5:10 pm    Post subject: I bought it

I bought it. I have been really pleased with them. I think also their support is really superior to anything else I have used. I am not sure if any of you got caught up in that Ad Aware upgrade fiasco, but it was hell. With the Giant guys, I fire off an e-mail and get a friendly response, or I go to their site and chat live with the support. In one of the earlier version, I noticed a small bug and wrote to them. They were very thankful to know about it and did not just dismiss it or get defensive.

I am growing fonder of them day by day, and I think they are going to be the leaders. The Spynet thing really got me because with so many variants being released, it seems like a great way to keep up on those.

Matt
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.

Posted: Fri Oct 08, 2004 5:54 pm

3162, the infected file was successfully quarantined. No troubles. Will play more later tonite, when I'm on for a couple of hours.
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

Posted: Fri Oct 08, 2004 6:11 pm

No prob. However:
Quote:
3162, the infected file was successfully quarantined. No troubles

Won't that show F/P's from other apps, if they are looking in all the right places?
If it isn't deleted completely, won't there be F/P's if we don't set a new Restore Point?
What about Temp Folders....
What about the logfiles from other apps causing errors?

These are things I think about....

Actually, I'm glad you didn't delete it at this point. Will await your reply ;)

Don't forget, I'll be gone all day tomorrow for the friend's wedding ;)
herbalist
Warrior Addict


Joined: 28 Aug 2004
Last Visit: 25 Jun 2008
Posts: 726
Location: northern Michigan

Posted: Fri Oct 08, 2004 6:21 pm

anewman,
Thank you for taking time to post here. It's very much appreciated.
Please do not apologize for rambling. A thorough and thought out response is not rambling.
I do have one question for you. What criteria have to be met before a program is included in your detections? You specifically mentioned HotBar in the reply to 3162's e-mail and stated you've been following the discussions here, so I'm assuming you've seen that topic, here and elsewhere. What those who write/maintain choose to target or not to target is just as important as the program's abilities to remove the targeted items. Could you provide some info regarding this?
Thanks in advance.
Rick
anewman
Malware Expert


Joined: 08 Oct 2004
Last Visit: 24 Nov 2004
Posts: 5
Location: New York

Posted: Fri Oct 08, 2004 8:08 pm

Hi herbalist,

Great question. We actually have a number of criteria that we use to determine whether or not to list a product as a threat. The criteria are comprehensive; however, we do not use a scientific means per se. A product could be considered malware if it violates its privacy policy or EULA, displays advertising outside the application without the user’s consent, bundles other malware, downloads or installs additional products without consent, hijacks web browser settings, alters any security settings, or makes Internet connections to transmit or receive data from a remote server without the user’s consent. Basically a ton of items like that are used to determine if a product should be listed as well as how the product is classified. In addition every product we plan on listing is researched and compared to what others online have to say about the product and what types of experiences they have endured while using the product. In many cases we have contacted the vendor to get additional information, but as you know most illegitimate malware companies won’t respond. Also, we have created an online vendor dispute form http://www.giantcompany.com/antispyware/research/vendors.aspx to aid in this process. We have actually removed some products based on speaking with vendors as well as escalated other products' status based on discussions with them.

In addition, we have developed a comprehensive classification system to further help users decide if the product should be removed or possibly even questioned for removal.

After we decide to list a product as a threat, we then classify it using a number of criteria. Each of these criteria changes the way the threat is presented to the user as well as the advice the product gives to the user once detected. The classifications that are fed into the threat data are: 1. The risk the threat poses to the end user, low to severe; 2. The threat category and type; 3. Advice, which is remove, keep or special.

As far as the risk, I guess that is somewhat explanatory and based on what we discovered during product testing. The category is kind of unique, and actually plays off the risk level in determining how severe the threat is presented to the user and what the recommendations are. We have also created a number of categories that deviate from traditional antispyware software. These include three major categories: potential privacy risk, adware bundlers and enablers. Although most products in these specialized categories are not your typical threats, the user should be aware of them. In addition, any threats within these categories display special advice information, as simply telling them to remove or keep them is just not enough, or even fair to the product.

For instance, products in the potential privacy risk category, are generally not considered spyware however, the end user should really read the privacy policy or EULA. Since most users do not read in full a EULA, we simply bring it to their attention and point out exactly what in the EULA or privacy policy they should be aware of. Products like the Alexa toolbar fall into this category.

Adware bundlers are another category of interest that we felt should be brought to the user’s attention. Products in this category are not spyware or malware themselves but do install, or require to be installed in order to properly function, third party malware products. Typical products in this category include applications like GameSpy Arcade, Popular Screensavers and common P2P file sharing apps like Kazaa. Depending on whether or not the product requires the bundled spyware to remain installed, or will run without, we alert the user before they make a decision to remove the product. The idea here is to inform the user that the product has potential issues or is questionable.

Lastly, the Enabler category. This category is very unique in that products in this category are not malware and are usually third party products that have absolutely no relationship to the malware products that use them. For instance, the popular dev tool used by many socket developers, WinPCap, falls into this category. By itself, or integrated into a number of legitimate programs, it is a great product. However, because of the product’s licensing terms as well as its powerful set of features, it is used by many malware programs. So, we use a simple logic to determine if we should alert the user if the enabler is discovered. In many cases each enabler has a list of known legitimate applications that use the enabler. If the enabler is discovered and none of these legit applications are seen on the computer, we alert the user and provide comprehensive advice and information as to what the product is and what malware type functions can be performed with it.

As far as Hotbar goes, I have actually not been following the posts about it too closely. I’ll talk to the research team this weekend and get some extended details to post about it. My two cents on it is that it is not really spyware, however it is a potential privacy risk as well as presents a number of adware related properties. I see we list it as a low risk adware. This generally means that we don’t consider it full-blown adware as it does not display popup ads or other ads outside the application itself. However, based on some data we collected as well as Hotbar’s own privacy policy it should be considered and potentially removed. My main concern with Hotbar is that it does capture URL information sent in query strings, both GET and POST, that can easily contain personal information as it is very common that such information is passed as such. From the privacy policy: “SOME INFORMATION COLLECTED BY THE HOTBAR SOFTWARE IS PERSONALLY IDENTIFIABLE, SUCH AS NAME AND EMAIL ADDRESS. THIS PERSONALLY IDENTIFIABLE INFORMATION IS STORED SEPARATELY FROM THE INFORMATION ABOUT THE WEB PAGES YOU VIEW AND THE DATA YOU ENTER IN SEARCH ENGINE SEARCH FIELDS AND THE TWO TYPES OF INFORMATION ARE NOT CORRELATED OR LINKED.” To be honest, that alone concerns me :).

Hope this helps. Anyway I guess I need to start coding again. Please feel free to keep up the great questions.

Andrew
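
The enabler rule described in the post above (alert only when the enabler is present and none of its known legitimate applications are), as an added example that is not Giant's code or part of the original post. The catalogue entry, the marker file names, the application list and both host inventories are constructed assumptions.

```python
import ntpath
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Enabler:
    name: str
    marker_files: frozenset      # file names whose presence means "installed"
    known_legit_apps: frozenset  # applications known to depend on the enabler


@dataclass
class Verdict:
    enabler: str
    alert: bool
    matched_files: list
    explained_by: list = field(default_factory=list)


# Constructed catalogue entry; the file and application names are illustrative
# assumptions, not Giant's real definitions.
CATALOGUE = [
    Enabler(
        name="WinPcap",
        marker_files=frozenset({"wpcap.dll", "packet.dll", "npf.sys"}),
        known_legit_apps=frozenset({"ethereal", "windump", "nmap"}),
    ),
]

# Constructed inventories: host A has a packet-capture tool installed, host B
# has the same enabler files but nothing that would explain them.
HOST_A_FILES = [r"C:\WINDOWS\system32\wpcap.dll",
                r"C:\WINDOWS\system32\drivers\NPF.SYS",
                r"C:\Program Files\Ethereal\ethereal.exe"]
HOST_A_APPS = ["Ethereal", "Firefox"]
HOST_B_FILES = [r"C:\WINDOWS\system32\wpcap.dll",
                r"C:\WINDOWS\system32\drivers\npf.sys"]
HOST_B_APPS = ["Firefox"]


def _norm(value):
    return value.strip().lower()


def evaluate(file_paths, installed_apps, catalogue=CATALOGUE):
    """Return one Verdict per enabler found on the machine.

    An enabler is reported only when at least one marker file is present.
    The alert flag is raised only if no known legitimate application that
    uses the enabler is installed.
    """
    # Compare on the bare, lower-cased file name; ntpath parses Windows
    # paths correctly on any operating system.
    present = {_norm(ntpath.basename(p)) for p in file_paths}
    apps = {_norm(a) for a in installed_apps}

    verdicts = []
    for enabler in catalogue:
        matched = sorted(present & enabler.marker_files)
        if not matched:
            continue  # enabler not installed: nothing to report
        explained_by = sorted(apps & enabler.known_legit_apps)
        verdicts.append(
            Verdict(enabler.name, not explained_by, matched, explained_by))
    return verdicts


if __name__ == "__main__":
    for label, files, apps in (("A", HOST_A_FILES, HOST_A_APPS),
                               ("B", HOST_B_FILES, HOST_B_APPS)):
        for v in evaluate(files, apps):
            print(label, v.enabler, "ALERT" if v.alert else "ok", v.explained_by)
```

A suppressed alert only means a plausible owner is installed; it does not show that the owner is what actually installed or uses the enabler.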
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Fri Oct 08, 2004 8:20 pm    Post subject: Reply with quote

anewman, welcome here. And so far I find this informative!
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
herbalist
Warrior Addict


Joined: 28 Aug 2004
Last Visit: 25 Jun 2008
Posts: 726
Location: northern Michigan

PostPosted: Fri Oct 08, 2004 9:13 pm    Post subject: Reply with quote

anewman,
That was one of the most comprehensive answers I've received to that question. I very much appreciate it and your taking time to do so.
Thanks
Rick
Vesper
Newbie


Joined: 30 Aug 2004
Last Visit: 25 Nov 2004
Posts: 8

PostPosted: Sun Oct 10, 2004 10:15 am    Post subject: Reply with quote

anewman – nice to see a representative from Giant on the forum.
After experimenting with your program for a while, I’ve drawn the conclusion that you have bitten off so much that you’ll have to chew for a long while. Your project is impressive and extremely ambitious.
Giant Antispyware is powerful, scans thoroughly and has advanced tools. I like them, especially the System Explorers. But for a casual user they might be confusing or dangerous. How about a button labeled Expert Mode, and a warning?
The Security Agent gave me a problem. While installing nod32 Giant popped up a warning, saying that nod32 wanted to add to the LSP chain. Too bad I didn’t make a screen shot, but I seem to remember that I was given the choice of denying permission or scanning. To see what would happen I clicked scan. Nothing happened. The event log noted a blocked event, but pressing Reactivate item just gave me the answer – there are no blocked events.
To make it short, System Explorer reported nod32 with broken LSP, and nod couldn’t connect to the server for updates. LSPFix renumbered 18 items in the chain, Giant was satisfied and nod downloaded the latest update.
A fault in Giant? Unlikely. It’s not the first time I’ve had to reinstall a program a time or two to make everything right. Last week it was InCD that refused to work until I’d uninstalled, reinstalled and updated. The hardware/software environment of modern computers can be complex to the point of unpredictability. And don’t ask me why nod32 wanted to add to the LSP chain. Or did it? No idea, I haven’t come to LSPs in my curriculum yet.
Later today I’ll uninstall Giant, download again, reinstall and find a thing or three for Security Agent to ponder.
About Giant’s Spyware Research Center... No, I’ll leave it for now. I’d ramble on forever.
Keep your gaze on the horizon and work like hell, Giant. Best wishes!
_________________
Salud y pesetas y amor...
matt_d_walker
Junior Member


Joined: 21 Sep 2004
Last Visit: 24 Dec 2004
Posts: 23
Location: Los Angeles, CA

PostPosted: Sun Oct 10, 2004 11:02 am    Post subject: They do have a "Novice" setting Reply with quote

Under the options --> Settings --> General section, there are the following selections:

User Modes:

- Knowledgeable User
- Novice User (Do not allow me to perform actions that can harm my computer).



That, to me, seems to be what you are looking for.

FYI, in that same section (General) is:

- Include technical information in selections details.

That provides some interesting stuff.

Matt
iwod
Newbie


Joined: 12 Oct 2004
Last Visit: 18 Nov 2004
Posts: 2

PostPosted: Tue Oct 12, 2004 4:30 pm    Post subject: Reply with quote

Can Giant consider making it more memory friendly? It is using 20MB even when the GUI is closed.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 23 May 2013
Posts: 10271
Location: sunny California

PostPosted: Tue Oct 12, 2004 6:47 pm    Post subject: Reply with quote

iwod,

I hear you on that point. I have not been able to run it on my Win ME machine - it comes to a dead halt and the only thing I can do is C-A-D. And that's with nothing running in the background except AVG and Zone Alarm. If it would run on that computer, I'd purchase it because that's the computer I use to test apps and spyware. It needs some big guns to get rid of the junk I download for testing.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
webmedic
Junior Member


Joined: 07 Oct 2004
Last Visit: 17 Sep 2006
Posts: 37

PostPosted: Tue Oct 12, 2004 7:07 pm    Post subject: Reply with quote

Just curious, but where can I find some of these testing programs? I'm looking for some that I can use for testing myself. I have an older machine that is perfect for this.
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Tue Oct 12, 2004 7:09 pm    Post subject: Reply with quote

m.e if left all on its own, never connected to the net, would still attack itself and crash and burn! lol
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 23 May 2013
Posts: 10271
Location: sunny California

PostPosted: Tue Oct 12, 2004 7:25 pm    Post subject: Reply with quote

Quote:
Just curious, but where can I find some of these testing programs? I'm looking for some that I can use for testing myself. I have an older machine that is perfect for this.


Do you mean testing spyware removers or testing spyware itself?

If you want actual spyware for testing, Grokster has a load. Also iowrestling.com will load you up - see the descriptions of the anti-spyware programs tests here:

http://spywarewarrior.com/asw-test-guide.htm

If you want to test anti-spyware apps, many have trial versions.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

PostPosted: Tue Oct 12, 2004 7:33 pm    Post subject: Reply with quote

Suzi, correct me if I am mistaken here, but are you saying that you test apps and spyware on a WinMe machine?


Second, I wish you would all hold off on GIANT until my trial expires in 4 days.
Then, and only then, will I give my opinions about the Trial Version.

webmedic, I have a series of clean installs here, for various versions of Windows. All of which have a backup on desktop, from which I can compare entries.
A lot of it is trial and error to resolve a particular infection, and write up a quick fix.
Here, right now, I can boot 98Gold, 98SE, Win2k, XP and XPpro, clean. I'm working on building more boxes for ME, XPOffice and ......
Shoot them all behind a Router and a hub, I feel fairly safe to load them with no protection, to do my updates. They never hit the Internet, other than for Updates to the OS.
All infections I test are placed on disk first.

Dave....LOL!
_________________
Proud member of the Chest Zipper Club!
YourOldBuddy
Newbie


Joined: 12 Oct 2004
Last Visit: 27 Nov 2004
Posts: 4

PostPosted: Tue Oct 12, 2004 7:34 pm    Post subject: Reply with quote

Hi guys/gals. 1st post.

Had a recent spyware outbreak because I didn't want to upgrade to SP2 and because of my Pornbrowsing addiction (lethal combination).

Anyway, after Adaware, SpySweeper, SpyBot, Perf.Process and X-Cleaner I was still infected. Tried running Giant Antispyware and NetCop and finally got whatever it was. I found out later that NetCop killed Adaware and WinAce without reason so I won't be trying that out again. I also noticed NetCop is not featured in a few places like www.spychecker.com where I dl'ed it from.

Still have 6 days left of the Trial Subscription but won't be subscribing because I'm an unemployed sod, but until then I'm very happy with it. Congrats on a job well done AnewMan.

How about starting the Giant AntiSpyWare nagthread?
webmedic
Junior Member


Joined: 07 Oct 2004
Last Visit: 17 Sep 2006
Posts: 37

PostPosted: Tue Oct 12, 2004 8:07 pm    Post subject: Reply with quote

suzi wrote:
Quote:
Just curious, but where can I find some of these testing programs? I'm looking for some that I can use for testing myself. I have an older machine that is perfect for this.


Do you mean testing spyware removers or testing spyware itself?

If you want actual spyware for testing, Grokster has a load. Also iowrestling.com will load you up - see the descriptions of the anti-spyware programs tests here:

http://spywarewarrior.com/asw-test-guide.htm

If you want to test anti-spyware apps, many have trial versions.


No, I knew about the antispyware programs. I have been cleaning the stuff for years now; it started with porn dialers a few years ago and now, well, it's much worse. When I started I had to clean them all by hand as Adaware and sbs&d were not around.

Thanks for the links. I was looking actually for spyware I could put on the system so that I can test against it and see how well the antispyware proggies work.

I used quite a few and am not really interested in most of them but I want to do some more in depth testing with giant.
webmedic
Junior Member


Joined: 07 Oct 2004
Last Visit: 17 Sep 2006
Posts: 37

PostPosted: Tue Oct 12, 2004 8:13 pm    Post subject: Reply with quote

3162 wrote:
Suzi, correct me if I am mistaken here, but are you saying that you test apps and spyware on a WinMe machine?


Second, I wish you would all hold off on GIANT until my trial expires in 4 days.
Then, and only then, will I give my opinions about the Trial Version.

webmedic, I have a series of clean installs here, for various versions of Windows. All of which have a backup on desktop, from which I can compare entries.
A lot of it is trial and error to resolve a particular infection, and write up a quick fix.
Here, right now, I can boot 98Gold, 98SE, Win2k, XP and XPpro, clean. I'm working on building more boxes for ME, XPOffice and ......
Shoot them all behind a Router and a hub, I feel fairly safe to load them with no protection, to do my updates. They never hit the Internet, other than for Updates to the OS.
All infections I test are placed on disk first.

Dave....LOL!



Well, here at my shop I run mostly linux. After working on broken windows boxen all day I really don't want to have to fix my own systems. I do have a couple windern boxen though.

If I do what you are doing it will be by running them in Virtual PC, as the guy in charge of the xp group at Microsoft gave me a free copy when I was helping him with some scripts to slipstream the knowledge base fixes and service pack1 along with sata drivers in the install. It seems Microsoft does some custom install stuff for some of their clients. I met him while working this stuff over at msfn; I was doing very heavy devel on custom windows xp installs at the time. I still have a lot of stuff slipstreamed into my installs and it all uses inf installer routines so it looks perty. At any rate I ended up with a copy of Virtual PC which works great for testing this kind of stuff.
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 23 May 2013
Posts: 10271
Location: sunny California

PostPosted: Tue Oct 12, 2004 9:36 pm    Post subject: Reply with quote

Quote:
Suzi, correct me if I am mistaken here, but are you saying that you test apps and spyware on a WinMe machine?


3162, the answer is affirmative. Laughing

My other "good" machines have XP home but I don't want to risk having them trashed by spyware, plus I use them for work. I don't do the kind of testing that Eric does - mine are much less detailed.

When I downloaded Grokster, it brought Win ME to a dead halt too, until I neutered some of the spyware. I still had plenty left to test.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
halcyon
Newbie


Joined: 13 Oct 2004
Last Visit: 27 Feb 2005
Posts: 3

PostPosted: Wed Oct 13, 2004 3:47 am    Post subject: Simple questions from a forum beginner Reply with quote

Thank you for the Giant Anti Spyware trial.

It's been interesting, but not so encouraging as I've tried it.

It has detected 5 false positives, some of which were detected on file name / location -basis alone (i.e. no signatures at all).

This is somewhat disconcerting, considering two of the files were original Windows files and newbies don't always check what they clean.

Can you state what are the detection routines you use?

Are you planning to continue using file name / directory location based detection (without signatures)?

Also, as I understand you are an American company, so I must ask this, knowing the legal problems some other American companies have gotten from adware vendors:

What kind of legal defence have you set up to ensure that a disgruntled Adware/scumware vendor will not sue you out of existence with very expensive legal proceedings?

I'm all for getting rid of scumware, but the fact is that the US legislative system allows a company with deep enough pockets to put you out of your business, unless you have a well thought out legal plan of action for situations like these.

If I were to be a paying customer, I'd of course like you to stay in business as long as possible and keep on improving your products and processes.

Regardless of my false positive encounters, I'm happy that you are offering this new product and building the open database of spyware.

And thank you again for offering a trial version of your program.

Friendly regards,
halcyon


Last edited by halcyon on Wed Oct 13, 2004 9:57 am; edited 1 time in total
Stan999
Newbie


Joined: 12 Oct 2004
Last Visit: 27 Nov 2004
Posts: 2
Location: Fort Worth, TX USA

PostPosted: Wed Oct 13, 2004 4:05 am    Post subject: Reply with quote

I have been running the trial for about 7 days now. Only 1 FP here which I find acceptable.

With the limited test results from: http://spywarewarrior.com/asw-test-guide.htm , plus the information in this thread and my own experience with the trial I find Giant AntiSpyware very impressive overall.
_________________
Stan Gunn
http://charterpipelinentx.net/
http://pub122.ezboard.com/fcharterpipeline9613frm1
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

PostPosted: Wed Oct 13, 2004 4:15 am    Post subject: Reply with quote

3 days left on my trial, and the first nag screen came up this morning asking if I wanted to purchase. I declined, with the full intention of simply letting it expire.

Since this machine stays on all day, I'll see later if there are any other nags which show up. I'm assuming at this point that they will only appear at boot.
_________________
Proud member of the Chest Zipper Club!
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 03 Sep 2012
Posts: 1061
Location: CenTex

PostPosted: Wed Oct 13, 2004 6:51 am    Post subject: Re: Simple questions from a forum beginner Reply with quote

halcyon wrote:
Are you planning to continue using file name / directory location based detection (without heuristics)?



Hey halcyon,

I'm wondering if you are the same halcyon I see on other boards frequently. Regardless, welcome to SW.

I believe you may have used the word 'heuristics' mistakenly. A heuristical scan looks for characteristics such as calls to RAS, ability to change certain sys settings, etc. I think the term you meant to use was 'checksum analysis' and I couldn't agree more with your conclusions. Ref; http://www.voiceofthepublic.com/giant/moregiantfps.html
_________________
-
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE

Spyware/Adware is NOT freeware, it costs all of us dearly.

Mikey's Stuff

Fiddler and friends...essential web diagnostic, forensic, & development tools.
-
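
The false-positive issue raised in the posts above (detection on file name or location alone versus checksum analysis), as an added example that is not from the thread or from any scanner's code. The threat name, paths and file contents are constructed, and contents are held in memory where a real scanner would hash files read from disk.

```python
import hashlib
import ntpath


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents.
UNWANTED_BYTES = b"MZ constructed sample: bundled adware updater v1"
LEGIT_BYTES = b"MZ constructed sample: vendor update manager v3"

# Constructed signature: one file name plus the checksums of known bad builds.
SIGNATURES = [
    {"threat": "ExampleAdware",
     "file_name": "updater.exe",
     "sha256": {sha256_hex(UNWANTED_BYTES)}},
]

ADWARE_PATH = r"C:\Program Files\ExampleAdware\updater.exe"
LEGIT_PATH = r"C:\Program Files\SomeTool\updater.exe"
RENAMED_PATH = r"C:\Temp\setup_helper.exe"
CLEAN_PATH = r"C:\WINDOWS\system32\notepad.exe"

SAMPLE_FILES = {
    ADWARE_PATH: UNWANTED_BYTES,   # right name, right content
    LEGIT_PATH: LEGIT_BYTES,       # same name, unrelated program
    RENAMED_PATH: UNWANTED_BYTES,  # known content under another name
    CLEAN_PATH: b"MZ constructed sample: text editor",
}


def classify(path, data, signatures=SIGNATURES):
    """Return (threat, confidence) pairs for one file.

    "confirmed" means the content checksum matched a signature, whatever
    the file is called. "name-only" means just the file name matched,
    which says nothing about what the file actually contains.
    """
    name = ntpath.basename(path).lower()
    digest = sha256_hex(data)
    hits = []
    for sig in signatures:
        if digest in sig["sha256"]:
            hits.append((sig["threat"], "confirmed"))
        elif name == sig["file_name"]:
            hits.append((sig["threat"], "name-only"))
    return hits


def scan(files, trust_name_only):
    """Split hits into files offered for quarantine and files for review.

    With trust_name_only=True a bare file-name match is treated as a
    detection; with False it is only queued for a human to look at.
    """
    quarantine, review = [], []
    for path, data in sorted(files.items()):
        for _threat, confidence in classify(path, data):
            if confidence == "confirmed" or trust_name_only:
                quarantine.append(path)
            else:
                review.append(path)
    return {"quarantine": quarantine, "review": review}


if __name__ == "__main__":
    print("name match trusted:", scan(SAMPLE_FILES, True))
    print("checksum required: ", scan(SAMPLE_FILES, False))
```

Requiring the checksum keeps the unrelated `updater.exe` out of quarantine while still catching the renamed copy, at the cost of needing a signature for every known build.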
halcyon
Newbie


Joined: 13 Oct 2004
Last Visit: 27 Feb 2005
Posts: 3

PostPosted: Wed Oct 13, 2004 9:57 am    Post subject: Reply with quote

Thanks for the welcome. Yes, you're completely right, I meant signatures, not heuristics. Mistake corrected as not to confuse more people Smile
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 03 Sep 2012
Posts: 1061
Location: CenTex

PostPosted: Thu Oct 14, 2004 9:56 am    Post subject: Reply with quote

I saw John @ DSLR post a link pointing to a thread at GRC authored by one of my fav sec devs Robin Keir; http://news.grc.com/news.exe?cmd=article&group=grc.security.software&item=101481&utag=


==========
OT

In case you're wondering who RKeir is; He is one of the Foundstone devs and also the author of the best port scanner I know of as well as other products such as K9.

Refs;

http://www.foundstone.com/

http://keir.net/

http://www.keir.net/k9.html

Note: I would advise folks without advanced networking knowledge to beware of 'playing' with some of his tools. (those tools at Foundstone) Some can get you in trouble if you don't know 'what and how'. Smile
_________________
-
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE

Spyware/Adware is NOT freeware, it costs all of us dearly.

Mikey's Stuff

Fiddler and friends...essential web diagnostic, forensic, & development tools.
-


Last edited by mikey on Thu Oct 14, 2004 10:34 am; edited 2 times in total
iwod
Newbie


Joined: 12 Oct 2004
Last Visit: 18 Nov 2004
Posts: 2

PostPosted: Thu Oct 14, 2004 10:06 am    Post subject: Reply with quote

It's funny that Giant does not allow me to install Flashget....

And if I install it and click on get rid of the Spyware it will uninstall my app.

Even if I stop Giant and install Flashget, the next time I start my computer it will uninstall it for me "Without Warning" as well.....

So i will hold off for now.
streetwalk
Newbie


Joined: 14 Oct 2004
Last Visit: 18 Oct 2004
Posts: 4

PostPosted: Thu Oct 14, 2004 12:27 pm    Post subject: Reply with quote

It seems to me that there is a seemingly large amount of knee jerk jealousy creeping in against Giant anti spy. Comments by "voice of the public" in a glossy page put down, and Mr Keir's postings etc. I prefer the follow up to john2G by "Name Game" which is more to the point and a comment by Giant admin concerning Mr Keir's comment http://www.dslreports.com/forum/remark,11494888~mode=flat

No it is not a good read..it is a crap-on read for a guy who forgot K-9 project and what professional courtesy is still all about when you do test a trial version of a new product and how you then Help the developer who at many site has asked for input.

Giant Antispyware
anewman

Andrew

»spywarewarrior.com/viewtopic.php?t=6498

**************

Seems to me what goes around comes around.

»keir.net/bb/viewtopic.php?t=359
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 03 Sep 2012
Posts: 1061
Location: CenTex

PostPosted: Thu Oct 14, 2004 12:56 pm    Post subject: Reply with quote

streetwalk wrote:
It seems to me that there is a seemingly large amount of knee jerk jealousy creeping in against Giant anti spy. Comments by "voice of the public" in a glossy page put down, and Mr Keir's postings etc. I prefer the follow up to john2G by "Name Game" which is more to the point and a comment by Giant admin concerning Mr Keir's comment http://www.dslreports.com/forum/remark,11494888~mode=flat


I can't speak for Robin but I can speak for the VOP page since I wrote it.

I'm sorry you found my attempt to save some thread space by using my domain and page style to post my findings but thx for the 'glossy' compliment.

If you can find fault with my findings, I'd be very happy to revise my thinking. You may not have noticed but I'm one of the few who encouraged folks around here to give this product a chance to prove itself.

I'm also someone who has been working the sec boards for many years while reviewing many sec related apps. If you really feel that my comments are wrong, simply prove it up. I showed mine...now show yours.
_________________
-
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE

Spyware/Adware is NOT freeware, it costs all of us dearly.

Mikey's Stuff

Fiddler and friends...essential web diagnostic, forensic, & development tools.
-
All times are GMT - 8 Hours