Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Introduction: The Spyware Detective

 
Marius
Newbie


Joined: 21 Dec 2004
Last Visit: 31 Jan 2005
Posts: 4

Posted: Tue Dec 21, 2004 10:34 am    Post subject: Introduction: The Spyware Detective

Hi I am Marius Mailat.

I am the team leader of the programming department at Fastlink2.
We have tried over the last months to solve some problems in our spyware engine and to release a commercial product. In the last days we have launched The Spyware Detective and we are getting feedback from the users that has helped us a lot in developing some new functionalities.

Our company has a product that was rebranded by other companies using our scanning engine. We have decided to market our own product and for this we will need some help. Well educated testers for our product can be found only in such a forum.

If you are interested in stress-testing our product, please send an email to info@thespywaredetective.com. We will reward the beta testers with a 2 year license.

The spyware remover is named The Spyware Detective and is located at www.thespywaredetective.com

Thank you and regards,
Marius Mailat
eburger68
SWW Distinguished Expert


Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL

Posted: Tue Dec 21, 2004 3:36 pm

Marius:

Thanks for posting here at Spyware Warrior. I've actually tested at least two re-branded versions of The Spyware Detective: AGuardDog Adware/Spyware Remover and, more recently, PC AdWare SpyWare Removal. Both of those rebranded clones were added to the Rogue/Suspect Anti-Spyware list:

http://www.spywarewarrior.com/family_resemblances.htm#12

Unfortunately, based on my testing of The Spyware Detective, your application will be added as well.

Let me lay out the problems I've encountered.

First, on a scan of my spyware/adware free system, your application (like the other two) generated several false positives. It flagged this standard Internet Explorer Registry key...

HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser\itbarlayout

...as "TinyBar," which is not installed on this system. The above key is simply a standard IE Registry key that many programs modify. See these pages for more information:

http://www.jsiinc.com/SUBM/tip6300/rh6306.htm
http://www.jsiinc.com/SUBQ/tip8100/rh8134.htm

It also flagged this standard Windows Registry key...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage

...as "Alexa Toolbar," which also is not installed on this system. The above key does contain several subkeys (which adware and spyware can create), but the key itself is not evidence of spyware or adware.

I should note that I have pointed out problems with false positives to the vendor of AGuardDog in an earlier discussion on this forum:

http://spywarewarrior.com/viewtopic.php?t=7359

Second, a more serious problem lies with your scan engine, which appears to be completely inadequate and unsophisticated. I configured your app to scan three drives as well as the Registry and active memory. It finished in roughly 30 seconds -- which is unusually quick. This was with the "Deep Scan" option checked, mind you.

Suspicious, I unpacked a 35 mb archive of spyware/adware files that I used back in October while testing other anti-spyware applications to an empty drive. I then configured your application to scan the drive. Of 529 different files, The Spyware Detective recognized not a single one.

Still more suspicious, I reverted to my original three drive scan and fired up SysInternals FileMon, to check just what your application's scanning engine was doing. As it turns out, it was doing next to nothing. In its drive scan The System Detective was doing little more than checking the names of directories and the file names contained therein, which explains the extremely quick scan times. It didn't even touch any of the files in the directories either to compare MD5 hashes or to do signature checking.

This kind of detection scheme is completely inadequate.

Third, however, even the definitions themselves are suspicious. The four definition files (located in \data of the program's installation directory) are unusually large, totaling almost 7.5 mb. Moreover, one can open them up in a plain text editor and observe the plaintext data (file names, directory names, Registry keys, et al).

Whenever I have encountered these kinds of definition files before, one of two things has turned out to be true. Either:

a) the definitions were ripped off from some other program (usually Spybot S&D or Pest Patrol);

...or...

b) the definitions were created by harvesting file names and Registry keys from the larger spyware information sites on the web.

Just what is the provenance of your definitions database? Was it created in house? If so, how? Did you purchase it online from a contractor of some sort? If so, from whom?

I should add that the other two applications in this family (AGuardDog Adware/Spyware Remover and PC AdWare SpyWare Removal) both exhibited the same behavior and problems.

Given the several serious questions surrounding this application and its rebranded clone versions, I cannot recommend their use. Moreover, The Spyware Detective will be added to the Rogue/Suspect Anti-Spyware list.

Regards,

Eric L. Howes
3162
Honorary Site Admin


Joined: 31 Mar 2004
Last Visit: 04 May 2009
Posts: 4452

Posted: Tue Dec 21, 2004 4:45 pm

Eric,
As always, very thorough and *applause*
_________________
Proud member of the Chest Zipper Club!
Marius
Newbie


Joined: 21 Dec 2004
Last Visit: 31 Jan 2005
Posts: 4

Posted: Wed Dec 22, 2004 1:59 am

Hi Eric.

First, thank you for the analysis. I was expecting that you would wait for my response and then add the application, if it is the case, to the "suspect list".

I would like to talk about the things you pointed out here and explain them.

As an application that is in the Release Candidate phase, it is normal to have some problems. That is also why I came here asking for help in testing.

The 2 false positives are our mistake and were fixed during this day. We do not encourage false positives and we do not advertise through false positives. It is a problem that we are glad we were informed about. The release is still marked as RC5 but now has some other fixes added too, fixes made also because of the 2 new testers who came from this site. A warm thank you to them and to Eric.

Quote:

Second, a more serious problem lies with your scan engine, which appears to be completely inadequate and unsophisticated. I configured your app to scan three drives as well as the Registry and active memory. It finished in roughly 30 seconds -- which is unusually quick. This was with the "Deep Scan" option checked, mind you.


You have to choose the drives you want to scan. Otherwise the scan engine will scan only the registry/cookies. So basically, if you choose a drive or two like in this screenshot:

http://thespywaredetective.com/test/1.jpg

you will not have this problem. And then the scan scans the whole drives. No scanner can do a full scan in 35 seconds.

Quote:

Suspicious, I unpacked a 35 mb archive of spyware/adware files that I used back in October while testing other anti-spyware applications to an empty drive. I then configured your application to scan the drive. Of 529 different files, The Spyware Detective recognized not a single one.


You can choose the directory you want to scan, and you can choose exactly that directory. I cannot say that our product is unique and unbeatable. We are working on bringing the database to a good level. We have one researcher who is working exclusively on this.


Quote:

Still more suspicious, I reverted to my original three drive scan and fired up SysInternals FileMon, to check just what your application's scanning engine was doing. As it turns out, it was doing next to nothing. In its drive scan The System Detective was doing little more than checking the names of directories and the file names contained there-in, which explains the extremely quick scan times. It didn't even touch any of the files in the directories either to compare MD5 hashes or to do signature checking.


I am sorry but your analysis is wrong. I will explain to you technically how our engine works:

- the engine makes a full system scan, going through directories and looking for filenames
- for each filename it checks the DB to see if the file exists
- if the file exists in the DB then the MD5s (there can be more than one) in the DB are compared with the found file's MD5. So we do not calculate the MD5 EVERY TIME, only when a file is recognized.
- for cookies we use text search and filename patterns
- for registry we use reg values and reg keys

Quote:

Third, however, even the definitions themselves are suspicious. The four definition files (located in \data of the program's installation directory) are unusually large, totalling almost 7.5 mb. Moreover, one can open them up in a plain text editor and observe the plaintext data (file names, directory names, Registry keys, et al).


They are large indeed because of the XML format. Packed, the whole setup is less than 2.4 MB. We are thinking of compressing the files in the distributed version to keep the space smaller. Because the XML format is not a compressed one, we have this size.

Quote:

Just what is the provenance of your definitions database? Was it created in house? If so, how? Did you purchase it online from a contractor of some sort? If so, from whom?


We have a researcher, an in-house researcher, who is adding the definitions. The work on the definitions is not easy stuff (as you know better). We have fixed an objective for the middle of next year to be comparable with other projects like Lavasoft, Spybot, Giant Spyware.

Quote:

Given the several serious questions surrounding this application and its rebranded clone versions, I cannot recommend their use. Moreover, The Spyware Detective will be added to the Rogue/Suspect Anti-Spyware list.


I am sorry you took this decision before you received my response. I can only hope my response will change the situation. I know you are a busy person, but believe me, any opinion that will help us in extending the functionalities will help us. If you have time and you are kind enough, I can send a test registration key for more tests.

regards,
Marius Mailat
Marius
Newbie


Joined: 21 Dec 2004
Last Visit: 31 Jan 2005
Posts: 4

Posted: Wed Dec 22, 2004 2:02 am

I forgot in the above post to say that PC AdWare SpyWare Removal and AGuardDog Adware/Spyware Remover are legitimate rebranded versions.

They are, though, versions that at some point differ in functionality and definitions as each of the companies is going in its own direction. Both use the same scan engine derived from The Spyware Detective.
eburger68
SWW Distinguished Expert


Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL

Posted: Wed Dec 22, 2004 6:16 am

Marius:

You wrote:

Quote:
First, thank you for the analysis. I was expecting that you would wait for my response and then add the application, if it is the case, to the "suspect list".


Given that I've encountered rebranded versions of this application before and tested them (with very similar results), and given that the application is already being advertised and listed all over the Internet -- see for example:

http://www.shareup.com/The_Spyware_Detective-download-25928.html
http://www.filehungry.com/index.php?action=viewitemdetails&id=36432
http://www.hotlib.com/products1.php?id=20288
http://www.goodfiles.com/viewapp.asp?app=encryption__security/the_spyware_detective.xml

...there was no good reason for me to withhold adding it to the Rogue/Suspect Anti-Spyware page. Moreover, none of the answers you've provided to the specific issues I've identified is sufficient to change my decision.

As is explained on that page (see http://www.spywarewarrior.com/rogue_anti-spyware.htm#de-listed ), I have de-listed applications, but only after the vendors involved made substantial changes to their applications and (when necessary) advertising.

Quote:
The release is still marked as RC5 but now has some other fixes added too, fixes made also because of the 2 new testers who came from this site.


If this is still a release candidate, then why is your web site up for public use, why is your store open for business, and why is the application being listed all over the internet for download?

Quote:
You have to choose the drives you want to scan. Otherwise the scan engine will scan only the registry/cookies. So basically, if you choose a drive or two like in this screenshot:

http://thespywaredetective.com/test/1.jpg

you will not have this problem. And then the scan scans the whole drives. No scanner can do a full scan in 35 seconds.


Sorry, but I did configure the drives to be scanned properly. See this screenshot from one of my tests last night:

http://www.spywarewarrior.com/pics_pub/the-swd-2.jpg

Moreover, FileMon indicated that the application was scanning the drives, but using an inadequate detection scheme.

Quote:
You can choose the directory you want to scan, and you can choose exactly that directory. I cannot say that our product is unique and unbeatable. We are working on bringing the database to a good level. We have one researcher who is working exclusively on this.


"Not...unique and unbeatable" must surely be the understatement of the year. Zero of 529 is nothing short of abysmal, and the spyware/adware being scanned were some of the most well known and prolific applications currently on the Net. By contrast Ad-aware, Spy Sweeper, and Spy Subtract managed to find the vast majority of the spyware/adware on the test drive when I scanned that drive last night with those standard anti-spyware applications.

Quote:
I am sorry but your analysis is wrong. I will explain to you technically how our engine works:

- the engine makes a full system scan, going through directories and looking for filenames
- for each filename it checks the DB to see if the file exists
- if the file exists in the DB then the MD5s (there can be more than one) in the DB are compared with the found file's MD5. So we do not calculate the MD5 EVERY TIME, only when a file is recognized.
- for cookies we use text search and filename patterns
- for registry we use reg values and reg keys


Nothing you've said here contradicts what I reported observing. I said that "The System Detective was doing little more than checking the names of directories and the file names contained therein," a claim which you've essentially confirmed. You simply maintain that had the application recognized a file name it would have performed additional analysis. But in my test it never got beyond the simplistic file name/directory name matching, which is a huge problem given that many adware/spyware applications are changing file names frequently and even using randomly named files.

Contrast, again, with Ad-aware, Spy Subtract, and Spy Sweeper, each of which carefully inspected the files on the target drive.

Quote:
We have a researcher, an in-house researcher, who is adding the definitions. The work on the definitions is not easy stuff (as you know better). We have fixed an objective for the middle of next year to be comparable with other projects like Lavasoft, Spybot, Giant Spyware.


That objective is simply not realistic with only one researcher. And, as we've seen, you have quite a ways to go.

Quote:
I am sorry you took this decision before you received my response. I can only hope my response will change the situation.


Marius, you didn't wait before putting your web site up, opening your store, and causing your application to be listed all over the internet for download. And you certainly didn't wait before allowing your application to be rebranded and sold by others.

If you would like to send me registration key for further testing, you can send it to:

eburger68@myrealbox.com

For now, though, The Spyware Detective will remain listed on the Rogue/Suspect Anti-Spyware pages.

Regards,

Eric L. Howes
Marius
Newbie


Joined: 21 Dec 2004
Last Visit: 31 Jan 2005
Posts: 4

Posted: Wed Dec 22, 2004 6:53 am

Thank you for your response.

I am worried about your response. In this state of the development you put our application in a bad category. Even though we were fair and admitted the problems.

We fixed the errors with the 2 false positives very fast. We have even tried to go beyond that and asked the researcher to update the latest definitions to provide a new version ASAP.

I have never tried to mislead someone into buying a bad application. We have incorporated functions in the hope of better protecting the application. You will say that this is too commercial an orientation. It is not.

I am a technical guy. And as a developer I will respond to your words:

Quote:

Given that I've encountered rebranded versions of this application before and tested them (with very similar results), and given that the application is already being advertised and listed all over the
...there was no good reason for me to withhold adding it to the Rogue/Suspect Anti-Spyware page. Moreover, none of the answers you've provided to the specific issues I've identified is sufficient to change my decision.


I need you to change the post as it does not reflect the truth.

Quote:
false positives work as goad to purchase (1);


Having a bug in the detection (and this bug was removed as soon as we were informed) does not make us a liar company trying to construct false positives. I am sure you agree with me that the software does not create hundreds of spyware results, does not install any spyware and does not intentionally give spyware results.

The problem was solved, and we will look into all the problems as soon as the reports come in.

> flawed, inadequate detection scheme (1);
As a programmer I totally disagree with you. Our searching is based on MD5 signatures. A better search than MD5 signatures cannot be reached (maybe using CRC, but it would be the same thing). For this we have established the algorithm, which is a standard algorithm.

Other companies can choose to do an MD5 check first and then see if it finds a match. OK, this idea is OK and applicable for a deep scan. In this way the scanning will be slower and will handle the spywares that changed their names.

Our search engine is based on the first engine's rules. Since the discussion is going in the direction of you making technical comments on code that works, I would like you to suggest a better method to me if you know one.

Quote:
As is explained on that page (see http://www.spywarewarrior.com/rogue_anti-spyware.htm#de-listed ), I have de-listed applications, but only after the vendors involved made substantial changes to their applications and (when necessary) advertising.



I was surprised, and I still am, about the evolution. Trying to make a product, I was really hoping for more help and support. I can accept criticism and, as you saw, I have made the changes you asked for. We do not use any affiliate advertising, so we do not promote the application using weird affiliate programs. We also very clearly offer our support to our users.

Quote:
If this is still a release candidate, then why is your web site up for public use, why is your store open for business, and why is the application being listed all over the internet for download?


We submitted to the search engines after the preliminary test and the beta tests. We had fixed most of the application's problems and we were ready for selling.

You cannot expect now that every product will come here to be marked as "bona fide" by the forum.

I came here in hope that I can get good testers and also to have the opinion of people working daily with these problems.

Quote:
Sorry, but I did configure the drives to be scanned properly. See this screenshot from one of my tests last night:


Tests were made now on 4 different systems and were done in less than 5 minutes for the 2 drives. Please recheck your tests.

Quote:
understatement of the year. Zero of 529 is nothing short of abysmal, and the spyware/adware being scanned were some of the most well known and prolific applications currently on the Net. By contrast Ad-aware, Spy Sweeper, and Spy Subtract managed to find the vast majority of the spyware/adware on the test drive when I scanned that drive last night with those standard anti-spyware applications.


Making the comparison with these big products you leave no chance to me :D. As I told you, we cannot compare with them yet, but we hope we can bring our knowledge and, in time, a better database. I will be glad if you point me to a list of spywares (I will include the questions in the email with the license; maybe you will give us a little hand on this).

Quote:

But in my test it never got beyond the simplistic file name/directory name matching, which is a huge problem given that many adware/spyware applications are changing file names frequently and even using randomly named files.


As I explained before, it depends on the scanning engine. We use this method. This approach of calculating the MD5 and then comparing it with the DB MD5 is indeed interesting, but this will be effective for the cases when the filename is changing (for these cases we have redundant MD5s for different files).

Quote:

That objective is simply not realistic with only one researcher



At this point this is the only way we can go. I do not trust an external contractor and I do not have any idea about a starting database for sale :D.

Quote:
Marius, you didn't wait before putting your web site up, opening your store, and causing your application to be listed all over the internet for download. And you certainly didn't wait before allowing your application to be rebranded and sold by others.


I am not responsible for the other clone versions as they have their own way of dealing with the code. The version provided by The Spyware Detective is the only one using our latest code/DB.

Quote:

If you would like to send me registration key for further testing, you can send it to: eburger68@myrealbox.com


regards,
Marius Mailat
eburger68
SWW Distinguished Expert


Joined: 23 Jun 2004
Last Visit: 18 Nov 2008
Posts: 575
Location: Clearwater, FL

Posted: Wed Dec 22, 2004 8:54 am

Marius:

You wrote:

Quote:
I am worried about your response. In this state of the development you put our application in a bad category. Even though we were fair and admitted the problems.


Given that you're already advertising and selling a product on the internet that you yourself admit is still in the development stage (and still seriously flawed), it was entirely fair and appropriate for me to list your product on the Rogue/Suspect Anti-Spyware page. The purpose of that page is to warn users about sub-standard anti-spyware applications that ought to be avoided, and your application clearly fits the bill.

Quote:
I have never tried to mislead someone into buying a bad application. We have incorporated functions in the hope of better protecting the application. You will say that this is too commercial an orientation. It is not.


Stop mischaracterizing what I said. I never accused you of deliberately misleading anyone, nor did I ever characterize your actions as "too commercial." What I've said is that the application is flawed and that by your own admission you elected to start advertising and selling it while it was still in the development phase. That is inexcusable.

Quote:
I need you to change the post as it does not reflect the truth.


What's not the truth? Please, do tell. The passage of mine that you're responding to makes several claims:

1) I've tested the re-branded clones with similar results -- for evidence, see:

http://www.spywarewarrior.com/family_resemblances.htm#12

2) You are advertising and selling the application on the internet -- not only did I provide example links to support that claim, you YOURSELF admit to doing as much below:

Quote:
We submitted to the search engines after the preliminary test and the beta tests. We had fixed most of the application's problems and we were ready for selling.


There are no untruths there.

Quote:
Having a bug in the detection (and this bug was removed as soon as we were informed) does not make us a liar company trying to construct false positives.


Again, stop misreporting what I wrote. I never accused you of deliberately using false positives to sell your product, nor did I ever describe you as "a liar company."

Quote:
You cannot expect now that every product will come here to be marked as "bona fide" by the forum.


I will analyze and evaluate every program that is brought to my attention and make decisions based on the facts of the case. I did so in your case and provided you good reasons to justify my decision. All you've done so far is misquote and mischaracterize what I wrote and talk around the problems of your application. To top it off, you then ask me to fix your application for you.

Quote:
Tests were made now on 4 different systems and were done in less than 5 minutes for the 2 drives. Please recheck your tests.


I have re-tested, and I stand by those claims. As the screenshot should have indicated, I configured the scan exactly as you suggested.

Quote:
Making the comparison with these big products you leave no chance to me. As I told you, we cannot compare with them yet, but we hope we can bring our knowledge and, in time, a better database.


There was nothing unfair in the tests I ran or in the comparisons I made. Zero of 529 is pathetic -- inexcusable.

Quote:
I will be glad if you point me to a list of spywares (I will include the questions in the email with the license; maybe you will give us a little hand on this).


Try downloading Grokster. Everyone who's anyone in the anti-spyware industry knows about this one, as it will give you a good load of malware to analyze and test. Then try perusing my testing page for more information:

http://spywarewarrior.com/asw-test-guide.htm

Quote:
As I explained before, it depends on the scanning engine. We use this method. This approach of calculating the MD5 and then comparing it with the DB MD5 is indeed interesting, but this will be effective for the cases when the filename is changing (for these cases we have redundant MD5s for different files).


As I explained, the problem with your detection scheme is that it hinges on file name/directory name matches. If the file name/directory name scheme fails, the MD5s never come into play. Good anti-malware apps do a much more thorough job of analyzing files.

Quote:
Our search engine is based on the first engine's rules. Since the discussion is going in the direction of you making technical comments on code that works, I would like you to suggest a better method to me if you know one.


It is not my job to fix your application. You were the one who decided to cash in before getting your application right, and I'm under no obligation to fix your product for free after the fact. Hire the developers and researchers to do the job right. If you can't afford those developers and researchers, then find a new line of business. Whatever you do, stop making excuses for the application's poor performance and stop suggesting that it is my job to ignore these problems and not report them to the users you want to sell your application to.

Quote:
I am not responsible for the other clone versions as they have their own way of dealing with the code. The version provided by The Spyware Detective is the only one using our latest code/DB.


Yes, you are responsible. It's your code, and it was your decision to license that code (I'm assuming not for free) when, by your own admission, the underlying application is still in the development stage. Moreover, even now your own version of the application is available for download and purchase despite the fact that you admitted here that it's still a release candidate.

If you want me to change what the Rogue/Suspect Anti-Spyware page reports immediately, then do the following:

1) take down your web site

2) take down the download file

3) inform the download sites and search engine sites that you submitted your app to that The Spyware Detective is not ready for general release and, thus, is not available for download and purchase.

Then fix the problems with your application. I received the license key from you and will be happy to re-test once you've overhauled the application. But I will not stand idly by while you push a garbage anti-spyware application on unsuspecting internet users.

Eric L. Howes
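The two detection schemes argued over in this thread, as an added example that is not code from The Spyware Detective or from either participant: scheme A is the vendor's name-first lookup (only files whose name is already in the definitions get hashed), scheme B hashes every file and looks the digest up. On a constructed directory tree where one known sample sits under a random-looking name, scheme A never opens that file (the behaviour FileMon showed Eric) and misses it, while scheme B still finds it. All file names, contents and detection names below are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path: Path) -> str:
    """MD5 of a file's contents, read in chunks (the file is actually opened)."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_db(samples):
    """Build both lookup tables from (file name, content, detection name) tuples.

    by_name: lower-cased file name -> {"det": name, "md5s": {digest, ...}}
             (several digests per name, like the thread's "MD5-s (can be more)")
    by_hash: digest -> detection name
    """
    by_name, by_hash = {}, {}
    for fname, content, det in samples:
        digest = hashlib.md5(content).hexdigest()
        entry = by_name.setdefault(fname.lower(), {"det": det, "md5s": set()})
        entry["md5s"].add(digest)
        by_hash[digest] = det
    return by_name, by_hash


def scan_name_first(root, by_name):
    """Scheme A (the vendor's description): walk the tree, look each *name* up
    in the DB, and hash only files whose name is known. Returns (hits, files_opened)."""
    hits, opened = [], 0
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        entry = by_name.get(p.name.lower())
        if entry is None:
            continue  # unknown name: the file is never opened, never hashed
        opened += 1
        if md5_of(p) in entry["md5s"]:
            hits.append((p.relative_to(root).as_posix(), entry["det"]))
    return hits, opened


def scan_hash_first(root, by_hash):
    """Scheme B: hash every file and look the digest up; the name is irrelevant."""
    hits, opened = [], 0
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        opened += 1
        det = by_hash.get(md5_of(p))
        if det is not None:
            hits.append((p.relative_to(root).as_posix(), det))
    return hits, opened


def demo():
    """Constructed sample tree: one known file under its usual name, one known
    file renamed to a random-looking name, and one clean file that happens to
    share a known name. Returns sorted detections and file-open counts of both
    schemes."""
    samples = [  # constructed "definitions", not real malware
        ("badtoolbar.dll", b"constructed adware sample #1", "ExampleToolbar"),
        ("tracker.exe", b"constructed adware sample #2", "ExampleTracker"),
    ]
    by_name, by_hash = build_db(samples)
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "Program Files" / "Tb").mkdir(parents=True)
        (r / "Program Files" / "Tb" / "badtoolbar.dll").write_bytes(samples[0][1])
        (r / "Windows" / "Temp").mkdir(parents=True)
        # same bytes as sample #2, but under a randomised file name
        (r / "Windows" / "Temp" / "x7q2kd.exe").write_bytes(samples[1][1])
        (r / "Other").mkdir()
        # clean file with a known name: name-first opens it, the MD5 does not match
        (r / "Other" / "tracker.exe").write_bytes(b"unrelated legitimate program")
        (r / "Other" / "readme.txt").write_bytes(b"clean text file")
        a_hits, a_opened = scan_name_first(root, by_name)
        b_hits, b_opened = scan_hash_first(root, by_hash)
    return {
        "name_first": (sorted(det for _, det in a_hits), a_opened),
        "hash_first": (sorted(det for _, det in b_hits), b_opened),
    }


if __name__ == "__main__":
    for scheme, (dets, opened) in demo().items():
        print(f"{scheme}: detections={dets}, files opened={opened}")
```

The `opened` counter is the observable difference: scheme A opens only the two files whose names are in the DB, which is exactly the "never touches the files" pattern a file-access monitor reveals.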
mikey
Malware Expert


Joined: 12 Feb 2004
Last Visit: 14 Aug 2014
Posts: 1073
Location: CenTex

Posted: Wed Dec 22, 2004 9:13 am

After seeing this thread, I just had to give it a look. The scan produced 4 hits...all false. However, I consider that to be an acceptable amount of F/Ps if the majority of nasties are actually targeted...that is, if they are addressed promptly and the updates don't habitually produce more.

At first glance, the tool seems rather stark in that there are no proactive or special features to mention. The scan itself is perplexing. I understand the premise of looking first to the known install points to quicken the scan. But many nasties are morphic now and they are impossible to detect in this manner. So I would guess that Eric is probably right on the mark with his findings. It would also explain why it missed my entire archive. If I had a key, I could test for all the necessary routines it takes to make a malware scanner functional in this day.
_________________
UbuntuStudio...community supported multi-media development optimization.