
your spycar ran over my dogma: test your anti spyware app

Discussion in 'Security and Privacy' started by charlesvar, 2006/05/10.

  1. 2006/05/10
    charlesvar

    charlesvar Inactive Alumni Thread Starter

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    http://blog.washingtonpost.com/securityfix/2006/05/your_spycar_ran_over_my_dogma.html

    This article is mostly about an app called spycar to test anti spyware applications, both free and paid.

    The most interesting paragraph in this article is this:
    Windows Defender doesn't come off well here at all:
    Don't use it and haven't installed it on any system, so can't make judgements on WD. Anyone using WD can run the spycar tests and comment please.

    Spycar test: http://www.spycar.org/Welcome to Spycar.html

    For the record, I ran the tests - they were all blocked by a resident process control app, System Safety Monitor (http://syssafety.com/). SSM intervened before Sunbelt's Kerio (on one OS) and ZA Pro (on another OS), so I then disabled SSM and relied on Kerio and ZA Pro; both have behavior-blocking capabilities, and both blocked every attempt at changing browser settings, inserting registry entries and changing the Hosts file.

    I'd really be interested in results from users of various resident anti-spyware apps :)

    Regards - Charles
     
  2. 2006/05/26
    Luckyjfl

    Luckyjfl Inactive

    Joined:
    2006/05/26
    Messages:
    4
    Likes Received:
    0
    spyware

    Hi Charlesvar,
    I use ZoneAlarm Pro and AVG Pro. What, in your opinion, do you consider the best protection? Do you think what I am using is good, or what?

    Look forward to your reply.
     


  4. 2006/05/26
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    charlesvar--Most disturbing. I failed every Spycar test.
    I have AdAware, SpywareBlaster and Windows Defender installed. (Of course, a firewall and AV as well.)
     
  5. 2006/05/26
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    Joined:
    2005/09/10
    Messages:
    1,772
    Likes Received:
    37
    Running SpywareBlaster and Panda Titanium 2006. Before I could click on TowTruck the site died and I could not get back in. I had to Google Spycar TowTruck then click on the cached link to run TowTruck.

    Results.

    HKCU_RUN: Spycar change allowed
    HKCU_RunOnce: Spycar change allowed
    HKCU_RunOnceEx: Spycar change allowed
    HKLM_Run: Spycar change allowed
    HKLM_RunOnce: Spycar change allowed
    HKLM_RunOnceEx: Spycar change allowed
    IE-HomePageLock: Spycar change allowed
    IE-KillAdvancedTab: Spycar change allowed
    IE-KillConnectionsTab: Spycar test not performed
    IE-KillContentTab: Spycar test not performed
    IE-KillGeneralTab: Spycar test not performed
    IE-KillPrivacyTab: Spycar test not performed
    IE-KillProgramsTab: Spycar change allowed
    IE-KillSecurityTab: Spycar test not performed
    IE-SetHomePage: Spycar change blocked
    IE-SetSearchPage: Spycar change blocked
    AlterHostsFile: Spycar test not performed

    I will now run my normal scans to see if anything is detected. BRB. :)

    This is what was found after running TowTruck.

    Found in Temp folder.

    Temporary Directory 1 for hosts.zip folder containing HOSTS File 413 KB

    8A56EAB7.TMP

    CCleaner found all of the missing MRUs from SpyCar's .exe files.

    AdAware results.

    Name:Windows
    Category:Vulnerability
    Object Type:RegData
    Size:4 Bytes
    Location:...\policies\microsoft\internet explorer\control panel "Homepage" ()
    Last Activity:5-26-2006
    Relevance:Low
    TAC index:3
    Comment:
    Description:General Windows Security Issue. Your system security may be compromised. The specifics of the possible compromised item are listed in the comments section.

    Name:MRU List
    Category:Spyware
    Object Type:MRU FileReference
    Size:0 Bytes
    Location:C:\Documents and Settings\Don\recent\
    Last Activity:5-26-2006 4:00:00 AM
    Relevance:Negligible
    TAC index:0
    Comment:list of recently opened documents
    Description:Most Recently Used List.

    Name:MRU List
    Category:Spyware
    Object Type:MRU RegReference
    Size:-
    Location:...\currentversion\explorer\comdlg32\lastvisitedmru\
    Last Activity:
    Relevance:Negligible
    TAC index:0
    Comment:list of recent programs opened
    Description:Most Recently Used List.

    Name:MRU List
    Category:Spyware
    Object Type:MRU RegReference
    Size:-
    Location:...\currentversion\explorer\comdlg32\opensavemru\
    Last Activity:
    Relevance:Negligible
    TAC index:0
    Comment:list of recently saved files, stored according to file extension
    Description:Most Recently Used List.

    Panda log entries.

    Suspicious operation 05/26/06 15:36:26 Blocked Application: C:\DOCUMENTS AND SETTINGS\DON\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\O5UF01UZ\TOWTRUCK[1].EXE - Operation: Changes to Internet Explorer settings detected.
    Suspicious operation 05/26/06 15:36:21 Blocked Application: C:\DOCUMENTS AND SETTINGS\DON\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\O5UF01UZ\TOWTRUCK[1].EXE - Operation: Changes to Internet Explorer settings detected.
    Suspicious operation 05/26/06 15:22:10 Blocked Application: C:\DOCUMENTS AND SETTINGS\DON\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\AN61E987\IE-SETSEARCHPAGE[1].EXE - Operation: Changes to Internet Explorer settings detected.
    Suspicious operation 05/26/06 15:21:43 Blocked Application: C:\DOCUMENTS AND SETTINGS\DON\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CPA3C9UZ\IE-SETHOMEPAGE[1].EXE - Operation: Changes to Internet Explorer settings detected.
     
    Last edited: 2006/05/26
  6. 2006/05/26
    charlesvar

    charlesvar Inactive Alumni Thread Starter

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
  7. 2006/05/26
    charlesvar

    charlesvar Inactive Alumni Thread Starter

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Jim,

    Not surprised.

    In your case, I don't know how important it is for you to either change or add to what you have - your brain is the most important component, and that you have :)

    The issue, though, is that it's simply not enough to have the old-style anti-malware techniques, meaning signature definitions, these days. What's needed IMO is default deny instead of blacklists, which is the principle that anti-malware apps have operated on for years.

    If I'm not mistaken, you use the ZA free version, which is an excellent firewall. I would, however, in the absence of any other behavior-blocking app or an AV that was strong on heuristics, use the Pro version. It is a learning curve in the beginning, because the ultimate judge of legitimate behavior is you.

    I think you also use NAV 2005, which I just got rid of because I got tired of its Rube Goldberg construction - tired of problems with LU - tired of an AV that adds a half-baked firewall which, even if you shut it down, still runs the processes for it - tired of once-a-week updates unless you download 4 - 5 MB or more worth of sigs, their so-called intelligent update. Otherwise it was fine :rolleyes:

    Regards - Charles
     
  8. 2006/05/26
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    charlesvar--Thanks for your comments.
    For many years I have been proud that Gibson's Shields Up shows me completely stealthed. Still does.
    Yes, I run NAV 2005 from SystemWorks Premier. NAV and Ghost are the only programs I install from SystemWorks 2005. (LiveUpdate often provides updates to Trusted Applications - which I have regarded as a "deny list" in reverse - and Worm Protection.)
    I often get short popups from Norton telling me that certain changes to my Registry (which I requested) have been allowed. I always assumed this meant I would get a message if something not on Norton's Trusted Applications List tried to install.
    I also run a HOSTS file (mostly populated by MVPs.org), a Restricted Sites list (mostly populated by IESpyAds) and have blocked third party cookies in Privacy tab Sites. The Internet Sites|Custom Level settings in IE have ActiveX blocked.
    I ran Full Systemscans with NAV, Windows Defender and AdAware after the Spycar test. Nothing reported. Note my AdAware scan report differs from what Whiskeyman reported.
    I did find some files in TIF, Recent and Prefetch associated with Spycar. I have deleted them. (They would be deleted on reboot anyway.)
    I will have to study what you have said a little further.
    In the meantime
    1) What is it that ZA Pro will add that I do not already have? Does it have heuristic firewall protection that ZA Free does not? Is there such a thing as a heuristic firewall? Or do you mean some other aspect of ZA Pro, such as the AV, uses heuristics more effectively than NAV? av-comparatives.org's site does not address this issue and does not rate ZA's antivirus program, which I thought was EZTrust.
    2) What is Spycar doing to penetrate my defenses that every hacker cannot be doing tomorrow?
    3) What is Spycar suggesting? It seems to be a heuristic firewall.
     
    Last edited: 2006/05/27
  9. 2006/05/27
    charlesvar

    charlesvar Inactive Alumni Thread Starter

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Jim,

    1) What is it that ZA Pro will add that I do not already have? Does it have heuristic firewall protection that ZA Free does not? Is there such a thing as a heuristic firewall? Or do you mean some other aspect of ZA Pro, such as the AV, uses heuristics more effectively than NAV? av-comparatives.org's site does not address this issue and does not rate ZA's antispyware program, which I thought was EZTrust.

    I meant ZA Pro. ZA Pro is w/o the AV component, ZA suite has the EZTrust AV and anti spyware.

    Pro's firewall is the same as the one in the free version. What Pro has extra is browser filtering, such as blocking of ActiveX, Java and VBS scripts globally or on a per-site basis, and rule making. Version 6.x added behavior blocking: if a process tries to execute, ZA intercepts it and asks permission. Do a search on ZA in this section with my username; I posted threads on v6.x here last fall and responded to users.

    Basically, Sunbelt's Kerio has the same general capability.

    So does NIS, but in typical Symantec fashion, its obscure and difficult to control: http://www.windowsbbs.com/showthread.php?t=52980&highlight=NIS

    If you re-read my first post, I use a process control app, System Safety Monitor, that intercepts executes, including OS calls. Had to disable that to allow ZAP and Kerio to do their thing.


    2) What is Spycar doing to penetrate my defenses that every hacker cannot be doing tomorrow?

    Not hacking. Hacking is a penetration of the firewall by unsolicited intrusions; this is unknowingly inviting in an execute through the browser. Look at the malware that we deal with in the removal section: they enter through the browser. I know that you have ActiveX shut down, and that's one way that malware enters, but most people, if they know what it is in the first place, have ActiveX enabled to the SP2 defaults; they rely on MS's ActiveX "certification" or some anti-spyware app and their blacklists to protect them - not enough, obviously.


    3) What is Spycar suggesting? It seems to be a heuristic firewall.

    It's not a firewall. It's a series of executables that you invited in through the browser, and no security app was able to intercept its actions.


    The only comment I'll make about NAV for now is that the Worm Blocker is a firewall that doesn't do any more than any other firewall - it's redundant.

    Regards - Charles
     
  10. 2006/05/27
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    charlesvar--Thanks again for your further comments and the images.
    When I ran Spycar, ZoneAlarm Free gave me no popup messages as shown in your images. That could be a powerful reason to consider using ZAPro.
    But I came across this on PCMagazine's website where they offer a download of ZAFree
    "We expect more of ZoneAlarm because its Pro version is so powerful, but in truth the free version is a fine solution for many users. It won't block leak test techniques (my bolding), but malware applications will have a tough time attacking it directly. "
    Since I do block ActiveX by my IE Security settings it may be that ZA Pro will offer little extra outside of blocking tests such as Spycar.
    Concerning System Safety Monitor. I understand you turned it off to allow ZA Pro to function during the Spycar test. But does that mean the rest of the time, when you run System Safety Monitor, ZAP is not providing its popup warnings? That would seem to suggest I seriously consider SSS--perhaps more than ZAP. I see that SSS has been offered to the public only about three months.
    Going back to my question #3 above
    I should have just asked "3) What is Spycar suggesting? "
    I may have missed it, but I do not see they offer any solution to the problem they are warning us about.

    I hope you do not think I am just nitpicking, but Spycar implies a serious problem. If the problem is real, I want proper protection.
     
  11. 2006/05/27
    charlesvar

    charlesvar Inactive Alumni Thread Starter

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    hi Jim,

    But I came across this on PCMagazine's website where they offer a download of ZAFree
    "We expect more of ZoneAlarm because its Pro version is so powerful, but in truth the free version is a fine solution for many users. It won't block leak test techniques (my bolding), but malware applications will have a tough time attacking it directly. "


    Did it stop Spycar? The issue is not whether ZA Free can protect itself, but whether it can protect the system. This test attack is not a firewall attack. It's a browser attack.


    Concerning System Safety Monitor. I understand you turned it off to allow ZA Pro to function during the Spycar test. But does that mean the rest of the time, when you run System Safety Monitor, ZAP is not providing its popup warnings? That would seem to suggest I seriously consider SSS--perhaps more than ZAP. I see that SSS has been offered to the public only about three months.

    ZA suite would not be my choice. NOD and KAV are far better than CA that ZA uses and I've read that ZA's Anti Spyware is anemic - can't cite the sources at the moment. Don't like suites in principle - only as strong as the weakest part.

    I've used versions of SSM for something like three years now, before the latest Kerio and ZAP versions, far more powerful with a small footprint. Since it has the ability to control some aspects of the OS, my preference.


    I may have missed it, but I do not see they offer any solution to the problem they are warning us about.

    I like the fact that Spycar isn't huckstering a solution - just a test of your security.

    Regards - Charles
     
  12. 2006/05/27
    charlesvar

    charlesvar Inactive Alumni Thread Starter

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Jim,

    Since I do block ActiveX by my IE Security settings it may be that ZA Pro will offer little extra outside of blocking tests such as Spycar.

    Didn't fully answer your question about using the Pro versions of ZA & Kerio. I've made this point before in passing, but I'll make it again.

    Both filter or control the browser's actions, such as blocking ActiveX and scripts globally or per site; both have rule-making capability, globally or per site, such as blocking an IP address or constricting an application to a specific port, and more. These do not have anything to do with the behavior blocking that we've been discussing, and that an app like SSM just doesn't do.

    So, along with an AV, the most bang for the security buck is a Firewall like these.


    Since I do block ActiveX by my IE Security settings

    One hole :) anything that gets past that, what's there to stop it?

    This is what this test is really about. The premise is: let's pretend that Spycar got past whatever preventative measures you have.

    Regards - Charles
     
  13. 2006/05/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi All
    I am running "Webroot Spy Sweeper". I was alerted to all the HKEY changes and prompted to take action.
    All the IE changes were allowed except "set home page" and "set search page"; these two were blocked.
    I did the test with my MSN browser. (Don't know if that would make a difference with the IE changes or not?)
    Is Spy Sweeper supposed to stop the IE changes, or is that another program? I have all the protections checked on Spy Sweeper.
    Geri
     
  14. 2006/05/28
    James Martin

    James Martin Geek Member

    Joined:
    2003/05/15
    Messages:
    2,655
    Likes Received:
    79
    Here are my results...

    Spycar Scoring
    HKCU_Run : Spycar change blocked
    HKCU_RunOnce : Spycar change blocked
    HKCU_RunOnceEx : Spycar change blocked
    HKLM_Run : Spycar change blocked
    HKLM_RunOnce : Spycar change blocked
    HKLM_RunOnceEx : Spycar change blocked

    IE-HomePageLock : Spycar change allowed
    IE-KillAdvancedTab : Spycar change allowed
    IE-KillConnectionsTab : Spycar change allowed
    IE-KillContentTab : Spycar change allowed
    IE-KillGeneralTab : Spycar change allowed
    IE-KillPrivacyTab : Spycar change allowed
    IE-KillProgramsTab : Spycar change allowed
    IE-KillSecurityTab : Spycar change allowed

    IE-SetHomePage : Spycar change blocked
    IE-SetSearchPage : Spycar change blocked


    I am running...

    * Spyware Blaster
    * Spybot
    * Ad-Aware (Free)
    * Ewido (free)
    * AVG (free)
    * System Suite 5's Firewall (Sygate)
    * WinPatrol (free)

    WinPatrol was responsible for all of the blocked applications.
     
  15. 2006/05/28
    charlesvar

    charlesvar Inactive Alumni Thread Starter

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Geri,

    MsnExplorer uses IE as a shell, so any IE setting would be in effect.

    But that's not what's being tested. As I wrote to Jim, this test assumes that Spycar got past the browser and is attempting the changes.

    Regards - Charles
     
  16. 2006/05/28
    charlesvar

    charlesvar Inactive Alumni Thread Starter

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi James,

    WinPatrol did really well in blocking the changes to the registry and to the IE settings.

    So far, I haven't read about any malware that attempted to change IE's tabs.

    SpywareBlaster is designed to screen you from getting to this stage, as would SpyBot if you were running that realtime.

    Three stages to the malware "game ":

    Preventing it getting on in the first place - this is where realtime Anti-Spyware apps and Browser settings come into play.

    Once its on, preventing it from doing damage - this is the Spycar tests.

    Getting it off and reversing any damage - this is where scanners such as Ad-Aware, Spybot, Ewido, etc. come into play.

    Of course, reality is different, usually a mixture. A lot of anti-spyware apps have behavior-blocking capabilities of one sort or another. It's just that no one of them has it all, of course.

    My point in my responses to Jim is that once something gets through all the layers, then behavior blocking backstops the others. Since nothing is perfect, that isn't either, and no one should be under any illusion that they have the perfect solution.

    Regards - Charles
     
  17. 2006/05/28
    James Martin

    James Martin Geek Member

    Joined:
    2003/05/15
    Messages:
    2,655
    Likes Received:
    79
    Hi Charles,

    I hate that WinPatrol did not block all of the tests, but I'm glad that it caught as many as it did.

    Out of curiosity, I wrote to Bill P. (the maker of WinPatrol) and invited him to check out the Spycar site for himself.

    Here is what he said in return...

    Hi James,

    Thank you for your support of our WinPatrol program and for giving me the tip on Spycar. This is the first I've heard of it and will investigate further when I get a chance.

    It's possible that WinPatrol wouldn't have alerted you to all the registry changes which test programs often make. We have defined a particular set of high risk registry changes which are common to all malware. Typically, these are only the registry entries which directly impact your system. For instance, a program may register a DLL with Windows but unless there's some way to launch that DLL we won't care.

    Generally, when folks have done registry comparisons WinPatrol does well, but we don't try a brute force attempt at blocking any possible changes. We wouldn't be much help if we ended up slowing down the system more than the malware you're trying to be protected from. Some programs like Norton use overkill and end up doing more harm.

    I'm pleased that even our free version seemed to catch things so well but test programs can be very deceptive. For instance, the real-time monitoring in our PLUS version may not be triggered by changes from a test program, but would catch a real life infiltration. See http://www.winpatrol.com/rid.html for details. I will check out their methodology and see if improvements are in order for WinPatrol. WinPatrol 10 is close to release so it's good timing.


    Thanks again,
    Bill Pytlovany

    ------------------------------------------

    FWIW, my version of WP has a delayed response time before alerting the user of changes on their system. The Plus (paid) version has true, real time protection.

    Edit: As far as spyware scanners go, should they be used before TowTruck is activated?
     
    Last edited: 2006/05/28
  18. 2006/05/28
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    Joined:
    2005/09/10
    Messages:
    1,772
    Likes Received:
    37
    I would suggest running any anti-malware programs before and after running TowTruck. I should have but didn't. Panda actually blocked some of TowTruck's cleaning actions. I also forgot to recheck some blocking actions of my programs because I wanted to change my IE settings. Once I have made sure that all traces of Spycar are removed I will test it again and run scans before and after.
     
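The result lists posted above name exactly which locations the Spycar executables try to touch: the six HKCU/HKLM Run, RunOnce and RunOnceEx autostart keys, the Internet Explorer "Control Panel" policy values that lock the home page and hide Internet Options tabs (the same policy key Ad-Aware flagged in Whiskeyman's scan), the IE start/search page, and the hosts file. The last post suggests scanning before and after the test; a cheaper and more precise check is to snapshot those locations before running the tests and diff a second snapshot afterwards, since anything that shows up in the diff got past the behavior blocker. The script below is an added example for this thread, not code from Spycar, TowTruck or any of the products discussed. It assumes Windows PowerShell 4 or later (for Get-FileHash) and the standard locations listed in it; the IE policy value names are the documented ones, but the particular set inspected, and the `<absent>` / `<subkey>` markers, are this example's own choices. Take the "before" snapshot before TowTruck runs, because TowTruck reverts the changes (and, as noted above, a blocker may interfere with that cleanup too).

```powershell
# Added example, not from the thread or from Spycar/TowTruck. Snapshot the
# locations the Spycar tests modify, then diff a later snapshot against it.
# Assumptions: Windows PowerShell 4+; standard Run-key, IE policy and hosts
# file locations; the set of values inspected is this example's choice.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)
# IE policy values that lock the home page or hide Internet Options tabs.
$IEPolicyKey    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$IEPolicyValues = @('HomePage', 'AdvancedTab', 'ConnectionsTab', 'ContentTab',
                    'GeneralTab', 'PrivacyTab', 'ProgramsTab', 'SecurityTab')
$IEMainKey      = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$IEMainValues   = @('Start Page', 'Search Page')
$HostsPath      = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Properties the registry provider adds to Get-ItemProperty output; not real values.
$ProviderProps  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RegistryValues {
    # Returns "key\valuename -> data" for every value under $Key, plus one entry per
    # subkey, because RunOnceEx keeps its commands in numbered subkeys, not values.
    param([string]$Key)
    $out = @{}
    if (-not (Test-Path $Key)) { return $out }
    $props = Get-ItemProperty -Path $Key
    foreach ($p in $props.PSObject.Properties) {
        if ($ProviderProps -notcontains $p.Name) { $out["$Key\$($p.Name)"] = [string]$p.Value }
    }
    foreach ($sub in Get-ChildItem -Path $Key -ErrorAction SilentlyContinue) {
        $out["$Key\$($sub.PSChildName)\"] = '<subkey>'
    }
    return $out
}

function Get-NamedValue {
    # Reads one registry value; '<absent>' when the value (or key) does not exist,
    # so that a value *created* by the test shows up in the diff.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '<absent>' }
    return [string]$item.$Name
}

function Get-SpycarSnapshot {
    # Flat "location -> value" table covering every location the tests touch.
    $snap = @{}
    foreach ($key in $RunKeys) {
        $vals = Get-RegistryValues -Key $key
        foreach ($k in $vals.Keys) { $snap[$k] = $vals[$k] }
    }
    foreach ($name in $IEPolicyValues) { $snap["$IEPolicyKey\$name"] = Get-NamedValue $IEPolicyKey $name }
    foreach ($name in $IEMainValues)   { $snap["$IEMainKey\$name"]   = Get-NamedValue $IEMainKey $name }
    # The hosts file is tracked by content hash; any edit changes it.
    $snap[$HostsPath] = if (Test-Path $HostsPath) {
        (Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash
    } else { '<absent>' }
    return $snap
}

function Compare-SpycarSnapshot {
    # Emits one object per location whose value differs between the two snapshots.
    # Locations present in only one snapshot (e.g. a new Run value) are reported too.
    param([hashtable]$Before, [hashtable]$After)
    $locations = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($loc in $locations) {
        $b = if ($Before.ContainsKey($loc)) { $Before[$loc] } else { '<absent>' }
        $a = if ($After.ContainsKey($loc))  { $After[$loc] }  else { '<absent>' }
        if ($b -ne $a) {
            [pscustomobject]@{ Location = $loc; Before = $b; After = $a }
        }
    }
}

# Usage: snapshot before the test, persist it, run the tests, snapshot again, diff.
#   Get-SpycarSnapshot | Export-Clixml .\spycar-before.xml
#   ... run the Spycar tests (before TowTruck reverts them) ...
#   $before = Import-Clixml .\spycar-before.xml
#   Compare-SpycarSnapshot -Before $before -After (Get-SpycarSnapshot) | Format-Table -AutoSize
# An empty result means every attempted change was blocked.
```

Reading HKLM and the hosts file needs no elevation, so the snapshot can be taken from the same limited account the tests run under. The diff is deliberately narrow: it reports only the locations the thread's tests are known to modify, which keeps it free of the MRU and temp-file noise that the scanner reports above picked up.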
