I'm trying to find out If either or both these are malware of some sort or not? As there has been a lot of debate about them on the bbr forum.

http://www.dslreports.com/forum/remark,17231332

Wilders has threads on both with recent doubts about the Kau antivirus.

http://www.wilderssecurity.com/showthread.php?t=153532

mvdu posted "BOClean says it is malware" and metallicakid15 "yup it has a variant of zlob i think"

Spymove antivirus

http://www.wilderssecurity.com/showthread.php?t=153528

Hav any antivirus vendors investigated these yet? and what are the anwsers?

Tia


StevieO

SpyMove (http://www.softpedia.com/get/Antivirus/SpyMove.shtml) got 100% Clean Softpedia's Award. But I would never try nor recommend to try them.

@ TheTOM_SK

You are right they are not always correct, as in this case.


mvdu was also right they are both picked up by Boclean

185165

Making further enquiries to nsclean they had this say about them.

Quote on spymove

"Complained about not finding a piece of its own stuff, then filled the entire screen with absolute crap (including the traybar so there was no way to make it go away and it autostarted too)

Let's call both "crapware" rather than malware ... neither does what they claim to do and the second one there covers the entire screen (including traybar) and won't close"

Quote on kau

"Kau didn't work"

I did ask and do have permission from them to post this information.

Why do no other antivirus etc vendors pick up on these, particually when spymove is very destructive ?


StevieO

nsclean will not be delisting spymove and kau as they have confirmed to me these are not false positives. They are both undesirable programs, one does not work properly, and the other completely takes over a users desktop. Attempting to click your way out of the mess it creates is both time consuming and does not have much if any effect.

There are other problems with them too, but I think you will agree those reasons alone are sufficient to exclude them from anyone trying to run them. Most home users would be highly inconvenienced and not know what to do, business users can also live without the annoyance this may cause.

Both those programs are promoted as an antivirus, but fail miserably to live up to the claims made for them. Call them what you will, but unwanted they definately are due to all the problems they cause.

If other vendors decide to ignore these then i think that's a mistake, and does not do their customers any favours in doing so. What would users do and use to eliminate these if they downloaded and ran them ? Not their previous antivirus, if they had one as this would have been uninstalled to make way for one of these. And not one of these either, so where would that leave them ?


StevieO

Both tested by another very clever guy and confirmed as nothing but rubbish.

http://forum.sysinternals.com/forum_posts.asp?TID=8820&PN=1

The sooner more people find out to stay clear of these the less problems and clean ups will be needed.


StevieO

-{ Quote: "Why do no other antivirus etc vendors pick up on these, particually when spymove is very destructive ?" }-
I've only looked at KauAV, in the past and just now again.

There's quite simply nothing wrong with that program in itself, and it does work btw.

I will check out the other program later, more important stuff to attend to at the moment.

Edit: Oh, and indeed, no AVendor is flagging KauAV.

@ Schouw

Thanks for your interest in these.

You said quote -{ Quote: "I will check out the other program later, more important stuff to attend to at the moment.

Edit: Oh, and indeed, no AVendor is flagging KauAV." }-BOClean is indeed flagging both kau and spymove, unless you don't consider them an AVendor ?

Your check with kau is at odds with what nsclean says, and also another very experienced and highly respected programmer EP_X0FF who tested both on si. http://forum.sysinternals.com/forum_posts.asp?TID=8820&KW=spymove

We hope to see the results of your tests very soon.


StevieO

-{ Quote: "
BOClean is indeed flagging both kau and spymove, unless you don't consider them an AVendor ?
" }-

They are not an AV Vendor. And the probably included this because Spanner posted a thread at DSLR where he claimed that they contained codec (zlob) trojans what was/is of curse utter ********. He stored a few mediacodec files on his desktop in a folder "W" and when he was trying to download this 2 programs TO THE DESKTOP FOLDER the AV Monitor (Driver) got an event to scan this path upon write event and detected the mediacodec there. Hey could have downloaded Microsoft Office - if stored to the same path it would also show the mediacodec / zlob infected which actually has NOTHING but really NOTHING todo with the downloaded file since it existed BEFORE the download there.

-{ Quote: "Your check with kau is at odds with what nsclean says, and also another very experienced and highly respected programmer EP_X0FF who tested both on si. http://forum.sysinternals.com/forum_posts.asp?TID=8820&KW=spymove" }-
Well the ClamAV engine can't scan into RAR archives, as he found out himself.

Website - that's marketing and not really that relevant.
We care mostly about the file(s) and its behaviour, that's the main factor.

It would seem that for a while now (more) people care only about detection, not if this detection is actually accurate/justified or not. A worrying trend imho.

And now I'll go back to working on my Virus Bulletin paper. :)

@ Inspector Clouseau

Semantics apart, let's call BOClean an anti malware product then. And it flags both spymove and kau as malware, even though nsclean has said they are more crapware than malware. When it detecs something you get a message which says malware as in the screen shots from before. Other people i've spoken to have also confirmed that BOClean flags these two when they downloaded both files and that's without any codec in sight. So whether there was a codec or not in that w folder you referenced doesn't make any difference as it does detect both of them. They have also been confirmed by nsclean as crapware and not false positives, and even worse by EP_X0FF.

@ Schouw

You say that marketing is not really that relevant. I think there is a big difference between marketing and what EP_X0FF on the si thread called lies. The detection of both and classed as crapware etc by both nsclean and worse by EP_X0FF is actually accurate and justified. Both of them have described what those two av's do and do not as claimed, and don't forget the desktop etc mess caused.

I find it hard to comprehend why anybody would support spymove and kau in any way, after those tests and confirmations by very knowledgable people. I would expect avoidance, or caution to be advised at the very least ?


StevieO

Again, I'm only talking about kauav here.
-{ Quote: "Other people i've spoken to have also confirmed that BOClean flags these two when they downloaded both files and that's without any codec in sight." }-
I think Mike is saying is that NSClean added detection for kauav after Spanner reported it contained Zlob.(with the Avira detection)
-{ Quote: "You say that marketing is not really that relevant. I think there is a big difference between marketing and what EP_X0FF on the si thread called lies." }-
So when a user receives a file s/he should go to the 'associated website' - whatever that is - to see what it does? Sure, the website is not totally irrelevant, but it certainly does not make or brake detection. What if the website goes down or gets changed?
-{ Quote: "The detection of both and classed as crapware etc by both nsclean and worse by EP_X0FF is actually accurate and justified." }-
'crapware' - that doesn't sound like a real malware category to me.
-{ Quote: "and don't forget the desktop etc mess caused." }-
What desktop mess?
-{ Quote: "I find it hard to comprehend why anybody would support spymove and kau in any way, after those tests and confirmations by very knowledgable people." }-
There are two senior anti-virus researchers replying in this thread and no AVendor is detecting this stuff.
Are you saying the AV industry is not knowledgeable? I think that at least one analyst from all those companies would have flagged it in one way or the other if there were something 'malicious'.
Perhaps NSClean should take a second, better, look at kauav.

The anti-malware industry should refrain from blindly adding detections for programs.

@ Schouw

Nsclean added detection for kau after testing it themselves, again after reports to them it may have been a false positive, they have not excluded it from the definitions. If the Mike you talk about is Inspector Clouseau then he is mistaken in what he thinks.

If anyone goes to theese 'associated websites' to see what they do or do not, they will be faced with hardly any information on the products or the companies. What little there is not credible as EP_X0FF proved. Your average joe would not know these are products to be avoided from looking at those websites and ones like them, so are more likely to download and run them than we are. As there are more average joes around it follows that there are likely to be many problems ahead.

You did say that you would check out spymove later, and when you do you should find that desktop mess etc it makes, as nsclean did.

Just because crapware isnt classed as malware doesn't mean it's somthing that anyone should be downloading and running. It should also not be defended, on the contrary everyone should be advised to avoid them.

Nsclean considers they are doing people a favour by halting the running of two products that are of little if any use. Not to mention saving them from having to clean up after as well.

I am positive that most average joes would prefer that their anti product included spymove and kau in their definitions to save them from any mess or crapware problems etc. If other vendors decide not to include things like this, then people can choose alternatives.


StevieO

-{ Quote: "Just because crapware isnt classed as malware doesn't mean it's somthing that anyone should be downloading and running. It should also not be defended, on the contrary everyone should be advised to avoid them." }-
Last time: There is _nothing_ wrong with kauav _and_ it's free.
Especially seeing as it's free I really don't understand why it's being detected.
I wouldn't have any problems running it on my own machine.

Unless you can come up with any real proof(of your own), I think this discussion is over. You are only repeating the words of other people.

@ Schouw

kau is free, so are lots of things not everyone would want, and they get detected. I am very surprised to hear you say, you wouldn't have any problems running it on your own machine. Based on the others who tested it I wouldn't, or advise anyone else to.

Alright let's forget about kau what about spymove you said you would test, and as you asked "what mess " ?


StevieO

-{ Quote: "@ Schouw

Nsclean added detection for kau after testing it themselves, again after reports to them it may have been a false positive, they have not excluded it from the definitions. If the Mike you talk about is Inspector Clouseau then he is mistaken in what he thinks.
" }-

StevioO, basically you're telling Schouw (by the way Schouw and me we know each other personal so it's not just that we did meet last week here in this forum) that i'm unable to analyze files. Thats a huge claim. Especially based on the fact that some other vendor who's not even a certificated AV vendor adds some files into detection were 2 people with a long antivirus background, even from 2 different companies telling you that this file IS NOT MALICIOUS AT ALL. What do you expect? That every antivirus company makes now a press release stating that BOCLEAN is wrong? Excuse me, but we have other, more important things to do!

The funny thing is that the program in question is even OPEN-SOURCE. Yes. The package includes the sourcecode as well. And one more thing... If i wouldn't had taken a look at it, do you really think i would post at DSLR that this detection is not correct? Then i would probably just add it to detection and we would have a signature false positive. And it is not even "Scumware". It detects same as ClamAV does since it uses clamav engine and signatures.

StevieO, if you think Schouw and me are wrong why don't you apply for a job in the AV industry? We would be glad to learn from from you. :ouch:

-{ Quote: "I'm trying to find out If either or both these are malware of some sort or not? As there has been a lot of debate about them on the bbr forum.

http://www.dslreports.com/forum/remark,17231332

StevieO" }-

I'm surprised by you StevieO.

Didn't you see who started that topic at dslreports?
That was the infamous SpannerITWKs who is banned here. You should know better than to believe what he says. :)

I just don't want anyone to install or run faulty or useless products advertised with false or misleading claims, when there are better alternatives even free. If after reading the warnings by EP_X0FF etc on the two av's especially spymove, anyone still wants to run them they can. I would like to hear what happened, but i will not be doing it.

@ Inspector Clouseau

I did not say you or schouw were unable to analyze files. You have chosen not to include kau and spymove. It has been shown that they are more crapware than anything else by EP_X0FF and nsclean. So why would anyone defend them, and schouw said he would not mind running kau on his pc. If you look at EP_X0FFs tests on system internals it shows what he found to be wrong and useless with both av's. Still no test on spymove which was promised by schouw ? I think if you test that you might have a different view of it.

Certificated by who, some av club etc ? So unless a vendor subscribes to some club, they are not to be believed or may not have more skills and knowledge than others, is that what you are saying ? I think nsclean may have more malware background than some others put together, and EP_X0FF is very well respected a talented programmer also. Maybe a press release should be issued stating others are wrong to defend crapware, as proven in the si thread by EP_X0FF. I'm not looking for career I have a very good one thank you. I don't believe you are wrong to say they are not malware but at least spymove in particular should avoided due to the problems it causes.

Devil's Advocate

I believe the people who have gained lots of knowledge and have proven experience in their specialist fields, some who have a longer background than most if not all others. Someone who might have been banned for something does not mean they are unable to quote those good sources of information and share and discuss them on another forum. I did give the link to the bbr thread right at the start didn't you see it ? I've heard that you have been warned more than once for posts you have made! I did give the link to the bbr thread right at the start didn't you see it ? I did so i know what is in there.


StevieO

SteviO, aka spanner ;) i tell you what:

You bring Kevin here to make a PROFESSIONAL STATEMENT (not like the usually ******** without any fundamendal technical background) WHY he thinks KAU is malicious. And an answer like "because spanner submitted it as malware" simply doesn't count. I would be very interested in hearing his oppinion on this. HERE AND NOW, before this drama continues. Do you guys really think that 2 different av people, one from kaspersky and myself from frisk posting ******** here just to entertain people?! You do have an option: You bring kevin here to post WHY it is MALICIOUS and is flagged as a TROJAN or you simply stop talking in this way that Kevin knows it better because he included it into detection. And the major credit for this whole drama goes of course to spanner.

Guys, I really hate to break in on a truly wonderful World War XXI -- SKIP WARS III THROUGH XX! -- but I need to interrrrrupt just long enough to ask The Inspector if I may have an F-Prot update? And while I'm here, is Kau AV better than Abacre AV? I know, Abacre is very light with respect to system resources. Also, I'm lost in this debate. Is the topic, "Spymove is better than Kau," or "Trojans have feelings too!"?

Dave/2.148975642 - Z^2 = BaRf/8 or is it E = mc^4? (Einstein knew, I forgot.)

@ Inspectr Clouseu

If you were replying to me you spelt my name wrong? In case you were i'll say this. I can't force anyone here or anywhere, if they feel like it and have time that is up to them. Unlike you and others who seem to have lots of spare time to post on forums, nsclean are more concerned with using that time getting work done to better protect their clients.

Neither he or EP_X0FF have said kau or spymove are malicious, i've repeatedly made that clear, to most people! So why do you keep saying that? I don't think you can have properly looked at EP_X0FFs test on si and seen what he had to say on them ? So any bs isn't coming from them or me. Entertaining matter of opinion! We can all post offensive language and comments directed to people if we wanted to, it does not help though.

Go test spymove and by that i mean run it on a real pc not just analise it.


StevieO

-{ Quote: "Go test spymove and by that i mean run it on a real pc not just analise it.


StevieO" }-

Please excuse me, but you are the very last person on this earth who tells me what i have to do! That said have nice day and welcome on my ignore list :ouch:

-{ Quote: "Neither he or EP_X0FF have said kau or spymove are malicious, " }-

One last comment: Are you trying to ******** around here? Take a look at your own screenshots posted here: http://www.wilderssecurity.com/showpost.php?p=879695&postcount=3 and tell me WHAT they say! And if you do have a problem to draw a conclusion between Malware and Malicious maybe this helps: http://en.wikipedia.org/wiki/Malware

Those programs are not malware. Detecting such things as malware would be a false positive. So you should not complain about why other vendors do not include detection for those, but you should complain to the vendors which detect those to fix their products.

-{ Quote: "If the Mike you talk about is Inspector Clouseau then he is mistaken in what he thinks." }-<sarcasm title="ignore if you can not bear it">
Hmm, yeah. Sure. Of course you must be right. ::)

Mike just sits in front of me here in the office and he is of course wrong as always. Since he has only some years of experience in malware research he must be mistaking. Also other people here in this thread certainly have no idea at all, since they also have only a few years experience in the AV industry. ;D

So to summarize again: you are right, everyone else (let me count ... 3 identifyable professionals in malware research) are wrong because you say so ... ;D

Please apply at all security companies, you are urgently needed in all of them ...
</sarcasm>

So, your claims are only backed by results of third party software? Not by own analysis? Excuse me? :wacko: :gack: ... as a hint, there is a freeware disassembler (IDA Free (http://www.datarescue.be/idafreeware/freeida43.exe)) available, since I have to assume you don't have the tools at hand which we have available in our virus labs ...

-{ Quote: "
(let me count ... 3 identifyable professionals in malware research)
" }-

Wrong! 4 not 3 - you forgot yourself and you make the coffee tomorrow morning for this mistake! :D

-{ Quote: "Wrong! 4 not 3 - you forgot yourself and you make the coffee tomorrow morning for this mistake! :D" }-Nah, I'll come especially late so I am not tempted to make the coffee :P ;D

-{ Quote: "I just don't want anyone to install or run faulty or useless products advertised with false or misleading claims, when there are better alternatives even free." }-
I don't see why any AV Scanner should flag such software - or flag software that cause problems in general. That doesn't make sense.
I don't really understand what the problem is - why it should be flagged.
There are so many "rogue" programs out there, but you really can't call them malware - just a bad program you should uninstall.

KAU Antivirus is as much as dangerous as flyshit on your monitor. If you flag this then you also should detect ClamAV itself and rotten bananas & apples in the kitchen as malicious as well. Regarding the other program - if you start including programs into detection because they do not detect things which they claim then we should right now start to include a few other newcomer AV solutions: Let's start with comodo, then UNA Antivirus and oh yes - Kaspersky missed this particular trojan just lets included them as well :gack: Heck is it really so difficult to understand that AV programs are designed and supposed to flag MALICIOUS software? Why should we flag innocent applications?

I think AV's must flag Microsoft Windows;D , it is real crapware.

I think they should add a new categorize called innocent programs that dont do what they say on the tin IMO;D
lodore

@ Inspector Clouseau

So you think it is alright for you to say first quote -{ Quote: "You bring kevin here to post WHY it is MALICIOUS and is flagged as a TROJAN" }- but when I ask you to run spymove not just analise it you don't like it? Nobody was telling you what to do why do you think that?

Once again you missed things that people wrote? You should know that BOClean alerts with a message saying malware when it detects something, maybe you didn't know that? but i explained that before. If you continue to misread or miss what people write, and then reply as if they have said something different we are not at fault so no bs on our part it's coming from others. I don't know if it's lazyness on your part, or because you are not english?

Who wants flyshit on their monitor? It might be not be dangerous but you still have to spend time cleaning it up. Maybe starting to include a few other av's might be a good idea like you said, see my screenshot for some clues on those av's that are still not detecting a gromozon file from months back. Recognise any names in the list?

~removed imageshack imaged which is against our policy to post....Bubba~

@ ibk

I have explained more than once about BOCleans message alert on detection of something, it happens to say malware, in the version before it said trojan. Malware covers more ground than just saying trojan that is why it was changed. And I have explained more than once why spymove and kau are detected, because they are either of little or no use or mess up your desktop. However you look at it they are not something anyone would want to run or keep, unless they like useless products? So detecting and removing them saves people from having to delete them manually if they are stupid enough to download and run them.

@ hurzelpurzel

You are now misreading or misquoting me? You quoted -{ Quote: "If the Mike you talk about is Inspector Clouseau then he is mistaken in what he thinks." }- This is what I really said and was talking about.

(Nsclean added detection for kau after testing it themselves, again after reports to them it may have been a false positive, they have not excluded it from the definitions. If the Mike you talk about is Inspector Clouseau then he is mistaken in what he thinks.) So you are also wrong there not me. Once again they are not included because they are malware but because of the reasons said before which you missed as well.

You also missed that i have said more than once spymove and kau are not malware, just useless. So writing lines about someones credentials was pointless and proves nothing, except some people do not read very well whatever status they might have or think they have or others imagine they have.

@ miekiemoes

Some people prefer not to have to have problems or spend time cleaning up especially companies, even if individuals do not mind.


StevieO

Your last post makes you a perfect Forum Troll, that's all i have to say to this.
Please explain to me why BOCLEAN says it's malware if they say it isn't? Or better question how can they be unsure if it is malware or not? I say it now for the very last time - both of the programs are NOT malicious. And KAU Antivirus is not even a Rogue Software! It uses ClamAV Engine and Signatures and is OPEN SOURCE. Have u ever seen a open source rogue antivirus program?! And if you say that it is "scumware" then you basically make this conclusion also to ClamAV. I'm not impressed by ClamAV myself, but this doesn't make it a rogue software! It does not even make it useless, since it is for a linux machine a reasonable protection at least for catching a lot of annoying email worms.

Next thing is we are not speaking here about detection of gromozon. Don't try to change the topic now after you found out that it's not so easy to fool technical oriented people with your ******** here.

1. it does not fall in the category of malware, as it is NOT malicious. This means: it can not be called malware (because it is NOT malware).
2. antitrust
3. Do not understand what this discussion is all about. I would understand it if you were saying some products deliberatly do not protect you against a new rootkit or real malware. But all this typed words for discussing about the detection of a clean unknown product is silly and useless. maybe some software removes such threads automatically from forums because its considered useless and messes up forums... would save peoples from having to read such posts and to shake their heads :P

-{ Quote: "I find it hard to comprehend why anybody would support spymove and kau in any way, after those tests and confirmations by very knowledgable people. I would expect avoidance, or caution to be advised at the very least ?" }-Hmmm? No one supported it, we just do not approve that someone tags software "crapware" at the same time relating it to malware. Who decides what is "crapware". I can imagine - and past has proven this partially is the case - that some company will love to tag the product of their competitor "crapware" ...

-{ Quote: "@ hurzelpurzel

You are now misreading or misquoting me? You quoted[...]" }-I quoted you, not myself: -{ Quote: "If the Mike you talk about is Inspector Clouseau then he is mistaken in what he thinks." }-... I don't get which part of quoting you accounts for misreading or misquoting on my side :blink:
My post clearly says whom I quoted, your post says "Originally Posted by hurzelpurzel" while you quote me quoting you! ???

-{ Quote: "(Nsclean added detection for kau after testing it themselves, again after reports to them it may have been a false positive, they have not excluded it from the definitions. If the Mike you talk about is Inspector Clouseau then he is mistaken in what he thinks.) So you are also wrong there not me. Once again they are not included because they are malware but because of the reasons said before which you missed as well." }-Jap, you wrote exactly: -{ Quote: "Nsclean added detection for kau after testing it themselves, again after reports to them it may have been a false positive, they have not excluded it from the definitions. If the Mike you talk about is Inspector Clouseau then he is mistaken in what he thinks." }-... of which I quoted a part. And yes, "Inspector Clouseau" is the same as Mike to answer that question.

-{ Quote: "You also missed that i have said more than once spymove and kau are not malware, just useless. So writing lines about someones credentials was pointless and proves nothing, except some people do not read very well whatever status they might have or think they have or others imagine they have." }-It seems that this proves much more than you think. Sure, there is no rule about professionals being right per definitionem, yet you should also read more closely what others write ;) ... not only ask others to do so.

You said:
-{ Quote: "nsclean will not be delisting spymove and kau as they have confirmed to me these are not false positives. They are both undesirable programs, one does not work properly, and the other completely takes over a users desktop." }-... and yes, this clearly looks like you don't call it malware (which was your question in your very first post in this thread), but the problem is, that they are false positives in a software that calls itself "Full Spectrum Antimalware", since the name of the software detecting it implies it must be malware. If you wanted to flag everything one could call "crapware" there would be a lot more to detect, starting with programs that are unusable because the author(s) had no clue at all of GUI design - compatibility with visually impaired users would be one such criteria ... but where does that end?

To sum up: your very first post posed the question whether this is malware. It was clearly said it is not, yet you seem not be willing to accept this, which is clearly shown by the ongoing discussion in which you attempt to relativise your own previous statements. Period.

But since the discussion clearly shows we will not come to a consensus, I'll most likely not reply once more if you decide to base your response on ad-hominem statements again.

Cheers.

-{ Quote: "I'm trying to find out If either or both these are malware of some sort or not? As there has been a lot of debate about them on the bbr forum." }-This thread has gone around in a lot of circles, proving only that some members are simply stubborn, and won't give up an argument regardless of the clarity and expertise of the numerous responses provided to them.

As mentioned in the first post in this thread, there is a similar topic to this one over at DSLR (http://www.dslreports.com/forum/remark,17231332), which was closed with what I think is a very appropriate moderation note. So, with due deference to Wildcatboy, I'll quote him and close this thread here, too.

-{ Quote: "Yet another one of those posts worthy of deletion. But I'm going to keep this thread so people can decide whether certain members should be taken seriously or not." }-