Wilders Security Forums  
#1 | April 16th, 2007, 04:23 AM
Huupi | Very Frequent Poster | Join Date: Sep 2006 | Posts: 2,021
SAS review at Gismo's

Hi folks, just read a review at Gismo's. He hit SAS to pieces; his conclusion: "just crap". Only the cleaning rate is one of the best... confused for now.
#2 | April 16th, 2007, 04:39 AM
Mrkvonic | Linux Systems Expert | Join Date: May 2005 | Posts: 7,428

Hello,
A link would help...
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#3 | April 16th, 2007, 04:39 AM
lordpake | Frequent Poster | Join Date: Aug 2004 | Location: Helsinki ~ European Union | Posts: 563

Who's this "gismo", and more importantly why should I care about his tests?
#4 | April 16th, 2007, 05:07 AM
coldplay | Regular Poster | Join Date: Nov 2006 | Posts: 191

I would not put comments on SAS but who's this Gismo guy?
#5 | April 16th, 2007, 05:18 AM
Huupi | Very Frequent Poster | Join Date: Sep 2006 | Posts: 2,021

It's Gismo Richards, the guy who reviewed the Sandbox and HIPS apps a while ago. Sorry, I can't find a link; google for it!
#6 | April 16th, 2007, 05:27 AM
EASTER.2010 | Posts: n/a

Way too vague a comment like that without a URL to reference such a statement. Post the link or give us a direction to review ourselves.

SAS is a top prize of the antispyware biz, bar none. It snags and blitzes rootkits such as the gromozon/rustock variants and overall has an efficient identity database, plus the founder himself keeps on top of matters, answers posts, etc.

Let's read the proof of that.
#7 | April 16th, 2007, 05:29 AM
SSK | Frequent Poster | Join Date: Nov 2004 | Location: Amsterdam | Posts: 976

Deeplink to review article from this site.

Huupi, posting something like this without links, then telling us to "just google it..." is not very cool.
#8 | April 16th, 2007, 07:41 AM
fcukdat | Malware Researcher | Join Date: Feb 2005 | Location: England, UK | Posts: 569

Quote:
Originally Posted by Huupi
Hi folks, just read a review at Gismo's. He hit SAS to pieces; his conclusion: "just crap". Only the cleaning rate is one of the best... confused for now.

Here's the discussion created at SAS forums by this review:
http://forums.superantispyware.com/viewtopic.php?t=631

This might help, but FWIW the testing model is somewhat contrived and limited.

SAS is not HIPS or IDS software and neither claims to be so. SAS fails the EICAR test model woefully because of this fact also. As always, my advice to any so-called *experts* testing it is not to throw POC tests at it but real malicious code in real time. The results will be different, of course.
__________________
Ade Gill
Malwarebytes Researcher
#9 | April 17th, 2007, 04:43 PM
Zimzi | Frequent Poster | Join Date: Jul 2005 | Posts: 286

"...SUPERAntispyware (SAS) comes in a free version and a $29.95 Pro version. The main difference is the free has no real-time monitors and needs to be updated manually. The lack of active protection is a real minus. ..."

Is this guy serious?
__________________
Trying to learn English from 1981.
#10 | April 17th, 2007, 04:57 PM
besafe | Frequent Poster | Join Date: Mar 2007 | Posts: 222

It would be nice to see SAS reviewed against real malware. To see its active protection put to the test. To test its detection rate. You get my point.

However, I don't care for the argument that the program was designed to stop real malware. That seems kind of bogus. How would a piece of software be able to differentiate between a test exhibiting the behaviour of malware and real malware?

What I hear when I hear this argument is that the program has every signature known to man in it. But throw it a curveball and it isn't designed to handle it.
#11 | April 17th, 2007, 05:54 PM
SUPERAntiSpy | Developer | Join Date: Mar 2006 | Posts: 1,087

Quote:
Originally Posted by besafe
It would be nice to see SAS reviewed against real malware. To see its active protection put to the test. To test its detection rate. You get my point.

However, I don't care for the argument that the program was designed to stop real malware. That seems kind of bogus. How would a piece of software be able to differentiate between a test exhibiting the behaviour of malware and real malware?

What I hear when I hear this argument is that the program has every signature known to man in it. But throw it a curveball and it isn't designed to handle it.

Great point - anti-spyware software should be tested against actual infections, not simulators as simulators are not real threats. Simulators can "simulate" theoretical threats, but are not representative of actual threats we see in the field, therefore our specialty/focus is not passing "tests", but rather catching, detecting and removing malware on users systems.

SUPERAntiSpyware is not a HIPS/ProcessGuard/Firewall/Intrusion Prevention system, nor have we ever claimed it to be - SUPERAntiSpyware is designed to remove hard to detect and remove spyware, rootkits, etc. which we have proven over and over we can do in the field (users' systems). SUPERAntiSpyware is also designed to co-exist with other anti-spyware and anti-virus products - can you run Norton and McAfee on the same system? Have fun

We focus on zero-day threats, and active threats from actual sites serving malware - will we get everything every day? No, and neither will any program. That's just the reality of the anti-spyware (anti-virus, etc) game - we receive and harvest literally thousands of samples per DAY - it is not possible to catch everything on a given day - for any program, ever. Anyone (or company) who tells you they can, is lying or is seriously uneducated in the actual anti-spyware/virus market.

I am not discrediting the test's author or putting down their tests, but the test they did is basically like saying "I drove my car in a lake and it sunk - you never know, roads may turn to water one day....." - it's just not the actual reality.

As a software author/designer/vendor I won't "cave in" to these tests and the requirements to block theoretical items and/or simulators or pile in features into SUPERAntiSpyware that will turn it into one of the bloated, resource hogging, CPU killing suites that we see emerging every day - it's not our market, nor target market - we realize no product will ever detect everything on a given day, so we have designed SUPERAntiSpyware with this in mind as when the other products fail, the user can turn to SUPERAntiSpyware as an alternative that may or will likely catch the threats the others missed. That said, if we miss something, the user has the option of running one of the many other excellent products that may catch what we missed.
__________________
SUPERAntiSpyware.com
http://www.superantispyware.com
#12 | April 17th, 2007, 07:11 PM
Perman | Very Frequent Poster | Join Date: Nov 2005 | Posts: 2,156

Hi, folks: Any commercial product, including cyber software, has to meet consumers' (not customers') needs, and these consumers will then become customers. I personally am involved in development work on consumer products; after each new product's debut, the big boss demands to see those feedbacks that can turn his stomach upside down. He would not bother with those expected compliments. According to him, harsh criticisms can often tell him what we have missed, and are the areas for future improvements. This Gismo guy does have some credentials and IMO his report does carry some weight and merit. It is so easy to brush aside this type of criticism, but next time when you recollect your thoughts, they will hunt you down. Face any sort of criticism, from left or right, deal with it, and make the necessary changes. Maybe, just maybe, he has voiced the consumers' needs, not SAS's existing customers' views. Being humble will take you an extra mile ahead. Have a great one.
#13 | April 17th, 2007, 07:28 PM
steve161 | Frequent Poster | Join Date: Nov 2006 | Location: New York | Posts: 680

We have heard so many tales of security software spending time defeating leak tests or virus tests that one may wonder if it means anything nowadays. Eicar will not BSOD my system. It would be ironic if a good anti-malware scanner would not only detect these tests but, as a safety measure, wipe your hard drive: you know, just to be safe.
#14 | April 17th, 2007, 09:45 PM
Zimzi | Frequent Poster | Join Date: Jul 2005 | Posts: 286

Quote:
Originally Posted by Perman
... Face any sort of criticism, from left or right, deal with it, and make necessary changes. Maybe, just maybe he has voiced the consumers' needs, not SAS existing customers' views. Being humble will take you for an extra mile ahead. ...

Totally agree with you, Perman, and hope that Nick will read this because, as you already know:

Don't shoot the messenger (except Windows Messenger) who brings the bad news (unless he caused it)!

My little criticism of SAS (official website) for this day is:

Under "Threat Research", for "Trojans" it says:

"The following trojans are not safe to have running on your computer."

For "HiJackers" also:

"The following browser hijacker applications are not safe to have running on your computer."

etc.

OK, I do not speak English well but these formulations still sound a little bit silly to me. Is there any trojan, worm, hijacker etc. that is safe to have running on my computer?
__________________
Trying to learn English from 1981.
#15 | April 17th, 2007, 10:18 PM
zapjb | Very Frequent Poster | Join Date: Nov 2005 | Location: USA - Back in a real State in time for a real President. | Posts: 1,961

Quote:
Originally Posted by SSK
Deeplink to review article from this site.

Huupi, posting something like this without links, then telling us to "just google it..." is not very cool.

100% agree, SSK.
__________________
PCLinuxOS - Radically simple, it just works. That's why PCLOS is "The Distro Hopper Stopper!"
http://www.pclinuxos.com/

If you don't use Linux. You're going to HELL!!!
#16 | April 18th, 2007, 02:41 AM
KDNeese | Frequent Poster | Join Date: Dec 2005 | Posts: 236

All I can say is that I clean people's computers on a regular basis, and SAS has saved me a lot of work in manual removal. It is one of the best cleaning tools I have used. In fact, I have used several of what are considered the best anti-trojan/malware programs (Spysweeper, CounterSpy, AVG Antimalware, etc.) and while the others are very good, SAS has been my best tool for cleaning the really nasty infections. Like SAS's slogan says, they don't just remove the easy ones, but the hard ones as well. I have subscribed to Gizmo's newsletter for some time, and it can be very helpful for the most part, but I have to differ with him on this one. In real life, SAS is an outstanding app.
#17 | April 18th, 2007, 06:57 AM
besafe | Frequent Poster | Join Date: Mar 2007 | Posts: 222

Quote:
Originally Posted by KDNeese
All I can say is that I clean people's computers on a regular basis, and SAS has saved me a lot of work in manual removal. It is one of the best cleaning tools I have used. In fact, I have used several of what are considered the best anti-trojan/malware programs (Spysweeper, CounterSpy, AVG Antimalware, etc.) and while the others are very good, SAS has been my best tool for cleaning the really nasty infections. Like SAS's slogan says, they don't just remove the easy ones, but the hard ones as well. I have subscribed to Gizmo's newsletter for some time, and it can be very helpful for the most part, but I have to differ with him on this one. In real life, SAS is an outstanding app.

Well, I don't think that you two are really in disagreement. You are saying that SAS is a great removal tool. I don't think that Gizmo argued or even tested this.

What I really feel that Gizmo is saying is that SAS is not all that great at preventing malware infection.
#18 | April 18th, 2007, 08:27 AM
fcukdat | Malware Researcher | Join Date: Feb 2005 | Location: England, UK | Posts: 569

Quote:
Originally Posted by besafe
Well, I don't think that you two are really in disagreement. You are saying that SAS is a great removal tool. I don't think that Gizmo argued or even tested this.

This is an excerpt from his short report:

"But what of the free version of SAS? Well, this is going to provide even less protection than SAS Pro as it has no real-time monitors. I'm also reluctant to recommend the free version even as an on-demand scanner as SAS's failure to detect any kind of archived or packed malware may lead users to a false sense of security."

Now take the next part of his report:
"However, SAS has developed an excellent reputation for the removal of an existing spyware infection. I have not tested this aspect myself but if you do find yourself stuck with a difficult to remove spyware infection, it is certainly worth trying."

An observation: software does not acquire an excellent reputation without being able to walk the walk. The fact is, if SAS was as bad as his report suggests it would have been *exposed* by now in the support forums, not the exact opposite.

Quote:
What I really feel that Gizmo is saying is that SAS is not all that great at preventing malware infection.

That is what Gizmo is saying; what he is proving is that SAS does not act as HIPS or target POC code.

What he has proven is that he has not really tested it thoroughly against active malware code in real time to validate his findings.
__________________
Ade Gill
Malwarebytes Researcher
#19 | April 18th, 2007, 10:08 AM
Kees1958 | Massive Poster | Join Date: Jul 2006 | Posts: 5,857

Hi all

Gizmo more or less uses the Kareldjag method for testing HIPS programs on a spyware removal program. This is like testing a Ferrari Enzo on its off-road capabilities or a Citroën Deux Chevaux on its dragster capabilities.

So I understand the 'hurt' feeling of the developer. He chose a niche market in which his program has a good reputation.

Still, the Kareldjag 'HIPS' test of Gizmo proves something:
A policy restriction application, like DefenseWall or GeSWall, is way more effective than the average antispyware program and is as easy to use as the average AV/AS/AT. This is because they focus on the main weak point of XP Home: 95% of the users have administrator rights, while only 5% have the knowledge to handle these rights.

But we all have to know which security apps we spend our money on. I corrected my mistake (yes, I should have bought XP Pro, but I did not know at the time) with software costing just the difference between Pro and Home; all others are freeware.

Our defense at the moment (besides a hardware firewall):
- PC1: GeSWall Pro, EQSecurity free (behavior blocking), Antivir free; only the AV might pop up, which it did not for 1.5 years
- PC2: DefenseWall, DSA free (anti-executable), Antivir free; DW=100% quiet, DSA popped up a lot during training, AV is also quiet

My son (PC2) has SAS for occasional on-demand scanning (probably after he has downloaded some questionable programs and feels insecure). I stopped using on-demand scans after not having found a single thing in the last two years (using Ewido, SAS, SpywareBlaster and BitDefender). I stopped using the AV on PC1 also. But my wife 'wanted' the AV back on it. It is not my PC, so I put it on again. With her relatively secure PC habits and the protection on it, Antivir had not found anything in the last 1.5 years (after acquiring rights management sandboxes). To me it proves that security is a state of mind.

Regards K

Last edited by Kees1958 : April 18th, 2007 at 03:27 PM.
#20 | April 18th, 2007, 11:33 AM
Pedro | Massive Poster | Join Date: Nov 2006 | Posts: 3,492

Quote:
Originally Posted by fcukdat
Now take the next part of his report:
"However, SAS has developed an excellent reputation for the removal of an existing spyware infection. I have not tested this aspect myself but if you do find yourself stuck with a difficult to remove spyware infection, it is certainly worth trying."

That is what Gizmo is saying; what he is proving is that SAS does not act as HIPS or target POC code.

What he has proven is that he has not really tested it thoroughly against active malware code in real time to validate his findings.

fcukdat, I understand your frustration, but allow me to point out one thing:
He wrote in a way that you can understand, and disagree with, by pointing out that he didn't test the scanning feature, or live malware, too much.
He looks for defense solutions; that's the context of his review.
He also reviews a lot of programs, not just security-wise. You've got to understand, it's hard to get it all. He probably isn't familiar with SAS either.

You yourself have the liberty of disagreeing based on what he wrote alone.
That's what I like about it. He describes why he thinks this or that; you can choose another path based on what he wrote. That's how I read it, anyway.
#21 | April 18th, 2007, 02:43 PM
StevieO | Frequent Poster | Join Date: Feb 2006 | Posts: 1,068

I'd be interested in knowing which RK was missed in Gizmo's test? Even though it sounds like it was a static file he scanned, rather than an active one. Still, we were informed way back last year that SAS is supposed to detect both these types of files.

Also, I think the following points he raised are valid concerns.

"My lab test results [2] were less happy. SAS Pro failed to detect any of the five commercial keyloggers I tried and in fact couldn't detect any of the four different keylogging techniques used by keyloggers. It also couldn't detect process injection, nor process memory space violation, (two common malware techniques) nor could it detect the installation of a trojan server."

I am aware of several people's praise for SAS in helping to clean up infected systems, which should be congratulated, and is no doubt very welcome, especially to those who allowed the mess to happen in the first place. But the emphasis should surely be on preventing those infections, rather than trying to clean up after the events.

I realise that the amount of malware surfacing every day now is staggering, so I've wondered why the definition updates for SAS are, more often than not, in seemingly low numbers? The last update was larger than I've usually seen in a while, though.

http://www.superantispyware.com/definitions.html

Of course having prevention actively running is the obvious choice, and even though limited free versions of any product are very welcome, they can't compete with full blown applications that do provide those functions.

StevieO
#22 | April 18th, 2007, 03:07 PM
SUPERAntiSpy | Developer | Join Date: Mar 2006 | Posts: 1,087

Quote:
Originally Posted by StevieO
I'd be interested in knowing which RK was missed in Gizmo's test? Even though it sounds like it was a static file he scanned, rather than an active one. Still, we were informed way back last year that SAS is supposed to detect both these types of files.

Also, I think the following points he raised are valid concerns.

"My lab test results [2] were less happy. SAS Pro failed to detect any of the five commercial keyloggers I tried and in fact couldn't detect any of the four different keylogging techniques used by keyloggers. It also couldn't detect process injection, nor process memory space violation, (two common malware techniques) nor could it detect the installation of a trojan server."

I am aware of several people's praise for SAS in helping to clean up infected systems, which should be congratulated, and is no doubt very welcome, especially to those who allowed the mess to happen in the first place. But the emphasis should surely be on preventing those infections, rather than trying to clean up after the events.

I realise that the amount of malware surfacing every day now is staggering, so I've wondered why the definition updates for SAS are, more often than not, in seemingly low numbers? The last update was larger than I've usually seen in a while, though.

http://www.superantispyware.com/definitions.html

Of course having prevention actively running is the obvious choice, and even though limited free versions of any product are very welcome, they can't compete with full blown applications that do provide those functions.

StevieO

I believe the rootkit we didn't detect was the FU rootkit "example" - not an actual infection based upon the rootkit. SUPERAntiSpyware, as I have explained in several forums, does not focus on keyloggers - you would be surprised at the number of legitimate keylogging applications that are in use today by employers, parents, spouses, etc. - those are not "harmful" to the computer - we do detect many of the PWS (PassWord Stealing) keyloggers that ARE actual threats and installed without permission or knowledge - there is a big difference in those items. Just as there are legitimate "rootkits" (kernel drivers) and harmful rootkits - there is a difference.

Again, we are not a behavioral detection product - we don't just detect anything that injects into a process (there are many legit products that do this), nor memory access, etc. We focus on THREATS.

The reason you don't see thousands of tiny definitions is that each one of our definitions represents a complex set of "instructions" that can detect and remove sometimes hundreds of variants of an infection with a single definition rather than having to have a "signature" for each piece of spyware/malware. If you compare the size of our database (physical size on disk) to most of the other anti-spyware/malware vendors, you will see our database is quite small in disk size in comparison, yet we detect and remove hundreds of thousands of threats. Many companies produce individual definitions for each variant of a threat - to me, that seems impractical and a waste of resources - that is my opinion only and I am not faulting the other companies for doing things the way they do - there are many great and successful products in the anti-spyware and anti-virus markets.

For example search for "SUPERAntiSpyware Scan Log" on Google:
http://www.google.com/search?hl=en&q...yware+Scan+Log

You will find thousands of logs with detected threats posted in forums, blogs, etc. - if we didn't detect and remove hard to remove threats, surely millions of people would not be downloading our software.

I hear over and over how "we can't compete with full blown applications" and "it's better to prevent than clean up" - the reality here is that the "full blown" applications often MISS CRITICAL ITEMS and then the systems are INFECTED and HAVE TO be cleaned up - post infection.

To reiterate, there is no way for ANY APPLICATION to block EVERYTHING on a given day, no matter how "full blown", "powerful", "popular" the application is - it just simply isn't possible - that's where SUPERAntiSpyware shines - you can run it ALONG WITH other applications and suites, you can't run two of the "full blown" applications together - try running Norton and McAfee on the same system - it brings the system to its knees.

I ask you, what are users to do when the "full blown" applications we can't compete with fail and let threats through?
__________________
SUPERAntiSpyware.com
http://www.superantispyware.com
#23 | April 18th, 2007, 03:30 PM
Kees1958 | Massive Poster | Join Date: Jul 2006 | Posts: 5,857

Hi Nick,

Without wanting to discredit your wonderful application, my experience is that after installation of a policy rights management application the average user does not get infected anymore, neither with viruses nor spyware.

By the way, I agreed with the uselessness of testing an antispy against a HIPS test set (see previous post), so that is no discussion to me. I think it is great that SAS provides a scanner for free.

Regards K
#24 | April 18th, 2007, 03:39 PM
SUPERAntiSpy | Developer | Join Date: Mar 2006 | Posts: 1,087

Quote:
Originally Posted by Kees1958
Hi Nick,

Without wanting to discredit your wonderful application, my experience is that after installation of a policy rights management application the average user does not get infected anymore, neither with viruses nor spyware.

By the way, I agreed with the uselessness of testing an antispy against a HIPS test set (see previous post), so that is no discussion to me. I think it is great that SAS provides a scanner for free.

Regards K

Would you be willing to test your production system, with policy rights management, against a few infection sites?

I respect all users' opinions, and reviewers' opinions; my job is simply to make sure proper and factual information is being distributed in regards to our products and technologies.
__________________
SUPERAntiSpyware.com
http://www.superantispyware.com
#25 | April 18th, 2007, 04:25 PM
Kees1958 | Massive Poster | Join Date: Jul 2006 | Posts: 5,857

Hi Nick,

Yup, PM me the links and I will let you know. I have done some scenic Internet driving, so I am willing to take up that glove. I will test with SAS whether my PC was infected afterwards.

About the second remark: as I have said before, I agree: testing an antispyware app against a HIPS test set does not provide factual information about the relative performance of SAS amongst its peers.

Regards K
Copyright ©2002 - 2013, Wilders Security Forums