Possible incompatibility with SpywareBlaster?

Hi. I'm using WSAC for some days now. On Monday, SpywareBlaster AutoUpdate notified me about new definitions, so I downloaded and applied them. To my surprise, there were 179 items in Restricted Sites unprotected. I reenabled all SpywareBlaster's protections and then again those 179 items were unprotected.

So as it was the first time I had this problem, I disabled all of WSAC shields and then tried again. Successful!

I checked WSAC quarantine and there were tons of registry entries about suspect web domains.

My question is: does WSAC interfere with SB protection and automatically quarantines its registry entries?

Thanks!

 

SB uses a SS&D-esque "put safe junk in the place that bad stuff could go and that's the best way to block it!" method of protection. That's like putting a fake burglar dummy at every window and door of your house with the idea that a real burglar will see the dummy and say "Oh, somebody else is already breaking in there, so there's no room for me to break in."

Obviously the downside is that real malware that wants to set things there will just delete the stuff SB puts there and put their own things there. I'll be honest, in 17 years in the security industry, I've always found this kind of "layer with junk" approach to be the worst way ever to try to offer protection since it both confuses better security software and really doesn't offer good protection.

So yes, as long as SB uses such faulty methodology to try to protect, other security software will likely remove it because it looks just like something bad.

 

As I understand it SB and SS&D just use blacklisting like any other software only in a different way, through the browser, to prevent malware from entering your computer, not to prevent malware that is already on your computer from doing things(well, except from SS&D's Teatimer.) They both need access to the browser to apply protection, so it's probably blocked by Identity Shield.

 

This is precisely what's happening. WSA is seeing the malicious websites being added to the registry and removing them which is to be expected. I think you might just be safer using WSA alone if this keeps happening - I don't see any possibility of working around it without affecting user security.

 

why just these and not countless others that SB has in there? There should be a better answer.

 

I took a peek at a lot of the ones that SB has in it and a good number of them are obsolete. I found some domains whose registration expired years ago or who now belong to government agencies who seized them from the criminals.

Some are also annoying more than actual threats. Bouncing the browser through fifteen pay clicks and popping 17 ads is annoying, but if it's never had malware on it or been used by malware for nefarious purposes, it's not really a threat.

Some may be the standard difference in detections between products. Probably WSA detects some things that SB doesn't and SB detects some things that WSA doesn't.

So some are explicable, and some may not be, but I can't examine everything in detail and I can only make guesses.

 

This is one of the problems behind services like SpywareBlaster and, might I add, the HOSTs file for similar purposes. To be effective, they need constant updating as many of the domains change or become obsolete.

Unless an iframe in a compromised 'good' website points directly to a domain listed in such blacklists, I doubt the more careful amongst us would come across such sites often. For this reason, I don't use SB or any compiled HOSTs file.

 

Hi,

Your reply raises this question:
Does your software really check exactly what is added? And I do mean exactly.

To me this sounds like as an analogy of:
Hey the scanner detects in the HOSTS file:
6.227.46.190 www.wilderssecurity.com
without making the difference between 6.227.46.190 and 127.0.0.1
while having 6.227.46.190 there is nothing wrong, and having 127.0.0.1 could be an issue if you want to go to this forum.

 

Define a software logic by which something can be checked in a way that will never get it wrong. "Could be an issue" means that it also could not. Consider: The entries that SB puts in could be put in PRECISELY the same way by a threat, but with a tiny tweak somewhere else, they work opposite a block and instead leave things wide open. Watch for that tweak and it's trivial to change the tweak to make it hide again. There are way too many ways that the same entry SB puts in can be put in identically with other things allowing abuse to make the entry even be close to safe.

Blocking should be done right, and the way SB does it is definitely not right.

Nothing is perfect, really, but some systems are inherently more flawed than others, and SB's is amongst those unfortunately. If WSA is able to easily demolish the "protection" that SB offers, what's to stop a piece of malware from doing the same?

 

Having it based on IP address can also cause problems. What if malware redirects a legitimate webpage to a different IP address entirely to steal user data? WSA tries to be overly cautious and will alert any redirection or entries related to malicious domains.

 

WSA has a known blacklist of suspicious domains as well as cloud lookups which change. We remove websites which are definitely dead (although some still remain if they're used by malware to attempt to download files) so there's likely to be some discrepancy between what we look for and what SB adds.

 

OK, thanks for your tips!

I think I'm keeping SB, there can't be much harm on having it updated.

I'll just disable WSAC temporarily when applying new updates, which just happens twice a month. It's not a big deal to do it.

Just wanted to be sure that those quarantined items where from SB and not anything else.

Thanks again for your fast answers!