NOD32 + Latest Starforce "Driver"

@13thHour:
The major problem (for you) is, that this forum is more than just gamers forum and there are people with more knowelege. I bet they will distinguish the truth.

Oh, and btw. I do not work for Security Technologies.
I work for Protection Technology.
This just shows your whole attitude to the subject.
You cannot even spell the firm name propely, not even saying about digging into tenchnical parts ))

 

I hope you have a better reply waiting in the wings aside from "you can't spell" because you're in a glass house throwing stones. Bolding added to quote by me.
I would personally like to see the premature CD/DVD drive failure question/issue addressed as well as the IDE speed reduction questions. I am not saying these issues are necessarily concrete, but a precursory investigation on my part into the entire issue has not revealed any real response by the Starforce folks as of yet. I just don't think a plain and simple "the people complaining are criminals..." type answer counts. I'd much rather see the actual issues that have arisen addressed.

 

That brings up an interesting point. The April '06 edition of Computer Gaming World published findings from their tests; the presence of Starforce drivers did cause the step down process from DMA to PIO mode of a DVD drive on a Window XP system - confirming reports by an ever growing multitude of concerned customers. As 13thHouR stated, this brought about the Dennis Zhidkov response. Which, in my eyes, was not a very responsible comment.

Also, lets add PC Gamer editor-in-chief Greg Vederman and his personal experience with these drivers:

Sources: http://next-gen.biz/index.php?option=com_content&task=view&id=2445&Itemid=2
and PCGamer Magazine, April 2006 N.A. Edition

For the record. I take interest in this thread because I am a NOD32 customer and I'm very concerned with this issue. I have no ill will towards anyone. But I feel it is important for our opinions to be heard.

I've said enough for now, probably too much, but I'll let you guys reply.

 

All the SF problems could be discussed on our forums.
Personally i would like to clear up with 13thHour claims about SF protection being in MBR, partition tables and spreading through network drives.
I wish we could just focus on these claims.
What do you think about them?

 

Well that was a reasonable response, however you are more than welcome to come to www.r-force.org and register in the forums, you will see there is pro starforce section in which you can post in if you prefer.

As long as you keep the response civil, then other users will be civil with you.

Given the previous responses on the SF forums most people would understand why I am reluctant to have those conversations under SF control and obviously without having the authority of the forum owner here this board would not be a suitable place for this discussion.

If you come back to r-force you can even read the problems irot had with his Primary SATA system. BSOD with non plug and play error and with his authority I will post the PM's in which we worked together to get his OS back on the system without him losing the data from the other partitions.

Lets be clear about one thing, I did not ever describe SF as a worm I did however say that what occured is the result of the software going into panic when it can not isolate which is the primary drive.

Which is quite common response with this type of silent installation.

The one thing that I did find alarming in this entire scenario was SF's ability to load itself from other partitions and cause corruption of a clean install of XP (during the instalation process).

As you are aware if I was actually going after Star-force that I have enough information to have put SF out of business years ago. The issue here is the end user, and their ability to play games that they have legally purchased. (Without avoidable security risk, OS /Hardware failure).

 

Not making excuses, but my typing is not brilliant because I have to wear an appliance on my right wrist (It was completely shattered in a serious RTA several years ago). So please bear with me when I don't have the time to use a spell checker to check for typos.

There are two issues with premature drive failure.

Excessive usage and the continued PIO mode in XP.

The first is a certainty if you are an avid gamer its just basic statistics of always relying on the CD/DVD, the latter in fairness to SF has a number of variables involved thus its less easy to track.

I would have thought with Sage being Russian that he would be aware that there is two translations to English, thus they are known both as Protection & Security Technologies. However that is just getting into petty terms of a name in which ever language its presented in and this is not the place for silly flame wars with Sage386.

 

EDITED

As far as the removal tool is concerned. It doesn't fully remove every key in the registry.

I found entries in the following strings:

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet0001\ENUM\ROOT\LEGACY_SFDRV01

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet0001\ENUM\ROOT\LEGACY_SFHLP02

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet0001\ENUM\ROOT\LEGACY_SFSYNC02




My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_SFDRV01

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_SFHLP02

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_SFSYNC02



My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\
ROOT\LEGACY_SFDRV01

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\
ROOT\LEGACY_SFHLP02

My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\
ROOT\LEGACY_SFSYNC02



I guess Starforce needs to fix this issue as well.

Soul

 

That would be nice, but so far none have.

There's no such stop code.

Right, you said they use "multidropper techniques". Luckily, for the ill informed, McAfee is listing a multidropper as a recent threat and provides a definition:

(http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=138656)

There's big claims about evidence, but with nothing to back them up other than what appears to be a handful of mis-used and made up terms. sage386 was correct in post #26 of this thread, folks around here do know better, and you've done little to show that you have any technical understanding of the things you speak of... although you are obviously good at spinning and twisting words, which does create a bit of doubt about your intentions and motivations.

If you were as genuine as you try to present yourself to be, you would have worked with them to get the issue resolved, rather than posting their request for such on your webpage as a mockery. If you really had tried to present evidence of vulnerabilities and been denied (which that posted PM clearly shows you were not), then you would have followed the proceedures laid out by the security community to have the vulnerability confirmed and fixed and/or responsibly disclosed.. instead you've turned the whole thing into what is very obviously a "witch hunt" against StarForce. If you're going to pose as a security researcher, then act like one.

What the members of this forum are going to be more concerned with is the confusing of the term rootkit. Rootkits are a very real and dangerous threat that are often surrounded by confusion and hysteria, and cutting through that kind of confusion and hysteria around any security subject is a good part of what this forum is here for.

 

Actually 13thHouR has done tests. Those of you here saying you want facts should be bright enough to do the tests on your own. I may not be, but many of you here are.

As far as Starforce's reputation is concerned, I don't take anything coming from that group as fact. I don't need to go into the details as to why.
The latest Stardock incident is in deed disturbing.

I was affected directly with hardware failure, as I know you already watch my post's closely on this topic so that's not any thing new.

And I have countless others who have had drive issues as well.

Why would these problems be made up?

They are factual. What isn't factual is what comes from Starforce.

 

There's no question that lots of people have had bad drives, but optical drives are not always built to last, especially these days. What has yet to be shown is that there is any link between Starforce and those hardware failures.

I've been playing StarForce protected games for quite a while now and haven't noticed any ill effects.. even on my SATA drive In fact I've had a lot more drives die around me on systems that never had StarForce installed. Drives die. IDE ports go. It happens, and it happens frequently.. with or without StarForce drivers on your system.

I'd like to see some proof of that. So far he's just spouted a lot of made-up (other times just mis-used) jargon that display very little technical aptitude. I've got a small network here, and no drivers are automatically installing across it, lol.. the very idea is absurd in the absence of vulnerability exploiting worms.

 

@ Soulcommander - Although those should be innocuous remainders, remove should mean remove. It doesn't matter the vendor.

@ midfingr - As for the link that you provided, perhaps you should have included the accompanying paragraph, which states...

Are the other observations by the editor germane? Of course. Software incompatibility that yields compromised performance needs to be addressed. However, extrapolating from that to some of the perfectly absurd claims that have been made regarding StarForce stretches all credulity and simply compromises whatever valid points you may have. In your haste to heighten the impact and make the case, you end up sacrificing whatever valid ground was there under your feet.

As for your comments elsewhere, you are certainly entitled to have an opinion. I've already noted that if you have a complaint regarding my moderation, feel free to raise this with the site admins. However, in a quiet moment you should probably take some time to reflect on what has been asked in this thread - and it is an explicit delineation of technical facts (or direct links to the technical analysis), not simple claims that the facts exist out there for anyone wishing to search them out or perform their own physical investigation.

As for some of the other statements you make in the thread noted above, basically they are incorrect. I do not represent any company in any capacity at this site, nor do I blindly gloss over deficiencies when they are clear, as they were in the case with Galactic Civilizations II

You and I clearly disagree on what does and does not constitute objective evidence, among other things.

Blue

 

Lets resolve this yet again:

BSOD= Blue screen of death. (I guess the newbie’s are not aware of old school terms, my apologies)

The references to CGW, in the first instance on the UK publication, they do make some rather ambiguous comments. However on the later publication in the United States they are very concise about the PIO mode issues and actually quote me word for word.

Anyway as I stated here previously this is not case of proving either way if problems exist. They do period.

The issue here is relating to Security Software developers quoting the PR information from a company that has a seriously bad reputation relating to;

1. Failure to correct bugs.
2. Almost zero customer service. (Part of the package is supposed to include tech support for the customer’s end users).
3. Those that try to resolve problems with them get called, liars, beginner level hackers, they are being paid by there rivals through to be Pirates and bootlegging crime lords.

Just to satisfy a few dissenters here, without stepping into areas that would conflict with Copyright laws and so called reverse engineering clauses.

SF uses an overly complex process of drive spin speed, data transfer rates etc to isolate if a specific disk is a genuine pressed disk or a CDR/DVDR /RW.

As some of you may already know Windows XP is a tad over sensitive about I/O errors on IDE based CD/DVD R/RW drives.

http://www.microsoft.com/whdc/device/storage/IDE-DMA.mspx

As you may also be aware it is possible to modify registry entries to reduce this sensitivity, however this compromises stability elsewhere. In this respect the very nature even in controlled lab conditions with a perfect crisp new disk . SF's complex authorisation process has the potential of triggering DMA step down. However in the real world of mass produced pressed disks, low grade media (As used by lot of publishers) and normal wear and tear. This goes from a probability to as close as a surety as you can get.

I would state at the time of the ridiculous challenge, made by Security Technologies (Read the wording of the rules and clause and you will see why I call it ridiculous) They where denying that even this simple issue of DMA step down occurs and then went on to blame Microsoft. Partially because of liability and partially because there is no permanent workaround other than reinstalling your IDE controllers.

The more serious issue with this actually relates to recent CD/DVD R/RW drives and there inability to cope in XP version of PIO mode for any extended period of time. In many instances the drives firmware misinterprets this as a grossly over burned disk and rapidly shoots the laser into it mounting casing (This occurs so quickly that the fail safe cut out is not able to stop it). The obvious consequences of this repeatedly happening is that the nylon worm gear becomes damaged. Resulting in the inability to calibrate the lasers position correctly (Drive failure).

In respect of increased usage (Permanently having to have the game disk in the drive, with repeated authorisation processes), this will cause premature termination of the life cycle of the drive. (Dramatic increase in usage= dramatic reduction in expected life cycle, its simple statistics)

These are just a couple of a long list of issues relating to the Starforce Virtual IDE protection drivers.

I don't think I need to reiterate the security issues of Running a hardware and software blocker (That is what SF essentially is) in Ring 0 (Core level access) and granting authority to Ring 3 (User level access). If I do need to reiterate that here then basically I would be extremely concerned for the end users of Security Software associated with Dev's that may be members of these forums.

As Ring 0 compromises are Basic Security issues that have been around for many years.

Obviously if this was a closed environment that we where chatting in I would be considerably more specific as to the issues, but given that this can be read by the public and that in many cases there are no fixes for these issues other than to remove SF. It would be very irresponsible to post such data.

Those requesting such information publicly clearly do not work in the Software Security industry.

 

This is a very specific issue, at no time did I ever call it a worm, to quote my article here: http://r-force.org/modules.php?name=News&file=article&sid=46

What the issue in question relates to is that of a partitioned primary SATA Drive, and software panic when the SF cannot isolate which is the primary drive.

It is a very common issue with this type of silent stealth install, where the software cannot ask the end user "Which drive do you wish to install to". Given that SF is primarily an IDE based protection, is not surprising that on many setups that it misinterprets the nature of SATA/SCSI drives. Especially since in its very nature it is setup to block access to Virtual drives.

This is pretty basic and common sense stuff to any programmer and I really should not have to explain this if the end reader is qualified to a suitable level to make use of the content of the posts.

 

"Blue Screen" is an informal term used to describe a stop error. So, again.....

Nor did I say that you did, I only said what you are proposing is absurd in the absence of one. I stated quite clearly that you (mistakenly) said that it uses multidropper techniques.

Not really, the installer runs in userland and would just ask Windows were the system root is.. Windows likes it's drivers installed in all the same place: %windir%\sytem32\drivers\. That's where it installed on my machine, and I've never seen otherwise. Surely you should know this.

You keep saying that to get out of explaining your made-up and nonsensical jargon. How convenient for you.

 

This thread is turning into just a platform to try and belittle each other. It needs to stop NOW or this thread will be closed.

bigc

 

Blue.
You're dancing around the question. So here it is again. Yes, NOD32 will protect users from these drivers - or - No, it will not. If you can't answer that question. Please direct me to someone who can. This is the 'Official Eset NOD32 Antivirus Forum', is it not?

 

No, the question was answered. See his post #10 in this thread. Here's a quick way to get to it: https://www.wilderssecurity.com/showpost.php?p=710201&postcount=10.

If for some reason that doesn't satisfy you, you could always e-mail Eset directly and ask them.

 

No it hasn't. Blue quite clearly stated: "...I do not represent any company in any capacity at this site..."

Fine. E-mail for an answer. Thank you.

 

Probably would be better to close it, because the current comments in response to legitimate tech issues are just getting silly. I suppose it does not help having the Security (Protection) Technologies Troll.......er I mean Admin here.

In case you want it for future reference he is known as Sn0rlax, robust physique, Einsensteiner & sage386 and is well known for trolling forums.

I will drop out of this conversation whilst we have those types of persons here as nothing productive can be achieved with all these Starforce employee's trying to start flame wars.

Should you need any further details relating the the technical and Security Problems created by Starforce Virtual IDE Protection drivers (Not Safe'n'Sec as mentioned by one poster here) then feel free to come to www.r-force.org

 

Agreed 13th. This is obviously not a place to discuss these issues. In addition, my future investment into NOD32 is now in very serious question. As for the for the rest, knock yourselves out and post away.

I'm out too.

 

To be courteos I will answer this before I go....

Yes an old school term for a system halt on an error, what is actually Generated "System Halted due to; Possible non plug and play driver error".

Its quite simple to understand really, let me explain it in smaller syllable words for you.
1. No non plug and play error,
2. Add starforce.
3. Non plug and play driver error.
4. Guess what Starforce adds?

Oh yes it's a Non plug and play Virtual IDE driver.

OK so obviously it required more detailed diagnosis, but given the sequence of events, it did not require to much hunting to isolate the culprit.

Excuse me, since when has it been absurd for Silent (stealth) install applications to go into 'software panic' when they cannot isolate the drive that they are supposed to install to?

SF is on a forced install, if it cannot isolate the Primary drive is will install itself to any drive available. That is not uncommon its just yet another technical bus that needs to be resolved.

"userland" and you jump on me about BSOD , anyway getting back to the matter at hand, Yes in an Ideal World the driver just installs to where ever Windows tells it. However we do not live in an ideal world. Parts of this driver uses undocumented system calls, straight forward root interrogation would announce its existence.

I would remind you that until recently, It was deemed by most software companies as violation of Copyright law to even list the games that used SF. Thus SF have never been in the business of announcing to the end user that it was being used. Hence the silent install that slips after you reboot at the end of your session.

How many average users do you know, that would know how to go into device manager, show hidden devices, then even know that the listings for Starforce Virtual IDE Protection driver actually could be the cause of there system instability?

OK so its not exactly hidden if you know how to make it visible, but it also not in plain view either.

This drivers sole intention is to block certain types of Hardware and software. It actually does not do it very well, it messes about in the ATAPI subsystem (Which they still deny even with the ATAPI listings presented right under their noses). It screws with the filters section of the registry. Which generates a whole series of errors from code 7 through to Code 41.

Basically your assumption of no software panic is based upon the SF Virtual IDE driver actually being stable. Quite simply its not even 65% stable.

The Nonsensical jargon as put it was being used, Quite possibly when you where still in Kindergarten. I am sorry if I do not announce specifics of Security threats on open forums, but not all of us are that irresponsible.

If you want to comment further then please come to r-force.org an do so. As this is not the place for these type of comments, but I would ask that you keep your responses there within a civil manner.

 

Oops sorry about that I nearly missed this very civil post before I left.

I honestly wish they where as easy to work with as they are over Safe'n'Sec. Ok so I don't like that software either but I wont deny that they actually sort out the issues with that.

Many tech's have tried to work with Security (Protection) Technologies to resolve issues with Starforce, however hwne an issue arrises which they don't like (As it could only be resolved by binning SF and starting again) there response is to call those people "Beginner level hackers" and post bad comments all over the net about them.

Now most peeps are aware of how much I have bent over backwards to make sure the end users get work arounds to issues. Security (Protection) Technologies even quote my workarounds in their own forums, but yet again when I presnet something they do not like because of what it implies, this is their response.

http://www.star-force.com/forum/index.php?showtopic=796

and the further responses here.

http://r-force.org/modules.php?name=News&file=article&sid=44&mode=&order=0&thold=0

That is how they treat people who try and help their end users.

You can even look back up through this thread relating to Sage386's comments here.

He was invited to come over to r-force forums and discuss the issues but so far he has declined.

At the moment this is a financial issue, Safe'n'Sec is pocket change compared to what SF contracts are worth with Games Publishers.

Publishers are now dumping SF because of.

1. Stability issues.
2. Drive failure issues.
3. OS corruption issues.
4. Financial liability that they will face should there be a class action.
5. The PR nightmare.
6. Security (Protection) Technologies not observing the contractual agreements for end user support.

I never had any desire to put Security (Protection) Technologies out of business, but by their own actions
SF is now a sinking ship.... (mostly because they just would not listen)

 

I not only tried but I went even further! I conducted a Starforce Investigation along with Ubisoft last year. I saw how Starforce tries to help, then with nothing more to fix the customers problem they do no respond to emails. Ubisoft saw these as well as every one of them was forwarded to them. I experienced this treatment as well.

I might add their (SF) tech support wasn't very good.

One instance they name the guys drive in question as a totally different drive and the customer corrects the tech several times.

I will give SF credit on some cases they did managed to resolve a few minor issues. But most were never resolved.

Also posting on their forums is something I reported on to Ubi as well.

Posts being closed when the tech could not solve the problem, rudeness to Ubi Customers as well as other customers, posts being deleted and many other instances.

Yes its true SF has done some very Damaging things to the gaming public. Not only in drive failures but also in the PR department.

Thus is the reason not to trust SF ever. There is nothing in my mind that can ever pull Starforce out of the deep dark hole they dug for themselves.

Again as far as proof is concerned. Do the damn tests yourselves. CGW did and found the truth.
Look around on the net too.
Look for people reporting problems.

Starforce did destroy my drive prematurly...The 16th burn and the drive failed.

What did I see happen first?

1. After the install of Silent Hunter III I noticed other games not running properly. Choppy video opening sequence on BF1942

2. While playing SHIII BSOD and auto rebooting....Never happened before on any other game or App I have installed.

3. Time out errors pointing to my CDRW drive. (replaced IDE cable) did not resolve the issue.

4. Fast spin up on CD's and long spin times as well after the install of SHIII

5. Finally when trying to burn a CDR, a complete drive failure occured on a Plextor drive. 16 total burns on a new drive.

Sent drive into Plextor and I was told that the drive looked prefect but they didn't know what made the drive fail.
I also spoke to Robert Resovich who is Plextors Head lab person in the Americas.


Also Starforce knows there are issues with some drives. I have seen emails leaning towards this.

 

Actually it was you that jumped on me. I wasn't disputing your usage of the term BSoD, I was reffering to the error code the BSoD generates.

I'm stating that the stop code (blue screens generate stop codes to tell you what the problem is) doesn't exist. Either they tell you the filename or say 'unknown driver', preceeded by what caused the driver to crash (IRQL_NOT_EQUAL_OR_LESS, etc.).

In order to find out physical information on the disk, access the MBR (including the partition table), etc., it would have to first install a driver. Maybe if you're on Win9x, but with the NT architecture user mode processes have no direct access to hardware. An installer runs in user mode.. the things you propose would need to run in kernel mode. These things just don't work the way you're asserting.

Rather than resorting to insults, why not present information to the contrary? It would only help your case, these kind of insults do not.

You're the one slinging insults. I'm sorry that you're insulted by my saying that you're making things up, but I've given references. If you feel the need to correct me, then by all means do so.. show some references to back up your claims. We need something more substantial than your word, which doesn't seem to hold up.