Spymove & Kau antivirus ???

I'm trying to find out If either or both these are malware of some sort or not? As there has been a lot of debate about them on the bbr forum.

http://www.dslreports.com/forum/remark,17231332

Wilders has threads on both with recent doubts about the Kau antivirus.

https://www.wilderssecurity.com/showthread.php?t=153532

mvdu posted "BOClean says it is malware" and metallicakid15 "yup it has a variant of zlob i think"

Spymove antivirus

https://www.wilderssecurity.com/showthread.php?t=153528

Hav any antivirus vendors investigated these yet? and what are the anwsers?

Tia


StevieO

 

SpyMove got 100% Clean Softpedia's Award. But I would never try nor recommend to try them.

 

@ TheTOM_SK

You are right they are not always correct, as in this case.


mvdu was also right they are both picked up by Boclean



Making further enquiries to nsclean they had this say about them.

Quote on spymove

"Complained about not finding a piece of its own stuff, then filled the entire screen with absolute crap (including the traybar so there was no way to make it go away and it autostarted too)

Let's call both "crapware" rather than malware ... neither does what they claim to do and the second one there covers the entire screen (including traybar) and won't close"

Quote on kau

"Kau didn't work"

I did ask and do have permission from them to post this information.

Why do no other antivirus etc vendors pick up on these, particually when spymove is very destructive ?


StevieO

 

nsclean will not be delisting spymove and kau as they have confirmed to me these are not false positives. They are both undesirable programs, one does not work properly, and the other completely takes over a users desktop. Attempting to click your way out of the mess it creates is both time consuming and does not have much if any effect.

There are other problems with them too, but I think you will agree those reasons alone are sufficient to exclude them from anyone trying to run them. Most home users would be highly inconvenienced and not know what to do, business users can also live without the annoyance this may cause.

Both those programs are promoted as an antivirus, but fail miserably to live up to the claims made for them. Call them what you will, but unwanted they definately are due to all the problems they cause.

If other vendors decide to ignore these then i think that's a mistake, and does not do their customers any favours in doing so. What would users do and use to eliminate these if they downloaded and ran them ? Not their previous antivirus, if they had one as this would have been uninstalled to make way for one of these. And not one of these either, so where would that leave them ?


StevieO

 

Both tested by another very clever guy and confirmed as nothing but rubbish.

http://forum.sysinternals.com/forum_posts.asp?TID=8820&PN=1

The sooner more people find out to stay clear of these the less problems and clean ups will be needed.


StevieO

 

I've only looked at KauAV, in the past and just now again.

There's quite simply nothing wrong with that program in itself, and it does work btw.

I will check out the other program later, more important stuff to attend to at the moment.

Edit: Oh, and indeed, no AVendor is flagging KauAV.

 

@ Schouw

Thanks for your interest in these.

You said quote

BOClean is indeed flagging both kau and spymove, unless you don't consider them an AVendor ?

Your check with kau is at odds with what nsclean says, and also another very experienced and highly respected programmer EP_X0FF who tested both on si. http://forum.sysinternals.com/forum_posts.asp?TID=8820&KW=spymove

We hope to see the results of your tests very soon.


StevieO

 

They are not an AV Vendor. And the probably included this because Spanner posted a thread at DSLR where he claimed that they contained codec (zlob) trojans what was/is of curse utter bullshit. He stored a few mediacodec files on his desktop in a folder "W" and when he was trying to download this 2 programs TO THE DESKTOP FOLDER the AV Monitor (Driver) got an event to scan this path upon write event and detected the mediacodec there. Hey could have downloaded Microsoft Office - if stored to the same path it would also show the mediacodec / zlob infected which actually has NOTHING but really NOTHING todo with the downloaded file since it existed BEFORE the download there.

 

Well the ClamAV engine can't scan into RAR archives, as he found out himself.

Website - that's marketing and not really that relevant.
We care mostly about the file(s) and its behaviour, that's the main factor.

It would seem that for a while now (more) people care only about detection, not if this detection is actually accurate/justified or not. A worrying trend imho.

And now I'll go back to working on my Virus Bulletin paper.

 

@ Inspector Clouseau

Semantics apart, let's call BOClean an anti malware product then. And it flags both spymove and kau as malware, even though nsclean has said they are more crapware than malware. When it detecs something you get a message which says malware as in the screen shots from before. Other people i've spoken to have also confirmed that BOClean flags these two when they downloaded both files and that's without any codec in sight. So whether there was a codec or not in that w folder you referenced doesn't make any difference as it does detect both of them. They have also been confirmed by nsclean as crapware and not false positives, and even worse by EP_X0FF.

@ Schouw

You say that marketing is not really that relevant. I think there is a big difference between marketing and what EP_X0FF on the si thread called lies. The detection of both and classed as crapware etc by both nsclean and worse by EP_X0FF is actually accurate and justified. Both of them have described what those two av's do and do not as claimed, and don't forget the desktop etc mess caused.

I find it hard to comprehend why anybody would support spymove and kau in any way, after those tests and confirmations by very knowledgable people. I would expect avoidance, or caution to be advised at the very least ?


StevieO

 

Again, I'm only talking about kauav here.

I think Mike is saying is that NSClean added detection for kauav after Spanner reported it contained Zlob.(with the Avira detection)

So when a user receives a file s/he should go to the 'associated website' - whatever that is - to see what it does? Sure, the website is not totally irrelevant, but it certainly does not make or brake detection. What if the website goes down or gets changed?

'crapware' - that doesn't sound like a real malware category to me.

What desktop mess?

There are two senior anti-virus researchers replying in this thread and no AVendor is detecting this stuff.
Are you saying the AV industry is not knowledgeable? I think that at least one analyst from all those companies would have flagged it in one way or the other if there were something 'malicious'.
Perhaps NSClean should take a second, better, look at kauav.

The anti-malware industry should refrain from blindly adding detections for programs.

 

@ Schouw

Nsclean added detection for kau after testing it themselves, again after reports to them it may have been a false positive, they have not excluded it from the definitions. If the Mike you talk about is Inspector Clouseau then he is mistaken in what he thinks.

If anyone goes to theese 'associated websites' to see what they do or do not, they will be faced with hardly any information on the products or the companies. What little there is not credible as EP_X0FF proved. Your average joe would not know these are products to be avoided from looking at those websites and ones like them, so are more likely to download and run them than we are. As there are more average joes around it follows that there are likely to be many problems ahead.

You did say that you would check out spymove later, and when you do you should find that desktop mess etc it makes, as nsclean did.

Just because crapware isnt classed as malware doesn't mean it's somthing that anyone should be downloading and running. It should also not be defended, on the contrary everyone should be advised to avoid them.

Nsclean considers they are doing people a favour by halting the running of two products that are of little if any use. Not to mention saving them from having to clean up after as well.

I am positive that most average joes would prefer that their anti product included spymove and kau in their definitions to save them from any mess or crapware problems etc. If other vendors decide not to include things like this, then people can choose alternatives.


StevieO

 

Last time: There is _nothing_ wrong with kauav _and_ it's free.
Especially seeing as it's free I really don't understand why it's being detected.
I wouldn't have any problems running it on my own machine.

Unless you can come up with any real proof(of your own), I think this discussion is over. You are only repeating the words of other people.

 

@ Schouw

kau is free, so are lots of things not everyone would want, and they get detected. I am very surprised to hear you say, you wouldn't have any problems running it on your own machine. Based on the others who tested it I wouldn't, or advise anyone else to.

Alright let's forget about kau what about spymove you said you would test, and as you asked "what mess " ?


StevieO

 

StevioO, basically you're telling Schouw (by the way Schouw and me we know each other personal so it's not just that we did meet last week here in this forum) that i'm unable to analyze files. Thats a huge claim. Especially based on the fact that some other vendor who's not even a certificated AV vendor adds some files into detection were 2 people with a long antivirus background, even from 2 different companies telling you that this file IS NOT MALICIOUS AT ALL. What do you expect? That every antivirus company makes now a press release stating that BOCLEAN is wrong? Excuse me, but we have other, more important things to do!

The funny thing is that the program in question is even OPEN-SOURCE. Yes. The package includes the sourcecode as well. And one more thing... If i wouldn't had taken a look at it, do you really think i would post at DSLR that this detection is not correct? Then i would probably just add it to detection and we would have a signature false positive. And it is not even "Scumware". It detects same as ClamAV does since it uses clamav engine and signatures.

StevieO, if you think Schouw and me are wrong why don't you apply for a job in the AV industry? We would be glad to learn from from you.

 

I'm surprised by you StevieO.

Didn't you see who started that topic at dslreports?
That was the infamous SpannerITWKs who is banned here. You should know better than to believe what he says.

 

I just don't want anyone to install or run faulty or useless products advertised with false or misleading claims, when there are better alternatives even free. If after reading the warnings by EP_X0FF etc on the two av's especially spymove, anyone still wants to run them they can. I would like to hear what happened, but i will not be doing it.

@ Inspector Clouseau

I did not say you or schouw were unable to analyze files. You have chosen not to include kau and spymove. It has been shown that they are more crapware than anything else by EP_X0FF and nsclean. So why would anyone defend them, and schouw said he would not mind running kau on his pc. If you look at EP_X0FFs tests on system internals it shows what he found to be wrong and useless with both av's. Still no test on spymove which was promised by schouw ? I think if you test that you might have a different view of it.

Certificated by who, some av club etc ? So unless a vendor subscribes to some club, they are not to be believed or may not have more skills and knowledge than others, is that what you are saying ? I think nsclean may have more malware background than some others put together, and EP_X0FF is very well respected a talented programmer also. Maybe a press release should be issued stating others are wrong to defend crapware, as proven in the si thread by EP_X0FF. I'm not looking for career I have a very good one thank you. I don't believe you are wrong to say they are not malware but at least spymove in particular should avoided due to the problems it causes.

Devil's Advocate

I believe the people who have gained lots of knowledge and have proven experience in their specialist fields, some who have a longer background than most if not all others. Someone who might have been banned for something does not mean they are unable to quote those good sources of information and share and discuss them on another forum. I did give the link to the bbr thread right at the start didn't you see it ? I've heard that you have been warned more than once for posts you have made! I did give the link to the bbr thread right at the start didn't you see it ? I did so i know what is in there.


StevieO

 

SteviO, aka spanner i tell you what:

You bring Kevin here to make a PROFESSIONAL STATEMENT (not like the usually bullshit without any fundamendal technical background) WHY he thinks KAU is malicious. And an answer like "because spanner submitted it as malware" simply doesn't count. I would be very interested in hearing his oppinion on this. HERE AND NOW, before this drama continues. Do you guys really think that 2 different av people, one from kaspersky and myself from frisk posting BULLSHIT here just to entertain people?! You do have an option: You bring kevin here to post WHY it is MALICIOUS and is flagged as a TROJAN or you simply stop talking in this way that Kevin knows it better because he included it into detection. And the major credit for this whole drama goes of course to spanner.

 

Guys, I really hate to break in on a truly wonderful World War XXI -- SKIP WARS III THROUGH XX! -- but I need to interrrrrupt just long enough to ask The Inspector if I may have an F-Prot update? And while I'm here, is Kau AV better than Abacre AV? I know, Abacre is very light with respect to system resources. Also, I'm lost in this debate. Is the topic, "Spymove is better than Kau," or "Trojans have feelings too!"?

Dave/2.148975642 - Z^2 = BaRf/8 or is it E = mc^4? (Einstein knew, I forgot.)

 

@ Inspectr Clouseu

If you were replying to me you spelt my name wrong? In case you were i'll say this. I can't force anyone here or anywhere, if they feel like it and have time that is up to them. Unlike you and others who seem to have lots of spare time to post on forums, nsclean are more concerned with using that time getting work done to better protect their clients.

Neither he or EP_X0FF have said kau or spymove are malicious, i've repeatedly made that clear, to most people! So why do you keep saying that? I don't think you can have properly looked at EP_X0FFs test on si and seen what he had to say on them ? So any bs isn't coming from them or me. Entertaining matter of opinion! We can all post offensive language and comments directed to people if we wanted to, it does not help though.

Go test spymove and by that i mean run it on a real pc not just analise it.


StevieO

 

Please excuse me, but you are the very last person on this earth who tells me what i have to do! That said have nice day and welcome on my ignore list

 

One last comment: Are you trying to bullshit around here? Take a look at your own screenshots posted here: https://www.wilderssecurity.com/showpost.php?p=879695&postcount=3 and tell me WHAT they say! And if you do have a problem to draw a conclusion between Malware and Malicious maybe this helps: http://en.wikipedia.org/wiki/Malware

 

Those programs are not malware. Detecting such things as malware would be a false positive. So you should not complain about why other vendors do not include detection for those, but you should complain to the vendors which detect those to fix their products.

 

<sarcasm title="ignore if you can not bear it">
Hmm, yeah. Sure. Of course you must be right.

Mike just sits in front of me here in the office and he is of course wrong as always. Since he has only some years of experience in malware research he must be mistaking. Also other people here in this thread certainly have no idea at all, since they also have only a few years experience in the AV industry.

So to summarize again: you are right, everyone else (let me count ... 3 identifyable professionals in malware research) are wrong because you say so ...

Please apply at all security companies, you are urgently needed in all of them ...
</sarcasm>

So, your claims are only backed by results of third party software? Not by own analysis? Excuse me? ... as a hint, there is a freeware disassembler (IDA Free) available, since I have to assume you don't have the tools at hand which we have available in our virus labs ...

 

Wrong! 4 not 3 - you forgot yourself and you make the coffee tomorrow morning for this mistake!