Media Discovers Spyware

Discussion in 'other anti-trojan software' started by Nancy_McAleavey, May 14, 2005.

Thread Status:
Not open for further replies.
  1. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Greetings, buddy! I was kinda hoping you'd see this, and the entire purpose of that bit at the end was to show the extreme silliness that it's all come down to. Like a certain reviewer who also sells toner ink and charges by the pound. :)

    HOW much nonsense have you and I been through over the years with people taking these so seriously? Heh. What amazes me about it all is that we went out of our way to indicate that the whole thing was a JOKE (I shoulda done flash animations that said "***PARODY***" but silly me, I expected people to GET the joke) ...

    It was one of those rare moments in the middle of the night where one of our "lookouts" had taken their collection and grabbed a bunch and run them through each of the products and was QUITE upset that after all of his work in sending off copies to everybody, EVERYBODY ... and we happened to be first out of the gate with all of his toys. Now he's angry with ME of course, but that's another story.

    THANK YOU for "getting it." There hasn't YET been ONE review in all these years that have been done by anybody who even REMOTELY understands the innards of these things. Nor the sacrifices of the volunteers who give us submissions in addition to our own trolling work without any recognition for their efforts. As though they OWE us something for their good works. And as you well know, the longer you're in this, the better network you build of customers and volunteers who give you a "heads-up" to malicious sites.

    You and I are dinosaurs, mate ... we're that "lost generation" of "competitors" who work with one another and SHARE with one another for a higher good. I kinda enjoyed the "did you send us the samples?" Heh. Can't say I remember any from those folks ... but that's the way some of them in this "industry" see it. You remember the episodes a few years ago with "give me your samples, I'm a student, you OWE me and I'm going to compete with you." We don't need to name names, just sit back and enjoy the chuckle.

    About two hours after my contact did the test, all of those who released that day had MUCH higher "scores" (except the major AV's, but they got them by yesterday evening). And in a sick way, I accomplished what *I* had wanted to as well ... for those who hadn't released an update in WEEKS, suddenly Saturday brought EVERYBODY new definitions.

    So go ahead and spank me, it worked. Didn't sell any software, but sure lit a fire under the slackers. My work here is done. :)
     
  2. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Maybe your article, Kevin, suffers from what scientists have apparently discovered about the human mind and its interpretation of wording... :)
    ..................................
    An Interesting Thing About The Human Mind


    I cdnuolt blveiee taht I cluod aulaclty uesdnatnrd waht I was
    rdgnieg.
    The phaonmneal pweor of the hmuan mnid Aoccdrnig to a rscheearch at
    Cmabrigde Uinervtisy, it deosn't mttaer inwaht oredr the ltteers in a
    wrod are, the olny iprmoatnt tihng is taht the frist and lsat ltteer be in
    the rghit pclae.
    The rset can be a taotl mses and you can sitll raed it wouthit a
    porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by
    istlef, but the wrod as a wlohe. Amzanig huh? Yaeh and I
    awlyas thought slpeling was ipmorantt!

    ....................................

    Jesting aside, I too misunderstood your article and felt that BOClean's reputation is enough said anyway. The funny thing is though (and I'm speaking personally of course) that many of us who defend one AT/AV against another usually have all of them anyway :)
    bye
    ellison
     
  3. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Oh if you only understood the mindsets of some in this (ahem) "industry" ... the "we must ALL be getting RICH" doing this. Heh. Uh, no ... back when Wayne, myself, the Otis-Vigil brothers and a few others decided that SOMEBODY had to do something about the newly-emerging "backdoors," we all expected to be done with this in WEEKS once the AV's figured it out. They never did. :(

    And back in those days, 50 trojans in a *YEAR* was "woof!" Now we're doing more than 50 of these baskets a DAY! I really respect Merijn ... HE figured it OUT! There really WAS no way to win, doing this as a "hobby" ... the WORLD landed on his shoulders with an overload that he just couldn't do. And he was smart enough to REALIZE it at the time. He bailed, got out alive! Heh.

    What is borne out though in this little exercise is that it really DOES require an awful lot of time, an awful lot of work, and an awful lot of resources, knowledge of your adversaries (the malware people, suddenly I feel the need to clarify each phrase, grin) and a LOT of bandwidth to do cleanups for specific items. Even MORE work when you have to clean up AFTER an infection rather than stopping one ... it's EXPENSIVE.

    The newer folks in this (heh) "industry" where success is measured in single thousands of dollars per month if you're good, to maybe $20 in "contributions" for "open source" ... hell, look at how little time the one kid who *IS* "Firefox" has to fix things these days now that he's got a PAYING job at Google? :)

    Only advice I can offer is what keeps me from going completely loopy having to spend MY life in a sewer so other people don't HAVE to ...

    "NEVER take life too seriously, and BEWARE of those who do." Moo.
     
  4. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    There is a danger that you might be mistaken for the "boy who cried wolf".
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Kevin yep, one of the issues that Michael (Happy Bytes) has recently highlighted is the distinct lack of people with the knowledge to perform proper tests on anti-malware software - i.e. you basically have to be a full-time analyst+developer in the first place to know all the angles of attack that can be tested, otherwise they're just skimming the surface, so I can understand you wanting to do your own review ... but reviewing ourselves?!? No wonder you gave yourself an A ... :)

    Anyway go have your twenty minutes in the naughty corner and I look forward to catching up with you soon

    Cheers,
    Wayne
     
  6. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    What I've seen is that there are people who might just want to go there. The test results WERE real, but the compatriot's POINT was "reaction time" ... how FAST his contributions resulted in detection. That part was very real to him. A few hours later, the results obviously changed. What he presented was a "snapshot."

    One of the things "reviewers" hold important (beyond the number of "skins" that can be applied to any program for kewlness) is "currency" or how quickly things are updated. Back even a few months ago when CWS and IST tended to release new stuff once a week or even less frequently, and trojans, bots and other malware were infrequently released, maybe going without an update for a few days, even a week was OK for some. When 900 were released in 2-1/2 days and MANY "vendors" never did a release at ALL on many of those days, NOR until AFTER we "published," it becomes an issue.

    The lesson that needs to be drawn however, is that we've never played this game. Other vendors rate BOClean as "inferior" because it doesn't have a shell menu entry. Reviewers gain credibility with bad research, incorrect information and entirely wrong comprehension as to what they're testing or how. And many "comparisons" out there accepted as fact are even further off base than the parody we made of an unhappy associate who actually tested this for himself and handed us the results.

    In retrospect, the joke backfired as far as I see it ... I was just surprised that with all the "disclaimer" surrounding it that there's folks who didn't see the point that nobody has EVER done a competent review, taking each product on its own merits, or recognizing WHY certain products don't fit the mold and determining its purpose.

    Then again, this is why a GOOD anti-malware is measured by the pound. SOME products serve a different purpose and were never intended to fit in a 5 pound bag. Apples and oranges. And yet, reviews are regarded as fact because of the complications of what many of us do, and yet guided by a 30 year old mindset as to what they SHOULD do. Ah well ... if I *must* I'll have to remember to use smaller words next time. :)
     
  7. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Kevin, sorry but I seriously don't believe you at all. You want to make us believe that you risked your and your company's reputation by posting such a test just to wake up some competitors to do their job?

    Also, you say your goal has been achieved... What's the reason for the (now outdated) test results to be still there?

    Sorry but this doesn't look like a joke to me... You are just trying to get your head out of the bolt. If it really was meant to be a joke, it's a VERY bad one and you seem to like walking on very thin ice. :)

    Some other comments...

    I intentionally wrote this because I knew you would react like that - you are just trying everything to discredit me and my post.

    I think you are confusing something here. You have been using your internal file scanner as an example for a typical file scanner and come to the conclusion that they fail to detect most of the malware and that BOClean is the ONLY solution to detect them.
    I heavily doubt your internal file scanner has the same power as for example KAV, TDS, ewido and many others.

    See above... I meant the file scanner you are using for internal preselection. I never wrote that your product has a file scanner.

    To the best of my knowledge, we didn't. We would know when a single person submits that many samples ("lately several hundred daily").
    All of our top submitters received at least a free license and we even know most of them personally, not a single one of them would EVER do such a test.

    So an unknown person (we still do not know who the person is) has run 19,000 samples in just a few hours? Generously assuming the person spent 10 hours testing 19 scanners, each with 100 samples...
    That would work out to ~32 samples a minute without any further evaluation of the log files etc.
    Could you please explain how that works, I'm very interested! :)

    In general when you post the results of a test you should be SURE how the test has been done...
     
  8. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    In response to Kevin's last post.

    I agree.

    I have often wondered why so much credence has been given to the ATs review by the inkjet salesman.

    Nowhere have I seen anyone querying his qualifications to carry out such a test.

    They are about as useful as the crap tests done by Nautilus.
     
  9. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    I'd go back and do some reading. Sorry for the near "ad hominem" but you're making stuff up here, buddy. 900 samples the person had, they grabbed 100 of them and tried to split them up to do their own test. WHERE did anyone say "accredited?" WHERE did anyone say SERIOUS? I can understand an apparent "competitor" getting shrill, but the person assures me that they did it, those were the results at the TIME they did them and WE said that the results were "heavily biased" in an ever so obvious "tongue in cheek" means as an illustration of "test was done, everybody draw into a circle, it's story time."

    Hey, we're deficient too ... we don't have a right click context menu in BOClean. None! You see, none of this was ever ABOUT Ewido ... it was about the ZEROS! And those who didn't once update within the entire "window" of samples if someone really has to draw a serious angle to that. If a VENDOR publishes a comparison, or a "test," is there ANYONE who would take it SERIOUSLY? Apparently so. :(

    No offense, but PLEASE do read the rest of the thread. It might be enlightening.
     
  10. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    Ve haf vays of making you see ze joke :)
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Since I was the one that brought Nautilus tests on the foreground I'll refrain myself a bit...

    As far as I know Nautilus is the only one who publicly posted tests done with various antitrojans. His tests are outdated now, obviously... but all the rest of the tests I saw only had a few samples (just like Kevin's test). That doesn't mean it is the best testing that was done... not exactly :) but it is still the only testing publicly shown.

    At the end those tests were a gimmick, that's true but still a lot of effort went into it I guess.
     
  12. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    They'll NEVER take me alive! I *insist* on (music swells) ... the COMFY CHAIR! Our methods are five (three, sir!) ...

    One hasn't truly lived until they've debated kinky .386 ASM instructions with "Deth Vegetable." Now if ONLY cDc did trojan reviews ... oh wait, they did!

    http://www.cultdeadcow.com/tools/bolinks3.html

    What a long strange trip it's been. :)
     
  13. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    We still haven't seen any of them nor do we know anything about the person... :(

    There could have been MANY other ways to take care of them.
    We haven't done and never released such a test in the past and I highly doubt we will ever do.

    Yes, sad but true. That's exactly why I can't stand such tests and reacted like I did because I know there are a lot of users out there who actually do believe in such tests! Not everybody (I would even say about 95% of the PC owners) is an expert and has the time and desire to hang around in boards like this to be well informed. There is a reason why so many vendors publish their own tests. Switch on your TV, watch some commercials and you'll know what I mean :)
     
  14. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    I *must* agree with you ... of ALL the "reviewers," Nautilus came the closest of ALL to "getting it." But as he'll tell you himself, his own expectations of what would happen along with his test protocol MODIFIED the outcome because he was trying to get through his testing rather than letting things work in a more "real world" sense. And I'm personally STILL angry a bit with him for publishing our databases for "ne'er-do-wells" to abuse - had he done that in the US, it could have been jail time. What was done was highly illegal. I'll let others debate the moral questions.

    But we DID what he wanted done in 4.12 even though it caused a performance hit having to constantly modify data to work with a heavily encrypted database. It slowed things down with those extra CPU cycles, but after a LOT of work, we managed to bring the performance back up to 4.11 levels when 4.12 was finally released. So definitely my buddy earns the "pain in the arse" award from us as "best of the best." :)

    But his methodologies made us ALL crazy because BOClean wasn't designed to be tested in the manner in which he tested, and thus he got some INTERESTING results from it. So I guess we're even. Heh.

    I still stand by my words though - the only one who can TRULY test anti-malware is someone who DID it for a living, KNOWS what is supposed to happen and what is NOT supposed to happen. I'd be happy to be gainfully employed by ZDNET or whoever, name yer price. At least I'd have weekends OFF! (grin)
     
  15. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Thanx Kevin...what about "Behaviour" Detection? You can see it with your own eyes that this is the way it has to go...
    Isn't this whole "explanation" on your website (and your first post) merely a complaint so to speak about the direction programs are obliged to follow and memory scanning isn't the holy grail anymore?
    Just a question, feel free to answer

    /edit: don't get me wrong, a good memory scanner is imperable :)

    Andy
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    Lots of topics being discussed. My own views:

    1) The "prevention business" in any industry is very tough. For example, medical doctors make lots more money "attempting to cure" as opposed to "attempting to prevent". Human beings are much more responsive when there is actual "pain". :) So I understand MS is going into the "curing" business, instead of cleaning up the problem at its roots. I wish them well, but my appreciation goes to companies like DiamondCS, NSClean, Kaspersky, Ghost Security, Ewido, etc. Thanks guys. I know it is tough work, but I hope you get (got) something out of it. (At least you got lots of Karma points. :) )

    2) I was involved for many years in attempting to develop "fair benchmarks" for various types of database management, network, and client/server software. No test would ever satisfy anyone, because there were too many variables to consider and these were changing all the time. It always seemed like as soon as a test was planned, it was already obsolete. So good discussion of test results (any test) seems to be worthwhile, but I do not think any person or group of people can or ever will come up with the "right" testing suite. It doesn't seem possible. Certainly, I do not think it is worthwhile criticizing people who perform tests. Discussion of the tests themselves usually provides the most useful information.

    3) The original paper made some interesting historic points. There certainly is a lot of pressure on software vendors to make money, especially if they are backed by outside venture capital, and making money on free software is next to impossible. Thus, there is a trend to embed free software with "information gathering" capabilities. Without making judgement about this trend, it seems to exist. Certainly, any discussion concerning "embedded information gathering monitors" in security software is relevant and can be considered pertinent to this forum. I know of at least two widely followed "free" versions of security tools that do this.

    I have lots of tools on my system that have proved very handy over the years. Not only for myself, but for my friends also who are quite happy that they didn't have to re-format their disk and lose their system because of infections. Thanks to everyone who worked to provide me with the information about these tools, the tools themselves, and the help in understanding how to use these tools effectively.

    Rich
     
    Last edited: May 15, 2005
  17. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Excellent post Rich! We should all be grateful for all these experts providing us more security...
     
  18. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Dunno if you've been around long enough to remember "Dr Solly" ("Dr Solomon's AV") but he and I went back and forth on this years ago and still stay in contact to this day (and he's JUST as much fun as ever in his old age, heh). He tried "heuristics" in the more classical sense and gave it a Bronx cheer. He spent a few misguided years doing "esoterics" and "behavior" based "heuristics" ... that's the reason why we're friends, because from the very beginning, BOClean was "behavior based" rather than "file based" in its design.

    Our whole PURPOSE as a design was to function as a complete "hands off, set it and forget it, walk away" solution for seas and seas of desktops in Boxotopia corporate glass rooms. Something you could just "put out there" and go back to talking about golf in the cube farm. :)

    So we didn't include "scanning" because that involved human interaction. To *OUR* customers (corporate, government, institutional "IT") they didn't want the users to even *SEE* us (invisible icon, no windows, no "alerts", INVISIBLE!) while our thing ran in the background and just biffed any malcontents without uttering a peep. And our "invisibility" in our "this is what you put on DAD'S computer so he doesn't call at 11 wondering what's wrong with the porn sites," heh.

    What Dr Solly and I both realized was that rather than the NORMAL behavior of "scanner people" in taking a file, dumping it into an MD5 hash kettle and adding the MD5 to a "signature base" ... "if MD5=; THEN ALERT ELSE IGNORE" is how TOO many "detectors" work. And when there's memory stuff, TOO many "detectors" say, gee, let's scan THIS file ... we do it differently.

    Yes, if certain things happen, it's pretty damned likely that we've got us a "BUSHBOT" ... but my own interpretation of "behavior-based" is a little stranger. The same old faces that gave us the trojans of yore are making the ISTbars of today. "behavior-based" in addition to the easy pickings of Visual basic always putting "Projserver" in the same spot in a file also provides insights into the minds of the authors ... and they ALL want to put SOMETHING in their code that says THEY did it.

    I've always found it easier to detect future "variants" by getting to know the authors of the code. Don't need to know WHO they are as much as "this guy does this, that guy does that" ... that's why we have such a small number of actual database entries and such a large number of VARIANTS which don't require definition because "it's HIM again." :)

    So I s'pose it all depends on how one defines "behavior" ... sometimes the smartest definitions AREN'T computer-generated. (grin)
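    The contrast Kevin draws above between exact-hash lookup ("if MD5 matches, alert, else ignore") and recognising a trait an author carries from one build to the next, as an added illustration that is not code from this thread or from any product mentioned in it. The byte strings, the author marker and the rule names are constructed for the example and stand in for real files and real detection data.

```python
"""Exact-hash signatures versus a trait rule that survives a variant.

Constructed example: the byte strings below are made-up stand-ins for
executable files and are not real malware or real detection data.
"""
import hashlib

HEADER = b"MZ\x90\x00" + b"\x00" * 28     # 32 bytes of fake file header (constructed)
AUTHOR_TAG = b"EXAMPLE-AUTHOR-TAG"        # constructed marker the author leaves in every build

# Constructed sample set: one known sample, a variant that differs from it by a
# single byte, and a benign file that shares nothing but the header.
SAMPLES = {
    "known":   HEADER + AUTHOR_TAG + b"\x00routine-v1",
    "variant": HEADER + AUTHOR_TAG + b"\x00routine-v2",
    "benign":  HEADER + b"HELLO-WORLD-EDITOR\x00routine-v1",
}


def md5_hex(data: bytes) -> str:
    """Whole-file MD5 digest, the key a plain hash-based signature store uses."""
    return hashlib.md5(data).hexdigest()


# Approach 1: hash signatures. The base holds exactly the digests of samples
# that have already been seen, so any byte change produces a miss.
HASH_SIGNATURES = {md5_hex(SAMPLES["known"]): "Constructed.Sample.A"}


def hash_scan(data: bytes):
    """Return the signature name on an exact-hash hit, otherwise None."""
    return HASH_SIGNATURES.get(md5_hex(data))


# Approach 2: a trait rule keyed on where the author habitually leaves a
# marker (fixed bytes at a fixed offset) rather than on the whole-file digest.
TRAIT_RULES = [
    {"name": "Constructed.Family.A", "offset": len(HEADER), "pattern": AUTHOR_TAG},
]


def trait_scan(data: bytes):
    """Return the rule name if a trait rule's pattern sits at its offset, otherwise None."""
    for rule in TRAIT_RULES:
        start, pattern = rule["offset"], rule["pattern"]
        if data[start:start + len(pattern)] == pattern:
            return rule["name"]
    return None


def compare(samples: dict) -> dict:
    """Run both scanners over every sample; results are keyed by sample name."""
    return {
        name: {"hash": hash_scan(data), "trait": trait_scan(data)}
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, result in compare(SAMPLES).items():
        print(f"{name:8s} hash={str(result['hash']):22s} trait={result['trait']}")
```

    The known sample is caught by both scanners; the one-byte variant slips past the hash base but still matches the trait rule; the benign file matches neither. A trait rule is only as useful as its specificity: a marker that every program built with the same compiler carries would match benign files too, which is why the marker in the rule has to be tied to the family, not to the toolchain.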
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    LMAO Kevin :)

    True, we all know you count your defs differently :D No prbs with that and thanx again for the clarification.
    best wishes,
     
  20. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    And you are not the only one to do it differently... But I have to agree, many do it this way and we also don't like that... However, I would never call higher quality signatures combined with a memory scanner "behaviour based" detection :)

    Yes, indeed very strange :rolleyes:
     
  21. hmmmmmmmm.....Now it seems ....if one follows the various links to tests.
    There is always someone to say the tests are crapola....biased, unqualified,
    don't mean a thing, not a big enough samples...etc.
    In other words....not to believe any of them.
    Then who are we to believe....the makers of the products, or the testers?
    That leaves the average user, in quite a state.
    Could it be.....there is B.S. on both sides of the fence at times?
    The fearmongering you see on some sites...."Only my product will defend
    against this test" Of course only their product will beat that test.
    It should....because ....THEY MADE THAT TEST.

    I like reading ALL tests....because if you notice, the cream does seem to rise
    to the top, the same ones at the top all the time...unless they are completely loaded ones.

    So what I do personally...is toss out half of what the zealots and fanatics say....and most of what producers claim.
    Try to read between the lines of the tests....read what average users of
    certain products have to say...test a lot,,, in other words....sift through quite
    an amount of " " to find a program I'm comfortable with, and I think will give
    me a reasonable amount of protection.

    P.S. I agree with Fish....That Kevin is doing a "Song and Dance" routine
    about it being all a joke.
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Kevin,

    Thanks for the additional information on how BOClean works.

    Rich
     
  23. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Most of them are, only a handful aren't, be they vendor tests or "independent". That's the issue. I came across this site that for all appearances looked like it was an educational site. Lots of information about malware, then it descended into a rather deceptive test (which, BTW, Fish we were not notified about). In this test a comment was made about our software not having a "right click to scan file" option, when the author of the test *knows full well* that BOClean does not scan files. I'm sure you know all about this.

    I wouldn't call it a joke, although we presented it humorously (sometimes you laugh, then you think). I feel it's to make a point, just like the person who did it wanted to make.
     
  24. Hi Nancy....Could you address this part of statement too

    hmmmmm.....Now it seems ....if one follows the various links to tests.
    There is always someone to say the tests are crapola....biased, unqualified,
    don't mean a thing, not a big enough samples...etc.
    In other words....not to believe any of them.
    Then who are we to believe....the makers of the products, or the testers?

    What I meant by Tests....was from kids experimenting and posting their
    results.... talented amateurs...to the bigger testers. All seem to get bad mouthed.

    Does it mean if one's fav program does good...they're good....or vice versa.

    Again....What other criteria do we have, as average users to judge a product
    other than the producers own claims.

    Most of us read movie reviews....we may not always agree with the reviewers
    but it gives us an idea...whether or not to spend money to see the movie.

    I use the tests as guide lines...to get a general idea how a product fares, reading other users' opinions and doing my own process of eliminating
    what is smoke and what is mirrors.
     
  25. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    What about the experiences of other users of the software, who have real-world examples of efficacy? That would be the best, and given the number of forums available, there's plenty of information to draw upon. All of these tests are contrived. What did you think of the example given in my last response? (you said you read all the reviews) Is that not deceptive?
     