Not clear what's going on at Webroot scan site

Discussion in 'ProcessGuard' started by skbaltimore, Apr 26, 2005.

Thread Status:
Not open for further replies.
  1. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Hi. The other day I did a scan at Webroot's site and was shocked to see how many programs P.G. blocked. I wrote a ticket, got a response from Webroot, and feel like I know less now than before. Below are the copy/pastes of my initial support item, slightly edited, and Webroot's reply:

    My Ticket at Webroot: "This is with regard to your online scanner. I just ran an online scan, with Process Guard 3.15 Full Version activated. I have run other online scans (RAV and Trend Micro) with PG active without any problems. However, after Process Guard allowed spyaudit to execute, PG recorded 15 attempts by spyaudit to modify my program and/or system files. I would like an explanation as to why this has occurred..."


    Webroot's reply: "Hello, Our SpyAudit program is intended to make necessary changes to program files or executables where spyware is located or has been located previously so that they do not rewrite themselves under that file. Process Guard has always picked up our software as trying to "modify" system files; however, it is not modifying them, it is running an in-depth examination and changing file extensions where spyware has created "hiding places" for itself. If you would like any further information or have any further questions, please feel free to ask so that we can answer them and allow the software that you personally use to function properly without any issues. Thank you for your patience."

    What, exactly, might they be saying? That ALL the programs that SpyAudit attempted to change on my system had somehow been corrupted previously? Or that those programs are typical for programs that spyware targets, so SpyAudit was doing me the favor of protecting them for me? This is the first time I've run into anything like this, but Webroot states that this is common for Process Guard. I'd like some guidance here from P.G., since P.G. is what I use regularly. I was only at Webroot's site that one time. I don't want to over react here; but I just cannot imagine why Webroot's SpyAudit would feel the need to modify all those files (15 in all), or why I should not be concerned that they WOULD have all been modified had PG not intervened.

    NOTE: You can see a screenshot of what PG blocked on this thread, near the bottom:

    https://www.wilderssecurity.com/showthread.php?t=67392
    sk
     
    Last edited: Apr 26, 2005
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    AdAware, AntiHook, SpyAudit and lots of others use a "Modify" request of some sort - see this thread for the discussion about AdAware and this thread about AntiHook for the discussions about what's actually going on with that. Pete
     
  3. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Thanks. But I'm also curious as to what kind of response I get from Webroot, because I asked a similar question on that same ticket that you asked in your post: "How come other online scanners don't trigger the same response? Is SpyAudit doing something that different?" (you used Spybot S&D, vs. AA, by way of contrast).
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yeah, sorta - AA and SBS&D aren't "online scans", though.

    What it boils down to is that if you have a given program in PG's "Protection" list - and that program is protected from any attempt to "Modify" it - you'll get an alert from PG whenever one of the above-named programs (or any others) tries to do that.

    I still don't understand what it is that SBS&D does differently than the others, though (since it causes no alerts) - after all, it seems as though it, too, would need to "Modify" something if it found spyware.

    I dunno - suffice it to say that I don't use AntiHook (due to system conflicts) and that AA (as a far distant second-place choice to SBS&D) gets run last and seems to still work all right as long as it hasn't come upon any spyware (which it never does here).

    I'm not real big on online scans, either - there's too much crap to remove afterward, if you don't want it sitting on your HD.

    Sorry I couldn't answer your question any better. Pete
     
  5. controler

    controler Guest

    With most online scans you either need to download a mod or an ActiveX control.
     
  6. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Here's a synopsis of the dialogue to date between me and Webroot:

    4-25-05: (sk) I just ran your online scan, with Process Guard 3.15 Full Version activated. I have run other online scans (RAV and Trend Micro) with PG active without any problems. However, after allowing spyaudit to execute, PG recorded 15 attempts by spyaudit to modify my program and/or system files. I would like an explanation as to why this has occurred...

    4-26-05: (Webroot) Hello,

    Our SpyAudit program is intended to make necessary changes to program files or executables where spyware is located or has been located previously so that they do not rewrite themselves under that file. Process Guard has always picked up our software as trying to "modify" system files; however, it is not modifying them, it is running an in-depth examination and changing file extensions where spyware has created "hiding places" for itself. If you would like any further information or have any further questions, please feel free to ask so that we can answer them and allow the software that you personally use to function properly without any issues. Thank you for your patience.


    4-26-05: (sk) Pardon my ignorance, but frankly I'm less clear now than before I wrote the initial ticket. I can understand that SpyAudit would examine in depth certain files that spyware/malware targets. But what I don't understand is why SpyAudit would need to change any file extensions. Even more so, considering that SpyAudit does not remove or "fix" any problems it finds. In what way are in-depth exams and changing file extensions related? Maybe if I understood that, I might not feel so concerned. It seems to me - since this has never happened on any other online scans - that SpyAudit uses a different methodology in conducting its scans than all the other online scanners, none of which have ever triggered the alerts that SpyAudit did.

    Let me just add that I am familiar with Webroot's history in fighting for internet privacy and security, and it would certainly be among the sites that I would place in my "Trusted Sites", without question. But even at that, I am not comfortable with what I saw happen during that scan, and so far, even with the first "Solution", I am still unclear. Hopefully, the next response will fill in the gaps for me.

    5-2-05: (Webroot) Hello,

    Our Spy Audit program is designed to actually do a one-time removal for the first scan based on the IP address, which is why it does create those changes to the files and folders in programs. That is why we do use different methods, to allow our customers or potential customers to physically see how our software operates and removes items from their computers that are harmful.


    5-2-05: (sk) Are you saying that the 15 programs that SpyAudit attempted to "modify" were all, or had at one time all been infected by spyware? Or just that those are the types of programs that spyware usually attacks?

    5-2-05: (Webroot) Hello,

    That is correct. The files that were changed had at some point a spyware program associated with that file. It may have moved to one of the other files, which is what most spyware is programmed to do so that it is not easily removable.


    5-3-05: (sk) OK, thank you for your responses. Without hard-clad evidence to the contrary, I cannot disprove your assertion that all the files that were targeted by SpyAudit were, at some point, affected by some spyware program or another. What I can say is that I have been running AdAware and Spybot S&D for as long as I've had this computer, in addition to running online scans regularly at TrendMicro and RAV. And at NO point did ANY of those programs or services indicate any spyware on my system. (Aside from some tracking cookies, which were deleted when clearing the IE cache.)

    So whether or not SpyAudit is so advanced that it picks up things that no other program or service can pick up remains the main question in my mind. (There is also the question of whether or not Process Guard "over-reacted" to SpyAudit's probe or not.) Unfortunately, the Internet is full of FUD-mongers who, in an endeavor to promote their own products/services overhype some aspect of a computer's functioning/vulnerability, then rush in to provide the remedy (i.e. THEIR product/service). Equally unfortunately, I am aware that you cannot totally "defend" SpyAudit, because to do so would be to provide information that could then be exploited by real perpetrators of spyware and viruses.

    So let me just conclude by saying that given the fact that SpyAudit stands alone on one side of the scale, and AdAware, Spybot S&D, TrendMicro, and RAV stand on the other side (along with the above-mentioned propensity for companies to over-hype "threats" then rush in with their products/services to provide the "remedy"), I am leery at best when it comes to what SpyAudit actually found on my system. And I am leery to say the least when it comes to SpyAudit's attempt to "modify" all the files it attempted, according to Process Guard, to change.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,058
    PG isn't the only program affected. I am a licensed Spysweeper user and I just switched to Outpost firewall, and geesh, almost everything was blocked because spysweeper modified them. Goodbye Spysweeper.
     
  8. spiff5000

    spiff5000 Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    49
    SpySweeper is doing exactly what it's supposed to do... scan live processes for spyware (which is why PG gave a 'modify' alert -- although that term means more to PG than just an unauthorized attempt to change a file).

    And if you installed Outpost without disabling the Active Shield functions in SpySweeper (which blocks modifications to frequently targeted files) then you caused your own problem.

    I've been using SS Enterprise since it was released last year and it has dramatically improved since then, both in performance and functionality. It is far more capable of blocking spyware than AA or SB.
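    The point made above is that a HIPS "modify" alert is raised on the access rights a program requests on another process, not on whether a file on disk actually changes, so a scanner that opens every live process with a write-capable handle looks exactly like something trying to tamper with them. The following is an added example, not Process Guard's, SpySweeper's or SpyAudit's own code: it decodes Windows process access masks (the documented winnt.h values) and classifies each request the way a simple HIPS rule might. The log lines are constructed, and the rule that any write-capable right counts as "modify" is an assumption of this example, not a documented Process Guard behaviour.

```python
"""Classify Windows process-handle access masks the way a simple HIPS might.

Added illustration only. The access-right constants are Windows' documented
winnt.h values; the log format and the "any write-capable right = modify" rule
are assumptions made for this example, not Process Guard's actual logic.
"""
import re

# Process-specific and standard access rights (documented Windows constants).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Rights that let the holder change the target process rather than inspect it.
# Treating a request for any of these as a "modify" attempt is this example's
# assumed HIPS rule.
WRITE_CAPABLE = {
    "PROCESS_TERMINATE", "PROCESS_CREATE_THREAD", "PROCESS_VM_OPERATION",
    "PROCESS_VM_WRITE", "PROCESS_DUP_HANDLE", "PROCESS_CREATE_PROCESS",
    "PROCESS_SET_QUOTA", "PROCESS_SET_INFORMATION", "PROCESS_SUSPEND_RESUME",
    "DELETE", "WRITE_DAC", "WRITE_OWNER",
}

# The least-privilege mask a memory scanner needs: read memory, query basics.
READ_ONLY_SCAN = 0x0010 | 0x0400

# PROCESS_ALL_ACCESS as defined on Windows XP (STANDARD_RIGHTS_REQUIRED |
# SYNCHRONIZE | 0xFFF); what a lazy scanner typically asks for.
PROCESS_ALL_ACCESS_XP = 0x1F0FFF


def decode_mask(mask):
    """Return the names of the known rights set in an access mask."""
    return sorted(name for bit, name in PROCESS_RIGHTS.items() if mask & bit)


def classify(mask):
    """'modify' if any write-capable right is requested, else 'read'/'none'."""
    names = decode_mask(mask)
    if any(n in WRITE_CAPABLE for n in names):
        return "modify"
    return "read" if names else "none"


def excess_rights(mask):
    """Rights requested beyond what a read-only memory scan needs."""
    return sorted(set(decode_mask(mask)) - set(decode_mask(READ_ONLY_SCAN)))


# Constructed sample of handle-open events in an assumed key=value format.
SAMPLE_LOG = """\
requester=spyaudit.exe target=explorer.exe access=0x1F0FFF
requester=scanner.exe target=svchost.exe access=0x0410
requester=injector.exe target=winlogon.exe access=0x043A
""".splitlines()

_LINE = re.compile(r"requester=(\S+) target=(\S+) access=0x([0-9A-Fa-f]+)")


def parse_log(lines):
    """Turn each event into a verdict plus the rights a scan would not need."""
    events = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # ignore lines that are not handle-open events
        mask = int(m.group(3), 16)
        events.append({
            "requester": m.group(1),
            "target": m.group(2),
            "mask": mask,
            "verdict": classify(mask),
            "excess": excess_rights(mask),
        })
    return events


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(f"{ev['requester']} -> {ev['target']}: {ev['verdict']} "
              f"(excess: {', '.join(ev['excess']) or 'none'})")
```

The second sample line is the only one a HIPS working on requested rights can pass as a read-only scan; the first asks for everything and so is indistinguishable, at the time the handle is opened, from the injector on the third line. That is the practical reason a scanner that is "only examining" processes still trips an alert, and why asking for the minimum mask is the scanner vendor's fix rather than the user's.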
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,058
    You are right Spiff5000. To run Spysweeper you need to either turn off the active shields in Spysweeper or disable open component control in outpost. My final solution is to turn off open component control in Outpost, let spysweeper sit a few minutes, and then turn it off, and outpost component control back on. Not a bad solution in view of other security measures.
     