Spy Sweeper acting up, or is there a very real danger ?

Discussion in 'other anti-malware software' started by Fly, Jul 18, 2008.

Thread Status:
Not open for further replies.
  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I use the latest version of the Spy Sweeper (Webroot), the version without antivirus.

    It has an 'internet communications shield' which is supposed to protect you from dangerous websites/things, such as drive-by downloads. (In the past, it has more than once protected me against 'drivecleaner').

    However, today I was blocked when I typed www.xe.com, a very mainstream website. I don't recall the exact message. I did NOT shut down the internet communications shield, but it seemed like I could see the exchange rates, I don't know if they were current or correct.

    Later, when I tried to access Yahoo, the internet communications shield protected me against ad.yieldmanager or ad.yieldmanager.com. At first glance, it looks like an ad related issue, but I was not blocked by the advertisement shield (which I also use), but by their internet communications shield. Other than that, I could access Yahoo.

    Something similar happened to me when I tried to access another mainstream website.

    Nothing like this has ever happened to me before.

    So, what's going on ? Is this dysfunctionality of the Spy Sweeper, or was I protected against real (not just ad displays) threats ? If the latter was the case, people need to be very aware of the situation. Not just people who use the Spy Sweeper.

    I submitted a ticket to Webroot, but they have a habit of being slow, and sometimes they don't respond at all, or give a completely irrelevant 'answer'.

    Therefore I'm just posting this here. If it's not Webroot dysfunctionality, people have a very real reason to be concerned.

    Btw, McAfee's SiteAdvisor rated all those websites GREEN, but that doesn't mean much. It's more like: if it lights up as RED, stay away from it.
     
    Last edited: Jul 18, 2008
  2. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    Maybe your Spy Sweeper is protecting you from cookies or something...
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Your antispyware is probably blocking advertisements in real time and blocking cookies. I have a program (an antispyware app) that blocks the same as yours plus more: webtrends, yieldmaster, 207, zedo, all those plus more, and I see it in the log file of the program. They get blocked without interfering with your daily work. :D
     
  4. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    It does have a tracking cookies shield, but only the internet communications shield alerted me.
     
  5. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    It would at least be a change in functionality. Ads used to be blocked by the common ads shield (but not always!). In the past the internet communications shield protected me against things like drive-by downloads (like Drivecleaner). I'm not saying it's not working properly, but it's easy to get worried if the internet communications shield starts popping up all over the place, without at least a notification of a change in functionality.
     
  6. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    After a few more experiences, it seems like it's a change in functionality.

    A notification should at least have been appropriate, and would also save the support department some time and effort.
     
  7. SoCalReviews

    SoCalReviews Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    282
    Location:
    Los Angeles, CA
    When I was using Spy Sweeper I had to disable some of the shields so that I could access common web sites. After version 5.x and later the program became too heavy and complex. It did a decent job at detecting and blocking spyware or traces of adware (most often tracking cookies) but the program was causing incompatibilities with other software and causing system lockups, slowdown, etc. More than a year ago I replaced SS with SAS Pro as my main ASW application and haven't looked back. If you are already running a number of security programs for layered protection (AV, FW, HIPS) then you should consider a much lighter ASW program.
     
    Last edited: Jul 18, 2008
  8. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Hmmm, I'm running the free version with shields up right now and I notice no slowdowns; in fact, pretty neat adblocker. BTW, is there a trial in the free version or is realtime protection endless? I know cleanup isn't free, so.
     
  9. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    I too have it doing it to me also. We both are seeing and getting the same thing.
     
  10. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    The behaviour in question is gone again !

    I get the impression that some pretty nasty business is happening right under our eyes, but I don't know who's responsible for it.

    As mentioned earlier, ad.yieldmanager.com in particular caught my eye.

    To put it simply, I've been messing around with my system, trying only the windows firewall and the latest version of Counterspy (eliminating the rest), and Counterspy caught an ad.yieldmanager cookie !

    I did read some threads about ad.yieldmanager being spyware/adware that was an infection on one's system, so I tried a number of things and what I mentioned in the previous paragraph.

    Now, with that McAfee Virusscan Plus 2008 (I know, I've been saying I would get rid of it, but I haven't found anything better, I'm not sure anyway) and The Spy Sweeper 5.5.7, the .NET building I haven't been able to find any ad.yieldmanager cookie, nor did the Spy Sweeper reveal what it revealed earlier.

    So there is a LOT of tracking going on, but I'm not sure who's responsible for that/what. (Who's in bed with whom !)

    It really pisses me off.

    I suppose the Spy Sweeper exposed 'by accident' ( :rolleyes: ) some spying that's going on. If anyone has some not too technical suggestions, your advice is welcome.
     
  11. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    ad.yieldmanager.com and others

    Please don't put this in a privacy thread, since this question is not primarily related to privacy, but more about tracking and the functionality of software.

    The (ad) shields in the Spy Sweeper block a lot, but not everything.

    Part of my security setup: McAfee Virusscan Plus 2008 (I'm not proud of that, but it's a temporary thing), Spy Sweeper 5.5.7 (version without antivirus).

    In the 2008 version of McAfee you don't have to download .NET separately, from what I understand it's in the McAfee code, completely or partially.

    McAfee and Doubleclick share data. No doubt that's why I sometimes see ads that have something to do with McAfee. The Ads shield in the Spy Sweeper blocks some ads, but certainly not everything. I don't really care about SEEING ads, it's the tracking that bothers me. I get the impression that the Spy Sweeper sometimes blocks ads 'from McAfee', accompanied by 'error messages' that suggest DNS involvement (word 'dns' in the 'error message').

    When accessing a website, I sometimes see (example: Yahoo), for a very brief moment, connections being made (not sure if they are successful or not): ad.yieldmanager.com, Google (ads) and such. Http connections, you really need a keen and quick eye to see them. (I also have 'opted out' on Yahoo's tracking of me outside the Yahoo network, 'web beacons'/'web bugs' issue.)

    I did a clean reinstall (fortunately I had an image from a fresh Windows XP service pack 2 plus updates without McAfee and the Spy Sweeper), and Counterspy was able to detect an ad.yieldmanager(.com?) cookie. No ad.yieldmanager software present, as suggested in numerous posts on the internet.

    While I can't be 100 % sure, it seems that some of what I mentioned two paragraphs earlier does actually track me and is responsible for displaying ads.
    A brief error/change in functionality of the Spy Sweeper made me more aware of this.

    I'm not sure about what this means, or what could be done (without taking extreme measures) to stop this tracking. I suspect that at least some tracking is successful, but it's hard to be sure. I've also read that the '.NET building' blocks A LOT, but not stuff from Microsoft/McAfee/Doubleclick; that group can actually follow you very well in the '.NET building'.

    I know this is a lot of text, feel free to comment and share insight.
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Re: ad.yieldmanager.com and others

    I think that you've mixed several things together that aren't really related to each other. McAfee and .NET probably don't have anything to do with your underlying observation (and stated reason for concern), which I believe is the connections being made to "other websites" when visiting a specific website.

    Let's focus on www.yahoo.com and the ad.yieldmanager.com. That does happen and it has nothing to do with any ad/spyware being on people's PCs. The main yahoo.com webpage has an image-tagged link to a resource at ad.yieldmanager.com. If you load the Yahoo! page in your web browser and then view the page source, you'll see it right in there - a 1x1 pixel webbug, used for Ads and statistics counting by Yahoo.

    No opt out at Yahoo will change that webpage's source code. No cookie blocking on its own will prevent a connection to ad.yieldmanager.com when accessing the Yahoo! page. The page has that access programmed right into it.

    The only way to block that is to prevent connections to either ad.yieldmanager.com itself or to block it as a third-party image. Firefox, for example, has a setting to only load images from the originating website (not any linked third-party images contained in the page code). Someone with that set, who visits yahoo.com, will not connect to ad.yieldmanager.com.

    Another way to specifically block ad.yieldmanager.com would be to block that site/domain in your firewall, proxy, or even using a Hosts file to black hole that site.

    In any case, this is just one example of how websites frequently contain links to third-party websites. It's very common when visiting one site to also connect to Ad sites, statistics / analytics sites, hit counters, and so on. googleanalytics is a very common third-party site that many people include in their webpages. Those needing Ad revenue will include links to third-party Ad servers.

    Browser settings & add-ons like NoScript for Firefox, software firewall & privacy software settings, DNS services like OpenDNS, a Hosts file... these are various tools available to block these "excess connections". If you block the connections, then no tracking of this kind is possible.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: ad.yieldmanager.com and others

    Going directly to the ad.yieldmanager.com URL in the page code, with my cookie settings in Opera configured to Prompt, I can see the attempt to set a cookie:

    ad.yieldmanager-prompt.gif
    ___________________________________________________

    With cookies set to load as specified in Opera's Server Manager (list of my stored cookies), this cookie will not download.

    If you set your firewall to prompt for the browser, you can view each connection.

    I decided to watch the yahoo.com page load and used IE. Here is a connection for doubleclick:

    ad.yieldmanager-dblclk.gif
    _________________________________________________

    When the page completed loading, the ad.yieldmanager cookie did not download:

    ad.yieldmanager-cookies1.gif
    _______________________________________________

    Looking at the page code, I see that ad.yieldmanager is associated with selecting Yahoo to be the default homepage:

    Code:
    var rmImage = new Image();
    rmImage.src = "http://ad.yieldmanager.com/pixel?id=115235&t=1";
    alert("Your home page is now Yahoo!\nThe home button of your browser goes directly to Yahoo!");
    
    So I clicked to select the home page:

    ad.yieldmanager-homepage.gif
    ____________________________________________________


    Soon the connection out to ad.yieldmanager alerted. Note the rm in the "connect to" description. It matches the identifier in the main page code. And the cookie is downloaded:

    ad.yieldmanager-cookies2a.gif
    ___________________________________________

    You might try this to see if you get the same results.

    Using Opera, I have a yahoo mail account and I store permanent yahoo.com and yahoo.mail.com cookies, but the browser does not permit any other cookies, including 3rd party cookies to download. Tracking by 3rd party cookies can't take place, if I understand how that works.


    ----
    rich
     
    Last edited: Jul 21, 2008
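
The last two posts describe one mechanism from two sides: an image tag that points at a third-party host, and a script that creates the same kind of request with `new Image()`. As an added example (not code from the thread or from any product named in it), the Python below scans a page for both forms, lists the third-party hosts, and prints Hosts-file entries for them; the sample page is constructed, and the function names and the "last two labels" same-site rule are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page, not Yahoo's real source. Only the pixel URL in the
# inline script is the one quoted in the thread; the other URLs are made up.
SAMPLE_HTML = """<img src="/img/logo.gif" width="120" height="40">
<img src="http://img.yahoo.com/banner.gif">
<img src="http://ads.example.com/bug.gif" width="1" height="1">
<script src="http://stats.example.net/counter.js"></script>
<script>
var rmImage = new Image();
rmImage.src = "http://ad.yieldmanager.com/pixel?id=115235&t=1";
</script>"""

URL_IN_SCRIPT = re.compile(r"""["'](https?://[^"'\s]+)["']""")

def site(host):
    # Naive "same site" key: the last two labels of the host name. Assumption:
    # fine for .com/.net; suffixes such as co.uk need a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

class ResourceFinder(HTMLParser):
    """Collects candidate request URLs: src attributes and inline script text."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls, self.script = page_url, [], []
        self.in_script = False
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        src = dict(attrs).get("src")
        if src and tag in ("img", "script", "iframe"):
            self.urls.append(urljoin(self.page_url, src))
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:  # keep inline script text to scan for beacon URLs
            self.script.append(data)

def third_party_hosts(page_url, html):
    finder = ResourceFinder(page_url)
    finder.feed(html)
    finder.close()
    urls = finder.urls + URL_IN_SCRIPT.findall("".join(finder.script))
    first = site(urlparse(page_url).hostname)
    hosts = {urlparse(u).hostname for u in urls}
    return sorted(h for h in hosts if h and site(h) != first)

def hosts_file_lines(hosts):
    return ["127.0.0.1 " + h for h in hosts]
```

A static scan like this lists every host the page can reach, including one that is contacted only when a script runs, which is why a firewall prompt may show it later than the page load.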