Spycar

Discussion in 'ESET Smart Security v3 Beta Forum' started by The One, Sep 18, 2007.

Thread Status:
Not open for further replies.
  1. The One

    The One Frequent Poster

    Joined:
    Mar 6, 2007
    Posts:
    246
    Why is ESS always failing the Spycar test?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hm, interesting. I don't see any sense in adding detection for these "test" utilities.

    Click here to make Spycar try to drop a file and install a Registry key to execute it under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Click here to make Spycar try to drop a file and install a Registry key to execute it under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Click here to make Spycar try to drop a file and install a Registry key to execute it under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    Click here to make Spycar try to drop a file and install a Registry key to execute it under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Click here to make Spycar try to drop a file and install a Registry key to execute it under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Click here to make Spycar try to drop a file and install a Registry key to execute it under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    Internet Explorer Config Change Tests
    Click here to make Spycar try to change your default home page in IE
    Click here to make Spycar try to lockout users from changing the default home page in IE
    Click here to make Spycar try to change your default search page in IE
    Click here to make Spycar try to remove the Advanced Tab in your IE Internet Options Screen
    Click here to make Spycar try to remove the Programs Tab in your IE Internet Options Screen
    Click here to make Spycar try to remove the Connections Tab in your IE Internet Options Screen
    Click here to make Spycar try to remove the Content Tab in your IE Internet Options Screen
    Click here to make Spycar try to remove the Privacy Tab in your IE Internet Options Screen
    Click here to make Spycar try to remove the Security Tab in your IE Internet Options Screen
    Click here to make Spycar try to remove the General Tab in your IE Internet Options Screen
     
  3. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Yeah, the same happened when we were talking about leak tests, they don't care about them yet ESS detects the leak testing utilities as unsafe tools. Interesting indeed that they don't think of eicar as a Testing Utility in the same way as the leak tests and detect it with the unsafe tools, don't you think??
     
    Last edited by a moderator: Oct 24, 2007
  4. JeremyWW

    JeremyWW Registered Member

    Joined:
    Apr 13, 2005
    Posts:
    237
    What's your point exactly?
     
  5. ASpace

    ASpace Guest

    Eicar is something that ALL vendors have agreed on detecting - there must be something to verify that the AV software is actually working.
     
  6. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    My point exactly is that if Eset is not interested in "Testing Utilities" like Marcos seems to have stated then why detect Leak Testing utilities?? Are they not Testing Utilities as well??
    Don't you see the contradiction there?? I know I do.
     
  7. JeremyWW

    JeremyWW Registered Member

    Joined:
    Apr 13, 2005
    Posts:
    237
    I don't see that it's anything to be concerned about, no. There are standard tests like Eicar, and leak tests for firewalls that are universally used as 'benchmark' tests, but there are many others that I guess don't fall into that category. I'm far more concerned about Eset's performance according to the official industry testing 'bodies', than whether they include signatures for every single testing utility that's been dreamt up.

    Eset's performance historically is hard to knock, and well proven. Research it yourself.
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Marcos has said that ESET has added signatures for leaktests in order to catch via heuristics unknown malware which share similarities with leaktests (code injection, substitution of files, etc)
     
  9. JASTECH

    JASTECH Registered Member

    Joined:
    Oct 23, 2007
    Posts:
    38
    Well I dl the file or tried to and ESS caught it and terminated the connection. So I tried to open another Eicar file that was compressed and ESS cleaned it and sent it to Quarantine. So I would say kudos to ESET!!!
     
  10. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
    I'm not sure how this thread got OT onto "EICAR" when the OP refers to "SPYCAR" - a completely different test utility.

    In any event, I tried a couple test runs on my system:

    1st with all security apps running, the OS firewall in my ZA Antispyware (a type of HIPS) successfully blocked all Spycar test programs as shown below:
    Spycar Scoring
    HKCU_Run : Spycar change blocked
    HKCU_RunOnce : Spycar test not performed
    HKCU_RunOnceEx : Spycar test not performed
    HKLM_Run : Spycar change blocked
    HKLM_RunOnce : Spycar change blocked
    HKLM_RunOnceEx : Spycar test not performed
    IE-HomePageLock : Spycar change blocked
    IE-KillAdvancedTab : Spycar change blocked
    IE-KillConnectionsTab : Spycar change blocked
    IE-KillContentTab : Spycar change blocked
    IE-KillGeneralTab : Spycar change blocked
    IE-KillPrivacyTab : Spycar change blocked
    IE-KillProgramsTab : Spycar change blocked
    IE-KillSecurityTab : Spycar change blocked
    IE-SetHomePage : Spycar change blocked
    IE-SetSearchPage : Spycar change blocked
    AlterHostsFile : Spycar change blocked

    On the second test, I disabled the ZA Antispyware and only two of the tests were blocked:
    Spycar Scoring
    HKCU_Run : Spycar change allowed
    HKCU_RunOnce : Spycar change allowed
    HKCU_RunOnceEx : Spycar change allowed
    HKLM_Run : Spycar change allowed
    HKLM_RunOnce : Spycar change allowed
    HKLM_RunOnceEx : Spycar change blocked
    IE-HomePageLock : Spycar change allowed
    IE-KillAdvancedTab : Spycar change allowed
    IE-KillConnectionsTab : Spycar change allowed
    IE-KillContentTab : Spycar change allowed
    IE-KillGeneralTab : Spycar change allowed
    IE-KillPrivacyTab : Spycar change allowed
    IE-KillProgramsTab : Spycar change allowed
    IE-KillSecurityTab : Spycar change allowed
    IE-SetHomePage : Spycar change blocked
    IE-SetSearchPage : Spycar change allowed
    AlterHostsFile : Spycar change allowed

    The IE-SetHomePage test was blocked by SAS and the HKLM_RunOnceEx was blocked by Nod32. You of course may find different results with ESS.

    Perhaps the moral of this story is that you need a good hips to pass these tests.
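
Added example, not part of oldshep's post or of any Spycar or ESET tooling: a short Python script that parses two "Spycar Scoring" reports like the ones above and shows which tests were stopped only by the layer that was switched off. The function names and the four verdict labels are assumptions made for the example; the sample data is a six-test excerpt of the posted results.

```python
import re

# One result line of a "Spycar Scoring" report, e.g. "HKCU_Run : Spycar change blocked".
RESULT = re.compile(
    r"^\s*([\w-]+)\s*:\s*Spycar (?:change|test) (blocked|allowed|not performed)\s*$")

def parse_scoring(text):
    """Return {test name: 'blocked' | 'allowed' | 'not performed'}; other lines are skipped."""
    return {m.group(1): m.group(2)
            for m in map(RESULT.match, text.splitlines()) if m}

def compare_runs(full, reduced):
    """Compare a run with every layer on (full) against a run with one layer off (reduced)."""
    out = {"single_layer": [], "redundant": [], "never_blocked": [], "inconclusive": []}
    for test in sorted(set(full) | set(reduced)):
        pair = (full.get(test), reduced.get(test))
        if pair == ("blocked", "allowed"):
            out["single_layer"].append(test)    # only the disabled layer stopped it
        elif pair == ("blocked", "blocked"):
            out["redundant"].append(test)       # a remaining layer also stops it
        elif pair[0] == "allowed":
            out["never_blocked"].append(test)   # got through even with every layer on
        else:
            out["inconclusive"].append(test)    # missing or "not performed" in a run
    return out

# Excerpt of the two reports in the post above (six of the seventeen tests).
ALL_LAYERS = """Spycar Scoring
HKCU_Run : Spycar change blocked
HKCU_RunOnce : Spycar test not performed
HKLM_RunOnceEx : Spycar test not performed
IE-SetHomePage : Spycar change blocked
IE-SetSearchPage : Spycar change blocked
AlterHostsFile : Spycar change blocked"""

HIPS_OFF = """Spycar Scoring
HKCU_Run : Spycar change allowed
HKCU_RunOnce : Spycar change allowed
HKLM_RunOnceEx : Spycar change blocked
IE-SetHomePage : Spycar change blocked
IE-SetSearchPage : Spycar change allowed
AlterHostsFile : Spycar change allowed"""

if __name__ == "__main__":
    verdicts = compare_runs(parse_scoring(ALL_LAYERS), parse_scoring(HIPS_OFF))
    for verdict, tests in verdicts.items():
        print(f"{verdict:14} {', '.join(tests) or '-'}")
```

Tests marked "not performed" in the full run land under `inconclusive`, because that run gives no evidence about them either way.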
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    A reminder that the thread does concern Spycar but as it relates to the ESS product. It is not however about other non Eset programs and their respective Spycar results.

    Bubba
     
  12. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
    I figured that the reaction of Nod32 to these tests would be informative as many have stated that the detection of Nod32 is similar if not the same as EAV 3.0. If I am wrong in that then please pardon me all to hell for posting.
     
  13. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina

    I am sorry you think that way. If Spycar can change My IE home page what makes you think real malware can't??
    I have run all the tests and I am terrified with Eset's performance (not that I would change it) but so that you know Spybot can stop most of the tests with its resident module -Teatimer- and it is a free program!! So why can't Eset?? Why don't they care?? Eset -as good an antivirus it is- it's not so great with spyware as much as you would like it to be, it lets a lot of programs mess with the registry and that is NOT good for a security program. At least ESS -which is a Suite and not a standalone program- should incorporate some kind of protection against these threats.
     
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I am not aware that Eset refers to ESS as a suite but instead describes ESS as having "next generation of ESET's anti-virus engine with a personal firewall and anti-spam". In order for ESS to deal with testing items like Spycar they would need to re-tool and add a behavior blocker, would they not?
     
  15. ASpace

    ASpace Guest

    Well, real malware can't because it will be detected. And here is the big difference between these tests and the real threat:

    The test will ONLY change your homepage
    The threat will change your homepage, will try to spy on you, will try to take over your resources, will display nasty advertisement, may turn your PC upside down

    The test won't ignite you :thumb:
     
  16. JASTECH

    JASTECH Registered Member

    Joined:
    Oct 23, 2007
    Posts:
    38
    I am sorry for my post of the Eicar then, since it was mentioned in one of the threads above my response I thought it good to post my results. So I guess there is a need for Spybot? Or what is the best free one? Thanks, JAS
     
  17. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Still I value my home page so I think Eset should be prepared to stop that kind of behavior from any software; remember what could be considered friendly to some is not to others, and I don't consider it friendly that some software changes my home page or loads itself on startup or so many other behaviors it should ask permission for.
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    NOD32 stops malware. Anything that is not malware, and is detected, is called a false positive. Sure, some antivirus products will add signatures to detect these harmless test programs into their databases just so they don't have to deal with these kinds of complaints from people like you. And off their unsuspecting users go, happy with the false peace of mind that being able to detect this harmless test program means their product will be able to detect actual threats. Sorry, but no.
     
  19. ASpace

    ASpace Guest


    Ah ... perhaps I'll get a slap from Moderators ... but ... Please, point me to three computer programs you know which do nothing else but change your IE settings without your knowledge.

    Please, point me to three programs you know which do nothing else but just add some stupid files on your system without your knowledge.
     