Discussion in 'ESET Smart Security v3 Beta Forum' started by The One, Sep 18, 2007.
Why is ESS always failing the Spycar test?
Hm, interesting. I don't see any sense in adding detection for these "test" utilities.
Click here to make Spycar try to drop a file and install a Registry key to execute it under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Click here to make Spycar try to drop a file and install a Registry key to execute it under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Click here to make Spycar try to drop a file and install a Registry key to execute it under HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Click here to make Spycar try to drop a file and install a Registry key to execute it under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Click here to make Spycar try to drop a file and install a Registry key to execute it under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Click here to make Spycar try to drop a file and install a Registry key to execute it under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Internet Explorer Config Change Tests
Click here to make Spycar try to change your default home page in IE
Click here to make Spycar try to lockout users from changing the default home page in IE
Click here to make Spycar try to change your default search page in IE
Click here to make Spycar try to remove the Advanced Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the Programs Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the Connections Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the Content Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the Privacy Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the Security Tab in your IE Internet Options Screen
Click here to make Spycar try to remove the General Tab in your IE Internet Options Screen
Yeah, the same happened when we were talking about leak tests; they don't care about them, yet ESS detects the leak testing utilities as unsafe tools. Interesting indeed that they don't think of eicar as a Testing Utility in the same way as the leak tests and detect it with the unsafe tools, don't you think??
What's your point exactly?
Eicar is something that ALL vendors have agreed on detecting - there must be something to verify that the AV software is actually working.
My point exactly is that if Eset is not interested in "Testing Utilities" like Marcos seems to have stated, then why detect Leak Testing utilities?? Are they not Testing Utilities as well??
Don't you see the contradiction there?? I know I do.
I don't see that it's anything to be concerned about, no. There are standard tests like Eicar, and leak tests for firewalls that are universally used as 'benchmark' tests, but there are many others that I guess don't fall into that category. I'm far more concerned about Eset's performance according to the official industry testing 'bodies', than whether they include signatures for every single testing utility that's been dreamt up.
Eset's performance historically is hard to knock, and well proven. Research it yourself.
Marcos has said that ESET has added signatures for leaktests in order to catch via heuristics unknown malware which shares similarities with leaktests (code injection, substitution of files, etc).
Well I dl the file or tried to and ESS caught it and terminated the connection. So I tried to open another Eicar file that was compressed and ESS cleaned it and sent it to Quarantine. So I would say kudos to ESET!!!
I'm not sure how this thread got OT onto "EICAR" when the OP refers to "SPYCAR" - a completely different test utility.
In any event, I tried a couple test runs on my system:
1st with all security apps running, the OS firewall in my ZA Antispyware (a type of HIPS) successfully blocked all Spycar test programs as shown below:
HKCU_Run : Spycar change blocked
HKCU_RunOnce : Spycar test not performed
HKCU_RunOnceEx : Spycar test not performed
HKLM_Run : Spycar change blocked
HKLM_RunOnce : Spycar change blocked
HKLM_RunOnceEx : Spycar test not performed
IE-HomePageLock : Spycar change blocked
IE-KillAdvancedTab : Spycar change blocked
IE-KillConnectionsTab : Spycar change blocked
IE-KillContentTab : Spycar change blocked
IE-KillGeneralTab : Spycar change blocked
IE-KillPrivacyTab : Spycar change blocked
IE-KillProgramsTab : Spycar change blocked
IE-KillSecurityTab : Spycar change blocked
IE-SetHomePage : Spycar change blocked
IE-SetSearchPage : Spycar change blocked
AlterHostsFile : Spycar change blocked
On the second test, I disabled the ZA Antispyware and only two of the tests were blocked:
HKCU_Run : Spycar change allowed
HKCU_RunOnce : Spycar change allowed
HKCU_RunOnceEx : Spycar change allowed
HKLM_Run : Spycar change allowed
HKLM_RunOnce : Spycar change allowed
HKLM_RunOnceEx : Spycar change blocked
IE-HomePageLock : Spycar change allowed
IE-KillAdvancedTab : Spycar change allowed
IE-KillConnectionsTab : Spycar change allowed
IE-KillContentTab : Spycar change allowed
IE-KillGeneralTab : Spycar change allowed
IE-KillPrivacyTab : Spycar change allowed
IE-KillProgramsTab : Spycar change allowed
IE-KillSecurityTab : Spycar change allowed
IE-SetHomePage : Spycar change blocked
IE-SetSearchPage : Spycar change allowed
AlterHostsFile : Spycar change allowed
The IE-SetHomePage test was blocked by SAS and the HKLM_RunOnceEx was blocked by Nod32. You of course may find different results with ESS.
Perhaps the moral of this story is that you need a good hips to pass these tests.
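Added example, not part of the original thread: a short Python script that parses Spycar result lines in the format posted above and compares the run with the HIPS enabled against the run with it disabled, to show which blocks depend on that one layer. The two inputs are excerpts of the posted results; the function names and category labels are this example's own.

```python
import re

# Excerpts of the two result lists posted above (same line format).
RUN_WITH_HIPS = """\
HKCU_Run : Spycar change blocked
HKCU_RunOnce : Spycar test not performed
HKLM_RunOnceEx : Spycar test not performed
IE-SetHomePage : Spycar change blocked
IE-SetSearchPage : Spycar change blocked
AlterHostsFile : Spycar change blocked
"""
RUN_WITHOUT_HIPS = """\
HKCU_Run : Spycar change allowed
HKCU_RunOnce : Spycar change allowed
HKLM_RunOnceEx : Spycar change blocked
IE-SetHomePage : Spycar change blocked
IE-SetSearchPage : Spycar change allowed
AlterHostsFile : Spycar change allowed
"""

LINE = re.compile(r"^\s*(?P<test>[\w-]+)\s*:\s*Spycar (?P<outcome>.+?)\s*$")
OUTCOMES = {"change blocked": "blocked", "change allowed": "allowed",
            "test not performed": "not_run"}

def parse(report):
    """Map each test name to blocked / allowed / not_run; skip other lines."""
    results = {}
    for line in report.splitlines():
        m = LINE.match(line)
        if m and m["outcome"] in OUTCOMES:
            results[m["test"]] = OUTCOMES[m["outcome"]]
    return results

def attribute(full, reduced):
    """Classify each test by what the two runs show about the disabled layer."""
    verdicts = {}
    for test, without in reduced.items():
        with_layer = full.get(test, "not_run")
        if without == "blocked":
            verdicts[test] = "blocked without the HIPS"
        elif with_layer == "blocked":
            verdicts[test] = "depends on the HIPS"
        elif with_layer == "not_run":
            verdicts[test] = "inconclusive"  # never exercised with the HIPS on
        else:
            verdicts[test] = "allowed in both runs"
    return verdicts

if __name__ == "__main__":
    for test, verdict in attribute(parse(RUN_WITH_HIPS), parse(RUN_WITHOUT_HIPS)).items():
        print(f"{test:18} {verdict}")
```

Tests reported as "not performed" in the first run are kept separate, since an "allowed" result in the second run says nothing about whether the disabled layer would have stopped them.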
A reminder that the thread does concern Spycar but as it relates to the ESS product. It is not however about other non Eset programs and their respective Spycar results.
I figured that the reaction of Nod32 to these tests would be informative as many have stated that the detection of Nod32 is similar if not the same as EAV 3.0. If I am wrong in that then please pardon me all to hell for posting.
I am sorry you think that way. If Spycar can change my IE home page, what makes you think real malware can't??
I have run all the tests and I am terrified with Eset's performance (not that I would change it), but so that you know, Spybot can stop most of the tests with its resident module -Teatimer- and it is a free program!! So why can't Eset?? Why don't they care?? Eset -as good an antivirus as it is- is not as great with spyware as you would like it to be; it lets a lot of programs mess with the registry and that is NOT good for a security program. At least ESS -which is a Suite and not a standalone program- should incorporate some kind of protection against these threats.
I am not aware that Eset refers to ESS as a suite but instead describes ESS as having "next generation of ESET's anti-virus engine with a personal firewall and anti-spam". In order for ESS to deal with testing items like Spycar they would need to re-tool and add a behavior blocker, would they not?
Well, real malware can't because it will be detected. And here is the big difference between these tests and the real threat:
The test will ONLY change your homepage
The threat will change your homepage, will try to spy on you, will try to take over your resources, will display nasty advertisements, may turn your PC upside down
The test won't ignite you
I am sorry for my post of the Eicar then, since it was mentioned in one of the threads above my response I thought it good to post my results. So I guess there is a need for Spybot? Or what is the best free one? Thanks, JAS
Still I value my home page so I think Eset should be prepared to stop that kind of behavior from any software; remember what could be considered friendly to some is not to others, and I don't consider it friendly that some software changes my home page or loads itself on startup or so many other behaviors it should ask permission for.
NOD32 stops malware. Anything that is not malware, and is detected, is called a false positive. Sure, some antivirus products will add signatures to detect these harmless test programs into their databases just so they don't have to deal with these kind of complaints from people like you. And off their unsuspecting users go, happy with the false peace of mind that being able to detect this harmless test program means their product will be able to detect actual threats. Sorry, but no.
Ah ... perhaps I'll get a slap from Moderators ... but ... Please, point me to three computer programs you know which do nothing else but change your IE settings without your knowledge.
Please, point me to three programs you know which do nothing else but just add some stupid files on your system without your knowledge.