Text 6247, 243 lines
Written 2005-03-27 11:57:42 by mark lewis (1:3634/12)
Subject: counterspy "review"
===========================
well, this is my first "review" type of thing so please bear with me... i've
not gone about being very scientific with it, either... i just downloaded,
installed and ran the scan on this daily-use box... this message is rather on
the "long" side... i remember seeing the line count around 240 while i was
writing it but reformatting done by my software will shorten that a bit...
the box:
this box is a celeron 300a with 256 meg of ram running win98se on a 30gig
harddrive... there is no modem... only a network card and a sound card... the
motherboard is an intel 440bx-2... definitely nothing fancy and pretty far
behind the curve of today's machines... this system was set up and installed
Dec 21, 2000... it has seen a lot of use over these last 4 years...
downloading:
getting counterspy wasn't so hard... i just had to give them a name and an
email address... of course i created and used a new sneakemail address... "just
in case" ya know ;) once this was done, i was carried over to the page where i
could download the 13Meg installer... the version of counterspy their
download pushed to me was v1.0.29 which i tacked on to the filename since
they were sending a "plain" filename, counterspy.exe... i stored it on my
machine as counterspy-1.0.29-EVAL.exe since i was not getting the full
registered version or a license key...
installation:
once the installer was received, i ran it after saving my registry and checking
the registry's current startup locations and several other key sections... the
installer created three new registry keys in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"sunasDTServ" = "C:\Program Files\Sunbelt Software\CounterSpy
Client\sunasDTServ.exe" ["Sunbelt Software Inc."]
"Default" = (no data)
"sunasServ" = "C:\Program Files\Sunbelt Software\CounterSpy
Client\sunasServ.exe" ["Sunbelt Software Inc."]
and one new registry key in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
"Default" = (no data)
i suspect that those "Default" blank ones are coding errors... they were not
there before running the counterspy installer... after the reboot, the
sunasDTServ key had been converted to all caps... the other two keys stayed the
same and the key in the RunOnce section had been removed...
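one way to automate the before/after check of the startup locations described above, as an added example that is not part of the original post: it diffs two regedit-style (REGEDIT4) exports of the Run and RunOnce keys; the sample exports are constructed to mirror the values reported here, and "ExistingApp" is a placeholder pre-existing entry.

```python
# Added example, not from the original post: diff two regedit-style (REGEDIT4)
# exports of the Run / RunOnce keys taken before and after an install, and list
# the values the install added. Names are compared case-insensitively, as the
# registry does (the post notes a value name coming back in all caps after a
# reboot). The exports below are constructed; "ExistingApp" is a placeholder.
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = RUN + "Once"
CS = r"C:\\Program Files\\Sunbelt Software\\CounterSpy Client"  # doubled as in .reg

BEFORE = "\n".join([
    "REGEDIT4", "", "[" + RUN + "]",
    r'"ExistingApp"="C:\\Example\\existing.exe"', "", "[" + RUNONCE + "]", ""])
AFTER = "\n".join([
    "REGEDIT4", "", "[" + RUN + "]",
    r'"ExistingApp"="C:\\Example\\existing.exe"',
    '"sunasDTServ"="' + CS + r'\\sunasDTServ.exe"', '@=""',
    '"sunasServ"="' + CS + r'\\sunasServ.exe"', "",
    "[" + RUNONCE + "]", '@=""', ""])

def parse_reg(text):
    """Return {key_lower: (key, {name_lower: (name, data)})} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current.lower(), (current, {}))
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        data = data.strip().strip('"').replace("\\\\", "\\")  # undo .reg escaping
        keys[current.lower()][1][name.lower()] = (name, data)
    return keys

def diff_startup(before, after):
    """List (key, name, data) for values present after the install but not before.
    A blank (Default) entry in the result is the kind of stray value the post flags."""
    old, new = parse_reg(before), parse_reg(after)
    added = []
    for lkey, (key, values) in new.items():
        old_values = old.get(lkey, ("", {}))[1]
        for lname, (name, data) in values.items():
            if lname not in old_values:
                added.append((key, name, data))
    return added
```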
initial update:
when the system reloaded, there was a counterspy icon in the system tray and
another one on the desktop... i clicked the one on the desktop to open the
program so i could run my first scan...
upon opening, there was a box that popped up in the lower right corner of the
screen that said that it was updating the spyware definitions... at this point,
the software firewall started popping up alerts as the counterspy updater
attempted to access the internet... it was allowed access to 127.0.0.1:8080
which is my filtering proxy and then it also wanted access to a UDP port... the
UDP port appears to be used to send back ACKs as each block of downloaded
material comes in... for those old timers, yeah, kinda like xmodem ACKs each
block ;)
i left the system to run its download for a bit... due to my slow connection,
it took a while... during this time, i tried to do a few other things but the
counterspy updater had a tight grip on the system... it hadn't even redrawn its
own window after i had ok'd the firewall's popups...
i am unable to determine exactly what the updater downloaded... i should have
taken a snapshot of the install directory before allowing the update to take
place... there are several files in the install directory that contain
timestamps consistent with the updater's execution... one of those files is
3Meg in size...
initial scan:
after the updater finished, the program appeared to simply close. i double
clicked on the desktop icon again and was greeted with the counterspy splash
box and then their "first time execution wizard" which set the defaults and
wanted to try updating a second time... i had to clear another UDP port thru
the firewall for this... after that, i simply kept clicking NEXT until the
wizard was completed... then i ended up at a screen where i could execute the
initial system scan... i selected to run a full deep scan on the entire system
and added a checkmark to the box to scan the entire drive... then i started the
process and watched as counterspy went to work...
after some 4000 files, counterspy said that it had found something it calls
NetAware and says that it is surveillance related... i ran into problems at
this point because i tried to use the mouse and click on this item to see what
it was and to see if counterspy would allow me to look at details while it was
running... when i clicked on this item, i saw a box popup and then disappear...
it took me a few times to realize that i had to click and hold so as to keep
the box up... unfortunately, there wasn't as much detail in the box as i'd have
liked to see... specifically the filename of the suspected infestation...
trouble:
after i had read what was in this box, i doubleclicked on the name and watched
as the program crashed and windows popped up its standard "application fault"
box... shrugging our shoulders, i cleared that box off the screen and restarted
counterspy... this time i left it to do its thing and went to watch a few shows
on television...
the results:
after some 3 hours 40 minutes, counterspy completed the initial full system
scan... it said that it had found three spyware products...
recommended action: quarantine
spyware name: NetAware (Surveillance)
threat level: [ELEVATED]
recommended action: ignore
spyware name: Weatherbug (Low Risk Adware)
threat level: [LOW]
recommended action: quarantine
spyware name: Find Protected (Potentially Dangerous)
threat level: [ELEVATED]
the first result is pointing to a shortcut that i had created on my desktop to
access one of our network shares for ease of use... the filename is
c:\windows\desktop\shortcut to files.lnk
here is what counterspy says about this result...
==========
NetAware
Type: Surveillance
Level: Elevated
Author: Infiltration Systems
Description: NetAware is a monitoring tool that logs
and records all shared file activity on your computer
or network.
Advice: This is a high risk threat and should be
removed or quarantined as to prevent harm to your
computer or your privacy.
About Surveillance: [blank]
==========
there is nothing dangerous about this link and counterspy
completely missed the other three shortcuts to additional
network resources on the desktop that were created at the same
time and in the same manner... false positive - strike 1...
the second result, weatherbug, i expected... weatherbug installs minibug...
minibug retrieves the advertisement skins for the weatherbug application
interface...
here is what counterspy says about this result...
==========
Weatherbug
Type: Low Risk Adware
Level: Low
Author: WeatherBug
Description: Minibug is an adware that displays ads
on to your computer.
Advice: This is a low risk adware application and
will not cause direct harm to your computer,
removing it is not required. However, it is strongly
recommended that you review this application's End User
License Agreement (EULA) as well as review the
application's privacy policies.
About Low Risk Adware: Low risk adware is an adware
application that is designed to potentially show
advertisements via popups. However, this type of adware
program is installed with the user's knowledge and
conforms to the program's EULA which is usually presented
to the user prior to download and during installation. A low risk adware
program will not transmit personal or identifiable information.
==========
we'd already neutered minibug by simply blocking its access to
the internet from the firewall...
the last result appears to be another case similar to the first result. this
time, it is looking at the unrar.dll file that comes with antivir from
free-av.com... antivir uses this dll to look inside archives for virus infected
files...
here is what counterspy says about this result...
==========
Find Protected
Type: Potentially dangerous utilities/tools
Level: Elevated
Author: AKS-Labs.
Description: Find Protected is a software designed to
search for password protected files on local disks and
across a network. With Find Protected you can locate
MS Office password protected files and popular password
protected archives, such as WinZip and WinRar. Also,
you can find some encryption systems, such as PGP Disk.
Advice: This is a low risk application and will not
cause direct harm to your computer, removing it is not
required. However, it is strongly recommended that you
review this application's End User License Agreement
(EULA) as well as review the application's privacy
policies.
About Potentially dangerous utilities/tools: [blank]
==========
ok? you can do this with most any archiver and some scripting... no big deal...
false positive - strike 2
at this point, i simply closed counterspy as i didn't want to do anything with
what it had found...
counterspy's interface looks nice and decently thought out... i've not gone
tripping around in it other than just to do the scan of this system to see what
it was finding...
overall, counterspy appears to be a good package... is it worth the
registration fee? i can't really say... that's one of those subjective
things... i've not had any problems with the freeware antispyware tools that
i've used for several years... i find them to be quite adequate for the job and
i've not gotten any false positives from them... just because something costs
money or is commercial doesn't make it better (or worse) than something that is
free or costs less...
)\/(ark
* Origin: (1:3634/12)