Hot:

I received a rather interesting spam the other day and it would seem to have included some well private details.  It looks like this email contains login information for various mail systems but I honestly did not follow up with it.  I figured it may be of interest to the owners of these sites so I’m posting it here rather than attempt to start tracking abuse emails for various domains.

Continue reading 'Spam with a bonus — ‘Oops’'»

Hot:

Received an email this week that looks like your typical spam and it comes with a DOC file attached to it. I included the md5 in the subject for ease of tagging and searching.

It is boring stuff, but it seems very familiar. I am sure this template of spam (if you will) has been sent to me before. Its subject says its from Ms. Cynthia Chalker (From Canada), but the reply to is a South African address, and it’s using msn.com/hotmail.com as the method of delivery (apparently).

And like it says, I have a winning notification that I have won the South African…something. But I have won. Phone number to call to claim my winning prize, and a DOC file attachment.

Obviously I have not won anything. This could be a very simple attempt to get you to call and give information away, or for them to convince you to charge your credit card for processing fees I am not certain.

Continue reading 'Unknown DOC file in email a7b207839f751a525f2328f3a07e7cb9'»

Hot:

I saw this comment today on a malware site and I normally read them to see how folks troll malware sites looking for blame.
Folks, malware is your problem, not anyone elses.  I am constantly reminded how people fail to understand that its their actions and choices that cause the infections, and today social engineering is a big reason.
Even malware experts are not immune from falling victim to their tricks.  Its been like this for years and outside of the increase in targetted attacks,
its still the #1 reason.

Continue reading 'Editorial: Understanding why Malware infects your PC'»

Hot:

Really? A FREE YEAR of Broadband?!? Nobody gives away a free year…

Recently I’ve received copies of a Phishing Attempt that looks like it’s from Shaw (a cable/internet/telephone service company in Canada). This phishing attempt is congruous to the Ebay and banking phishes of the recent past, in that it actually does NOT resemble a ‘real’ email, rather a fictional email to get people excited, in this case instead of warning the user it attempts a positive reaction from “getting free internet for a year”. Whoopie! A years worth of internet from Shaw isn’t that expensive. Phishing attempts are typically NOT viral or malware orientated but certainly can and do use such methods. In this case it looks like a standard email spam sent via exploited web sites.

This is a sophisticated method. It uses a similar style as Shaw uses in their correspondence and uses a legit; if inappropriate, email address. The email was generated and sent using multiple methods so tracking it will be harder to accomplish. Additionally, I shall show the details of the spam and my analysis. Our whois data will be included in the rest of the article.

First off, I will advise of the RED FLAGS in this phishing attempt

#1- “A Free Year of Broadband” – This doesn’t make sense. Shaw has trademarks and service marks that it would use to advertise it’s broadband internet service. Only someone ignorant of Shaw’s trademarks would say this. It’s really unlikely anyone who really works for Shaw would make this error.

#2 – Canadian Law states that any ‘contest’ or ‘giveaways’ contain details of said event. In most cases it’s prudent to disclaim whether or not the contest is allowed in Quebec, since the law is vastly different, and Quebec law generally does NOT allow this type of Contest. (disclaimer: I’m in no way a lawyer, but I am aware of consumer rights.). Missing the disclaimer is a definite flag

#3 – The email that is seen in the From: header is not a normal Shaw correspondence email account.

#4 – The link clearly shows a ‘secure’ link, but in no way is it going to a ‘secure’ site.

#5 – Typical email headers (on email from Shaw) missing

So just upon a quick review of this email we can deduce that it’s not a valid email. To get more pertinent details I’ll analyze these email in detail. I won’t paste the email headers in entirety, any ambiguity will be displayed by ‘XXXXXXXX’, to avoid email harvesting, but I will show you what details were more noteworthy.

The return-path was interesting. One was:

apache@utel16.besthosting.com.ua

, the other one was:

nobody@omega.omc.net

This would indicate to me that the web server sent this email, and in typical hosting fashion, it would be doing so via script on one of the hosts or virtual hosts on the system.

None of the received headers would indicate anything unexpected here, “omega” even has SSL/TLS

enabled but verify set to no.

The header in one of the emails is very interesting:

Date: Thu, 08 Nov 2007 20:49:28 +0200

From: “Shaw Communications Inc.” service@shaw.ca

Subject: Win a year of free broadband

To: XXXXXXX@shaw.ca

Reply-to: service@shaw.ca

Message-id: XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua

MIME-version: 1.0

Content-type: text/html

X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

Date and time indicates a East European Time zone. I know Shaw doesn’t have any servers in Europe…

The X-PHP-Script header shows a very interesting detail of where this email came from. We’ll come back to this IP in a bit. But this is a key indicator of an exploited web site on a hosting company or something similar. This IP definitely hosts a web server, and with the above mentioned user account, but at time of checking this link generated a error.

The for address 82.208.212.146 is interesting as it resolves to:

whois -h whois.geektools.com 82.208.212.146 …

GeekTools Whois Proxy v5.0.4 Ready.

Final results obtained from whois.ripe.net.

Results:

% This is the RIPE Whois query server #1.

% The objects are in RPSL format.

%

% Rights restricted by copyright.

% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.

% To receive output for a database update, use the “-B” flag.

% Information related to ’82.208.212.0 – 82.208.212.255′

inetnum: 82.208.212.0 – 82.208.212.255

netname: ITSOLUTIONSNET

descr: ITSolutions, Obrenoviceva 124 4/10

descr: 18000 Nis

descr: Serbia and Montenegro

country: CS

admin-c: IS1188-RIPE

tech-c: AZ919-RIPE

status: ASSIGNED PA

mnt-by: PTTSRBIJANET-MNT

source: RIPE # Filtered

person: Ivan Stankovic

address: ITSolutions

address: YU

e-mail: i.stankovic@my-its.net

phone: +38118512796

fax-no: +38118512797

nic-hdl: IS1188-RIPE

source: RIPE # Filtered

person: Aleksandar Zakic

address: ITSolutions NET

address: CS

e-mail: a.zakic@my-its.net

phone: +381-63-222-361

fax-no: +381-18-512-797

nic-hdl: AZ919-RIPE

source: RIPE # Filtered

% Information related to ’82.208.192.0/19AS13091′

route: 82.208.192.0/19

descr: JP PTT Srbija

descr: PTT Srbija Net

origin: AS13091

mnt-by: PTTSRBIJANET-MNT

source: RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy

Server results may be copyrighted and are used with permission.

Reviewing the other IP address of the X-PHP-Header gives us this info:

whois -h whois.geektools.com 213.186.117.120 …

GeekTools Whois Proxy v5.0.4 Ready.

Final results obtained from whois.ripe.net.

Results:

% This is the RIPE Whois query server #3.

% The objects are in RPSL format.

%

% Rights restricted by copyright.

% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.

% To receive output for a database update, use the “-B” flag.

% Information related to ’213.186.117.0 – 213.186.117.143′

inetnum: 213.186.117.0 – 213.186.117.143

netname: UTEL-DC5

descr: Utel DataCenter networks. Colocation

country: UA

admin-c: UNOC-RIPE

tech-c: UNOC-RIPE

status: ASSIGNED PA

mnt-by: AS6877-MNT

remarks: INFRA-AW

source: RIPE # Filtered

role: Utel NOC

address: 101, Volodymyrska str.

address: 01033, Kyiv, Ukraine

phone: +380 44 2359001

fax-no: +380 44 2304560

e-mail: noc@utel.net.ua

admin-c: OLE-RIPE

tech-c: BES100-RIPE

tech-c: OLE-RIPE

tech-c: JIM-RIPE

tech-c: ALT-RIPE

tech-c: UHM-RIPE

nic-hdl: UNOC-RIPE

mnt-by: AS6877-MNT

source: RIPE # Filtered

% Information related to ’213.186.112.0/20AS16124′

route: 213.186.112.0/20

descr: Utel DataCenter, Ukraine

origin: AS16124

mnt-by: AS6877-MNT

source: RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy

Server results may be copyrighted and are used with permission.

So, it looks like someone possibly in Serbia and Montenegro, ran a cross site script residing on a server in the Ukraine, against utel16.besthosting.com.ua which sent the email. One would actually have to test this out, which I have not done to confirm this. This is a dangerous step I decided to avoid for brevity.

[page_break]

Looking at another similar email we see:

Date: Tue, 06 Nov 2007 23:24:54 +0100 (CET)

From: “Shaw Communications Inc.”

Subject: Win a year of free broadband

To: XXXXXXXXX@shaw.ca

Reply-to: service@shaw.ca

Message-id:

MIME-version: 1.0

Content-type: text/html

X-Authentication-warning: omega.omc.net: Host localhost.omc.net (127.0.0.1)

claimed to be omega.omc.net

But we can see the authentication warning from this server. No detail unfortunately.

Regardless, the viewable content of these two emails is identical, including an ‘offical’ Shaw footer to further reinforce it’s legitimacy, but it’s futile. These are NOT from SHAW.

The content included in plaintext: However to ensure not even ‘google’ browses the evil link from our site I have sanitized it so it breaks. Details to fix will be below the actual email content:

Content-Transfer-Encoding: 8bit

209.85.15.18 is the address removed above with “Removed.example.com”. This address resolves to:

11/09/07 14:19:19 whois 209.85.15.18@whois.geektools.com

whois -h whois.geektools.com 209.85.15.18 …

GeekTools Whois Proxy v5.0.4 Ready.

Final results obtained from whois.arin.net.

Results:

OrgName: Everyones Internet

OrgID: EVRY

Address: 390 Benmar

Address: Suite 200

City: Houston

StateProv: TX

PostalCode: 77060

Country: US

ReferralServer: rwhois://rwhois.ev1servers.net:4321/

NetRange: 209.85.0.0 – 209.85.127.255

CIDR: 209.85.0.0/17

NetName: EVRY-BLK-15

NetHandle: NET-209-85-0-0-1

Parent: NET-209-0-0-0-0

NetType: Direct Allocation

NameServer: NS1.EV1SERVERS.NET

NameServer: NS2.EV1SERVERS.NET

Comment:

RegDate: 2005-12-14

Updated: 2006-11-28

RAbuseHandle: ABUSE477-ARIN

RAbuseName: Abuse Department

RAbusePhone: +1-713-579-2850

RAbuseEmail: abuse@ev1servers.net

RNOCHandle: NOC1445-ARIN

RNOCName: Noc

RNOCPhone: +1-713-579-2850

RNOCEmail: noc@ev1servers.net

OrgAbuseHandle: ABUSE271-ARIN

OrgAbuseName: Abuse

OrgAbusePhone: +1-214-782-7802

OrgAbuseEmail: abuse@theplanet.com

OrgNOCHandle: NOC1445-ARIN

OrgNOCName: Noc

OrgNOCPhone: +1-713-579-2850

OrgNOCEmail: noc@ev1servers.net

OrgTechHandle: VST3-ARIN

OrgTechName: Stinson, Valarie

OrgTechPhone: +1-713-579-2850

OrgTechEmail: admin2@ev1servers.net

# ARIN WHOIS database, last updated 2007-11-08 19:10

# Enter ? for additional hints on searching ARIN’s WHOIS database.

At this point this site seems to be up. Anyone receiving any email similar to this should simply delete it.

If you think it really is legit, call Shaw directly and ask them BEFORE you click on the link. I feel this analysis is accurate and is limited in it’s conclusions. However I hope it serves to help or assist any other who seeks to eliminate phishers, and other scammers.

Hot:

Well everyone needs an antivirus solution don’t they?

 

No.  I don’t believe everyone NEEDS one anymore.  To be truly effective you will probably need two or three, but good luck running them all together.  Its not recommended, and you will probably have real issues.

As a consequence even software designers are realizing this and integrating their AV solution into a more comprehensive and complete solution, bringing other features that should not be part of a pure anti-virus solution.

 

Let me state some declarations for the security vendors out there who may read this.

First declaration.  We don’t want “vendor-specific” integrated solutions.  Period.  Anyone who thinks they do can email me directly or on the forums and we can discuss it. 

Second declaration.  No AV/Security Vendor has a ‘good’ integrated solution let alone a ‘excellent’ one.

Third declaration.  Stay out of endeavors unless your going to do them well.

Now even some AV products are moving into integrating other ‘features’ into their software.  Kaspersky v6 Beta is one of those.  This was supposed to be a pure Anti-Virus program but as I highlight it isn’t.

 

Since this is an article about my last 24 hours with this program I shall try not to pick on integrated solutions any more. 

Why I don’t believe you need AV products anymore?

Truthfully virus’ are very very rare forms of malware these days.  They are making a bit of a comeback but mostly as rebuilt worms or trojans.  Worms and trojans are the big purveyors of nasty malware, and of course spam, phishing etc are even larger spreaders of the disease, BUT they are not virus either. 

 

So Anti-virus products simply waste resources and offer little to no actual protection?

Exactly.  Almost none are capable of “true” real-time protection unless you are being infected with very old malware.  However this is really where the value in Anti-virus software is.  Typically the value comes into play only after you discover that your already infected. [1]  Sure none of us like this, and we wish we would never get infected but it happens.  Our AV solution typically works good to excellent at removing and cleaning ‘known’ infections.  Sure, sometimes we need to do more than scan, quarantine, and delete, but our investment in the AV program should be able to assist at weeding out the ‘known’ malware and ensuring our data is clean. 

Only in the know…

It doesn’t stop unknown virus’.  Hence why you need to keep updating your software with new ‘signatures’ and additionally keep scanning your systems to keep up to date with what’s ‘known’.

Anti-virus software tends to be excellent at dealing with virus, pretty good at trojans and worms, but ‘only’ if the signature is up to date.  Besides nobody trades floppy disks much anymore so boot sector virus’ are dying out as malware matures in new forms[2].  So the AV product typically cannot stop trojans or worms from moving around, unless it has detection signatures for it.  But these definitely are acquired after the trojan or worm has typically ran it’s course.  Some worms have lifetimes in seconds.  How do you detect it, report it, confirm it, publish it, add it, update it, scan it all in a few seconds?  You can’t.  You would be infected during that phase with no trigger from your AV software.  

Since I don’t need to waste time and money getting little return on investment I choose not to install Anti-Virus tools.  Regardless of the solution though remember, “true” real time protection comes at a cost to performance.  On a home PC who wants to give up performance?  On a gaming machine, no WAY your giving up performance.  So don’t waste your time installing this software on these machines.  There are better solutions. 

Isn’t Kaspersky Anti-Virus v6 Beta different?

Yes.  Kaspersky v6 Beta was downloaded as I have always heard good things about this company and they tend to get fairly favorable reviews.  However most people hated v5 for a variety of reasons and I was led to believe (reading other reviews) that 6 was like a phoenix from the ashes type of release compared to v5.  It wasn’t.  It’s very like 5 and add new features you may love, but I guess you won’t, I sure didn’t.

From the beginning

Well the MSI installer was the first strike against this product. I’m no fan of the MSI installer, it creates numerous difficulties at installing software, and there should NEVER be a PROBLEM installing software. If there is, you shouldn’t have released it with the problem.

 

I attempted the installer on Vista RC2 and it completely failed with no real error (unknown error, didn’t I just type this…).  I then attempted to install this on a XP SP2 box I use that has ‘never’ seen an Anti-virus product before, and has been running for 6 months.  This installed fine requiring a reboot at the end.  However it attempted to update during the install, and this simply caused a hangup of both the installer and windows explorer.  I wasn’t impressed.  The reason for this hanging will be clear in a minute.

 

After a successful reboot, the software came up and started flagging various dll’s mostly, with nice smallish yellow popups,  and asking me what I wanted to do.  Folks, this is like many MANY other products out there, most are firewall solutions, but a few call themselves Anti-Virus solutions.   Now with all these packages the capabilities are morphing also.  Its an application tracking program that shows hooks into system routines, accesses and injections and changes of course.  This can be a very powerful tool to ensuring you stay protected.  However this!?!?!? In an AV product?  Give me a break.  Someone forgot to tell these folks ‘I only want my AV software bothering me IF IT’S A VIRUS OR OTHER MALWARE!!!!!!!’, we do need to remind them.

Why is this a problem?

I expect my anti-virus tool to ‘detect’ virus’.  Not tell me every little thing going on inside my system.  If I wanted an effective tool for active malware discovery I would use a serious appliance built for that purpose.  Maybe  the Anti-virus software guys and gals want to detect 0-days, something they never have done in the entire history of anti-virus tools.  Great lofty goal, but then they break trusted processes (detecting and removing virus’) with new features that can misplace trust, and then all bets are off.

So, question is.  Do I really want this level of protection?  Maybe. 

Do I want it from a trusted application like an anti-virus tool?

No, since they don’t know whether it’s malware or not, it asks you to make the decision.  I’m not sure if this would have an effect on scanning files against known attacks but I’m not about to either guess or take a chance.  Of course in my case I’m sure this is all innocent routine stuff, but it’s being treated inappropriately by Kaspersky so it’s possible one can make bad decisions.

 

Every little task generates this ‘alertwindow’ providing you only with:

 

A:  The classification of the alert;

B:  The location of the file causing the alert.

Then you have to make decisions as to:

C:  Whether to accept or deny it;

D:  Whether to make the above choice permanent, or just this time;

E:  Whether to simply trust this application to do what it wants, or not.

 

Lets look at each of these in more detail.

 

A:  The classification is a single word.  “Invader”  “Downloader”  “Threat”.  You can click on it to go to http://www.viruslist.com and check the definition in the encyclopedia, but don’t waste your time.   The definition you probably already formed in your head is more accurate and descriptive.

 

B:  The location is helpful, but in no way assists in decision making.  Does the software ‘belong’ there?  Are there other files called this also?  What is the manufacturers version information from the file?  Do we have a MD5 or SHA hash to verify it’s integrity?  Is this an essential windows file or not?  Is it a virus because my AV program displayed it to me?  Too many questions still and no definitive answers from the program that’s supposed to be definitive.

 

C:  Whether to
accept or deny this activity.  How am I supposed to make an intelligent decision based on the little panic information I have received so far?  Honestly you can’t.  So you flip a coin.  However chances are something ‘legit’ was trying to do something and if you deny it, very likely the application will now no longer have any communication back to the system including the calls and threads it already created and will typically crash the application or worse the desktop, or sadly, the entire machine.  So, the default choice is to accept it.  Why bother me then? 

 

D:  Now we have to make a choice that we will have to live with if we ever run this again.  Again same logic trail as C: above, so same conclusion.  Why bother me then?

 

E:  Should we just ‘trust’ this application to do what it wants? Now here’s the ‘stop annoying me’ choice, we can tell the program “look you annoying software, quit bugging me with popups and just trust the blasted application”.  Still we don’t know whether this is our photo gallery we wanted to start up to add some pictures from the weekend, or the latest worm/trojan file deletion tool.  But we can trust it and never hear from Kaspersky again. 

 

So the conclusion, this behavior from Kaspersky isn’t warranted or desired in an AV product because it doesn’t provide decent support.  It simply gives the user very powerful filtering capability which one can most simply avoid, and probably will.  This type of processing smacks of ‘host intrusion prevention systems (HIPS)’ but these are typically poor or overly complex applications.  Here with Kaspersky AV v6 Beta we have not overcome that hallmark.

 

The second contention I have with Kaspersky AV v6 Beta, is all the links direct one to a page to download the ‘trial version’ from, but with no way to activate the ‘trial version’.  The docs indicate that the activation tool (help -> activate) allows one to buy a license for this or activate later, or activate with a trial code.  Well the ‘trial version’ I downloaded from the ‘trial page’ does not have a ‘activate with trial code’ option.  So it’s either no updates or buy a license.  Well lets see how it does with it’s current database on my box that has never seen a anti-virus tool.  Aha, this is why my install hung up, it won’t allow the updater to update.  How silly.

 

Ok, I start the scan and I do like some of the options it provides like showing you all the exploits at theo >end f the scan.  I like this.  So, I run the scan, it estimates about two hours to scan everything (lots of partitions) and unbelievably it was done in just under two hours.  Very impressive.  Two little things I have seen before but they actually work as expected.  Wow.  It’s truly unfortunate that little else worked as great or made a positive lasting impression on me.

 

Remember we scanned a box that has XP SP2 installed patched semi regular (I let it inform and download, but I install manually) basis, no firewall except windows firewall, no antivirus ever until Kaspersky v6 Beta was installed, This has office 2003 installed runs Outlook as the mail client, has perl installed, IRC runs constantly, and most web browsing is done from this box, including this report being initially typed on it.

 

After a full two hour scan of my box I found one ‘threat’ on my PC.  Oh, that’s darn good I say to myself.  Just one file.  Considering some of the PC’s people have brought to me that I’ve cleaned up, repaired and rebuilt over the years, typically finding unbelievable amounts of malware  or a simple single infection still resulting in numerous files found during a scan.  Just one file infected.  Must have contained it…

So what one did I have?  I clicked on the result and was shocked.  The result was ‘Not-a-virus:mirc-616.exe’.  I couldn’t believe this.  It was showing me a backup copy of MIRC from my last update.  Hey I use MIRC daily, and rely upon it.  I bought the tool so I’m licensed, and when it did an upgrade it created a backup first.  How intelligent. 

So why is Kaspersky bugging me about this innocent tool?

 

I guess someone could ‘run’ it and take advantage of the exploits to infect my box, so I deleted it afterwards.  Was it infected?  No.  Why does it flag me with a bunch of insignificant warnings when it’s harmless?  Why did it not say ‘look you should delete this old version or upgrade if this is the current version you are using’?  Because it’s not a patch management solution, nor is it an auditing solution.  So I cannot fathom why my Anti-Virus software is behaving like one. 

 

Maybe it’s trying to be more encompassing and deal with the latest threats, rootkits.   But then shouldn’t it promote itself as an anti-rootkit tool?   Well we all know that there isn’t any such thing (yes many are trying to build one, but nothing actually works in detection), even tools such as ‘Rootkit Revealer’ by F-secure simply tell you a bunch of stuff that may ‘look’ like a rootkit, but you’ll have to do much more system analysis to determine for real or not.

 

Lets do some work

So, I figure I’ll wait and see if I can get the 30 day activation code to use this product, check around to ensure I haven’t missed something in terms of getting the proper beta product.  In my travels I find this great RAR file I want to download.  Ok firefox causes numerous popups in Kaspersky as DLL’s are loaded to process the download.  Ok I get the download and click on open in my download window in firefox, get more including AdobeIEsomethingorother.dll I can’t see why it needs this and select deny.  Windows Explorer crashes.  Ooops.  Attempt to repeat, crashes again.  Turns out that the download window launches in explorer.exe space and any time it looks up how to handle extensions several dlls are loaded for that purpose, including the AdobeIEsomethingorother.dll that I denied.  I wasn’t running IE or Adobe, but Windows Explorer (explorer.exe) required it during it’s initialization and denying it made it quite unstable.

 

Ok, this is not why I have security products installed on my machines.  I install them to:

 

A:  Improve the security of my systems, and improve my ability to do said;

rr

B:  Improve the stability and reliability of my systems and the data that resides on them

C:  To protect and ensure the accuracy and validity and privacy of the data and software that resides on the machines.

 

If the software I’m installing/using interferes with ONE of those conditions it fails and gets removed.

 

Kaspersky failed on the first two accounts.  It did not improve my security, and it destabilized my system by halting processes in stream to popup windows.  This regularly caused issues and in some cases fails, or crashes or unrecoverable applications.  In one case it completely crashed my TCP/IP stack since the protocol doesn’t like waiting for responses.  As for the third I can say the installation/removal of the software did not adversely affect any system files.  It did not interfere with the accuracy of the files that presided, nor did it interfere with them (outside of the routine application issues)

 

I could not recommend this product since:

 

1. It misleads the user about particular findings
2. Activation was a major headache with no immediate solution attainable
3. The product introduces so many additional points of failure that system stability could be a factor
4. It wastes the users time with notices of things that are innocent additionally it doesn’t make notice of important things.
5. Misuse of the tool by the user can render a machine or application useless.  Even to the point of crashing system kernel routines.

 

In my opinion this Anti-virus product is only 1/5th of it’s capabilities, and I was not seeking integrated solutions.  Since the AV portion does seem to work effectively it alerts you to non-virus files, which could cause one to delete something they use accidentally.

Installation Ranking: 3/5 – Using MSI and saying it installs on all windows but would not on Vista nor would it generate a decent error.  XP works fine.

Initial Setup and Patching: 1/5 – Unable to do anything except hang the machine attempting to make connections the
program blocks.  Unable to recify within test period, granted it was very short, so we give it a one.

Usability: 3/5 – Overall the program worked as we expected and did not cause issues or confusion when we asked it to do things.  It was not so clear when it prompted you with popups about app activity.

Dependability: 3/5 – Overall it’s engine scanned effectively and found all the planted malware on our test box.  It’s discovery of non-malware as malware concerned me greatly about it’s ‘cry wolf’ potential.  I would not rely on results singularily by this software I would have to confirm them with another more reliable package to ensure it is accurately determining valid malware, and not potential malware. 

Overall score: 2.5/5 – Software adequate.  Price to purchase unrealistic to it’s abilities.  Certainly has potential as a combo AV-Application Watcher, but why?

I don’t want to have to second guess my results, my AV software shouldn’t either.  If it does then it no longer has any ability to do what AV software is supposed to do….detect.

 

---

[1]This happens as a result (typically) by being infected during the ‘unknown’ phase, and once the signatures were updated, you now ‘detect’ the infection running around doing whatever it wants until now.

[2]Traditionally you got virus from copying files usually from a floppy disk.  Over time as other file transfer methods developed, the ways for virus to spread changed also.  However malware creators also realized that in order to get the virus around, they needed to figure out how to spread it.  Email, news, IRC protocals were used and the development of hiding virus in (even legit) programs was developed, now commonly referred to as trojans or trojan horses.  Worms also are an effective spreader technology since it’s whole concept in life is to move around the internet.