
Posts tagged: spam

Shaw offering Free Broadband for a Year? Or a Phisher?

November 9, 2007 12:53

Really? A FREE YEAR of Broadband?!? Nobody gives away a free year…

Recently I’ve received copies of a phishing attempt that looks like it’s from Shaw (a cable/internet/telephone service company in Canada). This phishing attempt is similar to the eBay and banking phishes of the recent past in that it does NOT resemble a ‘real’ email; it is a fictional email designed to get people excited. In this case, instead of warning the user, it aims for a positive reaction to “getting free internet for a year”. Whoopie! A year’s worth of internet from Shaw isn’t that expensive. Phishing attempts are typically NOT viral or malware oriented, but they certainly can and do use such methods. In this case it looks like standard email spam sent via exploited web sites.

This is a sophisticated method. It uses a similar style to Shaw’s own correspondence and uses a legitimate, if inappropriate, email address. The email was generated and sent using multiple methods, so tracking it will be harder to accomplish. Below I show the details of the spam and my analysis; our whois data is included in the rest of the article.

First off, the RED FLAGS in this phishing attempt:

#1 – “A Free Year of Broadband” – This doesn’t make sense. Shaw has trademarks and service marks that it would use to advertise its broadband internet service. Only someone ignorant of Shaw’s trademarks would phrase it this way; it’s really unlikely anyone who actually works for Shaw would make this error.

#2 – Canadian law requires that any ‘contest’ or ‘giveaway’ come with the details of said event. In most cases it’s prudent to state whether or not the contest is open in Quebec, since the law there is vastly different, and Quebec law generally does NOT allow this type of contest. (Disclaimer: I’m in no way a lawyer, but I am aware of consumer rights.) The missing disclaimer is a definite flag.

#3 – The address seen in the From: header is not a normal Shaw correspondence email account.

#4 – The link visibly shows a ‘secure’ (https) address, but it is in no way going to a ‘secure’ site.

#5 – The email headers typically present on email from Shaw are missing.

So just from a quick review of this email we can deduce that it’s not valid. To get more pertinent details I’ll analyze these emails in detail. I won’t paste the email headers in their entirety; anything redacted is shown as ‘XXXXXXXX’ to avoid email harvesting, but I will show you the details that were most noteworthy.

The Return-Path was interesting. One was apache@utel16.besthosting.com.ua, the other was nobody@omega.omc.net.

This indicates to me that the web server itself sent this email, and, in typical hosting fashion, it would be doing so via a script on one of the hosts or virtual hosts on the system.

None of the Received: headers indicate anything unexpected here; “omega” even has SSL/TLS enabled, though with certificate verification off (verify set to no), so the encrypted hop says nothing about who the peer actually was.

The headers of one of the emails are very interesting:

Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." service@shaw.ca
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

The date and time indicate an Eastern European time zone (+0200). I know Shaw doesn’t have any servers in Europe…

The X-PHP-Script header shows a very interesting detail of where this email came from. We’ll come back to this IP in a bit, but this is a key indicator of an exploited web site at a hosting company or something similar. This IP definitely hosts a web server, with the above-mentioned user account, but at the time of checking the link generated an error.
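As an added example (not code from the original post), the header and body red flags walked through above turned into a small triage script: it checks the Return-Path, Message-ID and Reply-To domains against the From: domain, pulls the script host and the calling client out of X-PHP-Script, flags a Date east of UTC, and compares each link’s visible text with its real href. The message is a constructed sample built from the headers quoted in the post, with the real link target replaced by the post’s own Removed.example.com placeholder; the assumption that a Canadian sender stamps a negative UTC offset is mine.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample reproducing the headers quoted in the post (addresses
# redacted with X's as in the post). The body and the href are constructed too:
# the real target is replaced by the post's "Removed.example.com" placeholder.
SAMPLE_MESSAGE = """\
Return-Path: <apache@utel16.besthosting.com.ua>
Date: Thu, 08 Nov 2007 20:49:28 +0200
From: "Shaw Communications Inc." <service@shaw.ca>
Subject: Win a year of free broadband
To: XXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id: <XXXXXXXXXXXXXXXXX@utel16.besthosting.com.ua>
MIME-version: 1.0
Content-type: text/html
X-PHP-Script: 213.186.117.120/~loveterra/indexzz.php for 82.208.212.146

<html><body>
<p>After downloading and installing the file below, you will
be taken to Shaw Communication Inc. survey.</p>
<a href="http://Removed.example.com/Survey.exe">https://secure.shaw.ca/apps/secure/vhub/Survey.exe</a>
</body></html>
"""

# Headers whose domain should match the From: domain on genuine corporate mail.
DOMAIN_CHECKS = {
    "Return-Path": "RETURN_PATH_DOMAIN_MISMATCH",
    "Message-ID": "MESSAGE_ID_DOMAIN_MISMATCH",
    "Reply-To": "REPLY_TO_DOMAIN_MISMATCH",
}
PHP_SCRIPT_RE = re.compile(r"^([^/\s]+)(/\S*)\s+for\s+(\S+)")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(value):
    """Lower-cased domain part of an address like 'Name <user@host>'."""
    return parseaddr(str(value))[1].rpartition("@")[2].lower()


def triage(raw):
    """Return {finding_code: detail} for the red flags visible in one message."""
    msg = message_from_string(raw, policy=default)
    findings = {}

    # Red flag: envelope sender / Message-ID host differs from the claimed sender.
    from_domain = _domain(msg.get("From", ""))
    for header, code in DOMAIN_CHECKS.items():
        domain = _domain(msg.get(header, ""))
        if domain and domain != from_domain:
            findings[code] = f"From is {from_domain}, {header} is {domain}"

    # Red flag: X-PHP-Script means a web script sent the mail; it also records
    # which client invoked the script (the "for" address).
    php = msg.get("X-PHP-Script")
    if php:
        m = PHP_SCRIPT_RE.match(str(php))
        if m:
            host, path, client = m.groups()
            findings["SENT_BY_WEB_SCRIPT"] = f"{host}{path} invoked from {client}"

    # Red flag: a Canadian ISP is assumed (my assumption) to stamp a negative
    # UTC offset; a positive offset points east of Greenwich.
    date = msg.get("Date")
    if date:
        offset = parsedate_to_datetime(str(date)).utcoffset()
        hours = offset.total_seconds() / 3600 if offset else 0
        if hours > 0:
            findings["DATE_TZ_EAST_OF_UTC"] = f"UTC{hours:+.0f}"

    # Body red flags: the link text claims https://secure.shaw.ca but the href
    # goes elsewhere over plain http, and it points at an executable.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, visible in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", visible).strip()
        real = urlparse(href)
        claimed = urlparse(shown) if "://" in shown else None
        if claimed and claimed.hostname != real.hostname:
            findings["LINK_HOST_MISMATCH"] = f"shows {claimed.hostname}, goes to {real.hostname}"
        if claimed and claimed.scheme == "https" and real.scheme != "https":
            findings["LINK_NOT_SECURE"] = href
        if real.path.lower().endswith(".exe"):
            findings["LINK_TO_EXECUTABLE"] = href
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_MESSAGE).items():
        print(f"{code}: {detail}")
```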

The ‘for’ address in that header, 82.208.212.146, is interesting, as whois resolves it to:

whois -h whois.geektools.com 82.208.212.146 ...
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '82.208.212.0 - 82.208.212.255'

inetnum: 82.208.212.0 - 82.208.212.255
netname: ITSOLUTIONSNET
descr: ITSolutions, Obrenoviceva 124 4/10
descr: 18000 Nis
descr: Serbia and Montenegro
country: CS
admin-c: IS1188-RIPE
tech-c: AZ919-RIPE
status: ASSIGNED PA
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered

person: Ivan Stankovic
address: ITSolutions
address: YU
e-mail: i.stankovic@my-its.net
phone: +38118512796
fax-no: +38118512797
nic-hdl: IS1188-RIPE
source: RIPE # Filtered

person: Aleksandar Zakic
address: ITSolutions NET
address: CS
e-mail: a.zakic@my-its.net
phone: +381-63-222-361
fax-no: +381-18-512-797
nic-hdl: AZ919-RIPE
source: RIPE # Filtered

% Information related to '82.208.192.0/19AS13091'

route: 82.208.192.0/19
descr: JP PTT Srbija
descr: PTT Srbija Net
origin: AS13091
mnt-by: PTTSRBIJANET-MNT
source: RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

Reviewing the other IP address in the X-PHP-Script header gives us this info:

whois -h whois.geektools.com 213.186.117.120 ...
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:

% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '213.186.117.0 - 213.186.117.143'

inetnum: 213.186.117.0 - 213.186.117.143
netname: UTEL-DC5
descr: Utel DataCenter networks. Colocation
country: UA
admin-c: UNOC-RIPE
tech-c: UNOC-RIPE
status: ASSIGNED PA
mnt-by: AS6877-MNT
remarks: INFRA-AW
source: RIPE # Filtered

role: Utel NOC
address: 101, Volodymyrska str.
address: 01033, Kyiv, Ukraine
phone: +380 44 2359001
fax-no: +380 44 2304560
e-mail: noc@utel.net.ua
admin-c: OLE-RIPE
tech-c: BES100-RIPE
tech-c: OLE-RIPE
tech-c: JIM-RIPE
tech-c: ALT-RIPE
tech-c: UHM-RIPE
nic-hdl: UNOC-RIPE
mnt-by: AS6877-MNT
source: RIPE # Filtered

% Information related to '213.186.112.0/20AS16124'

route: 213.186.112.0/20
descr: Utel DataCenter, Ukraine
origin: AS16124
mnt-by: AS6877-MNT
source: RIPE # Filtered

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

So, it looks like someone, possibly in Serbia and Montenegro, ran a cross-site script residing on a server in Ukraine against utel16.besthosting.com.ua, which sent the email. One would actually have to test this out to confirm it, which I have not done; this is a dangerous step I decided to avoid for brevity.


Looking at another similar email we see:

Date: Tue, 06 Nov 2007 23:24:54 +0100 (CET)
From: "Shaw Communications Inc."
Subject: Win a year of free broadband
To: XXXXXXXXX@shaw.ca
Reply-to: service@shaw.ca
Message-id:
MIME-version: 1.0
Content-type: text/html
X-Authentication-warning: omega.omc.net: Host localhost.omc.net (127.0.0.1) claimed to be omega.omc.net

Here we can at least see the authentication warning from this server, though unfortunately it gives no further detail.

Regardless, the viewable content of these two emails is identical, including an ‘official’ Shaw footer to further reinforce its legitimacy, but it’s futile. These are NOT from SHAW.

The content, included here in plaintext. To ensure that not even Google browses the evil link from our site, I have sanitized it so it breaks; details of what was altered are below the actual email content:

Content-Transfer-Encoding: 8bit

src="http://www.shaw.ca/NR/rdonlyres/A6D66548-142E-47F8-AF4A-3CEE597378BC/0/logo.gif" align=baseline border=0>

.win a year of free broadband

To access this survey, and register for relevant offers from Shaw Communication Inc. please take a minute to register by using the link below.

After downloading and installing the file below, you will be taken to Shaw Communication Inc. survey.

https://secure.shaw.ca/apps/secure/vhub/Survey.exe

2007 Shaw Communications. All Rights Reserved.

209.85.15.18 is the address that was removed above and replaced with “Removed.example.com”. This address resolves to:

11/09/07 14:19:19 whois 209.85.15.18@whois.geektools.com
whois -h whois.geektools.com 209.85.15.18 ...
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.arin.net.
Results:

OrgName: Everyones Internet
OrgID: EVRY
Address: 390 Benmar
Address: Suite 200
City: Houston
StateProv: TX
PostalCode: 77060
Country: US

ReferralServer: rwhois://rwhois.ev1servers.net:4321/

NetRange: 209.85.0.0 - 209.85.127.255
CIDR: 209.85.0.0/17
NetName: EVRY-BLK-15
NetHandle: NET-209-85-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1SERVERS.NET
NameServer: NS2.EV1SERVERS.NET
Comment:
RegDate: 2005-12-14
Updated: 2006-11-28

RAbuseHandle: ABUSE477-ARIN
RAbuseName: Abuse Department
RAbusePhone: +1-713-579-2850
RAbuseEmail: abuse@ev1servers.net

RNOCHandle: NOC1445-ARIN
RNOCName: Noc
RNOCPhone: +1-713-579-2850
RNOCEmail: noc@ev1servers.net

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com

OrgNOCHandle: NOC1445-ARIN
OrgNOCName: Noc
OrgNOCPhone: +1-713-579-2850
OrgNOCEmail: noc@ev1servers.net

OrgTechHandle: VST3-ARIN
OrgTechName: Stinson, Valarie
OrgTechPhone: +1-713-579-2850
OrgTechEmail: admin2@ev1servers.net

# ARIN WHOIS database, last updated 2007-11-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

At this point this site seems to be up. Anyone receiving any email similar to this should simply delete it.

If you think it really is legit, call Shaw directly and ask them BEFORE you click on the link. I feel this analysis is accurate, though limited in its conclusions. However, I hope it serves to help or assist anyone else who seeks to eliminate phishers and other scammers.


Mr. Gay Spammer on site

October 23, 2007 12:09

Well, it appears that ‘supercatalogo.info’ is a HUGE source of spam and malware. I have identified the IP as 89.111.180.225, with the following whois details:

10/23/07 10:15:20 whois 89.111.180.225@whois.geektools.com
whois -h whois.geektools.com 89.111.180.225 ...
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:

% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '89.111.176.0 - 89.111.191.255'

inetnum: 89.111.176.0 - 89.111.191.255
netname: CENTROHOST-NET
descr: JSC Centrohost
country: RU
org: ORG-JC13-RIPE
admin-c: IA327-RIPE
tech-c: IA327-RIPE
status: ASSIGNED PA
mnt-by: PAN1-RIPE-MNT
mnt-lower: PAN1-RIPE-MNT
mnt-routes: PAN1-RIPE-MNT
mnt-domains: IA327-RIPE-MNT
source: RIPE # Filtered

organisation: ORG-JC13-RIPE
org-name: JSC Centrohost
org-type: OTHER
descr: JSC Centrohost
address: 78, Profsojuznaya str.,
address: Moscow, Russia, 117393
phone: +7 495 3630309
phone: +7 495 3630318
admin-c: IA327-RIPE
tech-c: IA327-RIPE
mnt-ref: PAN1-RIPE-MNT
abuse-mailbox: abuse@hc.ru
mnt-by: PAN1-RIPE-MNT
source: RIPE # Filtered

person: Ivan Albetkov
address: Hosting-Center LTD
address: 22, Litovsky bulvar
address: Moscow, Russia, 117588
phone: +7 495 5445566
remarks: **************************************************
remarks: Please send abuse and spam reports to abuse@hc.ru
remarks: **************************************************
nic-hdl: IA327-RIPE
mnt-by: IA327-RIPE-MNT
source: RIPE # Filtered

% Information related to '89.111.176.0/20AS41126'

route: 89.111.176.0/20
descr: JSC Centrohost route
origin: AS41126
mnt-by: PAN1-RIPE-MNT
source: RIPE # Filtered

So Mr. Gay can go find another rock to crawl under.

Oh, if you’re looking for details on supercatalogo.info, the domain whois is below.

Domain ID:D15402764-LRMS
Domain Name:SUPERCATALOGO.INFO
Created On:22-Nov-2006 14:39:27 UTC
Last Updated On:21-Jan-2007 20:32:36 UTC
Expiration Date:22-Nov-2007 14:39:27 UTC
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Status:OK
Registrant ID:DI_4743150
Registrant Name:Isaias Stefanski
Registrant Organization:Isaias Stefanski
Registrant Street1:Devon Rd 67 26
Registrant Street2:
Registrant Street3:
Registrant City:BATON ROUGE
Registrant State/Province:Louisiana
Registrant Postal Code:70814
Registrant Country:US
Registrant Phone:+1.5043223563
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant SuperCatalogo.info
Admin ID:DI_4743150
Admin Name:Isaias Stefanski
Admin Organization:Isaias Stefanski
Admin Street1:Devon Rd 67 26
Admin Street2:
Admin Street3:
Admin City:BATON ROUGE
Admin State/Province:Louisiana
Admin Postal Code:70814
Admin Country:US
Admin Phone:+1.5043223563
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin SuperCatalogo.info
Billing ID:DI_4743150
Billing Name:Isaias Stefanski
Billing Organization:Isaias Stefanski
Billing Street1:Devon Rd 67 26
Billing Street2:
Billing Street3:
Billing City:BATON ROUGE
Billing State/Province:Louisiana
Billing Postal Code:70814
Billing Country:US
Billing Phone:+1.5043223563
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing SuperCatalogo.info
Tech ID:DI_4743150
Tech Name:Isaias Stefanski
Tech Organization:Isaias Stefanski
Tech Street1:Devon Rd 67 26
Tech Street2:
Tech Street3:
Tech City:BATON ROUGE
Tech State/Province:Louisiana
Tech Postal Code:70814
Tech Country:US
Tech Phone:+1.5043223563
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech SuperCatalogo.info
Name Server:NS1.THEHOSTDIRECT.INFO
Name Server:NS2.THEHOSTDIRECT.INFO


Blog Spammers – NetCatHosting #1 Spammer Sept/07

October 17, 2007 13:40

If you have a web site, chances are you deal with spam in some way. It has become a reality in the last couple of years, and dealing with it is either finicky and time consuming or, thanks to effective solutions, takes very little of your time.

Here we get lots of spam even though the traffic here doesn’t warrant it. 90% of the visitors here are bots and only about 2% of those are spammers.

We have a great system for dealing with spam and so far we’ve had great success with it. No spam has been posted on this site that had to be manually removed. However we get an endless number of attempts.

One IP, 195.225.177.190, has been particularly mindless in its attempts to spam our site, getting up to 10 to 15 attempts per day. During the latter part of September 2007, this ONE BOT generated over 100 attempts.

This is the detail of the identified spammer.

10/17/07 11:25:56 whois 195.225.177.190@whois.geektools.com
whois -h whois.geektools.com 195.225.177.190 ...
GeekTools Whois Proxy v5.0.4 Ready.
Final results obtained from whois.ripe.net.
Results:

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '195.225.176.0 - 195.225.179.255'

inetnum: 195.225.176.0 - 195.225.179.255
netname: NETCATHOST
descr: NetcatHosting
country: PA
admin-c: VR1273-RIPE
tech-c: VR1273-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: NETCATHOST-MNT
mnt-routes: NETCATHOST-MNT
mnt-routes: WZNET-MNT
source: RIPE # Filtered
remarks: ***************************************
remarks: * Abuse contacts: abuse@netcathost.com *
remarks: ***************************************

person: Vladislav Radchek
address: IBC Tower Floor 9 PO Box 901-2389
address: Manuel Espinosa Batista Avenue
phone: +372 7121250
nic-hdl: VR1273-RIPE
source: RIPE # Filtered

% Information related to '195.225.176.0/22AS31159'

route: 195.225.176.0/22
descr: NETCATHOST (full block)
mnt-routes: WZNET-MNT
mnt-routes: NETCATHOST-MNT
origin: AS31159
mnt-by: NETCATHOST-MNT
remarks: ****************************************
remarks: * Abuse contacts: abuse@netcathost.com *
remarks: ****************************************
source: RIPE # Filtered

% Information related to '195.225.177.190/32AS31159'

route: 195.225.177.190/32
descr: Mark Stosberg
origin: AS31159
mnt-by: NETCATHOST-MNT
source: RIPE # Filtered
remarks: *******************************
* Mark Stosberg *
* +1 (202) 657-5440 *
* US, 47374, Indiana *
* Richmond, 914 E Main St *
****** Send abuse to: *********
* abuse@myfreepages.org *
*******************************

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

This IP is part of the NETCATHOST.COM domain, which is a web hosting provider. Two IPs in this block were involved in the spamming: the one noted above and 195.225.176.177. This is RIPE address space, from the looks of it used by an ISP in Europe and further used by this American, either intentionally or otherwise. Given that it’s a web hosting account, I’d say the server has been compromised.

It was interesting that while these bots were spamming me, I received no other spam attempts. [well there were two] Once I blocked this IP block from accessing my site, the other bots started up again. Most curious.

I still average about 3 spam attempts per day and depending on the success of this article I may post further major spammers in the coming months.
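Added example, not the site’s own anti-spam code: counting comment-spam attempts per source IP and day from web-server log lines, then mapping each source to the RIPE route from the whois above so the block decision can be made at the /22 (the way this post blocked “this IP block”) rather than one IP at a time. The log lines are constructed, and the comment endpoint path and the 403 status for rejected comments are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Route taken from the RIPE output quoted in the post (route -> origin/netname).
KNOWN_ROUTES = {
    ip_network("195.225.176.0/22"): "AS31159 NETCATHOST",
}

# Constructed Combined Log Format lines, not the site's real logs. The comment
# endpoint path and the 403 for a rejected comment are assumptions.
COMMENT_ENDPOINT = "/wp-comments-post.php"
SAMPLE_LOG = """\
195.225.177.190 - - [28/Sep/2007:03:12:07 -0700] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/4.0"
195.225.177.190 - - [28/Sep/2007:05:41:22 -0700] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/4.0"
195.225.176.177 - - [28/Sep/2007:09:03:51 -0700] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Sep/2007:10:00:00 -0700] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
195.225.177.190 - - [29/Sep/2007:02:17:44 -0700] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/4.0"
198.51.100.9 - - [29/Sep/2007:12:30:01 -0700] "POST /wp-comments-post.php HTTP/1.1" 403 0 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})'
)


def parse_line(line):
    """Return (ip, day, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, day, method, path, status = m.groups()
    return ip, day, method, path, int(status)


def spam_attempts(log):
    """Count comment-spam attempts per (ip, day): POSTs to the comment endpoint."""
    attempts = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == COMMENT_ENDPOINT:
            attempts[(rec[0], rec[1])] += 1
    return attempts


def worst_ip(log):
    """(ip, total attempts) for the single busiest source, like the post's one bot."""
    totals = Counter()
    for (ip, _day), n in spam_attempts(log).items():
        totals[ip] += n
    return totals.most_common(1)[0]


def covering_route(ip):
    """The whois route containing ip as a string, or None if none is known."""
    addr = ip_address(ip)
    for net in KNOWN_ROUTES:
        if addr in net:
            return str(net)
    return None


def attempts_per_route(log):
    """Total attempts grouped by covering route ('unknown' for other sources)."""
    totals = Counter()
    for (ip, _day), n in spam_attempts(log).items():
        totals[covering_route(ip) or "unknown"] += n
    return totals


def block_candidates(log, min_total=3):
    """Routes whose summed attempts reach min_total: block the block, not one IP."""
    per_route = attempts_per_route(log)
    return sorted(r for r, n in per_route.items() if r != "unknown" and n >= min_total)


if __name__ == "__main__":
    print("busiest source:", worst_ip(SAMPLE_LOG))
    print("attempts per route:", dict(attempts_per_route(SAMPLE_LOG)))
    print("routes to block:", block_candidates(SAMPLE_LOG))
```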


CA Internet Security Suite

February 18, 2007 11:00

With the latest versions of the current software in hand, we are ready to wrap up our final review of Internet Security packages from the major vendors.

We did not review Norton’s/Symantec’s or McAfee’s offerings, given the popularity of these items in the store and the fact that they are the most primitive and intrusive software installs on the market. Installing one of these packages in the past usually left us with a box we had to completely rebuild. We tested them earlier in 2006 when they were available to beta testers and decided not to bother. If you have used their older versions, these are not that different, nor better or improved.

On to the topic we are discussing: CA’s offering.

Computer Associates has a slogan that people have associated with it: "The place good software goes to die". We certainly agree with this slogan. In 2005 this company bought our favorite firewall product, Tiny Firewall. That software has completely disappeared and has now been brought back to life in a ‘less filling’ option called CA Firewall. The ISS package comes complete with anti-virus, anti-spam, anti-spyware, and firewall.
This package is one of the better offerings in this field, but only in the sense that it is very intuitive to use and requires very little input from the user. If your users are not security savvy, or don’t like being prompted by software dialogs to make decisions, then this package is it.

The anti-virus offering is below par, but still decent enough not to miss any of our test patterns. The anti-spyware is PestPatrol, which is one of the better packages on the market, and CA still offers access to its wonderful database of files. The anti-spam is a basic white/black lister, so nothing special here, other than that it’s clean and works well to protect you immediately. It is not complete on its own, however, so we would not recommend it as a standalone product; within the ISS package it is backed by the anti-virus, so it can also help prevent infection in addition to blocking. The firewall is very well done, but is simply missing very critical components that were part of Tiny Firewall. I assume those are now only offered with commercial products.

The real downside of this whole package is its lack of documentation, of a feature comparison and of instruction, its terrible help file and its strange terminology.

Sure, there isn’t much to set or change, but for experts who want more control this software is simply inadequate. Especially coming from Tiny’s excessively tweaky interface, you’re constantly feeling like you are missing things, and rightfully so.

It doesn’t prevent things like keyloggers from working, or stealth DLL intercepts or global hooks (except in a generic sense, which doesn’t give enough detail to determine good or evil intent), so it’s still not going to deter any 0-day vulnerabilities, but for the lightweight user or for your kids’ computer this is a competent package.
We give this a 6 out of 10, which, if I’m not mistaken, is the best rating we have ever given an ‘Integrated Security Solution’.

It’s a surprise to us that it’s from Computer Associates. Maybe this is a change to that old slogan, but they are still paddling up the river with the same old boat. Good job guys, maybe next year we get a new boat to float in.


Review of F-Secure Internet Security 2007

January 1, 2007 21:01

Well continuing my review of ‘integrated security solutions’ I have once again become dismayed by the terrible offerings by the various security vendors out there.

Today we don’t have massive virus outbreaks, nor do we even have a big problem with Trojans (except when it comes to malware), and worms are even starting to slow down. We can thank enterprise-scale solutions and active monitoring of networks for this. Yes, even email/spam solutions are stopping many of these things right at the server at our ISP, so very little should be getting into our machines today, unlike just a couple of years ago when ISPs were leaving each of us to our own solutions.

Today, malware in the form of ADWARE and SPYWARE, as well as BOTNETS and ROOTKITS, is our big challenge, and many of the samples we encounter tend not to be detected by most products until after they have been discovered. In my mind this does not provide a solution but a clean-up.

So I don’t recommend people who are pro-active to buy these ‘Internet Security’ solutions that the vendors are pumping. They are just no good and a waste of CPU time.

F-Secure’s offering is probably the worst I’ve encountered to date. But like many of these packages, they taunt you with a free trial offering, which seems to work pretty well.

F-Secure offers the same as every other package, Anti-Virus, Anti-Spam, Firewall, as well as malware detection and a rudimentary rootkit check tool. Let’s start at the top.

The anti-virus solution is definitely the best of the inclusions with this product. When it updated, that is. Our biggest challenge was getting this product to work through a proxy. It seems the F-Secure developers don’t comprehend proxies and the awesome solutions they provide, and many times our updates would never get downloaded. An anti-virus product is only as good as its updates, and we constantly had to fiddle with the settings to do a simple update. Pathetic. So we would just as soon use Avast for FREE, which does not seem to have a problem with proxies.

The anti-spam solution was incredibly poor, however, causing several minutes of delay in processing email from nearly every ISP I tested this with. A normal POP session usually takes about 1 minute, and about 10 seconds per email on the slow side. With F-Secure Anti-Spam this increased tenfold. We were easily waiting about a minute per email, causing us to go for coffee every time we checked email. Since we use SpamAssassin on our free servers and a very pricey solution for our Microsoft Exchange server, we really don’t need anti-spam. It was no better at detecting the stuff that made it through these tools, so it was simply wasting time.

The firewall was the worst of the bunch. The first problem we encountered was that one of our test boxes had NVIDIA ForceWare Network Access Manager already installed. This is a firmware-based firewall, and it works very well. The downside was that F-Secure Internet Security refused to install “anything” with this product installed. On this box we simply wanted to test the anti-virus and anti-spam solutions, but we were forced to install the firewall product also. Disabling the firewall and reinstalling NAM was OK, and thankfully NAM remembered our old settings, saving us more time. Not F-Secure!

Once everything was installed on this box, we found out we could no longer access our network shares. Yes, the F-Secure firewall was blocking these accesses. Adding rules to allow this traffic made no difference. Isn’t a firewall made to configure what “I” want, not what some dork developer wants? I guess not. Nothing we could do (short of disabling the firewall) would allow us access to our network shares again.

The rootkit checker was bland. Featureless, it did not detect 22 of our suspicious ADS streams and did not provide any output that could be used to track down and discover where potential problems could be. The average person does not understand rootkits well enough to troubleshoot this without a lot of hand-holding, and this tool has none of that available. eEye’s Blink was better for this, yet even it was an ineffective tool against current rootkits. Old and very public rootkit technology was noted effectively, but most of the problems these days are botnet driven, and none of these were detectable until infection occurred and the OS was exploited. Then the anti-virus solution did its job.

The anti-malware portion of this software was very paranoid and kept advising us of tools that it didn’t think the average PC should have, like netcat or nmap; even PE Builder tools were quarantined by F-Secure, which annoyed me to no end. Sure, one could build exceptions, but shouldn’t the tool ask this during detection, not AFTERWARDS? Bart’s PE Builder broke thanks to F-Secure’s gross paranoia. Perhaps they should devise a colour coding like DHS has for terrorist alerts; ah, never mind, they’d all be red…

The kicker was purchasing a license and getting technical support. I had to send two emails to get my license, since they didn’t bother sending it automatically as part of the order. Very irritating to have to ask, a week after buying a license, where it is.

The next kicker was contacting support about our two major issues: updates and our firewall problems. Neither was addressed in a satisfactory manner. We were advised to disable proxies for updates. OK, not a big deal, but every week this needed to be changed since it seemed to forget the settings. As a consequence we were hardly ever up to date. This should be automatic and not require tweaking internet settings just to update, so we fail this product on this point alone. The other components had very few updates (some never updated in the two months we used this product), so we wonder how effective a solution is if it is never updated. Snort rules, for instance, are updated almost every day, and they haven’t come close to detecting everything yet, so if I have a choice I’ll stick to a real IDS solution and not the ‘clean-up’ proposed by F-Secure.

Technical support was terrible also. Three phone calls to them, and after explaining my problem to some fellow who spoke very poor English, he would offer to ‘email’ me a solution. I think he simply could not grasp the English alphabet over the phone when I tried to spell my email address, since on all three occasions I never received an email from him. By phone call #4 I asked if he could simply walk me through this on the phone. He refused and insisted on emailing it. I then asked if he really was a technical support person. He said yes. I asked if he could REALLY help with my problem, or if he didn’t have a clue how to fix my firewall/proxy issues. He said he could. So I told him that I wanted him to help me now, on the phone. He hesitated, but otherwise agreed.

F-Secure — you call that support? I call that very disappointing and disrespectful of your clients when you continually waste their time. Secondly, get people who can speak English. Make it a requirement of the job for those who prefer to get support in English.

After talking to this guy for about 20 minutes and following his instructions I was able to update the package ‘one time’ (I had to repeat his instructions every time I needed an update), but my firewall issue was no closer to a solution. Even with rules in place (the fellow from technical support confirmed I had indeed set them up correctly, but it still didn’t work), I was not led to a working solution. I asked if there was a way to remove the firewall component completely. The tech stated I would have to download the Anti-Virus program alone to accomplish this. I did not have a license for that product, so I would have to buy another product to do this.

At this point I simply stated this product was ineffective and requested a refund. This the tech support fellow was able to do very quickly, and in minutes I had an email in my inbox to confirm it.

This was the best performance I received from F-Secure.

My suggestion for those considering this ‘integrated solution’: save your money and just buy the Anti-Virus product alone. It’s the only thing worth any money, provided you don’t have any proxies to affect your updates. My own preference is to stick with Avast anti-virus, which does most of this stuff for free and much more effectively.

My rating of this product is 1 out of 10. This should not even be out of beta, but getting a refund was no trouble.

