13 replies to this topic

[marvinm]

I was on your site to purchase the a-squared Anti-Malware, when I ran across your new free offereing "MalAware".  I thought 'what a cool USB sized tool' and decided to run a test...

I updated a-squared Free & ran a Quick Scan - clean (ok, a cookie... log attached) (I also later ran a Smart Scan to confirm, with same results).

 a2scan_091206-231927.txt   1.08K   153 downloads

I then downloaded & ran MalAware 1.0.0.3 (log attached)... it found two infections (13 objects):

 scan_091206-232304.log   3.47K   139 downloads

Spybouncer & Crime Catcher 3.2 (both HKEY_CLASSES_ROOT\CLSID\...\InprocServer32TrheadingModel)

OK, so before I go further... a-squared Free does fully scan the registry in all modes, right?  and a-squared Free is identical to a-squared Anti-Malware in detecting malware, right? So, we're dealing with a false-positive, right?

OK, back to MalAware:  



Now the most interesting part to me is that MalAware is all red & ATTENTION: 2 INFECTIONS FOUND! & flagged them both as 'high risk' - yet your own Malware database lists them as 'medium risk' and 'low risk' (respectively).  

http://www.emsisoft.com/en/malware/Adware.Win32.SpyBouncer-remove.aspx
http://www.emsisoft.com/en/malware/Adware.Win32.Crime_Catcher_3.2-remove.aspx

MalAware's screen layout & colors clearly indicate great danger, and of course, the immediate and pressing (and only) solution is to 'buy a-squared Anti-Malware today!'...

Frankly, I don't know which concerns me more... that MalAware may actually be detecting a true problem that a-squared Free (and therefore a-squared Anti-Malware) will not even see, or that you have simply created a marketing tool to prey on the fears of those without knowledge or resources to determine if a threat is real or how dangerous it is... a tool that detects a false-positive, overstates its threat level and, without confirmation, pressures the user to 'buy our awesome program to make the bad things go away'... and what happens when they do... and it doesn't?

MalAware is a cool idea - I like its size & speed, and it could do well for you, but the sense I have right now is that it takes your image as a company of integrity and a top contender in the field, and puts you squarely in the middle of all the other bottom feeders on the internet that specialize in ripping people off through malware/fearware/scamware.

Please consider if the 'results page' of this product really represents the image you intend... it may get you sales, but if they buy to fix a false positive - that doesn't even get fixed, you will not have a happy customer, and the sale may have cost you more than you know...

Maybe you could more clearly (and gently) invite them to your site to confirm their problem before kindly offering to relieve them of their cash...?

... I do hope you guys are above this...

[Fabian Wosar]

I just took a look at the signature database. Both applications should report the same malware. None of the signatures are actually deactivated. Could you export one of the keys reported by MalAware and send the export to fw@emsisoft.com please for a further review?

[Lynx]

Hi marvinm, and welcome to the forum

First thanks for the report.

MalAware is very young Software .

We all are just testing it.
I've never seen any malware being caught by the newbie yet, though

It would be very helpful for all and definitely for developers if you provide (attach) the report of Deep Scan with the latest Signatures update in situation like this, when MalAware is showing the presence of infection.

The scanning and the ability to remove, if necessary is identical regarding Free and Anti-Malware, so at this stage it is just interesting to know what the full scan of a-squared Free shows.
Be careful though with removal yet until you got the answers about the detections.... and sure in idea there should be "synchronization" in detections

... but as I said we all just learning MalAware and the developers will help for sure

My regards

P.S. {added}

Thanks Fabian... typing at the same time

I just took a look at the signature database. Both applications should report the same malware. None of the signatures are actually deactivated. Could you export one of the keys reported by MalAware and send the export to fw@emsisoft.com please for a further review?

[Fabian Wosar]

Can you please redownload MalAware? Since the keys are not detected for me - neither by MalAware nor by Anti-Malware.

[marvinm]

Thanks guys, for the quick response. Fabian, I've sent a rar w/the 1st two keys of each positive. We're on different time zones & I'm about to shut down (3:30am), so I'll run a deep scan & forward the report when I get up.

Also, I have two systems, with identical symptoms, down to identical keys being flagged. I will only run the deep scan on one to ensure I don't wipe out all evidence.

I've updated the signature & have turned off everything under Configuration/Permissions except the 1st two 'start' checks, and have done this for each user in the drop-box, in hopes of preventing changes without my knowledge. You guys can let me know what I 'could have done' & if needed I can rescan in the morning.

[marvinm]

OK, I re-downloaded & re-ran MalAware. Identical symptoms. I've checked several things that I'd normally think of (other apps running, etc) & compared a little between the two systems, but find nothing useful.

I could export my entire registry if you can handle it... it's about 3.8meg compressed (@92meg expanded).

These keys are, of course, crosslinked throughout to other areas of the registry, so perhaps it's detecting the signature at other locations - perhaps this is just the 'main reference point' that it all ties back to? It's just a thought... I have no idea how the program is processing the registry structure...

Equipment wise, these are quite different machines, but they have many of the same applications installed (zone alarm, AVG, etc). However, they are not necessarily running the same versions of these different programs, and each have many things installed that the other does not...

Still, it should help that I have matching symptoms on two different systems...

I'm not too worried about the offending registry entries (I can brute-force if needed), and I haven't even done the normal digging into exactly what put them there or what they do (or even if they are malicious)... however, I would like to at least give you guys the ability to work through this on your end...

Any other thoughts? Shall I go ahead with the deep scan as configured per my previous message? Do you want my entire registry?

[Lynx]

... I will only run the deep scan on one to ensure I don't wipe out all evidence...

What do you mean by that, marvinm?

In any case the result will stay in the detection list and you will just save the report if any flaggings.

There is no "auto-" quarantine / deletion if that's what you mean

The permissions are set for the users running under the limited rights, so they are restricted to perform some actions...

My regards

[marvinm]

It is quite late here, & I didn't remember how your software handled such things - I just wanted to be sure we could reproduce whatever occured. Since you don't an 'auto quarantine', no problem.

I'll run the deep scan & see what happens.

Two final points: (1) you are welcome to change the spelling error on the thread title (if allowed), and (2) please forgive me if I came across too harsh. It was simply my initial response to what felt like a manipulation. I've been in this stuff since way before most of the world knew there was an internet, and I guess that little screen just reminded me of the thousands of 'apps' I've seen take over the net over the more recent years. I'm all for you guys making money off your hard work... but hope to encourage you to do so with honor & integrity. The net is already full of those other kinds, and I've watched some really excellent companies over the years follow that path - and the end is always the same...

Keep the bar high. It will pay in the long run.

Kind regards, Marvin

[Lynx]

Hi Marvin,

While you are sleeping...

I recall and realized that I can actually test something here regarding the above “synchronized postings” :

... Both applications should report the same malware...

... and sure in idea there should be "synchronization" in detections...

I have this old MS RegCleaner that a-squared is flagging and it is quarantined.

- I prepared both MalAware and a-squared to be ready to run

- the Software was restored;

- MalAware and the Quick Scan, that should pick up the Traces as well were fired up
and I got the expected result

I even ran the the Software... but in this case it was actually not necessary (I was just wondering about the [process] itself... … anyway … that's next for studying )

My regards

Attached Thumbnails

• 

[marvinm]

Sleep! Ha! It's overrated, you know... (I did catch about a 3hr nap, but had work to do...).

OK, I updated a-squared Free on both systems & ran a deep scan - neither detected the questionable registry entries. I then re-ran the MalAware (it updated) & have the same sypmtoms as before. Here are logs:

 a2scan_091207-115601.txt   2.68K   132 downloads

 scan_091207-155730.log   3.48K   147 downloads

One thing I did notice... a-squared Free log file shows Heuristics scanning is "Off". I didn't remember an option for that, but poking around, I find it under 'Custom Scan'... is it only available if I setup a custom scan?

I can't see MalAware having time to do much in the way of Heuristics... but could that be the difference?

I've downloaded the 30day trial & installed it. With heuristics on, I've left it running another deep scan. We'll see in the morning...

By the way... the image you sent... did you notice that the results were shown as 'high risk', although it is considered only a medium risk virus in the a-squared Malware database? I guess every positive (false or true) will flag as 'high risk'... hmmm...


Added: (per your posting rules, this should have been included much earlier... sorry.) System: Intel Core2 Due E6850, Asus PK5 MB, 4gb DDR2, XP Pro, SP2 (32bit) w/all updates - I'll go SP3 next time I have to reinstall the OS... Zonealarm Pro, AVG Free (disabled for now), Malwarebytes Anti-Malware (on demand), a-squared 30day trial (active)...

[Fabian Wosar]

We are currently discussing how to make MalAware a bit less annoying. We have a few ideas we want to test first. And you are right ... currently MalAware will mark everything as "High Risk" due to a bug. Will be fixed with one of the next releases.

[Lynx]

Hi Guys,

...currently MalAware will mark everything as "High Risk" due to a bug. Will be fixed with one of the next releases.

I forgot to tell that I ran the same test recently (see the image I posted on Dec., 08)

There is no discrepancy regarding the risk level.
Both scanners are showing “medium risk” in sync. So that's fixed.

Thanks to developers!

[Lynx]

Hi ance,

1) No, it will not clean

...will only provide an indication of whether a PC is infected with malware or not...

Actually the answers is here

2) When you run you are alerted if there is new version is available and asked about re-downloading

My regards