Author Topic: Again "a-squared free" goes bunkers!  (Read 6791 times)

polonus
Again "a-squared free" goes bunkers!
« on: May 24, 2007, 10:04:24 AM »
Hi malware fighters,

After quite some while I started a smart scan again with my updated a-squared free scanner. It came up with a brilliant FP according to my knowledge of malware definitions. 34 instances of the Netcraft Toolbar anti-phishing toolbar, very safe according to me, a medium security risk according to a-squared. Here is my scan log:
//////////////////////////
a-squared Free - Version 2.1

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start:   24-5-2007 9:14:10

C:\Program Files\netcraft toolbar    detected: Trace.Directory.Netcraft Toolbar
C:\Program Files\netcraft toolbar\localblock.dat    detected: Trace.File.Netcraft Toolbar
C:\Program Files\netcraft toolbar\logo.bmp    detected: Trace.File.Netcraft Toolbar
C:\Program Files\netcraft toolbar\menu.xml    detected: Trace.File.Netcraft Toolbar
C:\Program Files\netcraft toolbar\nctb.dll    detected: Trace.File.Netcraft Toolbar
C:\Program Files\netcraft toolbar\netcraft.xml    detected: Trace.File.Netcraft Toolbar
C:\Program Files\netcraft toolbar\retrievepage.dll    detected: Trace.File.Netcraft Toolbar
C:\Program Files\netcraft toolbar\updater.exe    detected: Trace.File.Netcraft Toolbar
C:\Program Files\netcraft toolbar\xss.dat    detected: Trace.File.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Logo --> LastModified    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Menu --> LastModified    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings --> GUID    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings --> LastCheckedDLL    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings --> LastCheckedLBF    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings --> LastCheckedLogo    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings --> LastCheckedMenu    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings --> LastCheckedNetcraftMenu    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings --> LastCheckedXSS    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings --> Licensed    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar --> {D554D8FC-B36D-4BB4-93DB-4A3394D505E3}    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> DisplayName    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> DisplayVersion    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> EstimatedSize    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> HelpLink    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> InstallLocation    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> InstallSource    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> Language    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> ModifyPath    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> Publisher    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> UninstallString    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> URLInfoAbout    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> URLUpdateInfo    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> Version    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> WindowsInstaller    detected: Trace.Registry.Netcraft Toolbar

Scanned

Files:    52097
Traces:    115060
Cookies:    1
Processes:    44

Found

Files:    0
Traces:    34
Cookies:    0
Processes:    0
Registry keys:    0

Scan end:   24-5-2007 9:32:51
Scan time:   0:18:41
/////////////////////////////

What are they doing there at a-squared, plucking their noses? In such a fashion their scanner is being turned into a risk tool in the hands of the uninformed. What do the forum members think of all this? Shall we advise against using this spyware scanner or is there still hope, that a-squared will turn back on its sloppy ways?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
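
A triage aid for the scan log in the post above, as an added example that is not part of the original post and not a-squared code: it parses the `<object>    detected: <signature>` lines and groups the hits by signature family and by containing directory or registry key, so the per-object count can be reviewed as a handful of locations. The function names and the grouping rule are assumptions of this example; the sample is an excerpt of eight lines from the log above.

```python
import re
from collections import Counter, defaultdict
from ntpath import dirname  # Windows path rules on any OS

# Eight of the 34 detection lines from the scan log in the post above.
SAMPLE_LOG = r"""
Scan start:   24-5-2007 9:14:10
C:\Program Files\netcraft toolbar    detected: Trace.Directory.Netcraft Toolbar
C:\Program Files\netcraft toolbar\nctb.dll    detected: Trace.File.Netcraft Toolbar
C:\Program Files\netcraft toolbar\updater.exe    detected: Trace.File.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Logo --> LastModified    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings --> GUID    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings --> Licensed    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar --> {D554D8FC-B36D-4BB4-93DB-4A3394D505E3}    detected: Trace.Registry.Netcraft Toolbar
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00F87673-B929-4644-9322-7243E8289B54} --> DisplayName    detected: Trace.Registry.Netcraft Toolbar
"""

LINE_RE = re.compile(r"^(?P<obj>.+?)\s+detected:\s+(?P<sig>.+)$")


def parse_line(line):
    """Return a dict for one detection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("sig").split(".", 2)   # Trace / Registry / Netcraft Toolbar
    if len(parts) != 3:
        return None
    category, kind, family = parts
    obj = m.group("obj")
    if obj.startswith("Value: "):          # registry value: group by its key
        container = obj[len("Value: "):].partition(" --> ")[0]
    elif kind == "File":                   # file: group by its directory
        container = dirname(obj)
    else:                                  # directory trace: already a container
        container = obj
    return {"category": category, "kind": kind, "family": family,
            "container": container}


def summarize(log_text):
    """Collapse per-object hits into one record per signature family."""
    families = defaultdict(lambda: {"hits": 0, "categories": set(),
                                    "kinds": Counter(), "containers": Counter()})
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        rec = families[hit["family"]]
        rec["hits"] += 1
        rec["categories"].add(hit["category"])
        rec["kinds"][hit["kind"]] += 1
        rec["containers"][hit["container"]] += 1
    return dict(families)


if __name__ == "__main__":
    for family, rec in summarize(SAMPLE_LOG).items():
        print(f"{family}: {rec['hits']} hits, categories={sorted(rec['categories'])}")
        for container, n in rec["containers"].items():
            print(f"  {n:2d}  {container}")
```

Run over the excerpt, every hit falls under one family and one category (`Trace`), spread over one install directory and four registry keys, which is the shape to check against the product's own installer before deciding between ignore, quarantine and a false-positive report.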

drhayden1
Re: Again "a-squared free" goes bunkers!
« Reply #1 on: May 24, 2007, 10:18:56 AM »
now you can see WHY damian- it is gone from my 2 computers FOREVER :P
remember my HELL with it :o
http://forum.avast.com/index.php?topic=27877.0
Gateway Laptop-AMD Phenom™ II Quad-Core Processor N830 (2.1GHz)-5000MB Dual-Channel DDR3 1066MHz Memory-ATI Radeon® HD 5650 Graphics with up to 1024MB of dedicated memory-500GB 5400RPM SATA hard drive-Windows® 8 Pro (64bit)-Windows Live Mail-Kaspersky Pure 3.0-WinPatrol Plus....

polonus
Re: Again "a-squared free" goes bunkers!
« Reply #2 on: May 24, 2007, 10:21:46 AM »
Hi Dan,

You were so right there, and the update I installed, thanks for the heads-up, and have a good night's rest, my friend. It is 10.20 AM here on the European Continent, just had my coffee.

Damian

P.S. Click the picture for animation...

drhayden1
Re: Again "a-squared free" goes bunkers!
« Reply #3 on: May 24, 2007, 10:25:07 AM »
it's 3:25 here damian and no coffee-that animation above is where i am going NOW!!!!
sorry for your false positive from the product inserted below ;)
in case you want to update again damian ;D
Quote
2007-05-24 09:43
Traces signature update for the great a-squared free false positive software
137 Spyware Traces
http://www.emsisoft.com/a2/changelog/free/
http://www.emsisoft.com/en/support/malware/?showmalw
« Last Edit: May 24, 2007, 11:04:18 AM by drhayden1 »

Lisandro
Re: Again "a-squared free" goes bunkers!
« Reply #4 on: May 24, 2007, 11:40:44 AM »
What are they doing there at a-squared, plucking their noses? In such a fashion their scanner is being turned into a risk tool in the hands of the uninformed. What do the forum members think of all this? Shall we advise against using this spyware scanner or is there still hope, that a-squared will turn back on its sloppy ways?
Shame on a-squared, again...
Maybe they're fighting for a high number of detectable things and just trying to persuade users to get the anti-malware (paid) version.
The best things in life are free.

DavidR
Re: Again "a-squared free" goes bunkers!
« Reply #5 on: May 24, 2007, 03:53:05 PM »
It's just a fact of life, a false positive, if you're going to ditch each and every security application that has an FP, you might not be on these forums ;D It has to be user education and unfortunately, many get in trouble before that education 'never delete' quarantine or ignore (if low risk assessment) and investigate.

I'm currently ignoring two registry key detections in adaware that I believe are not an issue, I choose to ignore them (not exclude) so I can monitor if suddenly they are no longer detected. I quite like adaware but it is a real hassle to try and report a possible false positive.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Lisandro
Re: Again "a-squared free" goes bunkers!
« Reply #6 on: May 25, 2007, 04:53:48 AM »
you might not be on these forums
David, why are you being so radical?
Do you use a-squared? Did you know about a-squared failures to restore infections from Quarantine and even avoiding the user to boot? It's not a silly false positive but a program that cannot *manage* its own Quarantine functions. The encryption of Quarantined items fails from time to time... it's silly... pathetic...
I'll keep blaming against a-squared false positives, yes I will. Lack of support of its forum is another problem...
« Last Edit: May 25, 2007, 04:57:13 AM by Tech »

FreewheelinFrank
Re: Again "a-squared free" goes bunkers!
« Reply #7 on: May 25, 2007, 09:08:32 AM »
Hi Tech,

I think David was suggesting that if you were going to abandon every product that ever produced a false positive, then you would have no anti-malware scanners left to use, including avast!.

The quarantine error with a-Squared was a serious issue, but it's wrong to imply that support on the a-Squared forum is a problem.

The issue was fixed the same day it was reported with an apology and an explanation posted by the a-Squared team. What more could be expected?  ???

http://forum.emsisoft.com/Default.aspx?g=posts&t=2038

Quote
It is a false alert, or better said a bug in our signatures.

The signature file has been fixed now. Please run an online update to verify.

I apologize for the troubles it made!

Quote
The problem was, that it did not try to quarantine the missing reg key only, it quarantined nearly the whole registry. That can't work and would take hours to complete. I guess that's the reason why it was not able to restore it.

Your complaint about lack of support in the same thread was made a week after these postings!

A couple of FP issues I've had were dealt with promptly after I reported them on the forum.

With the detection by a-Squared of malware quarantined by other anti-malware products, the a-Squared team posted an entirely reasonable response:

Quote
Btw. if you require immediate answers, please post a support ticket at the customer center. We're not hourly watching the progress of every single forum thread.

http://forum.emsisoft.com/Default.aspx?g=posts&t=2066

But by this time you'd gone off in a huff!

Quote
I'll give up on waiting for an official answer...
It's a pity. Lack of support

They then fixed the problem the same day.  ::)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

drhayden1
Re: Again "a-squared free" goes bunkers!
« Reply #8 on: May 25, 2007, 12:53:32 PM »
even spybot had a false positive incident the other day and corrected it-so not all software is perfect
i posted this in updates yesterday
Spybot Search & Destroy - http://spybot.info/en/updatehistory/index.html
An update is available to correct a false positive which occurred with yesterday's update
At the time of posting the website had not been updated but the update is available.

i have just had my share of troubles with a-squared free and decided not to use it anymore-my computer-my choice of software that works for my computer :D


Lisandro
Re: Again "a-squared free" goes bunkers!
« Reply #9 on: May 25, 2007, 01:42:38 PM »
The quarantine error with a-Squared was a serious issue, but it's wrong to imply that support on the a-Squared forum is a problem.
I've posted in two threads and did *not* receive any official answer about the bug. I'm not implying anything, just reporting a personal experience, a sad one.

The issue was fixed the same day it was reported with an apology and an explanation posted by the a-Squared team. What more could be expected?  ???
The issue? No, for sure not. They've corrected the false positive detection.
Quarantine was still unable to restore the deleted keys of the Registry and the Quarantine has still unencrypted items.

Your complaint about lack of support in the same thread was made a week after these postings!
Still there was a position from them about the Registry restoration.
Neither in Safe Mode...

The a-Squared team posted an entirely reasonable response:
Quote
Btw. if you require immediate answers, please post a support ticket at the customer center. We're not hourly watching the progress of every single forum thread.
Reasonable? I've sent the email to the support team... received nothing...

They then fixed the problem the same day.  ::)
They don't fix the problem... they fix the false positive.

Frank, I won't think different. I'm not a fan-boy. If I don't like the product or the support I will complain.

DavidR
Re: Again "a-squared free" goes bunkers!
« Reply #10 on: May 25, 2007, 02:31:03 PM »
you might not be on these forums
David, why are you being so radical?

Not so radical, I think, realistic.

Frank exactly understood my comment in his reply (quote below), that false positives are a fact of life that have to be worked around rather than jump from application to application as it affects them all including avast to one degree or another. Some won't even admit to false positives.

Hi Tech,
I think David was suggesting that if you were going to abandon every product that ever produced a false positive, then you would have no anti-malware scanners left to use, including avast!.

Your issue with the functionality is an entirely different matter (serious), but in this topic we are talking about false positives, that and only that was what my post was about.

FreewheelinFrank
Re: Again "a-squared free" goes bunkers!
« Reply #11 on: May 25, 2007, 03:19:49 PM »
Quote
The problem was, that it did not try to quarantine the missing reg key only, it quarantined nearly the whole registry. That can't work and would take hours to complete. I guess that's the reason why it was not able to restore it.

The a-Squared statement has explained the issue to my satisfaction at least: the FP resulted in the quarantine feature being required to back up the whole registry, something it was not designed to do and could not reasonably be expected to do.

So there is no 'bug' in the quarantine feature.

Of course a-Squared can be criticised for not spotting a FP with such disastrous consequences in the first place.


Lisandro
Re: Again "a-squared free" goes bunkers!
« Reply #12 on: May 25, 2007, 04:01:34 PM »
false positives are a fact of life that have to be worked around rather than jump from application to application as it affects them all including avast to one degree or another. Some won't even admit to false positives.
Well-known things...

Quote
The problem was, that it did not try to quarantine the missing reg key only, it quarantined nearly the whole registry. That can't work and would take hours to complete. I guess that's the reason why it was not able to restore it.
The a-Squared statement has explained the issue to my satisfaction at least: the FP resulted in the quarantine feature being required to back up the whole registry, something it was not designed to do and could not reasonably be expected to do.
Yes, this is called bug.

So there is no 'bug' in the quarantine feature.
Yes, there are:
1. Non-encrypting quarantine items.
2. If restore feature won't work, at least I expect a message: "you won't be able to roll-back this operation. Do you want to proceed?"

DavidR
Re: Again "a-squared free" goes bunkers!
« Reply #13 on: May 25, 2007, 04:41:37 PM »
I think you have a bug ;D in your quoting again Tech as you are putting words into my mouth again ;D when it was Frank who made the statement you quoted.

So there is no 'bug' in the quarantine feature.
Yes, there are:
1. Non-encrypting quarantine items.
2. If restore feature won't work, at least I expect a message: "you won't be able to roll-back this operation. Do you want to proceed?"

FreewheelinFrank
Re: Again "a-squared free" goes bunkers!
« Reply #14 on: May 25, 2007, 06:19:20 PM »
Quote
So there is no 'bug' in the quarantine feature.
Yes, there are:
1. Non-encrypting quarantine items.
2. If restore feature won't work, at least I expect a message: "you won't be able to roll-back this operation. Do you want to proceed?"

1. Quarantine items were encrypted, but some other AV products were able to decrypt a-Squared quarantine files because both used the same 'generic decryption module'. You pointed this out in a thread started on 29th April, on 1st May you wrote:

Quote
I'll give up on waiting for an official answer...
It's a pity. Lack of support

Having given up on a-Squared support, perhaps you didn't notice the two replies from the a-Squared team posted the same day:

Quote
Other virus scanners come with a generic decryption module that are able to unpack our crypted quarantine files. We'll use a stronger encryption in the next version.

Quote
Today's beta update should fix that problem.

I think three days to investigate, identify and fix a problem is actually pretty good support, and I'm having trouble understanding your impatience on the a-Squared forum.  ::)

2) If a-Squared had seen the problem coming, they would presumably have just not introduced the FP identification. They are saying that quarantine is not designed to back up the entire registry. It's a bit like saying 'My seat belt didn't protect me when the wheel fell off my car, it careered off the road and exploded: why doesn't the manufacturer provide better seat belts?' What you should be asking is 'Please can you ensure the wheel doesn't fall off my next car please?'  ;D
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
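
The failure argued over in this thread (a false positive that made quarantine take in nearly the whole registry, followed by a restore that could not complete and no warning beforehand) comes down to two checks before any destructive step: bound the scope, and verify the backup. This is an added example of that design, not a-squared's code and not from any poster; the registry is modelled as an in-memory dict, and `MIN_DEPTH`, `MAX_VALUES` and all function names are assumptions.

```python
import json

MIN_DEPTH = 3      # assumed policy: never quarantine a hive or a top-level key
MAX_VALUES = 200   # assumed policy: ceiling on values moved by one action


class QuarantineRefused(Exception):
    """Raised before anything is deleted, so the caller can warn the user."""


def subtree(registry, key):
    """All keys at or below `key` in a {key_path: {value_name: data}} model."""
    prefix = key + "\\"
    return {k: dict(v) for k, v in registry.items()
            if k == key or k.startswith(prefix)}


def quarantine_key(registry, key, store):
    """Back up and remove `key`; refuse if the scope is too wide to restore."""
    target = subtree(registry, key)
    n_values = sum(len(v) for v in target.values())
    if len(key.split("\\")) < MIN_DEPTH:
        raise QuarantineRefused(f"{key}: too close to the hive root")
    if n_values > MAX_VALUES:
        raise QuarantineRefused(f"{key}: {n_values} values exceed {MAX_VALUES}")
    store[key] = json.dumps(target, sort_keys=True)
    if json.loads(store[key]) != target:        # verify the backup first
        del store[key]
        raise QuarantineRefused(f"{key}: backup did not round-trip")
    for k in target:                            # only now remove the originals
        del registry[k]
    return n_values


def restore_key(registry, key, store):
    """Put a quarantined subtree back exactly as it was backed up."""
    restored = json.loads(store.pop(key))
    registry.update(restored)
    return sum(len(v) for v in restored.values())


def build_sample_registry():
    """Constructed sample data, not taken from a real machine."""
    reg = {
        r"HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Settings":
            {"GUID": "constructed-guid", "Licensed": "1"},
        r"HKEY_CURRENT_USER\Software\Netcraft\Toolbar\Logo":
            {"LastModified": "constructed"},
    }
    for i in range(300):   # stand-in for the rest of HKLM\SOFTWARE
        reg[rf"HKEY_LOCAL_MACHINE\SOFTWARE\Vendor{i}\App"] = {"Version": str(i)}
    return reg
```

A `QuarantineRefused` raised here is the point at which a user interface can show the "you won't be able to roll back this operation" prompt asked for above, because nothing has been removed yet.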