Archive for the ‘Spyware’ Category.

Webroot Phileas

I was perusing the Webroot website when I found the Phileas page. It sounds like the Microsoft Research Honeymonkeys project.

Phileas is a ground-breaking online spyware research system developed by Webroot. Using patent-pending technology that scours the entire Web, Phileas discovers spyware on the Internet faster and more efficiently than any other research method. More importantly, it does so before home computer users or corporations unwittingly become infected.

AOL bundles CA Spysweeper

Back in August I wrote about a purchase of Aluria by Earthlink. I speculated that might end the relationship with AOL.
Well, the shoe has finally dropped. AOL has announced that AOL Spyware Protection 2.0 will be using Computer Associates Spysweeper product. And AOL just couldn’t resist some potshots at Aluria, suggesting they couldn’t be trusted to categorize spyware, they don’t have a large antispyware database, they don’t update often enough, they don’t offer realtime protection and their scans take forever. Funny, AOL wasn’t singing that tune when they went with Aluria, a previously unheard-of company from Maitland, Florida.
I’ve only evaluated the enterprise version of the Spysweeper product. It was ok back in June 2004, but now it is not performing well on recent bakeoffs.

Webroot 2.5 update part 2

I called support yesterday to check in on any possible interactions between Symantec Antivirus Corporate Edition version 10 and Webroot Spysweeper Enterprise. SAV 10 now has realtime spyware protections and I wanted to see if there would be any issues. Symantec warns about using the antispyware parts with other realtime antispyware programs. Support says there should be no issues. Just make sure you don’t have the install block turned on when you try to upgrade (duh). Also they say I might want to have SAV exclude the Webroot directories for performance reasons.
I also asked them when Webroot 2.5 will be available for existing customers. The support tech reports that it will be available after Labor Day. So I can push Webroot down my list of things to do until next week.

Webroot 2.5 update notes

Spy Sweeper Enterprise 2.5 is currently available for new installations only. They say they will be releasing an upgrade package for current customers “shortly.”
Just as well, I’ve got some other things to be working on anyway.

Earthlink acquires assets of aluria

Another bit of news from Donna’s security flash. Earthlink has picked up the assets of Aluria software.
Aluria is a small company from Lake Mary, Florida. That’s just north of Orlando, so I know the area a bit from my time down there. Although Aluria’s consumer product has been highly rated, I was never high on them. I seem to recall some controversy about them whitelisting WhenU.
Doesn’t Aluria currently provide the antispyware functionality in the AOL Security Edition? Also I believe that Webroot had been providing Earthlink’s antispyware capability. Interesting changes, hmmm.
I figured after Pestpatrol got bought by CA that two things would happen: 1) Pestpatrol would no longer be highly rated. 2) There would be more consolidation as the major companies try to buy into the antispyware market.

Webroot Spysweeper Enterprise 2.5 Update Released

I saw over on Donna’s Securityflash that Webroot has put out a press release that their enterprise version 2.5 is now available. I’m sure as a customer, they’ll let me know this sooner or later. :) Actually there is a “news” page within the product, so I would probably have learned this next time I opened the admin console.
http://www.webroot.com/resources/archive/pr/2005/aug/ssenterprise2-5.html
Sounds like they have some good features including enhanced reporting, faster scan times, the ability to set a safe mode scan, enhanced scanning ability, a new web admin interface, alternate data stream prevention, and enhanced client updates for mobile users.
Sounds like I have a few busy days ahead of me. I probably should resist the urge to deploy for about a week and let other people be the guinea pigs. I’ll probably at the least deploy the upgrade to my test group now.

Sunbelt SW Counterspy

Sunbelt Software Counterspy has an article analyzing WhenU practices here.

Hijacked 404, Last Word, no really

I thought I’d said all I was going to say on the hijacked 404 web page, but there was a little bit of news today.
1. A moderator reports that the problem is resolved. So at least that is progress if they are admitting there was a problem. I’d prefer to know what was wrong and how they made sure it doesn’t happen again. That’s how we treat users where I work, and I’d expect the same when I’m the customer.
2. POWWeb support did get back to me Sunday morning (1.5 days after the ticket was entered). All they really said was there was no problem and they closed the ticket.
3. PoWWeb locked a thread on their bulletin board discussing this issue. I don’t think the thread was at all out of line. I’m a bit annoyed at their ham-handedness in closing the thread as well as their unresponsiveness in general.
Over the past 6 months I’m really starting to doubt powweb’s commitment to security. Certainly users installing Content Management Systems like phpnuke doesn’t help things. People picking dumb passwords doesn’t help things. But when I do everything I can to run a secure site, and the host fouls things up, that pisses me off.

Hacked 404 – Final Chapter

I got a note back from Websense today that they’ve added the link I sent them to the block list, so Websense customers with the Premium Spyware Group will be protected from that little baddie.
I also finally added in the custom 404 redirect. I didn’t take the time to add in a redirect for 401, 403 or 500. I really should do that, just to protect myself from further ISP incompetence. I haven’t noticed any 404 hijacking for the past day or two, so we may be out of the woods.

Hacked 404 Part 3

I took the files that the fake 404 error page was attempting to install and sent them to Symantec. As I mentioned in my last post, virus total showed several other vendors detecting it as a virus, but not Symantec. I should mention that virustotal.com does not use version 9 of Symantec and would be unable to detect adware, so I checked it myself before submitting with SAV 9.0.2.
Symantec’s Antivirus Response Center reports that the chm file is a trojan downloader and the exe file is a trojan adclicker. The 4/17 intelligent updater files should contain defs for this.
Another user on the web server cluster I am on reported that users of his website are reporting virus detections. Sure enough, with McAfee when I go to his site, I get a virus detection immediately. I can see in the source for the page I get that there is an iframe loading something from a .la TLD. This is like what happened to me. I suspect that he has a bad link on his page.
Just like my problem, it comes and goes. 3 hours later, I now can’t reproduce the problem on his site.
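
The check described in the post above (reading the page source for an iframe that loads from a foreign host) can be run on a saved copy of a page, which helps when the injection is intermittent. This is an added example, not code from the original post; the function names, the allowlist parameter and the sample page with its `.example` hosts are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute pulls active content into the page.
WATCHED = {"iframe", "frame", "script", "embed"}

class SrcCollector(HTMLParser):
    """Collect (tag, src, attributes) for every watched tag in a page."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in WATCHED and a.get("src"):
            self.found.append((tag, a["src"], a))

def is_hidden(a):
    """True when the element is sized or styled so a visitor never sees it."""
    style = a.get("style", "").replace(" ", "").lower()
    tiny = any(a.get(k, "").strip() in {"0", "1"} for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

def offsite_embeds(html, page_url, allowed_hosts=()):
    """List embeds served from hosts other than the page's own or the allowlist."""
    allowed = {urlsplit(page_url).hostname, *allowed_hosts}
    parser = SrcCollector()
    parser.feed(html)
    findings = []
    for tag, src, a in parser.found:
        host = urlsplit(urljoin(page_url, src)).hostname
        if host and host not in allowed:
            findings.append({"tag": tag, "host": host, "hidden": is_hidden(a)})
    return findings

# Constructed sample of a tampered error page. The post saw a .la host; reserved
# .example names are used here instead.
SAMPLE_404 = """<html><body><h1>404 Not Found</h1>
<script src="/js/site.js"></script>
<script src="//stats.partner.example/counter.js"></script>
<img src="http://images.partner.example/logo.png">
<IFRAME SRC="http://unknown-host.example/load.php" width=0 height=0></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for f in offsite_embeds(SAMPLE_404, "http://www.mysite.example/missing",
                            allowed_hosts={"stats.partner.example"}):
        print(f)
```

Saving each fetched copy with a timestamp before running the check keeps evidence of a page that later comes back clean.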