Slashdot Mirror


CA's 'Pest Scan' Results Mislead Users

FriedDuck writes "After reading eWeek's article about CA's ranking of spyware threats I went to their site to check it out and try their free spyware scan. I was stunned. CA reported that my machine is being terrorized by eleven 'pests' including some that are pretty serious (not just tracking cookies). Unfortunately all of the serious threats were false positives. CA reported that I had a key logger, cracking tool, and various other nasties that all turned out to be common software (e.g. Flash, SourceSafe) that one wouldn't easily mistake for malware. In fact, without exception my system contained none of the registry keys, folders, or binaries that CA itself says should be there. A blatant attempt at scaring people into buying shoddy software." Read on for the details of what was found, and what was actually on the system.

"If it matters, here's what it reported, and what was there on my system:

  • System Spy - Key Logger. Mistook MSFT's SourceSafe executable for the keylogger. None of the other registry keys, folders or binaries were present
  • Fake CD .99 - Cracking Tool. Mistook the generically-named unins000.exe that InstallShield uses as the Cracking tool. None of the other binaries were present
  • Ezula TopText - Adware. Mistook the installation of Flash as the adware. Stupid.
  • BonziBuddy - Spyware. Mistook a common library installed by Borland's CaliberRM (EZSMTP object) as the spyware.

None of the other binaries, folders or keys (of which there are many) were present."
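The pattern the post describes (a generic file name treated as proof of a pest while the registry keys, folders and binaries the vendor's own write-up lists are all absent) as an added Python example; this is not code from the post or from CA's scanner. The signatures, the file-name overlaps, the hashes and both host snapshots are constructed for illustration, and the names "System Spy" and "Fake CD .99" are borrowed only as labels. The point it shows is that a bare file-name hit should be corroborated by another indicator class, or by a hash, before it is reported, and that doing so still catches a real installation whose binary has been renamed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PestSignature:
    """One 'pest' definition: file names the pest has been seen using, plus the
    corroborating indicators (hashes, keys, folders) a write-up would list."""
    name: str
    category: str
    filenames: frozenset      # generic names, e.g. an uninstaller stub
    sha1: frozenset           # hashes of the actual malicious binaries
    registry_keys: frozenset  # keys the pest creates
    folders: frozenset        # folders the pest creates


# Constructed stand-in for the real keylogger binary; only its hash matters here.
KEYLOGGER_BYTES = b"constructed: pretend this is the System Spy keylogger"

# Hypothetical signatures modelled on two of the four reports in the post.
# The file-name overlaps are the assumption being illustrated, not CA's rules.
SIGNATURES = (
    PestSignature(
        name="System Spy", category="Key Logger",
        filenames=frozenset({"ssexp.exe"}),   # assumed overlap with a SourceSafe binary
        sha1=frozenset({hashlib.sha1(KEYLOGGER_BYTES).hexdigest()}),
        registry_keys=frozenset({r"HKLM\SOFTWARE\SystemSpy"}),
        folders=frozenset({r"C:\Program Files\SystemSpy"}),
    ),
    PestSignature(
        name="Fake CD .99", category="Cracking Tool",
        filenames=frozenset({"unins000.exe"}),  # generic uninstaller stub name
        sha1=frozenset(),
        registry_keys=frozenset({r"HKCU\Software\FakeCD"}),
        folders=frozenset({r"C:\FakeCD"}),
    ),
)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan_by_filename(host_files, signatures=SIGNATURES):
    """Naive scanner: any file whose name appears in a signature is reported.
    This reproduces the behaviour the post describes: a SourceSafe binary and an
    uninstaller stub come back as a keylogger and a cracking tool."""
    return sorted(
        (sig.name, path)
        for path in host_files
        for sig in signatures
        if _basename(path) in sig.filenames
    )


def scan_corroborated(host_files, host_registry, host_folders, signatures=SIGNATURES):
    """Report a pest only on a hash match, or when a file-name hit is backed by
    at least one other indicator class (registry key or folder) of the same
    signature. Returns {pest name: [(indicator kind, value), ...]}."""
    findings = {}
    for sig in signatures:
        evidence = []
        for path, content in host_files.items():
            if hashlib.sha1(content).hexdigest() in sig.sha1:
                evidence.append(("hash", path))
            elif _basename(path) in sig.filenames:
                evidence.append(("filename", path))
        evidence += [("registry", k) for k in sorted(sig.registry_keys & host_registry)]
        evidence += [("folder", f) for f in sorted(sig.folders & host_folders)]
        kinds = {kind for kind, _ in evidence}
        if "hash" in kinds or len(kinds) >= 2:
            findings[sig.name] = evidence
    return findings


# Constructed snapshot of the reviewer's machine: legitimate software only.
CLEAN_FILES = {
    r"C:\Program Files\Microsoft Visual Studio\VSS\win32\ssexp.exe": b"constructed SourceSafe explorer",
    r"C:\Program Files\CaliberRM\unins000.exe": b"constructed uninstaller stub",
    r"C:\WINDOWS\system32\Macromed\Flash\Flash.ocx": b"constructed Flash player",
}
CLEAN_REGISTRY = {r"HKLM\SOFTWARE\Microsoft\SourceSafe", r"HKLM\SOFTWARE\Macromedia\FlashPlayer"}
CLEAN_FOLDERS = {r"C:\Program Files\Microsoft Visual Studio", r"C:\Program Files\CaliberRM"}

# Constructed snapshot of a genuinely infected machine: the keylogger binary
# has been renamed, but its hash, registry key and folder are all present.
INFECTED_FILES = {**CLEAN_FILES, r"C:\Program Files\SystemSpy\svchost32.exe": KEYLOGGER_BYTES}
INFECTED_REGISTRY = CLEAN_REGISTRY | {r"HKLM\SOFTWARE\SystemSpy"}
INFECTED_FOLDERS = CLEAN_FOLDERS | {r"C:\Program Files\SystemSpy"}


if __name__ == "__main__":
    print("filename-only, clean host:", scan_by_filename(CLEAN_FILES))
    print("corroborated, clean host: ", scan_corroborated(CLEAN_FILES, CLEAN_REGISTRY, CLEAN_FOLDERS))
    print("corroborated, infected:   ", scan_corroborated(INFECTED_FILES, INFECTED_REGISTRY, INFECTED_FOLDERS))
```

On the clean snapshot the file-name scanner reports both pests, exactly the kind of result the post complains about; the corroborated scanner reports nothing, because neither file-name hit has a matching key or folder. On the infected snapshot the corroborated scanner still flags the keylogger through its hash even though the binary no longer carries the signature's file name.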

37 comments

  1. FYI re: AVG Free Edition by Tumbleweed · · Score: 4, Informative

    Speaking of virus scanners, I've got the new v7 of AVG's free edition on my newly-installed system, and found something odd. Some virus infections require Grisoft's "vcleaner.exe" program (from their website) to clean infections. Strangely, this also scans the entire system, and found (& fixed!) some things AVG itself didn't even find. Bizarre.

    1. Re:FYI re: AVG Free Edition by Anonymous Coward · · Score: 0

      Thanks for the heads-up.

    2. Re:FYI re: AVG Free Edition by bhima · · Score: 1
      you know, Smoosh were on All Songs Considered recently...

      http://www.npr.org/programs/asc/archives/asc74/

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  2. I already know what's on your system by Anonymous Coward · · Score: 0

    And I'm glad you don't trust CA.

  3. Help... file delete by Davak · · Score: 3, Interesting

    I was recently writing this article for tech-recipes where I was trying to describe how to remove spyware files that are "protected."

    http://www.tech-recipes.com/windows_tips778.html

    Isn't there a program out there that will tell you which services or programs are protecting a file?

    Davak

    1. Re:Help... file delete by Johnno74 · · Score: 3, Informative

      Yes, there is a tool to tell you what process is holding a lock on a file - you mentioned it in your article too!

      Use process explorer from Sysinternals. (free download)

      If you use the "find handle" function, and enter the filename, or partial filename, it will list the processes that have this file opened. The find dll function is similar, but finds all processes that have loaded the specified DLL. Very handy for spyware that lives in a dll and has loaded itself with rundll.exe...

      It's an incredibly useful tool. It's one of the first apps I install after a rebuild.

    2. Re:Help... file delete by rpresser · · Score: 2, Informative

      Even quicker in many instances is Sysinternals handle.exe, a commandline version of the find handle function.

  4. VIRUS FOUND by Nykon · · Score: 0, Troll

    WARNING VIRUS FOUND: 'Windows.XP OS'

    Please download the fix by running the FDISK utility and visiting http://www.gentoo.org

    --
    "It's better to be a pirate than join the Navy"
    1. Re:VIRUS FOUND by Anonymous Coward · · Score: 0, Insightful
      WARNING TROLL FOUND: Nykon (304003)

      Please moderate down to -1 so that other users will not be infected.

    2. Re:VIRUS FOUND by Anonymous Coward · · Score: 0

      Of all the places, you think slashdot would have found the humor in his post

    3. Re:VIRUS FOUND by Anonymous Coward · · Score: 0

      where have you been? slashdot has been inundated with win kids since the UIDs went 6 digits and signal11 bailed. Only the editors and a few holdouts actually run other OSes

  5. From the scan: by shufler · · Score: 4, Funny

    You must be using Internet Explorer with your security settings set to allow ActiveX controls to use the Pest Scan.

    So, I must lower my security, so you can test my security? Well, I guess that means I win!

    1. Re:From the scan: by th3w4y · · Score: 1

      a very good point....

  6. Spyware by maddskillz · · Score: 1

    I ran this scan before and it said I had a keylogger. Turns out it was something to do with the registration wizard in the Sims 2. Have to say, was a little worried at first, when I saw this!

  7. Doesn't work with Linux... by advocate_one · · Score: 1

    hah... that's one web page I wouldn't want working on my Linux box anyway... :)

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  8. Flash by theCoder · · Score: 1

    Mistook the installation of Flash as the adware. Stupid.

    I don't know... maybe it just had the wrong name? :)

    --
    "Save the whales, feed the hungry, free the mallocs" -- author unknown
    1. Re:Flash by EricV314a · · Score: 1

      I don't understand how he can call finding Flash a *FALSE* positive...

  9. CA=Computer Associates by Picass0 · · Score: 0, Troll

    Would it kill the Slashdot editors to learn some proper editing skills? In the course of a story you should define all acronyms rather than assume all readers know every combination of letters and numbers.

    Get a book on Associated Press writing style and use it.

    1. Re:CA=Computer Associates by xoboots · · Score: 1

      The only acronyms I saw were "CA" and "MSFT". CA is used by Computer Associates in the same way that General Motors uses GM. There may be reasons to yell at the Slashdot editors but surely, this isn't one of them.

    2. Re:CA=Computer Associates by TFGeditor · · Score: 1

      CA also = California
      AC also = Alternating Current
      GM also = Genetically Modified
      IP = Internet Protocol, Intellectual Property, and hell, around here, even Indecent Proposal

      I agree with the parent. It is incumbent on the "editors" to instill some order; the term "editor" entails more than simply accepting or rejecting stories.

      --
      Ignorance is curable, stupid is forever.
    3. Re:CA=Computer Associates by FriedDuck · · Score: 1

      You're right. I should have provided references to CA and MSFT. I assumed in this context that it would be obvious--neglecting to consider the broader audience that this site reaches. Jeff

    4. Re:CA=Computer Associates by CoderDevo · · Score: 2
      I'm not going to disagree with you. The poster could have used the full name at the start of the post, especially for a two-letter acronym since they typically signify countries or states.

      But, to defend the poster, I would hope that a self-respecting news reading nerd would know CA as one of the 5 largest (by revenue) software vendors in the world, right after Microsoft, Oracle and SAP.

      The company is identified as simply "CA" more commonly than as "Computer Associates International". I guess a valid excuse for not knowing this may be that CA does not offer a wide variety of consumer products beyond desktop security controls - as opposed to EA (sixth largest software vendor) or Id (not Idaho) who sell only entertainment software. Then again, Oracle has no consumer products and I hope you've heard of them.

    5. Re:CA=Computer Associates by Picass0 · · Score: 1

      Computer Associates is a very well known company, and most people will assume it is them being discussed in the Slashdot story. But assuming is different than knowing. The first time CA was used in the story it should have been 'Computer Associates (CA)'.

      If Slashdot aspires to be a news blog ("News for Nerds") they should follow proper editorial standards occasionally. The New York Times, Associated Press, LA Times, and numerous other newspapers publish writing style guidelines. Editors at countless newspapers use the New York Times writing style guide as a baseline for their own stories.

      If Slashdot aspires to be a news blog ("News for Nerds") it is their job to inform the reader, not leaving any room for doubt. That doesn't mean treating the reader like an idiot. It does mean understanding people without CS degrees also come here to read about rapidly changing technology issues.

      It is a writer's job to be clear, and an editor's job to catch when he/she fails. Since story submissions on Slashdot are done by readers it falls on the editors to determine if a story needs to be corrected. /. editors do not perform this task.

    6. Re:CA=Computer Associates by Picass0 · · Score: 1

      It's not you. Slashdot stories are mainly submitted by readers, not all of whom are writers, so it's Timothy this time who's not doing his job.

      I see this sort of thing almost every day on Slashdot. When a new protocol or language is discussed, the story does not make clear why this does or does not matter to most readers.

      Since this website is identified so closely with Linux users, it doesn't help the outside perception of us as elitists when we don't care to convey knowledge in a way that is clear.

  10. Time to upgrade to the 20th century by Safety+Cap · · Score: 2, Interesting
    ~ MSFT's SourceSafe ~.

    I'm glad to see that one other developer on the planet is using source control, but you really need to upgrade. Seriously, not even MS uses VSS anymore---it is the most unstable, feature-scarce, POS source control there is.

    May I suggest Subversion/Tortoise?

    The best part about SVN over VSS is that you don't need to worry about exclusive locks. If one programmer (or yourself) checks out something and makes changes, you can still check out a pristine copy, make changes, and then everyone can check back in (last one in has to do a merge) without worry.

    On a dev team of more than one, invariably someone will leave something checked out and then take a vacation. With VSS you're pretty much screwed, but with more advanced source control this is no longer an issue.

    --
    Yeah, right.
    1. Re:Time to upgrade to the 20th century by Anonymous Coward · · Score: 0

      May I suggest Continuus?

      It has a steep learning curve. The ideology behind it is bizarre at best. The windows UI is crap. I also strongly suspect it is sentient because of its unexpected behaviour.

      It is 'professional' and fucking expensive, so it must be good.

    2. Re:Time to upgrade to the 20th century by FriedDuck · · Score: 1

      I presume that this is why Microsoft promises lots of 'Team productivity' enhancements in their next version of Dot Net. (Funny how it's always going to be great in the next version.)

      Our teams have been frustrated not just by SourceSafe, but all of Microsoft's tools. Each new iteration is more complex, unnecessarily interdependent with other MSFT products, and buggy. (SourceSafe's penchant for corrupting the very thing it purports to protect comes to mind.)

      Thanks for the links to the other source control tools--I'll check them out.

      --Jeff

  11. Unfortunately these tactics are too common by Mycroft_VIII · · Score: 4, Informative


    Unfortunately lots of free/shareware 'anti-spyware' tools generate false positives and do other 'wrong' things to get you to buy the full version. Some only find the malware, but make you pay to clean them out, and some don't work so well and worst are the ones that install their own spyware and only clean out 'competitors'.
    There is a site that tracks and lists quite a few 'rouge' anti-spyware programs:
    http://www.spywarewarrior.com/rogue_anti-spyware.htm
    One of the things they advise against is following any Google ad, seems buying ads on Google is very popular with the bad anti-spyware makers.
    Personally I just stick with spybot S&D and adaware for most malware and avg for anti-virus.
    And the LAST thing I'd ever do is trust some website to scan my computer, no telling what info they are collecting along with the scan to provide 'marketing data' for their 'business partners'.

    Mycroft

    --
    https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
    1. Re: Unfortunately these tactics are too common by macdaddy · · Score: 2, Interesting

      Even commercial software sensationalizes every so often. Take BlackICE for example. Back when I was a netadm at a Unv I used to frequently get calls, emails and even some visits from students and campus faculty/staff about an "attack" on their computers. Inevitably they'd show me a BlackICE log file warning them about some hacking attempt that involved a ping. Yeah, a ping. Good old ICMP Echo. That's real dangerous. It wasn't even a ping flood; just a single damned ping. Then there were the warnings from SMB packets on the network that were sent out from one of our servers or someone else's desktop. Stupid crap like that. I assume the BlackICE marketing folks want the users to really think they need the BlackICE products in order to survive on the 'Net. That's the only reason I can think of to annoy the users like that (and thus me).

    2. Re: Unfortunately these tactics are too common by Mycroft_VIII · · Score: 1

      Yeah, it doesn't surprise me. But some of these programs go past even that. Some are flat out ripoffs of other software (as in disassemble code, change a few strings, re-compile, sell) and some claim specific malware that only their 'pro' version can fix, malware provably not on the machine (as in fresh install of xp, no net connection, the free version of the scan software the ONLY software not on the xp disk installed, etc.). And in a few cases the software itself has installed malware.

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
  12. oh n0s!!!!11 by evilmousse · · Score: 1


    oh n0s!!!!11 my m3gahr7z h4v3 b33n st0l3d!!11

  13. False alarms on cookies by SamNmaX · · Score: 1
    One thing I've noticed when using adware detecting programs is that they often by default include things like cookies in their set of warnings, along with things such as search engines built into Windows as well as messages about registry settings to 'fix' IE.

    While certainly there are a fair number of people who want to be warned about all this, this isn't generally what they are after, and probably shouldn't be detected by default. While for me personally I can tell the difference between what to worry about and what not to, those that don't, and thus are perhaps most likely to get adware, will see all these warnings about cookies and think their system is infested with adware. They can have just cleaned off their system, then a few days later check again and find some cookies reappear and get false alarm bells. This both frustrates them, and then eventually us when we have to double check their system to see if it's truly clean.

  14. Got to love CA by MerlynEmrys67 · · Score: 2, Interesting
    I remember WAY back in the Day - CA decided to give away free copies of their financial management software Simply Money.

    This was the first time that I ran across free software that I thought I paid too much money for. It was horrible. Since then - I was working for a company that was acquired by CA. Everyone in the Lab I worked for was dying to get out - even went so far as to place bets on who would end up at the bottom of the R&R chart to guarantee a buyout package, rather than leaving CA with nothing.

    --
    I have mod points and I am not afraid to use them
  15. You want expensive? by Safety+Cap · · Score: 1

    Do some PVCS (sorry, whatever Merant, er, Serena is calling it now) and get your checkbook out, baby!

    --
    Yeah, right.
  16. Wrong colour :-) by bigsteve@dstc · · Score: 2, Funny
    There is a site that tracks and lists quite a few 'rouge' anti-spyware programs.

    I think you meant "noir" not "rouge", n'est-ce pas?

    1. Re:Wrong colour :-) by Mycroft_VIII · · Score: 1

      LOL, actually I meant rogue, but I suspect that is known.
      I can sometimes type out of sync hand wise, this usually puts a letter reached by the right hand in front of a letter reached by the left which should instead follow, I usually catch this proofreading, but I guess my brain recognized rouge as a real word, but not as the WRONG word.
      The scary thing is I sometimes do something similar verbally and use a similar, but not quite right contextually, word.

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea