how-to block ads
|
eburger68
Premium,MVM
join:2001-04-28
edit:
February 14th, @10:54AM
| ASW Vendors in La-La Land
Hi All:
Mike Healan of SpywareInfo.com and Suzi of Spyware Warrior have early word on some puzzling new developments on the anti-spyware front -- see:
Don’t Drink the WhenU Kool-Aid
»netrn.net/spywareblog/archives/2···ool-aid/
Leading Antispyware Vendors Quietly Drop WhenU Detection
»www.spywareinfo.com/articles/spy···pped.php
At the heart of this strange tale is WhenU, the well-known adware vendor that struck a controversial deal with anti-spyware maker Aluria late last year:
»WhenU Enters the Anti-Spyware Market
I should note that Mike's and Suzi's reports are based on some routine testing that I performed with the latest version of BearShare, a popular P2P file sharing application that bundles WhenU Save.
Here's what we know:
1) Lavasoft has Removed WhenU from its Detections Database
Lavasoft removed WhenU's applications from their definitions database sometime in the last month -- it looks like it was probably the Feb. 5 update, but it might have been earlier. It was certainly done after the Dec. 29th update, because WhenU's SaveNow is confirmed detected with that definitions database.
The problem is that nowhere did Lavasoft announce this significant change publicly. It certainly didn't appear in any of their recent update announcements, where removals are typically disclosed:
02-05-05
»www.lavasoftsupport.com/index.ph···ic=58404
01-25-05
»www.lavasoftsupport.com/index.ph···ic=57706
01-11-05
»www.lavasoftsupport.com/index.ph···ic=56758
This failure to disclose the removal of WhenU from the Ad-aware detections database to Lavasoft's customers is a serious matter. Whatever one thinks of the de-listing, it should have been disclosed and Lavasoft should have offered an explanation for this change in policy in a clear, public manner. It did not. Instead, it slipped the change into its detections database and failed to inform users, even after users began to complain that WhenU was not being removed, such as this Lavasoft customer did here:
»www.lavasoftsupport.com/index.ph···hl=whenu
2) Pest Patrol has Removed WhenU from its Detections Database
It also appears that Pest Patrol removed WhenU from its detections database, though the situation here is a bit murkier. With the latest definitions Pest Patrol 5 does not flag any of the WhenU Save files. Strangely enough, it does flag a number of WhenU Registry keys, but erroneously labels them as BargainBuddy, Mirar Toolbar, and PurityScan. A sample chunk from a Pest Patrol 5 scan log:
said by PPv5Log.txt:
2/13/2005-4:11:05 PM,29692390,-1630934736,Detected,BargainBuddy,Adware,453068324,key "hkey_local_machine \software\whenusave" value "iptomsa_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607404736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "uninstalltag_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "urlchangecount",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "timeddbupdate_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607304736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "heartbeattime",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "msa",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "maxpopups_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "iptomsatime_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607204736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "src_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "himp_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandskin_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607104736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_rs",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_url",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_incomplete",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_server_update",-1,
2/13/2005-4:11:07 PM,29692390,-1607004736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "db_stamp_rs",-1,
2/13/2005-4:11:08 PM,29692390,-1604494736,Detected,PurityScan,Adware,453073488,key "hkey_classes_root \wusn.1" value "wusn_id",-1,
2/13/2005-4:11:13 PM,29692390,-1551924736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_rs" data "24",-1,
2/13/2005-4:11:13 PM,29692390,-1551924736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "brandstrip_url" data "http://spweb.whenu.com/save_brand3.html",-1,
2/13/2005-4:11:13 PM,29692390,-1551824736,Detected,NN_Bar,Toolbar,453077032,key "hkey_local_machine \software\whenusave" value "src_url" data "http://spweb.whenu.com/pop_up/",-1,
As you can see from one of the attached screenshots, Pest Patrol still detects BearShare, the host application, which is an odd arrangement indeed.
The situation is just as confused on the Pest Patrol web site, where the "Most Prevalent Pests" as of 2/13/04 listed 4 WhenU applications:
»research.pestpatrol.com/Lists/Mo···ests.asp
If you click the names on that page for more information, you'll get next to nowhere, as the most obvious pathways to Pest Patrol's write-ups on WhenU's applications are now broken. The pages can still be found, as Suzi notes -- they're just not findable using the research page search function.
There are some tantalizing hints on Google that WhenU's de-listing was disclosed on this page:
»research.pestpatrol.com/News/New···ions.asp
That de-listing seems to have happened with an earlier update that is no longer detailed on the above web page. Even if it was disclosed on that page, the change certainly was not prominently announced, nor do we have a public explanation for Pest Patrol's decision to de-list WhenU.
3) Aluria Security Center 4.0 Detects WhenU as Spyware
In what is surely the strangest twist in this whole story, Aluria's recently released Security Center 4.0, which incorporates the latest version of its standard anti-spyware application Spyware Eliminator, *does* detect WhenU Save as "spyware" (see the second attached screenshot above). This comes as a surprise because Aluria recently declared WhenU to be "Spyware-SAFE":
»www.aluriasoftware.com/spyware-s···enu.com/
It also partnered with WhenU to offer an adware-supported anti-spyware application called UControl:
»www.whenu.com/whenu_solution.html
Why Aluria's anti-spyware application would be flagging WhenU as "spyware" at the precise moment when Lavasoft and Pest Patrol are de-listing WhenU is puzzling.
We don't know at this point why Lavasoft and Pest Patrol apparently decided to de-list WhenU from their defintions databases, though we strongly suspect that these decisions are in reaction to a new notice and disclosure screen for WhenU Save that was recently added to the BearShare installation process (see the third attached screenshot above).
Full Disclosure:
In the course of my work on spyware and adware issues I routinely talk with a number of companies, individuals, and organizations, including anti-spyware vendors of all sorts. I also have occasion to exchange views with adware and spyware vendors, as readers of this forum will be well familiar with:
»Opinions, please: eBates MoeMoneymaker
As it happens, I became familiar with the new notice/disclosure screens for WhenU that were just recently incorporated into the latest installation of BearShare from several discussions with Avi Naider of WhenU. In fact, it was in the process of reviewing this new BearShare installation that I stumbled across the anomalous behavior with Ad-aware, Pest Patrol, and Aluria reported above.
Although I, like Mike Healan, regard the new notice/disclosure screens incorporated into BearShare to be a significant improvement on the installation process previously used in BearShare, I cannot recommend that anti-spyware vendors de-target WhenU's applications at this time for a number of reasons.
More importantly, though, I am very disappointed that anti-spyware vendors might have de-listed WhenU's applications without publicly and forthrightly announcing and explaining those changes to their users. Anti-spyware vendors are in a business that places a premium on trust, and it is critical that they be forthright with their customers -- many of them the victims of unscrupulous commercial behavior -- at every step of the way. When anti-spyware vendors de-list an adware application like WhenU from their detections, they have a duty to report that change in policy to their users. At the present point in time, it appears that Lavasoft and Pest Patrol did not fulfill this obligation to their users, and that is unfortunate.
Conclusion
In closing I should also note that I have asked Lavasoft about its removal of WhenU from the Ad-aware detections database -- see:
»www.lavasoftsupport.com/index.ph···ic=58938
At this time I have received no response from Lavasoft, though I look forward to both Lavasoft and Pest Patrol providing users a forthright explanation of their targeting policies for WhenU and any recent changes they might have implemented in those policies.
Best,
Eric L. Howes | |
harmisajedi
join:2004-10-16
Mountain View, CA | fascinating post. thank you, & i bet many of us in the forums will keep tuned for new developments.
/end_harm | |
Scaramouche8
join:2004-09-10
Philippines
| reply to eburger68
This is pretty confusing. I'm not sure what it means, or even what you can extrapolate from it.
Is Aluria trying to regain some of the legitimacy they lost in the WhenU deal? Was the WhenU deal only so WhenU could buy a branded version of the Aluria client to sell?
Has WhenU successfully wooed Pest Patrol and Lavasoft? If so, why were the removals done so abruptly, and so secretively?
--
In the interest of full disclosure I should say that I work for FBMSoftware, makers of ZeroSpyware a spyware-removal tool. Opinions posted do not reflect my employer's unless otherwise noted. | |
CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
| reply to eburger68
Very strange, indeed, Eric. Thanks so much for posting this. I would be very interested in seeing a response from those Antispyware vendors as to why they delisted WhenU without any notice. 
I'd like to know on what basis this was done and why they didn't tell us.
--
It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) | |
Hickerx2
God Bless The U.S. Military
join:2001-03-04
Franklinville, NY
| reply to eburger68
There is a question posted regarding this in the Lavasoft forums as well. If they don't come up with a good explanation for this action, I will demand a refund, and recommend against AAW to every one of my customers. WhenU meets every single requirement and all criteria for adware. Omission from detections can only be construed as greed by Lavasoft, as I'm sure monies were paid by WhenU
--
Kerry for President? Is this Saturday Night Live?....whew!....it was only a bad dream | |
Toymaster
Premium
join:2001-12-27
Flint, MI
clubs:
 ·AT&T Midwest
| reply to eburger68
My question is does Spybot Search and Destroy still list the above programs or target ad program as spyware...I have not use Lavasoft for awhile now and never use Aluria or Pest Patrol products. At this point I see no reason to use said products. I hope none of this where products you have to actually pay for, I will continue to donate my funds to free products I deem trustworthy, Spybot. And if they where purchase products can the consumer retaliate against said company for false advertising?
--
Join SETI Now! | |
Ctrl Alt Del
Premium
join:2002-02-18 | reply to eburger68
Thank you for that wonderful post. I have uninstalled Ad-Aware as I no longer trust Lavasoft and their Ad-Aware product as a tool to identify software that may be malicious or annoying.
--
less talk, more music | |
B
Premium,MVM
join:2000-10-28
|
The Ad-Aware "deal" (if that's what it is) is the only somewhat surprising part of this.
I've viewed Lavasoft with distrust for YEARS now.
Recently I've used it once or twice in a pinch. I now feel very bad about that decision.
Lavasoft hasn't been on the side of the angels in quite a long time.
Long live Kolla (Spybot). He may be the only trustworthy provider of this stuff.
-- B
--
In a realm outside causality and function | |
timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL
clubs: |  If Patrick Kolla is the only one continuing the good fight, then we should all probably help by sending him some monetary support.
Tim | |
speedwell
@65.197.x.x
 from:
timcuth 
| reply to eburger68
I'm going to go give that good man some cash right now... | |
dadkins
Land of Confusion
Premium,MVM
join:2003-09-26
Hercules, CA
 ·Comcast
| reply to eburger68
Is this next?  | |
markwp2001
Spreadhead
Premium
join:2002-05-25
Long Beach, MS | reply to eburger68
Many thanks for staying on top of this, eburger. Hope I can buy you a beer or single malt one of these days.
--
Widespread Panic - when only the best will do | |
salzan
Experienced Optimist
Premium
join:2004-01-08
WA State
| reply to eburger68
Very interesting post. It makes me wonder how many other backroom deals may have been struck that are as yet undiscovered.
Perhaps AdAware would be more effective using a pre Dec. 29 database for the time being. Obviously this would be a short term solution... | |
mstrlogcrw
join:2002-11-23
Granada Hills, CA
·Charter Pipeline
| reply to eburger68
One angle of this we might be overlooking is that there may be certain legal proceedings going on in the background that are forcing certain companies to remove detection from their products. Whenever an anti-virus vendor has a false positive, everybody gets up in arms and the people whose software is falsely identified seem to start legal proceedings. I don't doubt the spyware vendors would try and push the anti-spyware companies out of business.
Do we know if Lavasoft is being pressured behind the scene?
Just a thought,
Chris | |
Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
 ·AT&T U-Verse
·RoadRunner Cable
·AT&T Yahoo
| reply to eburger68
I'm glad I dumped CA's EZ Antivirus in favor of Avast
Home edition a few days ago. Even though their Pest
Patrol division pulled out of COAST (of which WhenU
is a member), the fact they removed WhenU from their
detections make me trust them even less. And Lavasoft,
who has been known to post in this forum at times, is
curiously silent on this. I'm waiting for them to
respond to this situation; if none is forthcoming
within a timely manner, I will dump Ad Aware by the
end of the week.
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. | |
B
Premium,MVM
join:2000-10-28
| reply to mstrlogcrw
said by mstrlogcrw :One angle of this we might be overlooking is that there may be certain legal proceedings going on in the background that are forcing certain companies to remove detection from their products. Whenever an anti-virus vendor has a false positive, everybody gets up in arms and the people whose software is falsely identified seem to start legal proceedings. I don't doubt the spyware vendors would try and push the anti-spyware companies out of business. Do we know if Lavasoft is being pressured behind the scene? Good point, but what's the difference?
The issue Eric raises is NOT that they apparently and significantly changed the database for reasons unknown, but that they did so without clearly notifying their own customers.
-- B
--
In a realm outside causality and function | |
dadkins
Land of Confusion
Premium,MVM
join:2003-09-26
Hercules, CA
·Comcast
| reply to eburger68
Huh? | |
Drize a bone
@zqwdrqsz.com
| reply to eburger68
For pity's sake! I only purchased the Plus version of Ad-Aware about 8 weeks ago to help support their good work. Now they do this!!! It won't stop me uninstalling it and looking for something else though. If they don't give a reasonable explanation then it's going. I'll have to start revising some alternatives that run on Win ME. | |
eburger68
Premium,MVM
join:2001-04-28
| reply to eburger68
Hi All:
I'm glad to see that you've found this information useful and informative. I thought I'd add some other information to head off any potential confusion or misunderstanding.
First, while testing the BearShare/WhenU installation yesterday, I confirmed that a number of reputable anti-spyware applications still detect WhenU Save. Still detecting WhenU Save are:
Intermute SpySubtract
McAfee AntiSpyware
Microsoft Anti-Spyware
PC Tools Spyware Doctor
Spybot Search & Destroy
Sunbelt CounterSpy
Webroot Spy Sweeper
Xblock X-Cleaner
As you know, there are many more anti-spyware applications available on the Net, and I have not tested all of them against the BearShare/WhenU installation. The applications listed above do detect that adware bundle, though.
Second, as noted on all my pages at Spyware Warrior, since late November 2004 I have performed part-time consulting work as an independent contractor for Sunbelt Software, makers of CounterSpy. Because of that relationship and the conflict of interest that it represents, I must recuse myself from public comment on CounterSpy. That means that I cannot and will not publicly evaluate, test, or even recommend Sunbelt's anti-spyware product. The anti-spyware products that I do recommend, all of which are competitors to CounterSpy, are listed here:
»spywarewarrior.com/asw-features.htm#rec
You'll notice that Pest Patrol and Ad-aware are still on that list. Although I find this situation disturbing, I cannot justify removing those two applications from my short list of recommended anti-spyware applications before having heard a response from the companies involved.
Best,
Eric L. Howes | |
|
