
eburger68
Premium,MVM
join:2001-04-28


edit:
July 22nd, @02:14AM

Sunbelt Adjusts WhenU Detections

Hi All:

Sunbelt has announced the completion of a review of WhenU's software. As a result of that review process, Sunbelt will be downgrading some, but not all, of its detections for WhenU's products:

* Some of WhenU's products have been reclassified as "Low Risk Adware" or "Adware Bundler" with a Threat Level of "Low Risk" and a Recommended Action of "Ignore."

* WhenU's main advertising application, Save!/SaveNow, will remain classified as "Adware" with a Threat Level of "Moderate" and a Recommended Action of "Quarantine."

You can read a short digest and explanation of Sunbelt's handling of WhenU's software here:

»sunbeltblog.blogspot.com/2005/07···ase.html

A copy of Sunbelt's full 25 page write-up and review of WhenU's software is available in PDF form here:

»www.sunbelt-software.com/ihs/ale···july.pdf [pdf]

Full disclosure: since November of 2004 I have provided consulting services to Sunbelt Software.

Best,

Eric L. Howes

Edit: replaced "adjusting" with "downgrading" in first paragraph.


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
  Thank you again for all your hard work and reporting!



CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

reply to eburger68
Well, I just find this odd because one of the biggest threads here at DSLR was when you voted this:
»ASW Vendors in La-La Land

{disclaimer by CalamityJane and just wondering: I do not consult for a paid fee for anyone}


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·Clearwire Wireless
·RoadRunner Cable


edit:
July 22nd, @12:27AM

reply to eburger68
said by eburger68:

Full disclosure: since November of 2004 I have provided consulting services to Sunbelt Software.

Best,

Eric L. Howes
We should all know by now that it's not about what "words" are in current fashion or popularity to define "SpyWare, AdWare, etc..."
It's about "FULL DISCLOSURE" or the lack of it.
Any criticism from the announced actions certainly won't be from a lack of "Full Disclosure".

BIG EDIT: Calamity Jane has raised an excellent question. Has the word "Downgrade" been replaced with the 'softer, kinder' sounding word "Adjusts"?


mers2
Premium,MVM
join:2004-03-20
USA
clubs:
·AT&T DSL Service
·Charter Pipeline

reply to eburger68
I'm going to be consistent and state I'm disappointed. WhenU may be in the process of cleaning up its act, but it still has a long way to go, which Sunbelt makes known it's aware of and is the reason for differing defaults on different WhenU programs. As recently as June an instance of drive-by installation was found. WhenU shut down the distributor and claimed the distributor was acting alone and without authorization. As far as I'm concerned, as long as there is a problem with any of WhenU's programs the default should be moderate risk and quarantine.
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die.


antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA

reply to eburger68

... the climate in the spyware/malware/adware market seems to be very active and muddled lately, as more and more vendors scramble for survival and some shred of credibility ... I think as long as anti-spyware utilities publicly disclose changes to selection databases, and offer the user a clear choice of actions they can take (allow, ignore, remove), that's all we can reasonably expect - they have to be able to defend whatever actions they take, but offering users input may be enough to avoid the frivolous lawsuits ... it's when they don't announce these changes that the users get screwed, or don't offer options on how WE want to treat these products ...

... at least, that's my take on recent developments, f w i w ...

--
... "Nobody's perfect - well, there was this one guy, but we killed Him" ... Christopher Moore, 'Lamb' ...


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

reply to SnowyOne
said by SnowyOne:

said by eburger68:

Full disclosure: since November of 2004 I have provided consulting services to Sunbelt Software.

Best,

Eric L. Howes
We should all know by now that it's not about what "words" are in current fashion or popularity to define "SpyWare, AdWare, etc..."
It's about "FULL DISCLOSURE" or the lack of it.
Any criticism from the announced actions certainly won't be from a lack of "Full Disclosure".
OH! I see! Lavasoft should have hired Eric, right? Full disclosure is the key.

I'm having a problem with this...I really am.

And then, it's ok to downgrade WhenU. What will be next? gator?

Wait for it. It will happen. So, y'all just be ready.
--
It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals)


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·Clearwire Wireless
·RoadRunner Cable


edit:
July 22nd, @12:56AM

said by CalamityJane:

OH! I see! Lavasoft should have hired Eric, right? Full disclosure is the key.

Maybe a full disclosure sound file would be easier to understand? I'm not for the decisions made, but this represents an 'upfrontness' that has been absent with the latest batch of "downgrades or adjustments" or whatever they're being called today. Given the education I've gotten in the past 2 minutes, I sure wish the title to the thread was
"CounterSpy Downgrades WhenU" instead of "CounterSpy Adjusts WhenU". I'm starting to think it's me that's in La-La Land.
edit: or however this thread is titled.


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

My comment wasn't about you, snowy...I agree with your topic title edit suggestion. I'm just mad that this whole thing has come down to a software wars thing. It was ok for it to be bad in the thread about Lavasoft...now it's OK because Sunbelt sez so.

No wonder we're all confused here (but Eric is disclaiming he is paid by Sunbelt, so I suspect we have a right to voice our opinions about that!)

Give me a break from the madness!
--
It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals)

B
Premium,MVM
join:2000-10-28

Wait a sec, CJ, weren't you the one who said we were all overreacting like crazy and indirectly discouraging malware victims from using a good product (Ad-Aware) to cure themselves?

I'm just not sure which "madness" you're referring to now. Personally I think all commercial antispyware enterprises are doomed, for exactly these reasons. They have to spend too much time finessing the obvious -- spyware companies are evil and must be avoided. They can't just blanket-ban WhenU and Claria without getting sued. That's why we need a lawsuit-proof community based effort or an individualized pseudo-Bayesian approach to spyware blocking. (I said the same in another thread today.)

-- B
--
In a realm outside causality and function


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
The madness is, I think, who makes the most money from their ills?

I will still say that users should use the layered approach, and not depend solely on one product.

eburger68
Premium,MVM
join:2001-04-28


edit:
July 22nd, @01:56AM

reply to eburger68
Hi All:

In previous threads where the subject of CounterSpy has come up I've declined to comment directly on Sunbelt or its application because of my relationship with Sunbelt. Given that I'm involved in this particular event, I can hardly stand aside and pretend that I'm not already involved -- I am. So, let me temporarily put my Sunbelt hat on and address the issues that have been raised here.

First, word choice ("downgrades" vs. "adjusts"). I chose "adjusts" over "downgrades" because the changes made to WhenU's applications were not across the board (unlike the other situations) -- the key adware application that serves pop-up advertising (Save!/SaveNow) has remained unchanged. The others were changed so that they were more consistently classified with similar applications (comparatively innocuous toolbars or adware bundlers such as P2P programs).

Second, as to consistency with my position in the earlier Lavasoft thread, take a look at my initial post in that thread where I made plainly clear that I regarded the problem to be a lack of disclosure first and foremost. I also happened to note that "I, like Mike Healan, regard the new notice/disclosure screens incorporated into BearShare to be a significant improvement on the installation process previously used in BearShare." The changes made to WhenU's software and practices over the past few months are a continuation of the improvements I noted in that earlier thread.

Still further, I still maintain (as I did in that earlier thread) that WhenU still has problems. For the Sunbelt review process documented in the PDF file write-up, I tested 33 different WhenU installations. The majority of them had been cleaned up, providing much better notice and disclosure. Many had not, however, and the remaining problems are clearly documented in Sunbelt's write-up.

Moreover, Sunbelt's review emphasizes the need to distinguish between different types of applications. ClockSync, for example, displays no ads itself, yet often installs WhenU's pop-up advertising program, Save!/SaveNow. That makes ClockSync more consistent with the adware bundlers and P2P apps that Sunbelt already classifies as "Low risk":

»research.sunbelt-software.com/th···0Bundler
»research.sunbelt-software.com/th···gory=P2P

Similarly, the WhenUSearch and Weathercast programs, which display advertising only within the context of their own program windows and GUIs, are more appropriately treated like other programs that Sunbelt already classifies as "Low Risk Adware" or "Potential Privacy Threats":

»research.sunbelt-software.com/th···20Adware
»research.sunbelt-software.com/th···y%20Risk

It needs to be emphasized, however, that WhenU's main advertising application, Save!/SaveNow, has not been reclassified or otherwise changed in the Sunbelt detections database. The pop-up advertising and continuing problems with some Save!/SaveNow installations clearly set that pop-up advertising program apart from programs that display no ads (ClockSync) or that display ads within the context of their own windows (WhenUSearch, Weathercast).

As for the "drive-by-download," I assume that mers2 is referring to the PickOfTheWeb EZ-Toolbar installation. That appears to have been a remaining live link from an inactive distribution partner. Once informed of the link, WhenU quickly got it shut down.

More importantly, it represents the sole instance since November/December 2004 that I know of in which WhenU's software could still be installed via an automated ActiveX installation. Unlike the situation with so many other adware vendors, where sleazy ActiveX installs (to say nothing of full blown stealth-installs through security exploits) are all too easy to find, the changes that WhenU announced back in November to its distribution practices have largely brought an end to those kinds of installations.

That said, if anyone does have evidence of on-going ActiveX installs of WhenU's software or even stealth-installs through security exploits, please feel free to pass along that evidence to me at:

eburger68@myrealbox.com

I'd be more than happy to take a look. Honestly, though, I simply haven't been able to find such installs since the widely publicized Xpire.info exploits back in November and December.

Before I close, I would urge readers to take a look at the Sunbelt write-up on WhenU, which is available from the Sunbeltblog in PDF form:

»www.sunbelt-software.com/ihs/ale···july.pdf [pdf]

That write-up explains in exhaustive detail just how and why Sunbelt came to the conclusions it did. If you want to disagree with those conclusions, fine. I and the folks at Sunbelt would be happy to listen to concrete, well-reasoned arguments grounded in solid evidence. But please do at least give the Sunbelt write-up a read.

Best regards,

Eric L. Howes

suzi
Premium
join:2004-05-01


edit:
July 22nd, @02:55AM

reply to eburger68
I'll just add one note here. I know this change might be a bitter pill for some to swallow, but I highly recommend you read the PDF document. It describes in detail the WhenU programs, including installation practices, advertising, system reconfiguration, data collection and transmission, uninstallation, notice and disclosure, choice and consent. The paper also illustrates how the WhenU apps' practices compare with Sunbelt's listing criteria.

I think Eric has done a very thorough analysis of WhenU's apps and documented it well in his usual meticulous style. The paper also includes screenshots.

»www.sunbelt-software.com/ihs/ale···july.pdf

You can read the listing criteria in full here:

»research.sunbelt-software.com/Li···eria.cfm

Full disclosure: I have been providing consulting services to Sunbelt Software since May 2005.
--
aka Suzi, Spyware Warrior


Microsoft MVP Windows Security 2005

B
Premium,MVM
join:2000-10-28

Everyone's gotta eat, but it's a shame... Thanks for all of your generous contributions. (Seriously.)

-- B
--
In a realm outside causality and function


wtf_seriously

@61.8.x.x

reply to suzi
yes Daphne, it IS 'a bitter pill to swallow' so I'm not going to swallow it, but am going to spit it out.

you can understand why we wince when we hear the words
* Some of WhenU's products have been reclassified as "Low Risk Adware" or "Adware Bundler" with a Threat Level of "Low Risk" and a Recommended Action of "Ignore."

no, I will NOT be ignoring them, thank you very much.


wtf_seriously

@61.8.x.x
reply to eburger68
why don't you just say
"yes it's a bitter pill, but it's for your own good, so go ahead and swallow it"

suzi
Premium
join:2004-05-01

said by wtf_seriously:

why don't you just say
"yes it's a bitter pill, but it's for your own good, so go ahead and swallow it"
My point is that I think people would do well to read the white paper to be informed. CounterSpy gives the choice to remove, quarantine or ignore all of the threats it finds on a scan. That has not changed.
--
aka Suzi, Spyware Warrior
Microsoft MVP Windows Security 2005

ghost16825
Use security metrics
Premium
join:2003-08-26

reply to B
said by B:

That's why we need a lawsuit-proof community based effort or an individualized pseudo-Bayesian approach to spyware blocking. (I said the same in another thread today.)

-- B
A Bayesian approach..just won't work for this type of thing. What you're describing is a sandbox-like utility that uses your rejection of previous executables to reject new ones. This would require recognising similar parts of executables - this is almost signature based detection with heuristics, back to square one.

Re: "A lawsuit-proof community based effort" perhaps something along the lines of Microsoft's Spynet or ZA's system of whether to allow or deny traffic based on community votes. Basically an app which relies only on an online community being aware that 1) the spyware app exists and 2) a default action based entirely on votes. (A modification of this idea perhaps: »sourceforge.net/projects/proxicus)

I personally favour a black and white criteria model with no default action, with this criteria being as..what's the word..factual? uncontentious as possible.

For example using: »research.sunbelt-software.com/Li···eria.cfm

Un-contentious:
Installs via ActiveX controls
(virtually uncontentious) installs via a security exploit or vulnerability
displays third-party advertising in pop-ups
reconfigures the user's browser home page, search settings, or other user-selectable browser preferences
modifies or deletes the HOSTS file
cause those PCs to establish phone connections to premium rate phone numbers (over X dollars/min)
(with a comprehensive set of subcategories) collects Personally Identifiable Information
installs no uninstallation program or equivalent mechanism (i.e., an "uninstaller")
lacks an End User License Agreement

Contentious:
..not functionally required to view the content
...installs without first providing sufficient notice and choice to users and without securing their full, meaningful, and informed consent.
...uses false, misleading, confusing, deceptive..
...with a documented track record of consumer complaints
...techniques that most reasonable persons would find objectionable
..substandard, inadequate notice and disclosure
...without first providing sufficient notice and choice to users and without securing their full, meaningful, and informed consent
...the acceptance of terms that most reasonable persons would find objectionable, onerous, or outrageous

Contentious criteria are useless in my opinion. Contentious criteria mean legal threats.
--
Admin of the Kerio 2x-like open source project:
http://sourceforge.net/projects/kerio/
http://kerio.sourceforge.net/

alexeck

join:2004-12-20
Clearwater, FL


edit:
July 22nd, @05:20AM

Hi folks,

Anyone who knows me or reads my blog knows that we are hardline spyware fighters.

We also believe in transparency. So no "oops, we just discovered Sunbelt changed their database". There will be minor adjustments that we will make from time to time that don't warrant a full release like this one, but bigger ones like this you'll know about.

WhenU SAVE is adware, pure and simple. Just to verify the research team findings, I loaded it myself and tested it. It stays with a default action of Remove and a Moderate Threat level. Period. That is the program that has people here most concerned.

However, we're talking about programs like WeatherCast and WhenU Search here. I downloaded both of these programs and tested them personally. They're fairly innocuous. That doesn't mean we delist them, we have just changed their threat treatment and rating.

These are fine-tunings and adjustments to the database. We are absolutely not delisting these guys. We're just changing the default action and the threat level.

Anyone can also contact me directly if they want to discuss further -- alexe(at)sunbelt-software.com

As an aside, I will say that even though some of the members of the community perform research work for us, you can rest assured that they have full independence in their decisions and are not compromised in the least. They are not pressured to make any decisions. They are highly ethical and extremely conscientious and we wouldn’t have it any other way.

Alex Eckelberry
President

Mowergun

join:2004-02-15
Charleston, IL
reply to eburger68
As I understand it, Counterspy will still detect WhenU stuff, and will remove it if you so choose, and the folks at Sunbelt were upfront and honest.

So what is the big deal, why are some of you getting upset? For crying out loud, calm down.
8th year online! © 1999-2008 dslreports.com.