05-21-2008, 05:16 AM
Sebastian G.
AdAware, Spybot S&D

G. Morgan wrote:


> Universal Trojans? What the heck are you on about now? I said AA and SBS&D
> could (and does) remove a lot of malware making the system clean again.



And if the malware is a universal trojan horse, the system will remain
infected, albeit appearing clean. So stop claiming the contrary. Most
malware implementations are universal trojan horses.


> A well hardened system would be that image + a good A/V w/updates and a
> firewall running before the system becomes a node on the (Inter)network.



Bullshit. Not just that something like "good A/V" doesn't exist (both by
design and by availability), it's far away from being a security
improvement, and even further away from hardening.

But once again: I have set up a system that is provably clean, but not in a
fresh state. I had AdAware and Spybot S&D run over it, and it claimed
multiple infections and security issues, which were provably nonsense. Your
example of how it behaves on a fresh system doesn't disprove my claims at all.

>> Trivial: Just change
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
>> and it will complain that something isn't right.

>
> Of course a good scanner is going to detect a change in the location of HOSTS,
> I fully expect it to.



Nonsense. HKEY_LOCAL_MACHINE is read-only to normal users, so this change
must have been applied by an administrator.
In fact, it was done exactly so for a better management of ACLs, grouping
together various relevant files for which one specifically limits access to
NT-AUTHORITY\SYSTEM and 'named' only.

And this was only one example. It also claims some group policy settings
(which improve security) as issues, noises about cookies with a DOMAIN
attribute (albeit the web browser is configured to not care about it), and
even complains about some known good software (like FlashGet).

Or did you ever try the "immunization" function? It spams the registry full
of useless CLSIDs, fails to do so on HKLM, claims success, then reports
incompleteness on next run, and tries again. WTF?

Not gonna mention AdAware. One does need a test machine just to get around
the broken installer (which tries to write some temporary files to
%SystemRoot%\system32), and then it presents you with an almost empty GUI
(since it tries to use an MSHTML style GUI without even checking if rendering
pictures is active), and then pulls off shit similar to Spybot S&D.


> Now, what about your claim that SBS&D and Ad aware detect false positives on a
> brand new XP install?



This claim is merely a fiction of yours, or your inability to read and
understand.

Aside from that, why can't it detect the most obvious security issues of
such a fresh install?
