alt.computer.security

#1  11-08-2005, 01:10 PM
null (Guest)
Spy Sweeper 4.5 - False Positives


I run several spyware and keylogger detection programs that I've been
relatively satisfied with (Spybot S&D, Adaware, SpyCop (strictly for
keyloggers)) and for haha's I decided to download a free trial of Spy
Sweeper since I've been reading many glowing reviews of this software.

It "detected" my computer as having the "Golden Eye" key stroke
monitor installed because a file named "unins000.exe" exists under a
program folder named URL Helper.

After doing some extensive research, I discovered that none of the files
indicating an active infection with this keystroke software exist.
Namely, for starters:

AGSeyApp.exe: This is the main spyware file.
GEHP.dll: This is the Spyware.GoldenEye helper .dll file

No other indications of an infection exist as well - including
modified registry keys, etc. You can read this all for yourself by
checking the following link on Symantec's Security Response site:

http://securityresponse.symantec.com...goldeneye.html

I would suppose it is safe to conclude that this is simply a failure
of Spy Sweeper to correctly detect the actual files indicating an
infection, but instead, just finding an uninstall file that happens to
have the same uninstall file name. Unless I'm missing something is my
conclusion correct?

It also incorrectly assumed I was infected with IOPUS Starr Pro simply
because I had downloaded the setup executable and stored it in a
folder without actually installing the app.

Does anyone know the method by which Spy Sweeper attempts to detect
infections - is it simply by the presence of a filename without
verifying registry keys and other information that would have to exist
for a true infection to be present?

I emailed Spy Sweeper's technical support for clarification and was
simply told to reinstall. That alone tells me they don't have too
many sharp tools in the shed when it comes to first tier tech support.

Any comments and suggestions would be welcome.

So far, I'm coming to the conclusion that this software isn't all it
claims to be. Which brings up another point - how much are the rags
like PC Magazine being paid off to give this an editor's choice rating
when it seems - even on the surface - to be more smoke and mirrors than
anything else?

Regards,

null

#2  11-08-2005, 08:05 PM
Moe Trin (Guest)
Re: Spy Sweeper 4.5 - False Positives

In the Usenet newsgroup alt.computer.security, in article
<0u81n19m49j46deu8ec9t3eal39rhat44v@4ax.com>, null wrote:


>After doing some extensive research, I discovered that none of the files
>indicating an active infection with this keystroke software exist.


That assumes that the tool you were using (probably some 'file manager')
wasn't altered. It's not an uncommon trick in the UNIX world.

>I would suppose it is safe to conclude that this is simply a failure
>of Spy Sweeper to correctly detect the actual files indicating an
>infection, but instead, just finding an uninstall file that happens to
>have the same uninstall file name. Unless I'm missing something is my
>conclusion correct?


That is one of the mechanisms used to detect problems. Other techniques
involve looking at the registry, or looking at the content of files
searching for specific binary patterns. These all depend on the
anti-malware author keeping up with the changes made by the malware
author. If version 6.5687 is looking for a file named 'AAAAAAAA.AAA'
and the malware author changes the filename to 'AAAAAAAB.AAA', your
version 6.5687 won't find it.

>I emailed Spy Sweeper's technical support for clarification and was
>simply told to reinstall. That alone tells me they don't have too
>many sharp tools in the shed when it comes to first tier tech support.


Sorry, but that's an old joke about the standard corrective action for
windoze systems - "reboot", "reinstall" or "reformat" for harder and
harder problems. Imagine if those were acceptable actions in commercial
or military airplanes, which have _far_ more complex software today.

>Which brings up another point - how much are the rags like PC Magazine
>being paid off to give this an editor's choice rating when it seems -
>even on the surface - to be more smoke and mirrors than anything else?


Question for you - how much do you think it costs to get that (or any)
magazine into your hands? Do you think that the cover price (which
includes costs to the distribution mechanism and retailer) or the
subscription fee (which includes the lower mailing cost instead) repays
the publisher? If so, why are these magazines full of advertising? Do
you think if product evaluation reports didn't dance around the facts,
but actually reported that $PRODUCT_X is a steaming mountain of elephant
droppings, they'd continue to have all those wonderful advertisements?
Do you think that the evaluators would get advance access to new
products from the producer of $PRODUCT_X, so that their evaluation can
be out to the readers when the new product is released? Compare the
timeliness of evaluations in magazines with tons of ads versus the few
magazines that don't accept ads, or free products from manufacturers.

Well known, but little understood fact of life: If there are
advertisements, the advertisers are the clients, and YOU are the
product that the magazine (or newspaper, or TV show) is selling.

Old guy

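The exchange above turns on how an anti-spyware signature decides it has a hit. The following is an added illustration, not code from the thread, from Webroot, or from Symantec: a toy matcher that scores three independent indicator classes (file name, file content, registry key) and shows why a rule satisfied by a single file name flags the poster's legitimate URL Helper uninstaller, while a rule that requires two corroborating classes does not, yet still catches a variant whose file name has changed. The file names come from the thread; the byte pattern `MARKER`, the registry key `REG_KEY`, the paths and the file contents are constructed placeholders, not real GoldenEye indicators.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed stand-ins: a toy byte pattern and a placeholder registry key.
# Neither is a real GoldenEye indicator; the real ones are in Symantec's write-up.
MARKER = b"GOLDENEYE_TOY_MARKER"
REG_KEY = r"HKLM\Software\PLACEHOLDER_GoldenEye"


@dataclass
class Signature:
    name: str
    filenames: Set[str]            # file names the malware is known to use (lower-case)
    content_patterns: List[bytes]  # byte patterns expected inside its files
    registry_keys: Set[str]        # keys its installer is known to create
    min_evidence: int              # independent indicator classes required for a hit


@dataclass
class Host:
    files: Dict[str, bytes]        # path -> contents, an in-memory stand-in for a disk
    registry: Set[str]             # registry keys present on the host


def match_signature(sig: Signature, host: Host) -> Set[str]:
    """Return which indicator classes matched: a subset of {filename, content, registry}."""
    evidence: Set[str] = set()
    for path, data in host.files.items():
        fname = path.rsplit("\\", 1)[-1].lower()
        if fname in sig.filenames:
            evidence.add("filename")
        if any(p in data for p in sig.content_patterns):
            evidence.add("content")
    if sig.registry_keys & host.registry:
        evidence.add("registry")
    return evidence


def scan(host: Host, signatures: List[Signature]) -> Dict[str, List[str]]:
    """Report every signature whose matched indicator classes reach its threshold."""
    hits: Dict[str, List[str]] = {}
    for sig in signatures:
        evidence = match_signature(sig, host)
        if len(evidence) >= sig.min_evidence:
            hits[sig.name] = sorted(evidence)
    return hits


def build_signatures() -> List[Signature]:
    names = {"agseyapp.exe", "gehp.dll", "unins000.exe"}
    # Rule A: any one known file name is enough (the behaviour the thread complains about).
    name_only = Signature("GoldenEye (filename-only rule)", names, [], set(), min_evidence=1)
    # Rule B: a hit needs two independent indicator classes, e.g. file name plus content,
    # or content plus registry key.
    corroborated = Signature("GoldenEye (corroborated rule)", names, [MARKER], {REG_KEY}, min_evidence=2)
    return [name_only, corroborated]


def clean_host() -> Host:
    """The poster's situation: a legitimate uninstaller that merely shares a file name."""
    return Host(
        files={r"C:\Program Files\URL Helper\unins000.exe": b"MZ constructed uninstaller stub"},
        registry={r"HKLM\Software\URL Helper"},
    )


def infected_host() -> Host:
    """Constructed infected host: the files named in the write-up plus the registry key."""
    return Host(
        files={
            r"C:\Windows\AGSeyApp.exe": b"MZ" + MARKER,
            r"C:\Windows\GEHP.dll": b"MZ" + MARKER,
            r"C:\Windows\unins000.exe": b"MZ constructed uninstaller stub",
        },
        registry={REG_KEY},
    )


def renamed_variant_host() -> Host:
    """Constructed variant whose file name changed, as Moe Trin describes; content and key did not."""
    return Host(files={r"C:\Windows\othername.exe": b"MZ" + MARKER}, registry={REG_KEY})


if __name__ == "__main__":
    sigs = build_signatures()
    for label, host in [("clean", clean_host()),
                        ("infected", infected_host()),
                        ("renamed variant", renamed_variant_host())]:
        print(f"{label:16s} -> {scan(host, sigs)}")
```

Run stand-alone, the clean host is flagged only by the filename-only rule, the infected host by both, and the renamed variant only by the corroborated rule. The design point is the `min_evidence` threshold: requiring agreement between indicator classes that an attacker would have to change together is what keeps a shared uninstaller name from becoming a verdict on its own.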