Turn around from false positive to signature removed

  • Thread starter: Edward Torkington

Edward Torkington

Hi,

Having contacted spynet some time ago about incorrectly
identifying Crime Catcher ( http://www.crime-catcher.com )
as a commercial key logger (err hello?) I was wondering
what the turn around is between filling in that vendor
dispute form and actually seeing the product removed?

I quote one of my customers saying "Until the issue is
cleared with Microsoft, I have uninstalled the software
and cleaned the system."

This is one of many emails and obviously causing loss to
my business so timescales are important.

Many thanks,

Edward Torkington
 
Well, the customer may always be right, but the detection of your software as spyware is not 'uncleared' by MS. No MS BETA product
could be said to do that. Your customer is just an idiot.
 
Instruct your customers with a high quality step by step procedure document
on how to allow your software to run and not be removed by MSAS.
 
Hi,

Thanks for your feedback. I could do this but my
customers actually want the software to be removed as
MSAS is saying it is something bad when according to the
criteria specified on spynet it isn't - and even if it is
it certainly isn't a keylogger of any sort.

They trust MSAS and do not understand even with detailed
explanations that this is a MSAS issue. The only solution
as the customer specifies is waiting for the signatures
to be updated hence my original question.

Many thanks,

Edward Torkington
 
Hey,

Yep I know what you're saying but from a customer point of
view they trust MSAS and automatically think my software
is bad. Even if the customer is stupid (they aren't -
they are doing the sensible recommended thing to secure
their business...) it is still costing me money hence my
question of turnaround until the signatures are removed?
Anyone know?

Many thanks,

Edward Torkington
 
Edward Torkington said:
Having contacted spynet some time ago about incorrectly
identifying Crime Catcher ( http://www.crime-catcher.com )
as a commercial key logger (err hello?) I was wondering
what the turn around is between filling in that vendor
dispute form and actually seeing the product removed?

See http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074702 if you
wish to understand why Crime Catcher is considered to be potentially hostile
software. Microsoft are not the only organisation placing Crime Catcher in
this category. If someone installed it on my PC without my knowledge, I
would be glad that MS AntiSpyware drew it to my attention, and offered me
the option of deciding what to do with it.

Your users just have to make up their minds as to whether they intended
Crime Catcher to be there. If so, they can just select "Ignore always" in
MS AntiSpyware.
 
-----Original Message-----
Having contacted spynet some time ago about incorrectly
identifying Crime Catcher ( http://www.crime-catcher.com )
as a commercial key logger (err hello?) I was wondering
what the turn around is between filling in that vendor
dispute form and actually seeing the product removed?

See http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074702 if you
wish to understand why Crime Catcher is considered to be potentially hostile
software. Microsoft are not the only organisation placing Crime Catcher in
this category. If someone installed it on my PC without my knowledge, I
would be glad that MS AntiSpyware drew it to my attention, and offered me
the option of deciding what to do with it.

Your users just have to make up their minds as to whether they intended
Crime Catcher to be there. If so, they can just select "Ignore always" in
MS AntiSpyware.

--
Robin Walker [MVP Networking]
(e-mail address removed)



Hey,

Thanks for the reply. There are two points here:

Point 1- Is Crime Catcher spyware? i.e. A webcam program
which a user installs (can not be secretly installed)
which transmits an image to a remote site. Most webcam
programs do this. I can see both sides of the argument
but am not going to pursue this avenue for now because of
point 2...

Point 2 - the difference is in the description: The site
you specify says:

"Category: Surveillance - Any software designed to use a
webcam, microphone, screen capture, or other approaches
to monitor and capture information. Some such software
will transmit this captured information to a remote
source. See also Key Logger."

This is accurate enough and a user seeing this would say
that's what I want it to do! MS says it is this:

"Crime Catcher
Type: Commercial Key Logger
Threat Level: High
Author: Edward Torkington

Description: A commercial key logger is a program that is
installed by a user of a computer to explicitly monitor
the activity of other users. These types of program can
be installed using stealth tactics to hide themselves
from other users. In addition these programs can be
purchased from commercial organizations for this use."


Wildly inaccurate and doing nothing with keys hence the
confusion.

Many thanks,

Edward Torkington
 
That link leads to pestpatrol information, pestpatrol is
a moderately disreputable anti-spyware program with a
reputation for absolute refusal to remove false detection
(even ones they acknowledge are false!) Maybe you could
post a link to a good antispyware site.
 
Should we believe an assertion about relative reputation from someone who
posts anonymously?
--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

 
I would expect that you should take that point of view no
matter who I choose to call myself. Would you have taken
my view more seriously if I had called myself "Bob Jones"
or something?

Instead of deciding whether or not to oppose my point of
view based on what I choose to call myself when I give a
quick comment to the community, check out pestpatrol, do
a scan, find a false positive (don't worry, there are
plenty), and try to get it removed. You will see what I
meant and it won't matter how well you know me.

 
Yeah--I thought about it afterwards and decided it was unlikely that you'd
be able to provide sufficient ID that I'd be willing to take your word over
others.

My understanding is that false positives are a pretty significant issue in
this area of work--we're certainly seeing some in this beta, but I believe
they are being resolved, although perhaps not as fast as some might wish.

What's your equivalent experience with Microsoft Antispyware?
--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

 
Yes, false positives are quite a bad thing for the
reputation of an anti-spyware product. Even worse is when
an anti-spyware outfit gets the idea in their heads that
they can leave in all the false positives that don't
totally break things and then market on the motto "we
detect 'more' than the other products" where 'more' seems
better to the uninformed user but is actually a collection
of false positives.

When I tried to report false positives to pestpatrol the
end result from the (drawn out) conversation was
something along the lines of "we know the detection is
false, but we leave it up to the user to decide whether or
not to remove what is detected"

I had a chance to test the trial version of giant anti-spyware
and compare it to MS-AS. Even with MS-AS beta1
with the first definitions many false positives had been
removed from the last giant release.

The acknowledgment that false positives exist and
can/will be removed puts MS-AS on a track far better than
the one pestpatrol is on.

Right now I am waiting for the beta2 build to be
released, and by that time I hope a large number of the
false positives will be resolved as well as problematic
program behavior (like allocating memory until it crashes
when getting an access denied error from the registry)
will be fixed, then I will re-evaluate MS-AS and get down
to some real beta testing/false positive hunting.

I wish there was a more significant disclaimer on the
beta that tells users who trust MS-AS beta too much just
because it says "Microsoft". Like a short non-legalese
disclaimer that says what they should expect of MS-AS
beta (and what beta means) and have several check boxes
that the user has to check to continue the install
(like "I acknowledge this is a beta and that there are no
guaranties that this program won't break my system's
OS/software" and "I acknowledge that this beta may have
false positives and I will not take the scan results as
gospel")

 
I've seen one report that a false positive (the searchsquire hit on Spybot
Search & Destroy's placing that URL in the restricted sites zone of IE) was
resolved in 5685. That's generated a lot of traffic in these groups, even
if it really isn't significant.

This beta has broken a bit more than I expected--I wouldn't have expected
all the installer issues we've seen, and there were some winsock breakages
early on which seemed to be due to a false positive. I like your idea for a
beta disclaimer, but I'm afraid Microsoft's lawyers aren't as creative.

I expect that there are some significant bugs to be found. I've been
spending my time communicating more than bug-hunting, but I hope to do more
of the latter once the second beta is released.
 