WD Find Anything?

Jim Higgins

Has anyone's Defender found anything? I have Zone Alarm Internet Security
Suite, Spy Sweeper, Ad-Aware and Spybot S&D 1.4 (never running at the same
time) and occasionally one or the other will find something but never has
Windows Defender ever picked up anything, either the Beta or the current
version. Is there any reason for me to keep it?
 
Bill Sanderson MVP

Yes--keep it because it is providing real-time security that the others are
not. I'm not familiar with Zone Alarm's suite, but I don't believe the
others are providing real-time protection.
 
Guest

Jim,

The question here would be what have the other programs detected that WD has
not? For example, on my machine AdAware and SpyBot always find cookies; WD
does not check for cookies, so it never finds anything. I always tell people that
when it comes to Spyware/Adware checkers I really can't tell them what's best,
because I never get Spyware/Adware! This is why I have 7 of them: in case I
ever do get hit I have options. WD is my first line of defense, as it is my
only RTP, but I would never be without multiple OnDemand scanners.

Off Topic: What is your interpretation of your .sig file?
Two come to mind immediately, but they are completely the opposite of each other!
I was wondering what you think it means, as you use it for your signature.
 
Jim Higgins

Tim Clark said:
Jim,

The question here would be what have the other programs detected that WD has
not? For example, on my machine AdAware and SpyBot always find cookies; WD
does not check for cookies, so it never finds anything. I always tell people that
when it comes to Spyware/Adware checkers I really can't tell them what's best,
because I never get Spyware/Adware! This is why I have 7 of them: in case I
ever do get hit I have options. WD is my first line of defense, as it is my
only RTP, but I would never be without multiple OnDemand scanners.

Off Topic: What is your interpretation of your .sig file?
Two come to mind immediately, but they are completely the opposite of each other!
I was wondering what you think it means, as you use it for your signature.

I wasn't referring to cookies but to non-cookie items, two of which were
rootkit-masked files that Spy Sweeper 5 picked up about two days ago.
Beats me where, or from what, those two files came, as I never visit the
weird sites. Then once, maybe twice, a month there will be some non-cookie
item that one of the others will pick up, but never has WD picked up
anything.

To me the .sig file means: Boast *after* the battle about your exploits.
Boasting before hand could be very embarrassing after the fact if you can't
cash the checks your mouth writes. See 1 Kings 20:11 for the verse and the
context of the verse.
 
Guest

To me the .sig file means: Boast *after* the battle about your exploits.
Boasting before hand could be very embarrassing after the fact if you can't
cash the checks your mouth writes.

That was my first thought also.
My second thought was more
Someone who chooses war (puts on his armor) does not have as much to boast
about as one who chooses peace (takes off his armor).

As Bill brought up, do any of the products you mentioned have an RTP component?
If not, it is best to keep WD as part of your arsenal. Even if it does not
stop everything, it is another layer of protection.

What sort of things were those "other non-cookie" items?

?:)
Tim
Geek w/o Portfolio
 
Jim Higgins

Tim Clark said:
That was my first thought also.
My second thought was more
Someone who chooses war (puts on his armor) does not have as much to boast
about as one who chooses peace (takes off his armor).

As Bill brought up, do any of the products you mentioned have an RTP component?
If not, it is best to keep WD as part of your arsenal. Even if it does not
stop everything, it is another layer of protection.

What sort of things were those "other non-cookie" items?

?:)
Tim
Geek w/o Portfolio

Two were rootkit-masked files from two days ago, and the others I can't
remember exactly what they were, as they don't show up very often. The Zone
Alarm AV component is, I think, RTP, but I can't (color me embarrassed) say.
I do not have the Ad-Aware RTP "Ad-Watch" turned on. I guess I'll keep WD
then, just in case.
 
Bill Sanderson MVP

Those items that Windows Defender missed don't sound good. Am I recalling
that Spy Sweeper was what caught them? Is there a log of any kind that
records the details of those files?
 
Jim Higgins

Bill Sanderson MVP said:
Those items that Windows Defender missed don't sound good. Am I recalling
that Spy Sweeper was what caught them? Is there a log of any kind that
records the details of those files?

There is no log file that I can find in Spy Sweeper 5.3. When it flagged
the two items with five bars ("critical" to Spy Sweeper) in Quarantine I
freaked and permanently deleted them. In retrospect I should have left them
safely in Quarantine and looked to see if any of my various programs
hiccupped. The only thing left is a notation in the "Always Apply" tab of
"Options" that says: "System Monitor: potentially rootkit-masked files".
The two files were some .dll files that I did not record. So much for going
into panic mode and using a sledge hammer. Zone Alarm's Internet Security
Suite didn't pick it up either. Possibly a) the real thing or b) a false
positive. If it happens again I will take notes before I use the sledge
hammer.

Here is the info link from Spy Sweeper's threat center page:

http://research.spysweeper.com/sear...&lang=en&loc=USA&category=System Monitor&rc=1

or

http://tinyurl.com/3d3yaz
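The lesson Jim draws above (keep the quarantined copy and take notes before deleting) can be scripted so that the details a vendor's false-positive desk, or a helper on this forum, would ask for are captured automatically. The following is an added example, not code from Spy Sweeper, Windows Defender or anyone in this thread. It runs on a constructed sample file, records path, size, timestamp, MD5/SHA-256 hashes and whether the file starts with the "MZ" header every DLL or EXE carries, appends that record to a JSON-lines log, copies the file into a quarantine folder under its hash, and only then removes the original. The directory names, log name and the reason string are assumptions chosen for the demo.

```python
"""Record what a scanner flagged before you delete it.

Added example for this thread, not from any product discussed here.
Snapshots the evidence an analyst would ask for later (hashes, size,
timestamps, first bytes) and keeps a copy in a quarantine folder, then
removes the original. Paths below are assumptions for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def file_record(path):
    """Return a dict describing one flagged file; path is assumed readable."""
    st = os.stat(path)
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        head = fh.read(2)          # PE images (DLL/EXE) begin with b"MZ"
        fh.seek(0)
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "sha256": sha256.hexdigest(),
        "md5": md5.hexdigest(),
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "looks_like_pe": head == b"MZ",
    }


def quarantine(path, qdir, log_path, reason):
    """Log the file's details, copy it into qdir, then remove the original.

    The copy is named by its SHA-256 so two files with the same name cannot
    collide, and gets a non-executable extension so it cannot be run by
    accident. Returns the record that was written to the log.
    """
    rec = file_record(path)
    rec["reason"] = reason
    rec["recorded_at_utc"] = datetime.now(timezone.utc).isoformat()
    os.makedirs(qdir, exist_ok=True)
    dest = os.path.join(qdir, rec["sha256"] + ".quarantined")
    shutil.copy2(path, dest)          # copy2 keeps the original timestamps
    rec["quarantine_copy"] = dest
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(rec) + "\n")
    os.remove(path)                   # only after the copy and the log exist
    return rec


def verify(rec):
    """True if the original is gone, the copy exists, and its hash matches."""
    if os.path.exists(rec["path"]) or not os.path.exists(rec["quarantine_copy"]):
        return False
    return file_record(rec["quarantine_copy"])["sha256"] == rec["sha256"]


def demo():
    """Quarantine a constructed sample (not a real DLL) and return its record."""
    work = tempfile.mkdtemp()
    sample = os.path.join(work, "suspect.dll")
    with open(sample, "wb") as fh:
        # Constructed content: an MZ header followed by padding and a marker.
        fh.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real DLL")
    return quarantine(
        sample,
        os.path.join(work, "quarantine"),
        os.path.join(work, "flagged.jsonl"),
        reason="System Monitor: potentially rootkit-masked files",
    )


if __name__ == "__main__":
    record = demo()
    print(json.dumps(record, indent=2))
    print("verified:", verify(record))
```

The point of writing the log before the `os.remove` is that the hash survives even if the copy is later lost; a SHA-256 is enough for a vendor or another scanner to say whether the file was a known false positive. With a real detection you would also want to note the process that loaded the DLL, which a scanner's quarantine view usually does not record.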
 
Bill Sanderson MVP

Jim Higgins said:
There is no log file that I can find in Spy Sweeper 5.3. When it flagged
the two items with five bars ("critical" to Spy Sweeper) in Quarantine I
freaked and permanently deleted them. In retrospect I should have left them
safely in Quarantine and looked to see if any of my various programs
hiccupped. The only thing left is a notation in the "Always Apply" tab of
"Options" that says: "System Monitor: potentially rootkit-masked files".
The two files were some .dll files that I did not record. So much for going
into panic mode and using a sledge hammer. Zone Alarm's Internet Security
Suite didn't pick it up either. Possibly a) the real thing or b) a false
positive. If it happens again I will take notes before I use the sledge
hammer.

Here is the info link from Spy Sweeper's threat center page:

http://research.spysweeper.com/sear...&lang=en&loc=USA&category=System Monitor&rc=1

or

http://tinyurl.com/3d3yaz

I've been there and done the same thing--probably a good reaction.
Yeah--trying to tell whether you were seeing a false positive was what I'd
like to try to get at. If there's really a rootkit in place, I'd expect
there to be more files than just one or two that are bad.

Yes--reading that description, I can see that you'd want to take immediate
and vigorous action. Essentially, they are saying that if you find this
threat in place, you are owned--somebody else has control over your system
and can be monitoring every action you take.

I'd want to see some confirmation from either F-Secure's BlackLight,
Microsoft/Sysinternals' RootkitRevealer, or some other specialized
anti-rootkit tool, I think.

I'd certainly recommend running both of those to you--they are free (at
least at the moment) and easy to find via Google. RootkitRevealer takes a
bit more knowledge to understand the results--you'll need to read the help
files at least.

I'm not going to blame Spy Sweeper for having a false positive--this happens
to everybody, and Defender appears to have had a recent one as well. And it
isn't clear exactly what happened--but I'd sure investigate further with any
anti-rootkit tools you choose. Microsoft's Malicious Software Removal Tool,
which is revised at least monthly--the next version should be out tomorrow--has
often targeted rootkits, so be sure you run that one as well. I've been
fortunate enough never to see a machine on which it finds something, but I
know from their published stats that they're finding plenty!
 
