Why handle Dameware as spyware?


Gerard

Just installed the beta version of antispyware and started
a scan. Unfortunately the tool also recognises Dameware
as spyware and on top of that during the scan keeps on
finding entries in the Dameware folder in Program Files.
IN THAT PROCESS USING UP 100 % of my CPU resources so
there is no end coming to my scan. The only way to
stop it is Ctrl + Alt + Delete. Tried telling the program
to skip the Dameware folder in the advanced scan options
but still it was scanning this folder and the same problem
occurred. In this way the tool is totally unuseful so
deinstalling it is the only remedy.

Hopefully only a beta problem but I fear the worst.
 
All Remote Access Tools are brought to your attention by MSAS in case you
were not the one to install them.

I would rather be told they are there than for MSAS to assume you are the
reason Dameware was installed.



--
If you are under attack and MSAS does not seem to help:

*Submit suspected spyware report in the tools menu of MSAS*

1. Download:
lspfix.exe www.cexx.org/lspfix.htm
ccleaner.exe www.ccleaner.com
killbox.exe www.bleepingcomputer.com/files/killbox.php

2. Reboot into safe mode - http://tinyurl.com/pfca

3. Clean out all temp file locations - ccleaner.exe
(be sure to configure to delete all temp files
and not just those 48 hours old or older)

4. Run MSAS at least twice in full/deep mode

5. Run a robust, updated antivirus software scan

6. Reboot into normal mode, see if problem has been corrected

7. Install and use killbox to delete stubborn files

Battle Notes:
- If you have trojans (files that won't go away),
you may have to disable System Restore on XP:
http://tinyurl.com/movy

- If your Internet connectivity quits:
http://support.microsoft.com/kb/892350
LSPFix - http://www.cexx.org/lspfix.htm

- This program will not detect or remove viruses
http://www.microsoft.com/athome/security/viruses/default.mspx

** For a detailed attack plan **
http://spywarewarrior.com/sww-help.htm

*** For assistance in battling infestations***
- Get HijackThis.exe from:
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
- Save it to C:\hjt (new folder)
- Open it and select "Scan and Save Log"
- Note where you saved the log
- Send it to Ron Kinner as an attachment
- Ron's email address is (e-mail address removed)
- Put Hijack in the subject so he knows it's not spam
- He will tell you what to do next


Application Notes:
Registering a VB6 dll seems to fix missing agents:
1) Open up a command prompt (start -> run -> cmd)
2) Type in the following "regsvr32 msvbvm60.dll" (without the quotes).
3) Close and re-open Windows AntiSpyware

- Several issues are addressed by Microsoft -
Cookies, supported OS, and cost.
http://www.microsoft.com/athome/security/spyware/software/faq.mspx

- This program will not work with Windows 98 or ME.
If you need a tool for 9X/ME, go here:
http://www.majorgeeks.com/downloads31.html

- If your taskbar is on the side of your screen, the alerts
scroll off the screen. Move the taskbar back to the
bottom or top to stop the scroll, then revert back.

- Mark Ferguson maintains an FAQ:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt
 
I'm glad it detects Dameware--JohnF has given the rationale. It isn't
suggesting that there's anything wrong with the software--just that you
should be aware of it. The default, when a scan finishes, should be ignore,
I believe, and you can change that to ignore always.

There's something wrong with what is happening on your machine, however--I
haven't had any complaint about this issue from other Dameware users--and
there've been a number of those.

Are you sure it is still working on Dameware, or has it moved on to
something new? The general issue you are reporting has been reported
before, but not in connection with Dameware.
 
JohnF. said:
All Remote Access Tools are brought to your attention by MSAS in case
you were not the one to install them.

I would rather be told they are there than for MSAS to assume you
are the reason Dameware was installed.

Not quite. It detected that I have VNC, but it did not find Remote Desktop
Connection. I installed both. If the distinction is that I have only the
client part for Remote Desktop Connection, then that's understandable.

The only issue I have is that remote access tools are not spyware, but have
the potential to be abused. They should not be identified in a way that
leads the user to think that they are spyware, but the user should be told
that they exist, that they are not harmful programs, but if they were not
placed there by the user, then they are risks and should be removed.
 
The only issue I have is that remote access tools are not spyware, but have
the potential to be abused. They should not be identified in a way that
leads the user to think that they are spyware, but the user should be told
that they exist, that they are not harmful programs, but if they were not
placed there by the user, then they are risks and should be removed.

I don't disagree: What was the default action suggested for Dameware? Was
the description accurate?

Remote Desktop is not listed, either server or client. On an XP Pro
machine, Remote Desktop cannot be used without the knowledge and consent of
the user. It's true that a server administrative or terminal services
session doesn't show at the console, but it can be detected by an
administrator if they wish to monitor--and again, domain credentials or
credentials on the individual server or workstation are needed.
 
Bill said:
I don't disagree: What was the default action suggested for
Dameware? Was the description accurate?

I don't know. I didn't encounter it with Dameware, but with VPN. I
remember that my initial reaction was one of surprise, and I did have to
read through things before I could tell that there was no threat, but I
don't remember the details. It didn't handle things the way I expected, but
then again, it wasn't something that made me come here and post either. It
wasn't until the Dameware thread that I figured it's at least something to
consider.

Remote Desktop is not listed, either server or client. On an XP Pro
machine, Remote Desktop cannot be used without the knowledge and
consent of the user. It's true that a server administrative or
terminal services session doesn't show at the console, but it can be
detected by an administrator if they wish to monitor--and again,
domain credentials or credentials on the individual server or
workstation are needed.

I'm running W2K, so I obviously don't have the server part. But for VPN,
the server part cannot be run without the user knowing it, unless
something's been hacked. (at least in W2K) However, since the server part
was not running when MAS found it, there was no risk that anything produced
a hacked version that started on its own.

It would make sense for MAS to alert users in a different way if something
is running than if it's merely on the disk, and it should include Remote
Desktop too, especially if it's running as a server.

As for something that's not actively running, the product should be
consistent. Either the risks should be assessed to determine whether it
even makes sense to warn the user, given a product's ability to run in
stealth mode, or the product should warn about all remote access tools,
including Remote Desktop. If Remote Desktop is not active, and it's not
considered a potential threat because of it, then identifying others in the
same circumstance could be seen as anticompetitive.
 
Hagrinas Mivali said:
As for something that's not actively running, the product should be
consistent. Either the risks should be assessed to determine whether it
even makes sense to warn the user, given a product's ability to run in
stealth mode, or the product should warn about all remote access tools,
including Remote Desktop. If Remote Desktop is not active, and it's not
considered a potential threat because of it, then identifying others in
the same circumstance could be seen as anticompetitive.

I agree that consistency is key here. I think they have considered some
changes in categorization. There've been long threads here about some
Resource Kit pieces that are flagged--things that aren't risks for the pc
hosting them, but tools which could be used against other network
assets--and are apparently flagged basically so that the user of the machine
is aware that they are installed.

RD is an interesting point--I suspect the logic in not listing it is pretty
carefully thought out, but it isn't something they are likely to publish,
although it might come out in some legal proceeding. I don't see any issue
with it on XP workstation--neither RD nor RA can be used without it being
clearly visible to the workstation user. OTOH, the server end is invisible,
but needs to have been installed by an administrator--but then this is
probably also true of Dameware. I don't know the uses/misuses of the third
party tools--Dameware and VNC are the two I'm aware of, but there are a
number of others--to be clear on the aspects that gain them listing.

I think calling these tools out to the user in an unmanaged network or home
situation is important. In a managed network where presumably there's more
control, I'm certain that the managed corporate version of this product will
allow the powers that be to not flag their chosen management tools to the
users at the workstations.
 
Bill said:
I don't disagree: What was the default action suggested for
Dameware? Was the description accurate?

I went back and removed VNC from my Ignore list to see what would happen.
MAS identifies it as a threat. The recommended action is Quarantine. The
"Advice" is to remove it only if unexpected. (Actually, the phrase is
"should only be removed if unexpected," which is not the best wording.)

The problem is that the advice is off to the right and conflicts with the
other information. It is identified as a threat, not a possible threat.
The recommended action conflicts with the advice. Some users will follow
recommendations blindly and consider the narrative too technical to even
look at. But having these two conflict with each other is the real issue.
Having a single recommendation in this case is not valid since it requires a
tiny truth table. The appropriate recommendation should be to read the
"advice."
 
That does sound confusing. I'll keep an eye out for this one--I see it
fairly regularly since I use VNC in some circumstances, and at some point
they apparently changed the detection criteria for it because my always
ignores came up detected again.
 