Thursday, January 31, 2008

False/Positive Detection of WinPatrol by Kaspersky & Prevx1

Kaspersky and Prevx1 users need not be concerned if WinPatrol pops up in a scan by either product. This is a false positive and has been reported.

Uploading WinPatrol to VirusTotal currently yields the following results:

Kaspersky 2008.01.31 not-a-virus:AdWare.Win32.DealHelper.ak
Prevx1 V2 2008.01.31 Heuristic: Suspicious Hijacker

This isn't the first time this has happened. It seems to accompany a WinPatrol update. See


Kaspersky removed the Patrol Setup.exe from their definitions but Prevx1 is still showing it as "Prevx1 V2 2008.01.26 Heuristic: Suspicious Hijacker". At least I can understand this, since "WinPatrol uses a heuristic behavioral approach to detecting attacks and violations of your computing environment." However, it would be better if Prevx whitelisted it.

Update 01Feb08:

Prevx responded and has added WinPatrol to their whitelist.

Many thanks to both Kaspersky and Prevx for responding so quickly.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Sunday, January 27, 2008

Minor Update to WinPatrol

2008-01-27 14.0.2007.1
Fixed bug in caused by compiler optimization error.
On some systems the alert of new startup programs may be delayed.

Read about the update in Exciting WinPatrol Update!


Thank you, Mentors!

Thursday, 24 January 2008, was "Thank Your Mentor Day". Although I missed the actual date, since I have a number of mentors to thank, I'll do it in alphabetical order and hope they forgive my tardiness.

Aaron
For always being willing to explain the "techie" details in easy-to-comprehend non-techie terms.
Canuk
Although not with us any longer, Canuk was always available to answer my questions and review my responses.
IAMSKINZ
Taught me so much on the "behind the scenes" operations and handling "difficult" or "controversial" situations.
Mitch
Mitch was responsible for "pushing me out the door" so to speak, providing encouragement and help when I started.
SpyDie
The "Jedi Master" is the go-to person for registry questions. His help and advice has been invaluable.
Winchester73
Win73 reviewed my very first "official" log analysis/instructions and helped me as I broadened my sphere of help.

To each of you, my personal thank you for all the help you have provided and continue to provide; for having faith in me when I found it lacking and for your never-ending encouragement.


Head's Up Comodo Management {See Edit}

Edit Note 29Jan08:

See comments, please, for the anonymous poster's follow-up comment.


I think that it is time to call off the trolls. No, I did not publish the comment below in the linked topic. Rather I chose to post it here in hopes of getting the message across that this type of support for Comodo does more harm than good.
"Anonymous has left a new comment on your post "Comodo Firewall Update":

I wouldn't trust Online-Armor either after this

25/01/2008 01:11:01 SYSTEM 1548 Sign of "VBS:Malware-gen" has been found in "" file.

If malware gets onto their forum how good can their software be"
There is no malware at the Online Armor Support Forums. In fact, the post that "Anonymous" was warning people away from is actually a typical gentlemanly post by Mike Nash:

"Hi Everyone,

Scot Finnie has some nice words to say about Online Armor at his blog.

He's looking for people who have used Online Armor to relate their experiences, both good and bad.

So - there's the link, the comments and the contact details.

Please be kind, and if you can't be kind, at least be fair."


Saturday, January 26, 2008

Shades of "Julie Amero"?

Because children flock to social networking sites like MySpace, perhaps time and effort would be better spent dealing with the many issues at MySpace, evidenced by the separate MySpace label used by Paperghost.

Via SunbeltBLOG:
"This time, the story is in Florida — and at a school that’s not too far from our own Sunbelt headquarters.

A school cop at Gulf Middle School, John Nohejl, created a MySpace page to educate kids about safety (with the support of the school). Well, as Wired puts it:

Gulf Middle School resource officer John Nohejl didn't have porn on his MySpace profile, and he didn't link to porn. But one of the 170-odd people on his friends list, which seems mostly populated by students at his school, had a link to a legal adult site. Now the New Port Richey Police Department and the Florida attorney general's elite cyber crimes unit are investigating him for making adult content available to underage children.

From press reports, the adult site linked seems to have been Amateur Match Free Sex, an Adult Friend Finder type of site. It’s well known to anyone on MySpace that affiliates of these types of outfits have been known to do bad things on MySpace (AFF recently settled with the FTC for such behavior). It could have even been a link in the comment of a Friend.

Oh, and after this broke, it was found that the school’s site itself had a link to gay porn. The principal is “outraged”. As Kevin Poulsen at Wired points out, does that mean he gets criminally investigated as well?"



Friday, January 25, 2008

Exciting WinPatrol Update!

Regular readers of Security Garden have no doubt that I not only use WinPatrol Plus but also sincerely admire Bill Pytlovany -- not only for what he provides computer users in the form of the free version of WinPatrol, but also for his high moral convictions and dedication. Thus, there is no question that I highly recommend WinPatrol.

WinPatrol is Windows Vista ready and yet still works on all earlier versions of Microsoft operating systems.
If you have not tried WinPatrol before, now is the time.

See What's New in WinPatrol 2007 (14):

  • Enhanced Keylogger Detection
    The use of keyloggers for illegal purposes has exploded. A Schenectady man was recently jailed for up to three years for felony eavesdropping after putting a keylogger on his wife's computer. I've heard too many stories of abuse made possible due to keyloggers so it's time for it to stop. While WinPatrol PLUS had always detected keyloggers we've enhanced this feature and it's now available to free users so everyone is protected.
  • Interactive PLUS code Activation
    Unfortunately the number of users depending on illegal PLUS codes has become a problem. While honored by the worldwide popularity of WinPatrol this could slow down access to PLUS information by our paid supporters. Our new version will do more to screen out invalid codes. In a few cases, users may find their valid codes are no longer working correctly. Those affected can write to support @ and we'll make sure they receive the correct code.
  • Optimized Detection of New Services
    As more and more programs move to the Windows Service model it becomes apparent that this may be a popular avenue of attack in the future. The routine used to monitor and detect new Windows Services has been optimized to make this process transparent.
  • Decrease CPU Usage and Conflicts
    Conflicts with some other registry intense programs may have resulted in abnormally high CPU usage on past versions. WinPatrol 14 includes some intelligent routines to allow complete protection without fighting over resources with other security suites and system level programs.
  • Default -expressboot option
    WinPatrol now includes a -expressboot option which will be used when machines boot up for the first time. This new feature optimizes boot time and allows other applications to maximize their initialization routines.
  • Regular Registry Cleanup
    Some registry cleaners have complained that we don't clean up some data stored in the registry quickly enough. This version will remove information that is no longer needed and "First Detected" information on a regular basis when the file no longer exists.
  • Multiple copies of WinPatrol in startup
    Occasionally, users have written to let us know they have multiple copies of Scotty in the list of Startup programs. This version can correct any errors by checking the "Automatically run WinPatrol" box under the Options tab.

Get Scotty! Free - Install WinPatrol 2007 v14.0.2007.0 (690 KB)

Get Scotty Plus! Upgrade to WinPatrol PLUS today

See WinPatrol 14 Enhances Keylogging Detection


Thursday, January 24, 2008

Windows Vista Reports

A pair of reports were issued by Microsoft yesterday.

Jeff R. Jones issued "Windows Vista One Year Vulnerability Report", providing an analysis of the vulnerabilities reported and security updates issued during Windows Vista's first year. Although Jeff's report is directed toward systems administrators, pointing out that fewer patch events mean less work, the report also includes an interesting comparison with Windows XP as well as with the "competing" operating systems Red Hat, Ubuntu and Apple.

Download the PDF from Jeff Jones Security Blog.

As Austin Wilson pointed out in the second report, "Windows Vista Security One Year Later",
"Also from the One Year Vulnerability Report, we see that Windows Vista in its first year had significantly fewer fixed and unfixed vulnerabilities than Windows XP in its first year: 36 fixed/30 unfixed for Windows Vista vs. 68 fixed/54 unfixed for Windows XP."
Another issue pointed out by Austin is that there were 60% fewer malware infections in the first half of 2007 on Windows Vista. I look forward to the next update of the Microsoft Security Intelligence Report (SIR) to find out the impact in the second half of 2007 of increased usage of Windows Vista combined with more advanced/experienced users.


Comodo Firewall Update

Earlier this week, I posted information regarding the Comodo 3 "Basic Firewall" based on a report from Scot Finnie's Scot's Newsletter Blog. Scot has been "in the industry" for many years and is the Editor-in-Chief at "Computer World" (See Scot's Website and "Full Disclosure" following).

After publishing the original article, Scot received a barrage of comments and Comodo's president and CEO, Melih Abdulhayoglu, posted a reply in the Comodo forum, including what I consider a couple of rather unprofessional "rants" at the end of his reply (copied below).

Although I do not use Comodo Firewall, it was added to Vista Compatible Firewalls based on the testing and designation by Matousec that
This software runs on Windows Vista.
However, please note that Comodo Firewall is not listed in the Windows Vista AppReadiness database as being "Ready" for Windows Vista.

As Tashi at Certified Bug suggested in her updated report,
Comodo's CEO Fires Back, users of Comodo Firewall are encouraged to read the references below and make their own educated decision.

Full Disclosure:
  1. I have not personally used the Comodo Firewall.
  2. I was a subscriber of Scot's Newsletter for many years, a member of Scot's Newsletter Forum (SNF) since 2003 and am currently an Administrator of SNF Forum.

Related Topics:

"Sorry to hear your site going down and I am glad you got help from the people you link to in the blog;)

---begin rant---

You know what pisses me off the most: Its ill-informing, mis-informing doing a disservice to users, because of our own agendas!!!! I have no problem with people liking or disliking what we have, we respect opinions, however people in the position to make a difference, abusing the trust that users have bestowed upon them by ill-informing is just plain wrong!!!

---end of rant---

« Last Edit: January 21, 2008, 11:45:06 PM by Melih »"


Tuesday, January 22, 2008

Ask's Privacy Tool Tracks Users

With all the latest hype about the Ask Toolbar in the security community (see Related Posts below), Security Garden readers will not be surprised to learn that a coalition of privacy groups filed a complaint with the FTC (Federal Trade Commission) on 19 January 2008 against Ask. The complaint alleges that the search engine history anonymization tool (AskEraser) could actually be used to track people rather than providing anonymity and protecting their privacy.

So, what in layman's terms is the complaint about? One might simply say cookies, but that would be a gross oversimplification. To begin with, not all cookies are bad (See Tea and Tracking Cookies). The problems are in the procedures and methods used by Ask's toolbar mechanism. Here are just a couple of examples copied from the Complaint:
Not that I have anything to hide, however, a "Persistent Identifier" that allows any government agency to track and monitor . . .
No regulation of the data collected . . .
Interesting. . .


"Consumer Privacy Coalition Files FTC Complaint Against Ask
EPIC and five other groups filed a complaint (pdf) with the Federal Trade Commission alleging that Ask is engaging in unfair and deceptive trade practices with the representations concerning AskEraser, a search service that purports to protect privacy. Among the critical points highlighted by the consumer privacy coalition: (1) users must accept an AskEraser cookie and disable a genuine privacy feature in browsers that block cookies; (2) the AskEraser cookie is a unique persistent identifier that makes it easy for Ask, its business partners, and the government to track the activities of AskEraser users; and (3) Ask will disable the search delete feature -- the central purpose of the Ask Eraser service -- without notice to the user. The complaint follows a December letter (pdf) to Ask describing these security and privacy problems. (Jan. 19)"

Now, you tell me. Do you want to use software that includes the Ask Toolbar, regardless of any changes purportedly made to that software? Not me. I'll stick with the tried and true, safe, honorable and ethical.

Related Posts:



Microsoft Does NOT Send Updates Via Email

Based on the report on the SunbeltBLOG yesterday, it is again a good time to issue a reminder that Microsoft does not, never has and never will send update information via e-mail.

As Alex Eckelberry indicated, the payload for the latest spam update is IRC.Backdoor.Trojan.

Related Topics:


Lavasoft Responds to Toolbar Inquiry

Posted by CalamityJane, a respected member of the security community and Microsoft MVP.

CalamityJane
Posted: Yesterday, 06:37 PM (Post #2)
Group: Administrators
Posts: 6,976
Joined: 19-April 06
From: Central Florida, USA
Member No.: 65

This topic was held temporarily offline until the Office in Sweden was open today so that it could be confirmed or not, as I had no information on this and the blog post you linked does not give any indication of whether this is rumor or not. So, having confirmed, I can now bring this topic back online so our home office can respond.

Michael Helander asked me to post this for you, Winchester

Michael Helander
Vice President Marketing

Hello all –

It seems as though I only jump into the forums these days when there is some hot topic that needs a quick reply before it spirals out of control with rumors and mis-information. I’ll have to change that! I rather love a good discussion.

On the topic of toolbars:

Toolbars have become such a sensitive issue in our business, particularly because several companies have chosen to distribute them without any restrictions, or without challenging the existing system to result in social change. But for us here at Lavasoft, toolbar issues are no worse than most of the other issues that we deal with – so we don’t consider it a forbidden topic at all.

The fact that we have talked with Ask regarding toolbars is nothing that we feel the need to hide. One would be hard-pressed to find a company these days that has not been approached by Ask (or Yahoo, Google, or a plethora of other search engines) to distribute their toolbar. So, even those that are saying “shame on you” to anyone that is distributing the toolbar have most likely been approached and talked to Ask as well.

Why are we different? We are actually engaged in extensive and in-depth discussions with Ask directly. Instead of just saying ‘no’ and then pointing a damning finger at everyone else who chooses to distribute a toolbar, we choose the uncommon path of trying to make a real difference in the industry. We’re involved in an analysis of their toolbar, based on Lavasoft’s detection criteria (which set the standard for this entire industry of anti-spyware detection, I might add), that could actually result in a clean toolbar. We are working with Ask the same way that we would work with any other company that approaches us with an application that could be considered questionable. We analyze the application. We have consistent and ongoing talks with them about what changes are necessary in order to have a clean application. They decide whether they can or cannot make those changes. If they can make the required changes, then we have done our job to create social change in our industry. And I assure you it is no easy task to meet the criteria from our research lab! If they cannot make the required changes, then we still feel very confident that we have given them all of the knowledge necessary to provide an application that Lavasoft believes is acceptable for consumer privacy and security.

Many people say that Ask has a bad reputation. So what? Does that mean that we should turn a blind eye to our core corporate ethics of creating change in our industry? Yes, we work with those that everyone else likes to call “the bad guys”. We think that is pretty cool. It creates an opportunity to really make a difference.

And another thing about toolbars…the cynics say that it is just about the money…making a quick buck (yes, search engine companies pay their toolbar partners – that’s business folks). But really, think about it. If Lavasoft were just out to make a quick buck, wouldn’t we just develop software and send it out to you, year after year? Instead, we spend exhaustive hours and energy actually trying to get “the bad guys” to create their applications without compromising computer users (yourself included). When you buy Ad-Aware, or even take the freeware version, you are a part of the process of creating real change in this industry. The option? There are plenty of other companies out there that are extremely good at marketing the newest bells and whistles on their products – and are busy pointing fingers at all of the bad things being done by everyone else. That’s not interesting for Lavasoft employees. We’re here for the real change. We’re in it for the long haul.

So to answer your original question, winchester73, “Is the AskToolbar coming?” It’s not out of the question. If we can find a way to create change in the toolbar arena, we will certainly find a way to get it into the hands and onto the computers of consumers who want a clean toolbar. Of course it would be prominently disclosed. Of course it would be opt-in only. Of course we take things like that into consideration.

So, for all the naysayers out there that that say Lavasoft is only about the money…they’re way off base. They just have no idea of how much effort we put in to make real industry change…on their behalf. So for that, we forgive them.

For those of you who are open enough to understand what it takes to fight malware AND create social change at the same time, we thank you, and hope you are in it with us for the long haul.

Cheers –


On a highly personal note, it is important to me to include here that I have the utmost respect for CalamityJane. She has helped countless thousands of people remove malware from their computer and continues in that tireless effort day after day. Beyond what she does as a paid consultant for Lavasoft, Janie continues volunteering many hours of her personal time helping at many other sites.

That said, with regard to Lavasoft, it appears that times have changed at Lavasoft and their employees actually get the weekend off now. Yes, it took a while for the damage-control article to be written, but rest assured, thorough research was conducted:

Visitor detail (Security Garden), 22nd January 2008 08:26:44 AM

Referring Link: No referring link
Country: Sweden
Region: -
City: -
ISP: Bb-cust-lavasoft
Returning Visits: 0
Visit Length: Multiple visits spread over more than one day
Browser: Firefox 2.0
Operating System: WinXP
Resolution: 1024x768
Javascript: Enabled

It is quite amazing that this rather unknown blog has garnered so much attention from Lavasoft.

Related Posts:

(Edit Note: Added additional visits after 8:07 AM today from "" that occurred after the original posting. I gather folks were checking to see if I included a follow-up after being provided notice of the returned forum posting and response.)


Sunday, January 20, 2008

Do Not Rely on Comodo 3’s ‘Basic Firewall’

I certainly am glad that I realized something was wrong with my RSS feed for Scot's Newsletter Blog or I may have missed passing along this important information. As Scot reported today:

"I have learned directly from Comodo executives that the Basic Firewall installation option of Comodo 3 does not offer any outbound leak protection whatsoever. They may add that protection in a future version of Comodo 3.x. The Basic Firewall option turns off Comodo 3’s Defense+ HIPS module, which provides the leak protection for Comodo 3.

The previous generation of the Comodo 2.4 provided anti-leak protection without the HIPS.

Not only does this mean that Comodo 3 Basic Firewall is no longer a contender in this blog’s firewall evaluation, but if you are relying on this version of Comodo for your firewall protection, Windows XP users should switch to Online Armor FREE version (or newer) and Vista users should uninstall Comodo 3 and reinstall it, choosing the “Advanced” installation option."

In an earlier post, Scot reported that Online Armor Firewall Shows Strong Promise. Online Armor isn't ready for Windows Vista yet. See Windows Vista Compatible Firewalls for links to free and subscription Vista compatible firewalls.

24Jan08 Edit Note: See Comodo Firewall Update


Lean, Mean, Taking Care of My Machine, Software

Providing help on forums, I see a lot of situations where users have loaded their computer with numerous system-hogging security software programs intended to keep their computer safe from infection. The problem, however, is that with so many software programs installed, the cure is often worse than the disease.

Instead, how about "Lean, Mean, Taking Care of My Machine, Software!" That is what you get with WinPatrol. Scanners have to know ahead of time what they're looking for. Not WinPatrol: it uses a heuristic approach to detect attacks on your computer.

BREAKING!!! Coming soon to the next version of WinPatrol is a focus on keyloggers for the free version of WinPatrol!!! This is available now in WinPatrol Plus, but will be incorporated for all users of WinPatrol in the next release. A local situation is why BillP determined this needs to be available for all users.

Learn more about WinPatrol in the recorded MP3 of the TechWatch Radio show at or

Selecting WinPatrol as the program of the week, Ray Wilson wrote in the Philadelphia Bulletin that WinPatrol is
"an unpretentious program that goes about doing what it does with little intervention from the user."
I couldn't agree more!


Saturday, January 19, 2008

Secunia Security Advisory: Ask Toolbar

I think this speaks for itself, don't you?

"Ask Toolbar ToolbarSettings ActiveX Control Buffer Overflow"

Secunia Advisory: SA26960
Release Date: 2007-09-25
Last Update: 2007-09-28

Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Ask Toolbar 4.x

Related Posts:

