Assiste.Forums

[pierre]

Salut IPL


Personne ne dort aujourd'hui ?

Amitiés

[ipl]

Salut Pierre,

Non, tu nous tiens en haleine !

Amitiés,

[pierre]

Bonjour,

La fiche sur RemoveIT Pro, sur le site, a été mise à jour
http://assiste.com.free.fr/p/craptheque ... t_pro.html

[ipl]

Bonjour Pierre, Elipsons, bonjour à tous,

Pierre, j'ai écho (par nicM, sur Zeb') d'un "accrochage" semblable avec le concepteur de RemoveIT Pro en mars sur Wilders Security.
Nous te donnerons plus de détails sous peu.

[pierre]

Bonjour IPL,

Je connais ce fil. Il fut initié par le pseudo danmega0 qui est Damjan Irgolic lui-même venant faire un coup de pub pour son truc. Mal lui en a pris !

http://forums.spywareinfo.com/index.php ... moveit+pro

Puisque je suis aussi administrateur ASAP je vais faire une communicatin sur notre board.

Amitié

[Gof]

Bonjour à vous,

Je suis la conversation avec intérêt ! Très intéressante ! Tenez nous au courant des développements !

[pierre]

Salut Gof

[pierre]

Bonjour

Récap postée sur SWI, ASAP et ZEB

Par ailleurs, je vais rédiger un petit mémo à l'attention des chercheurs chez les différents éditeurs d'antivirus et anti-spywares ainsi qu'à Marcin Kleczynski (RogueRemover) pour suggérer de le placer en PUP (Potentially Unwanted Program) sur la base de ma mailing-list publique à http://assiste.com.free.fr/p/antivirus_ ... alyse.html.

Puis-je vous demander, justement, de regarder cette récap des éditeurs et de me suggérer des mises à jour éventuelles (en particulier des adresses de contacts hors des adresses de soumission d'échantillons).

_______________________________________

Hello,

This is an alert to all webmasters and helpers
This has also be posted on the SWI board

A French webmaster was talking about RemoveIT Pro these days and notice my card in « La Crapthèque » at http://assiste.com.free.fr/p/craptheque/removeit_pro.html

On the June 20, 2007, he wrote to some of his contacts by e-mail, including me in the diffusion of this e-mail and he also included there Damjan Irgolic (InCode Solutions), author of RemoveIT Pro, asking him a denial in connection with my classification in crapware of this software and explanations.

Here is some of the sequence of exchanges.


RemoveIT Pro

I have notify Pierre Pinard to remove RemoveIT Pro from site because RemoveIt Pro has nothing with crapware like site http://assiste.com said.

Best regards!
Damjan

Assiste.com
I issue a new analysis of the software and wrote this, in French on my board, at
http://assiste.forum.free.fr/viewtopic.php?p=106604#106604
I notice the fact that, creating empty files (0 characters) named with names in the database (based on random names algorithm !) of RemoveIT Pro will generate alarms with suggestions to delete these dangerous files !
zqeenlkr.exe - 1 occurrence(s) sur tout Google !
zqbtletr.exe - 1 occurrence(s) sur tout Google !
zjtbreln.exe - 1 occurrence(s) sur tout Google !
zernlcnz.exe - 1 occurrence(s) sur tout Google !
xtztnert.exe - 1 occurrence(s) sur tout Google !
xrnelsxs.exe - 1 occurrence(s) sur tout Google !
xlxektlr.exe - 1 occurrence(s) sur tout Google !
xjjhlbqn.exe - 1 occurrence(s) sur tout Google !
xhzenqnj.exe - 1 occurrence(s) sur tout Google !
xblkenwj.exe - 1 occurrence(s) sur tout Google !
wtnkhhkh.exe - 1 occurrence(s) sur tout Google !
And so on …
I, then, wrote to Damjan Irgolic :

Hello,

I regret to bring to your attention that, in the current state of my analysis of RemoveIT Pro,
this one does not comprise any criterion justifying its exit of "La Crapthèque".

Worse: the thorough analysis that I was brought to lead makes it possible to declare that
this product does not have at all its place among the security tools for computers and privacy on the Internet.

Thank you to inform me on the operation of "High-level protection technology (HLP)" Sincerely

Sincerely

Pierre Pinard
Assiste.com

Thank you for your email!

This 3 detected threats are not false positives if you think that.

Win32.BKZECSLK or BKZECSLK.EXE is dangerous accorording to Prevx, see details
http://spywarefiles.prevx.com/RRGFAJ313973...lk%252Eexe.html
Win32.hpxdfjax or hpxdfjax.dll is also dangerous accorording to Prevx, see details
http://spywarefiles.prevx.com/RRGHJB314900...EQWCSW.EXE.html

If you have different information about this files please let me know.
You can't threat some AV program like crapware because you think that some located threats are legitimate.
First you have to prove that this threats are false positives.
You dont know nothing about RemoveIT Pro and you cannot judge about some AV program because you are not experts in antivirus field and you dont know how viruses spread them selfs so please remove your review.
Please also note that fruther files from your forum are also dangerous with random filenames generated by trojans.

Hello

Reproduced in http://assiste.forum.free.fr/viewtopic.php?t=16896
Note that I register Eric Howes in the mailing list of this conversation.
Note that the intervention of Damjan Irgolic which I answers here relate to my analysis of yesterday of its software, analysis which is at http://assiste.forum.free.fr/viewtopic.php?p=106647#106647

You say
This 3 detected threats are not false positives if you think that.

Win32.BKZECSLK or BKZECSLK.EXE is dangerous accorording to Prevx, see details
http://spywarefiles.prevx.com/RRGFAJ313973...lk%252Eexe.html
Win32.hpxdfjax or hpxdfjax.dll is also dangerous accorording to Prevx, see details
http://spywarefiles.prevx.com/RRGHJB314900...EQWCSW.EXE.html

Forgery! You have twists in your basic reasoning. Never a file is dangerous! Only the contents of a file, whose name as no imports, is more or less dangerous or not at all. That dangerous contents were seen in a file named "thing" at one moment of reason does not allow at any moment to declare that the file "thing" is definitively dangerous: the name of a file is completely without interest and “a fortiori” if it is a random names.

You say
First you have to prove that this threats are false positives.
Yes! They are false positives ! I created these 3 files on my system and they are empty (0 character) but you declare them as dangerous files and suggest me removing them. How do you want that I qualify a software which tells me a similar ineptitude?

But we will not beat in connection with anti-virus technologies if you think that I am not qualified.

It has been years that we denounce the attempts made at detection by envelopes (appearances of the things). All were stopped. No software publisher uses it because it would be instantaneously swept scene.

The last attempt that I stopped was the gaminery "The Remover" in July 2004. See http://assiste.com.free.fr/p/craptheque/remover.html

In January 2005 I pinned Spybot Search and Destroy with matter of a detection per envelope (see page 43 of my “Anti-virus and Anti-trojans Comparative” in "Spybot detects CommomName" at » http://assiste.com.free.fr/p/dossiers/Comp...t_Antivirus.pdf )

Detection by envelope is a heavy fault. No tool having such intrigues will never be authorized to quote. This step was already pathetic 15 or 20 years ago whereas one could already make signatures of contents, even summarily with crc16 or 32. Today, even the md5 or sha1 are on the bolster bus as collisions will be probably obtained soon on demand and the successors of these algorithms are under development.

Random names are, by nature, innumerable and unnamable.

The detection of the code contained is the bare minimum today. Even more, we are not besides there for a long time with polymorphism and hooker (rootkit). The behaviour analysis is necessary. Walk ahead is that of sandbox and other virtualisation “a la” Geswall. It is not a chance if AV Comparative classification emphasizes the multi-engine ones with virtualisation (see before last column of the table at http://assiste.com.free.fr/p/presse_news/c..._assassine.html

I asked you to inform me thoroughly on the technology employed in the Entreprise version of your tool. You scorned my opening. You must understand that it is impossible for me to align me on a simple advertising declaration of the editor of a software. The doubt is the engine of the critical direction.

Cordially

Pierre Pinard
Assiste.com

You can think what you want about RemoveIT Pro but I do know that RemoveIT Pro is helping many people to resolve viruses problem and it is succesful in many cases with threats.
RemoveIT Pro uses filename check to locate viruses, filename check is very effective if you like it or not because many trojans change source of its self and have different MD5 on each infection so filename are one of the ways thing that detect them.
Please also note that standard home user will not create file with trojan filename just to test RemoveIT Pro and it will not judge about some program if it has no experience in programs field. Like I said before you are not expert in antivirus field so please be so kind and remove your review.

Best regards!
Damjan

Hello

The card RemoveIT Pro in "La Crapthèque" have been updated
http://assiste.com.free.fr/p/craptheque/removeit_pro.html

I believe that he refuses to answer my request for information on the technology of the version "Enterprise" of RemoveIT Pro.
I thus think that:
· either it does not exist
· or he knows that it is not credible.

In these 2 cases, RemoveIT Pro reinforces his presence in "La Crapthèque".

RemoveIT Pro wrote:
You can think what you want about RemoveIT Pro

Fortunately!

RemoveIT Pro wrote:
RemoveIT Pro use filename check to locate viruses

We had understood it! It seems that Damjan Irgolic don't have anything to add to defend at least what he calls "the Enterprise version" of its product? Would this be quite simply because there is nothing more inside? And there would even be a server side version ... However I insist heavily so that it speaks to me about it! All occurs, in his remarks, as if there were only one technology, that of the file names.

RemoveIT Pro wrote:
many trojans change source of its self and have different MD5 on each infection

Precisely, this is why I said to you that the analyses had to use behavioural, sandbox, virtualisation like Geswall...

RemoveIT Pro wrote:
so filename are one of the ways

Not! They change also file name (random names!). It is useless and puerile to collect random file names as they only be used once. This is reason why the villains of the Net develop generators of random names: so that they appear only one time and thwart research by envelope.

RemoveIT Pro wrote:
standard home user will not create file with trojan filename just to test RemoveIT Pro and it will not judge about some program if it has no experience in programs field

This signs your step: you take the users for stupid and you thus believe yourselves authorized to sell anything to them because they are inefficient! Beautiful mentality! There is more than 10 years that I communicate on the Net in order to inform the users and you come to preach the obscurantism and his commercial exploitation! I will not allow it to you.

RemoveIT Pro wrote:
you are not expert in antivirus field

Indeed! I am only 35 years old in the compiler, language and system theory. I do not even have 30 years of expertise and consultant in data processing and systems of organization. I was originator, leader projects and I directed teams of data-processing development during 30 years only just to kill time in front of the coffee machine. Assiste.com became the most important French-speaking resource in the world about computers security and privacy because I do not know what I am talking about... The co-optation of the site, the forum and myself within the ASAP (Alliance of Security Analysis Professionals) was undoubtedly done by inefficient notorious (and incidentally MVPs)

· I am thus smelled authorized to give an opinion on your product and on your total lack of expertise as regards antivirus scanners and, more generally, as regards informations systems security
· I feels a duty to communicate this judgement to the greatest number

RemoveIT Pro wrote:
please be so kind and remove your review

We will break there because there is nothing to wait nor to hear from somebody who do not want to defend his product when one gives him the opportunity to do that and which has for only one argument to throw to the face of its interlocutor a peremptory and final "you are not expert in antivirus" without the knowledge of which he has in front of him.

Cordially

Pierre Pinard
Assiste.com

[Elipsons]

Pierre,

J'ai écrit à des dizaines de Sites.

Dom, Co-WebMaster site TSO et ailleurs....peu importe.
http://www.thesiteoueb.net/modules/news/

[pierre]

Bonjour Elipsons

Il faut savoir qu'il n'y a que 20 ou 30 sites au monde qui comptent en matière de sécurité informatique de cette nature (ouverts au "grand public" avec des assistants trapus et pédagogues simultanément, capables d'aller d'un problème de déplacement de la souris à une analyse approfondie du noyau d'un système). Je ne parle pas des sites spécialisés réseaux, honeypots, IDS etc. ...

Ces quelques sites ont un poids énorme auprès des éditeurs et peuvent influer sur un développeur qui c'est fourvoyé dans une impasse en le conseillant et le guidant (on ne peux pas influer, par contre, sur une bande de criminels faisant volontairement ce qu'ils font ni sur un développeur qui campe sur ses positions et est persuadé d'être dans la vérité et d’avoir la science infuse).

Ces quelques sites influents peuvent également peser très lourd dans les choix des éditeurs d'outils majeurs de sécurité (antivirus, anti-spywares, pare-feux...) et les conduire à classifier un code dans leurs bases de signatures.

Je crois aussi à la pédagogie et à l'intelligence, même latente, des individus. C'est pourquoi je te suggère de donner, dans tes interventions sur divers sites pour dénoncer RemoveIT Pro, un minimum de justifications ou, plus simplement, ces deux liens :

La fiche d'information
http://assiste.com.free.fr/p/craptheque ... t_pro.html

La possibilité d'intervenir
http://assiste.forum.free.fr/viewtopic.php?t=16896

Assiste.com est la référence francophone et, de toutes manières, un jour ou l'autre, tous ceux qui font des recherches sur un produit finissent par aboutir ici si nous en avons parlé (en bien comme en mal). C'est l'une des raisons pour lesquelles nous sommes extrêmement prudent et parlons peu tant que nous ne dominons pas complètement un sujet car, pour beaucoup, ce que nous pouvons dire ici est parole d'évangile. Nous n'avons pas droit à l'erreur.

J'ai vu plusieurs de tes interventions à ce sujet partout sur le Net. Elles sont un peu "épidermiques" et je le comprend (tu conseillais ce produit et tu t’aperçois que tu t’es fait avoir ce que personne n’aime ni ne supporte facilement) mais il faut savoir raison garder et non pas asséner aux lecteurs "c'est de la m....", ce qui les prend à rebrousse poil, mais dire "Voilà pourquoi il y a un problème" et faire suivre des liens ci-dessus.

Je t'autorise donc à recopier ces liens et, si tu le souhaites, je puis faire une intervention sur ton forum.

Cordialement