LS SteveJ

Everything posted by LS SteveJ

  1. Hello Easter. I cannot comment at this time as to the full set of features that will be included in Ad-Aware 2006, as it is still under development and this will not be made public until the beta testing phase. Proactive protection is the way forward, I agree. The number of malwares coming out daily is just getting ridiculous. However, the biggest problem with pure proactive / heuristic protection is that a human being has not evaluated the file that is being blocked. Whereas this may be OK in the A/V industry, where a virus is simply a virus, in the adware/spyware industry the threat levels vary on a large scale and the line between good/bad is very clouded. This line is very important to both the users and the vendors, as many vendors accept that some users will remove them, and some users may accept the risk level to get some "free music" or something... So my point is... if you want to go with heuristics and block everything, you open yourself up to a ton of legal issues. How does heuristic protection know how bad something is based on a signature that flags something as a downloader, for example? Many innocent programs install by downloading their own installation files. My personal opinion on this matter... and believe me, it is a topic of discussion, is that anti-spyware vendors may push ahead too quickly with wanting to adopt the A/V style of detection and open themselves up to some very serious legal problems. Also, one of the side effects of this as well is that vendors will no longer have any reason to change their business models for the better. Lavasoft rates vendors according to the TAC scale. If a vendor makes a serious change to their software that merits a reduction in threat level, then this will be reflected in the TAC rating - even going so far as to remove things from our database altogether. 
With this form of impartial rating, vendors have an incentive to change their software, and also learn that they can change their business model while still producing revenue. It pains me to see that certain other anti-spyware vendors refuse to alter the threat level of software in these cases - why does it pain me? Well... ask yourself a question... if you need to make money, and your software is being deleted because its threat level is too high, plus any attempts to change the business model / software generate no change from the side of the anti-spyware vendors, what is your only option? GET MORE AGGRESSIVE... this unfortunately is the only way out for many.... they must find more aggressive ways of getting onto the system, and staying on the system. So at best, removing everything just elevates the war... it's a classic "arms race"... In conclusion, I would like to say that we must move forward with heuristics... but I believe that the level of heuristics we use should be based on the nature of the family in question. As you correctly state, some of the really stubborn or nasty ones (Look2Me, Nail, DollarRevenue etc.) and also things that exhibit keylogging behaviour should be blocked by a very high degree of heuristics.... however, the closer you get to that grey line, the more careful you have to be... at this point the level of heuristics should probably resemble the same kind of detection that our current CSI method uses: the ability to spot new variants of already known families. Thus we can employ the correct TAC level for that particular file... I am of the strong belief that this form of "pseudo-heuristic" detection will be the norm in the future, and that moving to fully heuristic detection (as powerful as it may be) should be done with caution and certainly be an option that the USER must activate.... Let me know your thoughts on this... Thanks //Steve
  2. Keliboo. Is that the scan log from before or after your computer started to act strange? If this is the scan log from before, then I see nothing that could possibly indicate that Ad-Aware has changed your internet connectivity in any way. Could you check all the logs on that machine and make sure you are posting the one from the scan that you made right before you encountered the problem? Thanks //Steve
  3. Symptom: Ad-Aware freezes during the memory scan. Cause: This can be caused by one of the realtime shields in the SpySweeper 5 application. Resolution: SpySweeper's producer, Webroot, has been informed of the compatibility issues with ours and other applications. For the time being, you should disable SpySweeper realtime protection while performing an Ad-Aware scan.
  4. This forum relates to reports of infections where we know the name of the offending family. Therefore I am moving this to the Ad-Aware Support forum.
  5. Hello hbman. To get this to work, you must surround the entire command with speech marks, but make sure the slashes are outside, otherwise Windows may try to interpret the forward slash as something to do with paths and convert it to a backslash. ex:
     "%programfiles%\lavasoft\ad-aware SE professional\ad-aware.exe" /full +nodefnotice +update
     More on this problem can be found here. Hope this solves your problem. Best Regards //Steve
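The quoting rule in the post above, checked in code. This is an added example, not code from the original post or from Lavasoft: it re-implements the Microsoft C runtime's command-line-to-argv splitting (simplified legacy rules, without the `""`-inside-quotes special case) so the effect of putting the quotes in the right or wrong place can be observed on any platform, and it uses `subprocess.list2cmdline` to build the line mechanically instead of by hand. The path and switches are the ones from the post; Ad-Aware does not need to be installed, since nothing is executed.

```python
"""Windows command-line quoting: quote the path, keep the switches outside.

Added example; not code from the forum post or from Lavasoft. The parser below
follows the (simplified) MS C runtime rules so the result can be checked
without Windows.
"""
import subprocess

# Path and switches from the post. %programfiles% is expanded by cmd.exe before
# the program is started, so here it is just literal text.
EXE = r"%programfiles%\lavasoft\ad-aware SE professional\ad-aware.exe"
SWITCHES = ["/full", "+nodefnotice", "+update"]


def parse_windows_cmdline(cmdline: str) -> list:
    """Split a command line the way the MS C runtime builds argv (simplified)."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            # Backslashes are literal unless they precede a double quote:
            # 2n backslashes + quote -> n backslashes, quote toggles quoting;
            # 2n+1 backslashes + quote -> n backslashes plus a literal quote.
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2 == 1:
                    cur.append('"')
                    j += 1  # the quote was consumed as a literal character
            else:
                cur.append("\\" * count)
            have_arg, i = True, j
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args


def build_scan_cmdline() -> str:
    """Let the standard library quote each argument instead of doing it by hand."""
    return subprocess.list2cmdline([EXE] + SWITCHES)


def switches_seen_by(cmdline: str) -> list:
    """The switches the scanner would actually receive (argv[1:])."""
    return parse_windows_cmdline(cmdline)[1:]


# Correct form from the post: only the path is inside the speech marks.
GOOD = '"' + EXE + '" /full +nodefnotice +update'
# The mistake the post warns about: the whole command wrapped in speech marks,
# so the switches become part of one (non-existent) program path.
BAD = '"' + EXE + ' /full +nodefnotice +update"'

if __name__ == "__main__":
    print(build_scan_cmdline())
    print("good:", switches_seen_by(GOOD))   # ['/full', '+nodefnotice', '+update']
    print("bad: ", switches_seen_by(BAD))    # []
```

`build_scan_cmdline()` produces exactly the line from the post, and parsing it back gives four arguments, whereas the fully quoted form collapses to a single argument with no switches at all. One related pitfall the parser also reproduces: a quoted path that ends in a backslash (`"C:\Program Files\"`) swallows the closing quote, so such a trailing backslash has to be doubled.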
  6. Hello jinnyj. Your problem is actually unrelated to the topic you have posted in, as this was a specific problem from a few weeks ago which is now resolved... please start a new topic. We will be closing this topic... thanks //Steve
  7. We are thrilled to announce that one of our long term and most active forum members, "CalamityJane" has joined the Lavasoft team. Jane is very well known within computer security circles and can be seen throughout the various security forums, providing assistance to any and all who need it. Jane is very well versed in all windows operating systems and holds a Microsoft MVP (Most Valued Professional) in recognition of her work for users of the Microsoft Windows operating system. Link here CalamityJane is now known as "LS CalamityJane" and will continue her role providing excellent online support for Lavasoft users. We welcome her to the team and hope that she will enjoy her role in one of the largest and most successful Anti-Spyware companies. Congratulations CalamityJane!
  8. What is really strange about this is that I have received no notification from them as to the problem... but I will get in contact with them and try to straighten this out... Thanks //Steve
  9. Actually I would like to correct this. It is up to the user to decide whether or not they wish to remove something. Lavasoft provides an impartial risk assessment and a means to remove these items (Ad-Aware) if the user so desires. We do not instruct the user to delete anything, nor does Ad-Aware delete anything by default (unless instructed to do so). However, we do inform you of the consequences of not removing these objects. Negligible items are objects in our database that have a threat level of 2 or below. These are families which have been lowered to such a level that they can no longer be considered a threat. It is up to you whether or not you wish to remove them, but when they have reached risk level 2, they do not pose a serious threat to your system. Thanks //Steve
  10. These kinds of conflicts do occur with security applications due to the fact that they are looking for the same signatures. The way around it is to accept the warnings from Ad-Watch, and add McAfee to the ignore list if it appears in a scan. McAfee should not be recommending the removal of Ad-Aware, as the ignore list function resolves this problem. Thanks //Steve
  11. I would like to point out that this forum is for support of Lavasoft products and this thread is fast becoming a support thread for the NoAdware product. The "start page shield" discussion has very little to do with the detection of NoAdware by Ad-Aware and I will be closing this thread, as there really is very little more to be added to this discussion. My latest post explains our current position on this matter. Thanks //Steve
  12. Update to this situation: Please note that NoAdware is in a probationary period. This means that it is open to discussion by the security community, and our users, as to whether or not this application should be removed from detection. I would kindly ask people to provide their commentary on the steps we are taking. Thanks //Steve
  13. If you are repeatedly receiving a "Your definition file maybe out of date" message, though you still get "No new updates available" when trying to do a webupdate, then there are a couple of things you can try.
     1. Delete any definition files in the "c:\Program Files\Lavasoft\Ad-Aware SE" folder. (This file is usually "defs.ref".) (The folder name will change depending on whether you have Pro / Plus / Free.) There may also be a defs.ref.old; you can safely delete this too. Then try a webupdate.
     2. Check your "hosts" file. It could be that a malware has changed it so that connections to our update server are not working. Your hosts file is located in "c:\windows\system32\drivers\etc\". Open the file "hosts" with Notepad. If you see any references to "" or anything else regarding Lavasoft, you should remove them. Now try your webupdate again.
     3. If the first 2 methods do not work, then you should try a manual update. Update the definition file by downloading the zipped definition from
        Unzip this file and you will get a "defs.ref" file. This file should be copied to "c:\Program Files\Lavasoft\Ad-Aware SE\" (the folder name will change depending on whether you have Pro / Plus / Free). Now load Ad-Aware. If the definition file is still showing your old one, then click on the settings icon (the cog wheel), then click "General". At the bottom right, there is a box saying "Using Definition File". Click the "Open file" icon next to that box and then browse to the definition file in "c:\Program Files\Lavasoft\Ad-Aware SE\" (the folder name will change depending on whether you have Pro / Plus / Free). Select it and press Open. You should now have the latest version.
     4. If all of this fails, please contact technical support, or post a question on the support forums. It could be that you have a sneaky malware on your system that is disturbing your internet connection to certain servers and it needs to be removed first.
     Please make sure you try ALL of the methods above before posting a question. Thanks //Steve
     Edit by LS Joakim 27 March 2007: I changed the definition download-links to the correct addresses used.
     Edit by CalamityJane 20 July 2006: to correct download updates URL from TO:
  14. Hello. You are experiencing a false positive on the iTunes installer in memory. There is nothing malicious going on here and this is occurring most probably due to a recent update in the iTunes installer that is conflicting with a malware signature. This will be addressed in the next definition update, but for now you can "Accept" the harmful process when Ad-Watch informs you... Thanks //Steve
  15. Hello. Please also post an Ad-Aware scan log of these detections. Thanks //Steve
  16. Hello leyupab. Please submit this file to us at
      Label your submission as "False Positive - Python File". Thanks //Steve
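Step 2 of the post above (check the hosts file for entries that redirect the vendor's update server) as an added example; this is not code from the post or from Lavasoft. It parses a hosts file, flags any entry whose hostname matches a keyword such as "lavasoft", and also flags any non-localhost name that is sunk into a loopback or unspecified address, which is the usual way malware blocks update checks. The hosts text is constructed for the demo and every hostname in it is hypothetical; the update-server address the post refers to is not known from the page, so the match is by keyword.

```python
"""Find (and optionally strip) hosts-file entries that would block a vendor's
update server. Added example, not code from the forum post or from Lavasoft.
The sample hosts content is constructed; the hostnames are hypothetical.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample hosts file. Lines 4-7 are the kind of tampering the post
# describes; line 8 is an ordinary, legitimate mapping.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.lavasoft.example   # added by malware
0.0.0.0         www.lavasoft.example
127.0.0.1       download.some-av-vendor.example
198.51.100.7    defs.lavasoft.example
192.0.2.10      intranet.corp.example
"""

# Addresses that make a name unreachable: loopback and "unspecified".
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalises e.g. ::1
        except ValueError:
            continue                              # malformed line, skip it
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def find_hijacked_entries(text: str, keywords=("lavasoft",)) -> List[Tuple[int, str, str]]:
    """Entries naming a keyword host, or sinking any non-localhost name into a
    loopback/unspecified address. Either pattern breaks update downloads."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    suspicious = []
    for lineno, ip, host in parse_hosts(text):
        if host == "localhost":
            continue                              # the two standard lines
        if pattern.search(host) or ip in SINK_ADDRESSES:
            suspicious.append((lineno, ip, host))
    return suspicious


def clean_hosts(text: str, keywords=("lavasoft",)) -> str:
    """Return the hosts text with the flagged lines removed, everything else intact."""
    bad = {lineno for lineno, _, _ in find_hijacked_entries(text, keywords)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip:<15} {host}")
    print(clean_hosts(SAMPLE_HOSTS))
```

The loopback rule is deliberately broad: an ad-blocking hosts list maps thousands of names to 0.0.0.0 on purpose and would be flagged too, so treat the output as a review list rather than deleting blindly, which matches the post's "it is up to you". On Windows the file is `%SystemRoot%\System32\drivers\etc\hosts` and writing it back needs an elevated prompt.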
  17. Can I change the user interface language? No. Lavasoft Personal Firewall is only available in English for now.
  18. I have password-protected my Lavasoft Personal Firewall but forgot my password. What should I do? Do one of the following:
     • Reinstall the firewall.
     • Delete the configuration file for the firewall, called configuration.cfg (by default located in the Lavasoft Personal Firewall installation folder), and create a new configuration file.
  19. Attack Detection is a very powerful intrusion detection system. It is built into the program and it will protect from existing and future hacker attacks. The IDS module screens inbound data and determines its legitimacy either by comparing it against a set of known attack fingerprints or by performing behaviour evaluation analysis.
  20. A suspicious packet is a single access to any closed port on your PC. To maintain minimal false positives, these packets are not qualified as non-legitimate actions. The firewall displays a Port Scan message only if several suspicious packets are received from one remote host within a specified time interval.
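The rule stated in the two posts above (a single packet to a closed port is merely "suspicious"; a Port Scan alert is raised only when several such packets come from one remote host inside a time window) as an added example. It is not code from the posts or from Lavasoft Personal Firewall, whose real thresholds are not given on the page: the threshold of 5 hits, the 10-second window, and the packet capture are assumptions made for the demo.

```python
"""Sliding-window port-scan heuristic: count hits on closed ports per source and
alert when the count inside the window reaches a threshold.

Added example; not code from the forum posts or from Lavasoft. Threshold, window
and the capture below are assumptions for the demo.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Optional


class Packet(NamedTuple):
    ts: float    # seconds since start of capture
    src: str     # remote host address
    dport: int   # destination port on this machine


# Constructed capture (not real traffic). This host listens on 80 and 443 only.
LISTENING = {80, 443}
CLOSED_PORTS = set(range(1, 1024)) - LISTENING

SAMPLE_PACKETS = [
    # 203.0.113.5 sweeps common service ports within a second: a scan.
    # Its hit on port 80 goes to a listening port and is not suspicious.
    Packet(1.0, "203.0.113.5", 21), Packet(1.1, "203.0.113.5", 22),
    Packet(1.2, "203.0.113.5", 23), Packet(1.3, "203.0.113.5", 25),
    Packet(1.4, "203.0.113.5", 80), Packet(1.5, "203.0.113.5", 135),
    Packet(1.6, "203.0.113.5", 139), Packet(1.7, "203.0.113.5", 445),
    # 198.51.100.9 touches one closed port every 30 s: suspicious, but no alert
    # with a 10 s window (this is the false-positive control the post describes).
    Packet(0.0, "198.51.100.9", 445), Packet(30.0, "198.51.100.9", 139),
    Packet(60.0, "198.51.100.9", 135), Packet(90.0, "198.51.100.9", 21),
    Packet(120.0, "198.51.100.9", 22),
    # 192.0.2.44 is a busy but legitimate web client hitting an open port.
    *[Packet(5.0 + i * 0.01, "192.0.2.44", 80) for i in range(50)],
]


class PortScanDetector:
    """Per-source sliding-window counter of packets to closed ports."""

    def __init__(self, closed_ports, threshold: int = 5, window: float = 10.0):
        self.closed_ports = set(closed_ports)
        self.threshold = threshold
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._alerted: Dict[str, float] = {}   # last alert time per source

    def observe(self, pkt: Packet) -> Optional[dict]:
        """Feed one packet; return an alert if this packet completes a scan."""
        if pkt.dport not in self.closed_ports:
            return None                        # open port: ordinary traffic
        q = self._hits[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window:
            q.popleft()                        # expire hits outside the window
        if len(q) >= self.threshold:
            last = self._alerted.get(pkt.src)
            if last is None or pkt.ts - last > self.window:
                self._alerted[pkt.src] = pkt.ts  # one alert per source per window
                return {"src": pkt.src, "hits": len(q), "at": pkt.ts}
        return None

    def run(self, packets) -> List[dict]:
        """Replay a capture in time order and collect the alerts."""
        alerts = [self.observe(p) for p in sorted(packets, key=lambda p: p.ts)]
        return [a for a in alerts if a]


def run_demo(packets=SAMPLE_PACKETS, threshold: int = 5, window: float = 10.0) -> List[dict]:
    return PortScanDetector(CLOSED_PORTS, threshold, window).run(packets)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"Port Scan from {alert['src']}: {alert['hits']} closed ports in window, t={alert['at']}")
```

With the demo settings only the fast sweep from 203.0.113.5 produces an alert (on its fifth closed-port hit); the slow prober never accumulates five hits inside 10 seconds, and the web client is never counted because it only touches a listening port. Widening the window to 200 seconds makes the slow prober trip the detector as well, which is the trade-off the post's "specified time interval" controls.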
  21. The Rules Wizard is the operation mode which allows you to decide each application's permissions to use the Internet. You will be notified whenever an application first tries to send or receive data. Rules Wizard is the default operational mode and is recommended for most users. If a rule is made for an application then the Rules Wizard will not be displayed again for that specific application. If there is no rule for the application then the Rules Wizard will be displayed again the next time that application tries to send or receive data.
  22. System ports can be classified as:
     • Used - the port is used by the system or some application for incoming or outgoing connections.
     • Listen - the port is used by the system or some application to receive incoming messages.
     • Unused - the port is not used for any incoming or outgoing connections, but the port is listed in the system.
     • Blocked/filtered - regardless of whether it is used or not, access to the port is forbidden according to Lavasoft Personal Firewall rules. Packets are dropped by the system and a 'port unreachable' ICMP message is sent to the packet source.
     • Allowed - regardless of whether it is used or not, access to the port is allowed according to Lavasoft Personal Firewall rules.
     Unused ports can be put in stealth mode. A port in stealth means that packets sent to it are simply ignored by the firewall without notifying the source via any ICMP or TCP message. If a port is in listen or used, any invitation from an outside source to communicate is either accepted or a 'port unreachable' notification is sent; therefore that port is not and cannot be in stealth mode. An open port is a port that is in listen and allowed by Lavasoft Personal Firewall. A closed port is a port that is blocked by Lavasoft Personal Firewall regardless of the port's state (whether it is in listen, used or unused states).
     Important: Know that netstat.exe and the Open Ports category in the Lavasoft Personal Firewall's left pane cannot be used for detecting whether a port is open or not. 'Listening' in terms of netstat simply means 'waiting for an inbound connection' regardless of whether it is allowed or blocked by Lavasoft Personal Firewall. Also note that the information displayed in the Open Ports category in Lavasoft Personal Firewall's left pane lists those ports that are monitored by the firewall at the moment, but not all of them can actually be open on the network.
  23. From a security point of view, TCP and UDP ports on your system are divided into several groups according to the probability of an attacker using them to break in. Attempts to access ports that are assigned to vulnerable services like DCOM or RPC must be regarded as a serious indication that you are being maliciously probed. Vulnerable ports are divided into two groups: System and Trojan. System ports are vulnerable because they are often open for everyday system services. Trojan ports are those known to be exploited by Trojan horses. We recommend paying special attention to the following ports:
     System: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 137, 139, 143, 389, 443, 445, 1002, 1024-1030, 1720, 1900, 5000, 8080
     Trojan: 21, 23, 25, 80, 113, 137, 139, 555, 666, 1001, 1025, 1026, 1028, 1243, 2000, 5000, 6667, 6670, 6711, 6776, 6969, 7000, 8080, 12345, 12346, 21554, 22222, 27374, 29559, 31337, 31338
     Lavasoft Personal Firewall lets you create a list of ports that are tempting to attackers. Lavasoft Personal Firewall will pay particular attention to this area while monitoring network traffic. To manage the list of vulnerable ports, click the Advanced tab in the Attack Detection settings dialog and then, in Vulnerable ports, click Specify.
  24. Lavasoft Personal Firewall has different operational modes to choose from to meet the protection level you prefer. It gives a wide choice of protection levels: you can totally block all Internet access of every application on your computer or allow full access to every application. There are five different operational modes:
     1. Block all - All network connections are disabled.
     2. Block most - All network connections are disabled except those applications you enable.
     3. Rules Wizard - You enable or disable applications when they first run. The Rules Wizard mode is chosen by default.
     4. Allow most - All network connections are enabled except those applications you disable.
     5. Disable mode - All network connections are enabled.
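The open / closed / stealth distinction in the post above, observed from the outside with a TCP connect probe, as an added example (not code from the post or from Lavasoft). "Open" is a connection that is accepted, "closed" is a refusal that comes straight back (a TCP RST, or an ICMP port unreachable), and "stealth" is no reply at all, so the probe times out. The demo creates a real listener on a loopback port for the open case and picks an unused loopback port for the closed case; the stealth case cannot be produced on loopback without a filtering firewall in the path, so that branch only fires against a host that really drops the packets. The host, ports and timeout are demo assumptions; only probe machines you are authorised to scan.

```python
"""Classify a TCP port from the network side: open, closed, stealth, unreachable.

Added example; not code from the forum post or from Lavasoft. Demonstrated on
loopback so it runs offline; point probe_tcp() at another host to see the
'stealth' result the post describes.
"""
import socket
from contextlib import closing


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed', 'stealth' or 'unreachable' for host:port."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"              # listening *and* allowed through the firewall
        except ConnectionRefusedError:
            return "closed"            # RST or ICMP port unreachable came back
        except socket.timeout:
            return "stealth"           # silently dropped: no RST, no ICMP, no answer
        except OSError:
            return "unreachable"       # no route to host and similar


def listening_socket() -> socket.socket:
    """Open a real listener on an ephemeral loopback port (the 'open' case)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def free_port() -> int:
    """Pick a loopback port nothing is listening on (the 'closed' case)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Probe one open and one closed loopback port; return the classifications."""
    srv = listening_socket()
    try:
        open_port = srv.getsockname()[1]
        return {
            "open": probe_tcp("127.0.0.1", open_port),
            "closed": probe_tcp("127.0.0.1", free_port()),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for expected, got in demo().items():
        print(f"expected {expected:<7} -> probe says {got}")
```

This is also the practical answer to the post's warning about netstat: a socket can be LISTENING locally and still probe as "closed" or "stealth" from outside if the firewall blocks it, so the network-side result, not the local socket state, is what tells you whether a port is open.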
  25. Allow and Block Once are available only for outgoing TCP connections. If you are in Rules Wizard mode these connections are on hold until you answer the question to Allow it or Block it. Outpost blocks all other connections (incoming TCP and UDP) even in Rules Wizard mode and only after that does it show the Rules Wizard dialog. At that point you can create a rule but you cannot Allow or Block a particular connection or packet because it will already have been blocked.