Postby wkitty42 » Mon Mar 28, 2005 6:20 pm

The following was originally written and posted in the Fidonet WIN95 echo. It is being posted here with full permission of the author who notes that he still retains all copyrights to the article.


----[ WIN95 ]-----------------------------------------------------------------
On: Sun 27 Mar 2005 11:57 (Sent: Sun 27 Mar 2005 12:01)
By: mark lewis
To: all
Re: counterspy "review"
St: Local Sent

well, this is my first "review" type of thing so please bear with me... i've not gone about being very scientific with it, either... i just downloaded, installed and ran the scan on this daily-use box... this message is rather on the "long" side... i remember seeing the line count around 240 while i was writing it but reformatting done by my software will shorten that a bit...

the box:
this box is a celeron 300a with 256 meg of ram running win98se on a 30gig harddrive... there is no modem... only a network card and a sound card... the motherboard is an intel 440bx-2... definitely nothing fancy and pretty far behind the curve of today's machines... this system was set up and installed Dec 21, 2000... it has seen a lot of use over these last 4 years...

getting counterspy wasn't so hard... i just had to give them a name and an email address... of course i created and used a new sneakemail address... "just in case" ya know ;) once this was done, i was carried over to the page where i could download the 13Meg installer... the version of counterspy their download pushed to me was v1.0.29 which i tacked on to the filename since they were sending a "plain" filename, counterspy.exe... i stored it on my machine as counterspy-1.0.29-EVAL.exe since i was not getting the full registered version or a license key...

once the installer was received, i ran it after saving my registry and checking the registry's current startup locations and several other key sections... the installer created three new registry keys in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

"sunasDTServ" = "C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe" ["Sunbelt Software Inc."]

"Default" = (no data)

"sunasServ" = "C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe" ["Sunbelt Software Inc."]

and one new registry key in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\

"Default" = (no data)

i suspect that those "Default" blank ones are coding errors... they were not there before running the counterspy installer... after the reboot, the sunasDTServ key had been converted to all caps... the other two keys stayed the same and the key in the RunOnce section had been removed...

initial update:
when the system reloaded, there was a counterspy icon in the system tray and another one on the desktop... i clicked the one on the desktop to open the program so i could run my first scan...

upon opening, there was a box that popped up in the lower right corner of the screen that said that it was updating the spyware definitions... at this point, the software firewall started popping up alerts as the counterspy updater attempted to access the internet... it was allowed access to which is my filtering proxy and then it also wanted access to a UDP port... the UDP port appears to be used to send back ACKs as each block of downloaded material comes in... for those old timers, yeah, kinda like xmodem ACKs each block ;)

i left the system to run its download for a bit... due to my slow connection, it took a while... during this time, i tried to do a few other things but the counterspy updater had a tight grip on the system... it hadn't even redrawn its own window after i had ok'd the firewall's popups...

i am unable to determine exactly what the updater downloaded... i should have taken a snapshot of the install directory before allowing the update to take place... there are several files in the install directory that contain timestamps consistent with the updater's execution... one of those files is 3Meg in size...

initial scan:
after the updater finished, the program appeared to simply close. i double clicked on the desktop icon again and was greeted with the counterspy splash box and then their "first time execution wizard" which set the defaults and wanted to try updating a second time... i had to clear another UDP port thru the firewall for this... after that, i simply kept clicking NEXT until the wizard was completed... then i ended up at a screen where i could execute the initial system scan... i selected to run a full deep scan on the entire system and added a checkmark to the box to scan the entire drive... then i started the process and watched as counterspy went to work...

after some 4000 files, counterspy said that it had found something it calls NetAware and says that it is surveillance related... i ran into problems at this point because i tried to use the mouse and click on this item to see what it was and to see if counterspy would allow me to look at details while it was running... when i clicked on this item, i saw a box pop up and then disappear... it took me a few times to realize that i had to click and hold so as to keep the box up... unfortunately, there wasn't as much detail in the box as i'd have liked to see... specifically the filename of the suspected infestation...

after i had read what was in this box, i doubleclicked on the name and watched as the program crashed and windows popped up its standard "application fault" box... shrugging our shoulders, i cleared that box off the screen and restarted counterspy... this time i left it to do its thing and went to watch a few shows on television...

the results:
after some 3 hours 40 minutes, counterspy completed the initial full system scan... it said that it had found three spyware products...

recommended action: quarantine
spyware name: NetAware (Surveillance)
threat level: [ELEVATED]

recommended action: ignore
spyware name: Weatherbug (Low Risk Adware)
threat level: [LOW]

recommended action: quarantine
spyware name: Find Protected (Potentially Dangerous)
threat level: [ELEVATED]

the first result is pointing to a shortcut that i had created on my desktop to access one of our network shares for ease of use... the filename is c:\windows\desktop\shortcut to files.lnk

here is what counterspy says about this result...

Type: Surveillance
Level: Elevated
Author: Infiltration Systems

Description: NetAware is a monitoring tool that logs
and records all shared file activity on your computer
or network.

Advice: This is a high risk threat and should be
removed or quarantined as to prevent harm to your
computer or your privacy.

About Surveillance: [blank]

there is nothing dangerous about this link and counterspy completely missed the other three shortcuts to additional network resources on the desktop that were created at the same time and in the same manner... false positive - strike 1...

the second result, weatherbug, i expected... weatherbug installs minibug... minibug retrieves the advertisement skins for the weatherbug application interface...

here is what counterspy says about this result...

Type: Low Risk Adware
Level: Low
Author: WeatherBug

Description: Minibug is an adware that displays ads
on to your computer.

Advice: This is a low risk adware application and
will not cause direct harm to your computer,
removing it is not required. However, it is strongly
recommended that you review this application's End User
License Agreement (EULA) as well as review the
application's privacy policies.

About Low Risk Adware: Low risk adware is an adware
application that is designed to potential show
advertisements via popups. However, this type of adware
program is installed with the user's knowledge and
conforms to the programs EULA which is usually presented
to the user prior to download and during installation. A low risk adware
program will not transmit personal or identifiable information.

we'd already neutered minibug by simply blocking its access to the internet from the firewall...

the last result appears to be another case similar to the first result. this time, it is looking at the unrar.dll file that comes with antivir from antivir uses this dll to look inside archives for virus infected files...

here is what counterspy says about this result...

Find Protected
Type: Potentially dangerous utilities/tools
Level: Elevated
Author: AKS-Labs.

Description: Find Protected is a softare designed to
search for password protected files on local disks and
across a network. With Find Protected you can located
MS Office password protected files and popular password
protected archives, such as WinZip and WinRar. Also,
you can find some encryption systems, such as PGP Disk.

Advice: This is a low risk application and will not
cause direct harm to your computer, removing it is not
required. However, it is strongly recommended that you
review this application's End User License Agreement
(EULA) as well as review the application's privacy

About Potentially dangerous utilities/tools: [blank]

ok? you can do this with most any archiver and some scripting... no big deal... false positive - strike 2

at this point, i simply closed counterspy as i didn't want to do anything with what it had found...

counterspy's interface looks nice and decently thought out... i've not gone tripping around in it other than just to do the scan of this system to see what it was finding...

overall, counterspy appears to be a good package... is it worth the registration fee? i can't really say... that's one of those subjective things... i've not had any problems with the freeware antispyware tools that i've used for several years... i find them to be quite adequate for the job and i've not gotten any false positives from them... just because something costs money or is commercial doesn't make it better (or worse) than something that is free or costs less...


* Origin: (1:3634/12)
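The before-and-after check of the Run and RunOnce keys that the review describes (export the registry, install, export again, compare the startup locations) can be done mechanically by diffing two regedit text exports. This is an added example, not code from the review or from Sunbelt; the sample exports below are constructed, with the "after" entries mirroring the values the review lists, and it assumes the REGEDIT4-style text format that regedit produces.

```python
import re

AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

def parse_reg(text):
    """Parse a regedit text export into {KEY_PATH: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()            # key paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and (m := re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)):
            name = "(Default)" if m.group(1) == "@" else m.group(2)   # @ is the default value
            data = m.group(3)
            if data[:1] == '"' == data[-1:]:        # quoted string: undo \\ and \" escapes
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data              # other types (hex:, dword:) stay raw
    return keys

def diff_autostart(before_text, after_text, watched=AUTOSTART_KEYS):
    before, after = parse_reg(before_text), parse_reg(after_text)
    changes = []                                    # (change, key, value_name, data)
    for key in (k.upper() for k in watched):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new), key=str.lower):
            if name not in old:
                changes.append(("added", key, name, new[name]))
            elif name not in new:
                changes.append(("removed", key, name, old[name]))
            elif old[name] != new[name]:
                changes.append(("changed", key, name, new[name]))
    return changes

# Constructed sample exports; the "after" entries mirror those listed in the review.
BEFORE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]'''
AFTER = BEFORE + "\n" + r'''@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sunasDTServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasDTServ.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"'''
```

Running `diff_autostart(BEFORE, AFTER)` reports the two new launcher values and the two empty default values, and nothing for the unchanged ScanRegistry entry; a value that only changed case, like the all-caps rename the review noticed after reboot, would show as removed plus added.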

Re: CounterSpy "review"

Postby starchild » Sat Aug 25, 2007 4:22 pm

I know this is pretty old but I wanted to ask if there is going to be a review of the latest CounterSpy?
Re: CounterSpy "review"

Postby wkitty42 » Mon Mar 08, 2010 5:20 pm

starchild wrote: I know this is pretty old but I wanted to ask if there is going to be a review of the latest CounterSpy?

there were actually several other reviews written but they either failed to get posted or were lost in a crash of our database server some time back... the person who wrote those reviews hasn't done any more in a while... at least not since sunbelt's vipre technology was released...
