Re: WallWatcher - Spyware?

From: Dan Tseng - WallWatcher author (newsgroups_at_wallwatcher.com)
Date: 09/28/04

Date: 28 Sep 2004 14:35:22 -0700

"B. R. 'BeAr' Ederson" <br.ederson@expires-2004-09-30.arcornews.de> wrote in message news:<1nqp8ubkf2e93.dlg@br.ederson.news.arcor.de>...
> On Sat, 25 Sep 2004 18:17:19 -0400, Miles Fromier wrote:
>
> [Identify regions which an AV regards as suspicious]
> > There may be several such "regions" where changes result in no false
> > alarm - so this is chasing your tail. For example if the def says
> > something like "if there is this and that with some number of
> > interceding code followed by zero or more inconsequential bytes of code
> > and this this[2] and/or that[2] commutative property applies (or that[2]
> > and/or this[1]) with less than 27 bytes interceding...
> >
> > You can see how many changes in different regions can give the same result.
>
> Yes. I wouldn't advise Dan to do these tests. It is most probably not
> worth the immense efforts. The only thing I wanted to point out is that
> the usage of high level language does not necessarily disqualify methods
> used with assembler programs. It's just a lot more time consuming and -
> as the programs are usually much bigger - some kind of bee work....
>
> BeAr

Well BeAr, once you planted the seed, it grew into an irresistible
urge to try a variation of your suggestion. The Norton problem is
gone, but another program, AntiVir ("AVP"), has been saying for months
that WallWatcher contains "Backdoor.vb5" (whatever that is). So, I
installed AVP on a spare computer, turned on its "heuristics" option,
and sure enough, it complained loudly.

So, I proceeded to remove a few sections (functions) at a time from
WallWatcher, and checked each result with AVP. It continued to
complain. By the time I was finished, ALL of the code had been
removed; ALL of the external support modules had been removed; and ALL
of the objects in the WallWatcher window had been removed. In fact,
there was nothing left at all, except whatever Microsoft's compiler
simply couldn't bear to drop from an empty program. AVP still said it
was Spyware.

The person who first reported this to me has been in communication
with the company that makes AVP, and he forwarded this escapade to
them. Finally, they actually took a look at WallWatcher, and wrote
back to him that he was right: they could not find anything suspicious
in the program, and would update their virus definitions in the near
future.

Since I'm retired and derive no income from WallWatcher, these False
Positive incidents have mostly been amusing to me. But, if I were
still earning my living by selling software, these "incidents" would
have been upsetting, to say the least, and likely very costly. Unlike
a bad review in a printed magazine, which a few people may see once
and then forget, everything on the Web remains available for years,
and can cause continuing damage long after the truth comes out.
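The section-by-section elimination Dan describes, automated, as an added example that is not part of the post and is not WallWatcher's code. The scanner is a stand-in that fires on a constructed byte pattern (it is not the real "Backdoor.vb5" signature, which the post never shows), and the section names, section contents and the "runtime stub" are all made up for the demonstration. It also goes one step further than the post: once the removable sections are gone, it narrows the flagged bytes to the shortest window the scanner still fires on, so you can see whether the match sits in compiler-emitted code you cannot remove.

```python
"""Minimise a flagged image against a detector, section by section.

Added example. The scanner, signature and sections below are constructed
stand-ins, not the AV engine or program from the post.
"""
from dataclasses import dataclass
from typing import Callable, Sequence

Scanner = Callable[[bytes], bool]

# Constructed pattern the toy scanner fires on. Hypothetical; not a real signature.
TOY_SIGNATURE = b"\x68\x00\x10\x40\x00\xe8"


def toy_scanner(image: bytes) -> bool:
    """Stand-in for the AV engine: 'detects' whenever TOY_SIGNATURE is present."""
    return TOY_SIGNATURE in image


@dataclass(frozen=True)
class Section:
    name: str
    data: bytes
    removable: bool = True  # False for what the compiler emits even for an empty program


def assemble(sections: Sequence[Section]) -> bytes:
    return b"".join(s.data for s in sections)


def minimise_sections(sections: Sequence[Section], scanner: Scanner) -> list[Section]:
    """Drop removable sections one at a time while the scanner keeps firing.

    Returns the sections that are still needed for the detection. Caveat from
    the thread above: if two regions each trigger the scanner independently,
    the first one tried is dropped (the other keeps the scanner firing), so
    only one culprit is reported per run; fix it and run again to find the next.
    """
    if not scanner(assemble(sections)):
        raise ValueError("nothing to minimise: the original image is not flagged")
    kept = list(sections)
    for s in list(sections):
        if not s.removable:
            continue
        trial = [t for t in kept if t is not s]
        if scanner(assemble(trial)):
            kept = trial  # still flagged without it, so it was not the cause
    return kept


def narrow_bytes(image: bytes, scanner: Scanner) -> tuple[int, int]:
    """Shrink a flagged blob to the shortest contiguous window still flagged:
    advance the start while the remainder is flagged, then retreat the end."""
    lo, hi = 0, len(image)
    while lo < hi and scanner(image[lo + 1:hi]):
        lo += 1
    while lo < hi and scanner(image[lo:hi - 1]):
        hi -= 1
    return lo, hi


# Constructed stand-ins for a program's functions (contents are arbitrary bytes).
APP_FUNCTIONS = [
    Section("Form_Load", b"\x55\x8b\xec\x83\xec\x10\xc9\xc3"),
    Section("LogParser", b"\x55\x8b\xec\x8b\x45\x08\xc9\xc3"),
    Section("TrayIcon", b"\x6a\x00\x6a\x01\xff\x15\x00\x00"),
]


def _stub(data: bytes) -> Section:
    return Section("runtime_stub", data, removable=False)


def case_signature_in_stub() -> tuple[list[str], bytes]:
    """What the post describes: every function removed, scanner still fires.
    Returns the surviving section names and the narrowed flagged window."""
    stub = _stub(b"MZ\x90\x00" + TOY_SIGNATURE + b"\x00" * 8)
    kept = minimise_sections([stub] + APP_FUNCTIONS, toy_scanner)
    image = assemble(kept)
    lo, hi = narrow_bytes(image, toy_scanner)
    return [s.name for s in kept], image[lo:hi]


def case_signature_in_function() -> list[str]:
    """The ordinary case: the pattern sits inside one function, which survives."""
    stub = _stub(b"MZ\x90\x00" + b"\x00" * 8)
    funcs = [Section(s.name, s.data + TOY_SIGNATURE) if s.name == "LogParser" else s
             for s in APP_FUNCTIONS]
    kept = minimise_sections([stub] + funcs, toy_scanner)
    return [s.name for s in kept]


if __name__ == "__main__":
    names, window = case_signature_in_stub()
    print("stub case  :", names, window.hex())
    print("normal case:", case_signature_in_function())
```

With a real engine, `toy_scanner` would be replaced by a function that writes the candidate image to disk and invokes the scanner's command-line interface, and the sections would be whatever unit the build lets you leave out (a function, a module, a resource). When the survivor list contains only the non-removable stub, as in the first case, the match is in code the compiler emits regardless of what you wrote, which is exactly the situation the post reports.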