PDA

View Full Version : Spybot and screen scrape



rabbitchaser
2008-09-28, 20:03
I am starting a new thread, but I'm posting the same question from this earlier thread: http:/forums.spybot.info/showthread.php?t=29723
That thread became a little off topic and never really answered the OP question.

Let me start by saying I have used Spybot S&D a very long time and I'm quite happy. I also use SnoopFree and feel that it is an excellent little intrusion catching utility.

So back to the original question. For what purpose does Spybot do a screen read or "screen scrape"?

I hope someone can answer that; perhaps Pepi.

Thanks

rabbitchaser
2008-09-28, 20:21
The link to the original post I referenced should be

http://forums.spybot.info/showthread.php?t=29723

drragostea
2008-09-29, 06:37
I'll just give some contribution to this thread.
Anecdote: In some applications that I use (I don't take down the names), during execution, Comodo Pro's Defense+ (HIP;Hosts Intrusion Prevention) will prompt me that the application is attempting to take a "screenshot" or "snapshot".

I think you are getting this prompt because when Spybot is executed, it does not really take a "snapshot" or anything of that kind... but just to show it's GUI.

My explanation sounds a bit vague, but if someone else can explain it better, feel free.

rabbitchaser
2008-09-29, 08:06
I'll just give some contribution to this thread.
Anecdote: In some applications that I use (I don't take down the names), during execution, Comodo Pro's Defense+ (HIP;Hosts Intrusion Prevention) will prompt me that the application is attempting to take a "screenshot" or "snapshot".

I think you are getting this prompt because when Spybot is executed, it does not really take a "snapshot" or anything of that kind... but just to show it's GUI.

My explanation sounds a bit vague, but if someone else can explain it better, feel free.

Then does Defense+ put up a warning when S&D starts a scan?
You see, SnoopFree does not interfere or halt tea-timer in S&D; but when it is scheduled to do it's daily scan at night it stops it.

I just like to know on my security apps why they do something rather than just give permissions. I know S&D is safe, I just want to know why it is doing a screenscrape or if it doesn't at all, then I need to find why SF says it is.

BTW, doesn't S&D offer hosts protection or am I comparing apples to oranges.

Thanks

drragostea
2008-09-29, 08:45
In my perspective, my assumption is that SnoopFree is producing a false positive.

If you think about it... SnoopFree Privacy Shield 1.0.7 (latest) was released in 2004. That was when Spybot-Search&Destroy... 1.3.x or 1.4.x was released, so it may be a false positive. It's been a long time between these two periods. I'm not so sure if SF relies on heuristics, because there doesn't seem to be detection/definition updates [feature] nor has there been a program update in ages. This is just my assumption and I may be wrong. To sum it up, the major program differences (1.3-1.6) may have caused SF to jump up.

Defense+ does not produce a alert during a scan nor does it produce a prompt when Spybot is executed.
-
As for the "screenscrape" or such, you'll have to get to PepiMK (Patrick M. Kolla) for details.

Spybot-SD does offer HOSTS protection : ).
Read: How does Spybot protect against the installation of malware/spyware (http://forums.spybot.info/showthread.php?t=281)

PepiMK
2008-10-01, 19:35
Hmmmm... not sure what exactly it could mean by that. It does implement accessibility support, which in turn supports screen readers. To determine whether the user has set up any accessibility helper, Spybot when started calls the API function SystemParametersInfo (http://msdn.microsoft.com/en-us/library/ms724947.aspx) (hope the link is correct, MSDN isnt loading here currently) using the parameter SPI_GETSCREENREADER.
Quoting (from an offline MSDN version):

Determines whether a screen reviewer utility is running. A screen reviewer utility directs textual information to an output device, such as a speech synthesizer or Braille display. When this flag is set, an application should provide textual information in situations where it would otherwise present the information graphically.I fail to see what would be dangerous in determining whether accessibility help is running, but htis is the closest thing I could find that could be meant.

bitman
2008-10-02, 00:32
Though it's possible SnoopFree is detecting those API hooks for accessibility support, I think a simpler explanation might also exist. This is a section of the explanation of this feature from the SnoopFree online information site.

http://www.snoopfree.com/help_file/Breaches.htm#Unauthorized%20Screen%20Access

When does a harmless program read the screen?

Some programs will read your screen from time to time. This is most likely to happen while playing a computer game. However, some Windows programs will read your screen to draw fancy fading effects on menus and other controls. The worst thing that can happen to a harmless program if you deny access is that it may not display some special effects properly.
Seems to me the recent addition of the PNG graphics and other items might just as easily have mis-triggered this detection. In an attempt to cover a wide range of potential malware hooks, SnoopFree is going to inherently mis-detect some items by its own admission.

Tools like this are only useful in the hands of experts, since many things they detect require interpretation beyond that of the average user. A perfect parallel is TeaTimer, which has suffered from the same inherent issue. It's perfectly fine for the use of someone like myself, with years of computing and even some programming experience, but confusing and even potentially dangerous to the more common non-technical user.

The fact that several people have posted here and elsewhere about this without ever referencing the above page indicates quite clearly that most are completely unable to interpret what they are being told and simply assume such a program 'must be correct'. Flawed from the beginning.

Bitman

PepiMK
2008-10-03, 12:29
Ah, that could be an explanatio as well, right :)
We usually take care to not use fancy graphics stuff, but even the default controls have some effects (I remember that a silly menu fading thing made Spybot temporarily incompatible with Win95 at a point in the past). And the "tree views" (as in the results list, backups list, and some Tools lists) are non-standard (http://www.safer-networking.org/en/3rdpartylicenses/) and might use some tricks to still get the default XP look done (and they also have special accessibility support integrated). If that is the case, the same error should show for RunAlyzer & TagsRevisited.