True Sword FP (I hope)



SG1windowsxp
2006-07-30, 21:44
--- Search result list ---
True Sword: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350

True Sword: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350.1

True Sword: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{25982EAA-87CC-4747-BE09-9913CF7DD2F1}

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

(Pat)

md usa spybot fan
2006-07-30, 22:04
Pat:

I do not have that final say on if something is or is not a false positive because I do not deal with the detection rules. But from what I see this is not a false positive but rather a false hope on your part that it is not.

Read this from Symantec:
TrueSword
http://www.symantec.com/security_response/writeup.jsp?docid=2006-062816-5804-99&tabid=1
Quote from:
The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites by Eric L. Howes
http://www.spywarewarrior.com/rogue_anti-spyware.htm

True Sword securitystronghold.com ridiculous false positives work as goad to purchase [A: 1-3-06 / U: 1-3-06]

MisterW
2006-07-31, 11:55
md usa spybot fan is right: True Sword seems not to be a false positive and will not be removed from our detection.

Best regards
Markus

bubba
2006-07-31, 15:35
Quote: True Sword is not a false positive and will not be removed from our detection.

Hello Markus,

If we set aside the fact that TrueSword being installed would be a legitimate find in regards to a Rogue type program and only focus on the eSellerate registry entries....should eSellerate (an online company of Digital River via the purchase of MindVision) by itself be flagged or not?

Regards,
Bubba

MisterW
2006-07-31, 17:05
So if the program flags another useful tool we have to find a way that it will only flag the bad parts of it!

I could not find any "good" software that uses the eSellerate keys but perhaps I am blind. :scratch:
Which software do you mean is flagged by these entries? Could you send me a link or some samples?

regards,
Markus

bubba
2006-07-31, 17:47
Quote: I could not find any "good" software that uses the eSellerate keys but perhaps I am blind. :confused:

I will not view it as you being blind ;) ....I feel these eSellerate type entries only will be raising their head more so given Digital River only recently purchased MindVision\eSellerate....which means you may be seeing more of these eSellerate only entries :confused:


Quote: Which software do you mean is flagged by these entries? Could you send me a link or some samples?

This is the first I have seen of this possible problem and it was brought to our attention by the thread starter above in this Wilders thread (http://www.wilderssecurity.com/showthread.php?t=141268) that was started yesterday. I suggested they create a thread @ your official Forum concerning this matter since I am not privy to you all's detection rules or criteria. Perhaps if the thread starter could post a complete log of the scan result that flagged the entries it would possibly eliminate True Sword as being part of the equation if eSellerate were the only entries found :confused:

Also....whether this was a true test or not....I deliberately added via a .reg file yesterday the below shown reg entries only and Spybot did flag the 3 entries as True Sword.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350]

[HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350.1]

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{25982EAA-87CC-4747-BE09-9913CF7DD2F1}]

I realize that might not be of much help but that's what I found and as time permits I have been looking further into this new eSellerate development as it relates to Digital River.

Digital River Buys eSellerate (http://sharewareblogs.com/Digital-River-Buys-eSellerate)

Regards,
Bubba

md usa spybot fan
2006-07-31, 19:27
Just as a note:

I originally found the Symantec article that I referenced in my original post by the actual Spybot detections listed by SG1windowsxp (http://forums.spybot.info/member.php?u=9872), not the name of the detections (TrueSword).

If you go into the following Symantec article and click the "TECHNICAL DETAILS" tab, there is a complete listing of what Symantec thinks is added with TrueSword (including the three (3) detections that SG1windowsxp (http://forums.spybot.info/member.php?u=9872) posted):
TrueSword
http://www.symantec.com/security_response/writeup.jsp?docid=2006-062816-5804-99&tabid=1

bubba
2006-07-31, 20:01
As an additional note in case the above mentioned Wilders link is not followed:

This poster has stated in the Wilders thread that they "buy lots of stuff online, and eSellerate is a vendor often used". That being the case....perhaps it will be important to know from this user if there was an eSellerate program such as eSellerate 2.5 (http://www.tucows.com/preview/275352) purposely installed which could be the reason for the ESellerate registry entries ?

bVolk
2006-08-01, 04:02
I let Spybot S&D delete the three True Sword registry entries and next my Registry Compactor program started to throw errors. After restoring the deleted entries Registry Compactor runs smooth again.

I purchased Registry Compactor in 2004 from Rose City Software and the order was processed by the eSellerate e-commerce system.

MisterW
2006-08-01, 11:05
After bVolk gave me some information about a tool where the FP exists, I could check the problem and now I can confirm that there is a False Positive in the detection. It will be removed with the next update scheduled for the end of the week.

:bigthumb:

SG1windowsxp
2006-08-02, 12:05
Anyway... for good or ill, I let Spybot erase the entries mentioned in my 1st post. {By the way, I had not bought the bogus security app True Sword and hence, not being a programmer and not a real whiz bang security guy, apparently - I didn't quite see what the tie in was/wasn't with the two companies, etc.}

Parenthetically, while running a trial ver. of Trend Micro's AntiSpyware, it too pegged an eSellerate registry mention as being a baddie, but not True Sword; however, TM's AS also pegged NirSoft's ShellExView, Vcom's PowerDesk 6.0, and Analog X's Script Defender as bad guys... so take that with a grain of salt, I guess.

But, good to see Spybot team on top of things, as I read they will be taking care of this Fp in update later this week, I read here.

Many thanks for help, info on this.

SG1windowsxp (Pat)... living and learning, thanks to these great forums and folks always willing to assist.

SG1windowsxp
2006-08-02, 12:18
As an addendum: no, I've not any eSellerate app, per se (or not that I am aware of). It's been just, as far as I know, that when buying apps online a given seller uses that particular vendor.

Also, happened to notice today that there's also a few Control and Engine .dlls (from eSellerate) in the SYSTEM32 dir. No idea what that's about; seems a bit much to get from a co., just from buying an app or two through them, though. ???

These folks work for Google and/or the CIA, by chance? <g>

SG1windowsxp (Pat)

Mike...
2006-08-04, 03:11
Gotta love those false positives. Always glad to find threads like this one. ;)

Anyway, I knew it was a FP because I know a completely legitimate company that uses the eSellerate purchasing system.

Head over to http://www.fscloud9.com/, they make Microsoft Flight Simulator add-ons. I bought a scenery add-on from them (and a boxed set before, bought in a store). You've got the scenery (or aircraft or whatever) installer, it installs a demo version of the product. You can try it. Then through the MS Flight Simulator interface, you can click on buy and a pop-up window will appear for your name, address, credit card info, etc... Secure connection, e-mail confirmation, no problems. And the purchase process activates the scenery. And no illegal activities with the credit card after the purchase. ;)

By the way, I only got True Sword: Library (File, nothing done) C:\WINDOWS\eSellerateEngine.dll


Talking about false positives, I got two more results, returning favorites:

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Windows.Explorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-823518204-879983540-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=W=0

Does Spybot really need to report just those two things? If it finds those changes along with other fishy stuff, fine, but I don't see the "spy" in those registry keys.

Rosenfeld
2006-08-05, 03:20
They are not false positives.

Spybot is flagging that the settings are not the expected defaults (!=W=2 means the data for that value is not the expected 2). Of course if you disabled Security Center and disabled Active Desktop changes deliberately, then you know it's OK, but if you didn't then you would investigate further.

If you set them deliberately, you can left click on one to highlight, then right click, click on exclude this detection from further searches and they won't show up again.

MisterW
2006-08-07, 11:15
Ok, seems like there is a little bit confusion now. The keys

True Sword: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350

True Sword: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350.1

True Sword: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{25982EAA-87CC-4747-BE09-9913CF7DD2F1}

have been false positives because they are used by some legit applications, too. So we decided to correct our detections.

The keys

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Windows.Explorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-823518204-879983540-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=W=0

are not false positives. They are Windows settings which often get changed by some malware. If you have made these changes yourself, please ignore these detections.

Best Regards,
Markus :D:
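The two kinds of detection Markus separates above (a key or file that merely exists, versus a Windows setting reported as `<value>!=W=<expected>` because it differs from its default) can be told apart mechanically from the scan log. The following is an added example, not Spybot's own code or part of this thread: it parses the "Search result list" format shown in the posts above, splits the `!=W=` suffix into the value path and the expected data (reading that token the way Rosenfeld and Markus do, which is an assumption about Spybot's report format), and tags each hit as a presence detection, a deviation from a default, or a presence detection on an artifact the thread established is shared with legitimate eSellerate-based installers. The sample log is constructed from lines quoted in this thread; the service Start-type names are the standard Windows values.

```python
"""Parse a Spybot S&D 1.4 'Search result list' and triage the hits.

Presence detections (Registry key / File) only say an artifact exists;
deviation detections (Registry change, '<path>!=W=<expected>') say a
setting differs from the data the rule expects. The two need different
follow-up, as the thread above shows.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Family: Kind (Category, action)" header line, e.g.
# "True Sword: Root class (Registry key, nothing done)"
HEADER_RE = re.compile(
    r"^(?P<family>.+?): (?P<kind>.+?) \((?P<category>[^,]+), (?P<action>[^)]+)\)$"
)
# Assumption: the token after "!=W=" is the DWORD data the rule expects
# (the thread reads "Start!=W=2" as "Start is not the expected 2").
CHANGE_SEP = "!=W="
# Standard meanings of a service's Start DWORD under HKLM\SYSTEM\...\Services\<svc>.
SERVICE_START = {"0": "Boot", "1": "System", "2": "Automatic", "3": "Manual", "4": "Disabled"}

# Constructed allow-list: artifacts this thread found are also written by
# legitimate eSellerate-based installers (Registry Compactor, FS add-ons).
SHARED_ESELLERATE = {
    r"HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350",
    r"HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350.1",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{25982EAA-87CC-4747-BE09-9913CF7DD2F1}",
    r"C:\WINDOWS\eSellerateEngine.dll",
}

# Constructed sample, assembled from lines quoted in the thread.
SAMPLE_LOG = r"""--- Search result list ---
True Sword: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\eSellerateControl.350

True Sword: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{25982EAA-87CC-4747-BE09-9913CF7DD2F1}

True Sword: Library (File, nothing done)
C:\WINDOWS\eSellerateEngine.dll

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Windows.Explorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-823518204-879983540-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges!=W=0

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
"""


@dataclass
class Detection:
    family: str
    kind: str
    category: str               # "Registry key", "Registry change", "File", ...
    action: str                 # e.g. "nothing done"
    location: str               # registry or file path, without any !=W= suffix
    expected: Optional[str] = None  # expected data, only for "Registry change"

    @property
    def is_deviation(self) -> bool:
        return self.expected is not None

    @property
    def value_name(self) -> str:
        return self.location.rsplit("\\", 1)[-1]


def parse_results(text: str) -> List[Detection]:
    """Pair each header line with the location line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    out: List[Detection] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m or i + 1 >= len(lines) or not lines[i + 1]:
            i += 1
            continue
        loc, expected = lines[i + 1], None
        if CHANGE_SEP in loc:
            loc, expected = loc.split(CHANGE_SEP, 1)
        out.append(Detection(location=loc, expected=expected, **m.groupdict()))
        i += 2
    return out


def classify(d: Detection, shared=SHARED_ESELLERATE) -> str:
    """'deviation': a setting differs from default, ask who changed it.
    'shared-artifact': present, but also written by legitimate software.
    'presence': present, no known legitimate owner in the allow-list."""
    if d.is_deviation:
        return "deviation"
    if d.location.lower() in {s.lower() for s in shared}:
        return "shared-artifact"
    return "presence"


def explain(d: Detection) -> str:
    """One triage line per hit; the log never carries the current data, so
    a deviation must be confirmed against the live registry before acting."""
    if not d.is_deviation:
        return f"[{classify(d)}] {d.family}: {d.category} at {d.location}"
    if d.value_name == "Start" and "\\Services\\" in d.location:
        want = SERVICE_START.get(d.expected, d.expected)
        return (f"[deviation] {d.family}: service start type is not "
                f"{want} ({d.expected}); read the live Start value first")
    return f"[deviation] {d.family}: {d.value_name} is not the expected {d.expected}"


def summarize(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in parse_results(text):
        counts[classify(d)] = counts.get(classify(d), 0) + 1
    return counts


if __name__ == "__main__":
    for det in parse_results(SAMPLE_LOG):
        print(explain(det))
    print(summarize(SAMPLE_LOG))
```

Run on the sample, the three eSellerate hits come out as shared artifacts (presence alone does not establish True Sword, which is exactly why the rule was corrected), while the wscsvc and NoActiveDesktopChanges hits are deviations that are only meaningful once you know whether you made the change yourself.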

Konstantin Artemev
2008-09-19, 15:01
Well, it seems that the discussion was a long time ago and I found it only now. It's better to do something late than never, as we say in Russia.

My name is Konstantin Artemev and I'm the head of department which developed True Sword you were talking of here.

I can assure you that True Sword is a legitimate application and I encourage you to perform your own tests to check this out. As far as I remember the Spybot team de-listed us a long time ago.

However, this post is still visible on the Internet, so everyone who visits it often sees the very first messages of the discussion where someone called True Sword a bogus application. Well, there was a time when True Sword had some problems with false positives and this generated questions from the community. However, True Sword _never_ was a bogus program - our business is open for all and clear.

Right now True Sword is a modern and quality anti-spyware and I invite everyone to check this on your own.


http://forums.spybot.info/showthread.php?p=60058#post60058