
Thread: Online database retrieving

  #1 Ajakibs, Junior Member (Join Date: Aug 2007; Location: Warsaw, Poland; Posts: 21)

    Online database retrieving

    After performing the Online Analysis mode and then launching RunAlyzer once again, I noticed the announcement: "Information for 1517 entries retrieved. Known data classification will be shown in colors".

    O.K. But when coming to the Autorun bookmark I was extremely surprised:

    1. Most items are still white-colored; e.g. such items as OfficeScanNt Monitor (Trend Micro Inc.), Windows Defender (Microsoft) and many others. When coming to the Services bookmark, the AdAware 2007 (Lavasoft) item is also, among others, "white".

    Thus my question is: do you really not know your biggest competitors' programs, i.e. the anti-spyware and anti-virus software of Trend Micro Inc., Lavasoft and Microsoft? They are your main rivals in the area, so ...

    2. In my opinion, too many obvious items in the program tables (i.e. those having an obvious meaning) are "white"; other members of this Forum say the same. So, what is the reason that most items are not known to your Online database? Or do I not understand something?

    I would like to point out that some 10 days ago (and also yesterday) I used the option (of Analysis mode): "Submit anonymized unknown log data to our server for analysis". And it does not help.
    Well, sorry for some criticism, but the problem is serious, so ...

    3. What is the crucial difference between RunAlyzer and the corresponding tool arranged within Spybot S&D ver. 1.5 (beta)? Is it true that in the latter case the offline database is not updated at all, i.e. even during the standard program entries updating procedure, just after launching the application?
    Well, on the other hand, the recognized items are, in the case of Spybot S&D, shortly commented; e.g. "the item is not really needed for the Windows system's functioning", and something like that. These remarks are very helpful for the situation analysis.

    My next question is:

    4. Why, in the case of RunAlyzer, are such comments not given?
    I have observed that in every case, under the tab "More information", the announcement "No additional information available" is given. Well, a pity (!!). Will it be available in the future?
    Greetings,
    Ajakibs
    ===========================
    Windows XP Pro (SP-2), Pentium 4.

  #2 PepiMK, Member of Team Spybot (Join Date: Oct 2005; Location: Planet Earth; Posts: 3,601)

    1. It doesn't matter whether software XYZ or ABC is our biggest competitor or whatever - there are hundreds of thousands of entries in the database, and what comes first gets classified first.

    2. The reason is that researching a really huge amount of entries (as I said, there are hundreds of thousands collected already) takes a lot of time. The majority is already classified, but Vista alone has brought so many new entries...

    3. The tools in Spybot-S&D still use sysinfo.org data and try to match entries by entry name and filename. RunAlyzer uses the LASSH algorithm to get a unique ID for each entry - even the slightest change, e.g. a different file size and version, will be a new unclassified entry.

    4. "More information" uses the KeyInfoDB.txt file for general information about the current location only, not about single entries.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
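To make the difference described in point 3 concrete, here is an added example (not Spybot's or RunAlyzer's own code): a name-plus-filename lookup of the kind the Spybot-S&D tools do against sysinfo.org data, side by side with a per-entry fingerprint in which every attribute of the entry goes into the ID. The fingerprint is a SHA-256 stand-in for LASSH, whose actual construction is not described in this thread, and the entry names, paths, sizes and version strings are constructed sample values, not real product metadata.

```python
"""Added example: loose (name + filename) vs. strict (whole-entry fingerprint)
matching of autorun entries against a small classification database."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AutorunEntry:
    name: str      # autorun / service entry name
    path: str      # full image path
    size: int      # file size in bytes
    version: str   # file version string


def loose_key(entry: AutorunEntry) -> tuple:
    """sysinfo.org-style lookup key: entry name plus bare file name only."""
    filename = entry.path.replace("\\", "/").rsplit("/", 1)[-1]
    return (entry.name.lower(), filename.lower())


def strict_id(entry: AutorunEntry) -> str:
    """Stand-in for a LASSH-style unique ID (assumption: the real LASSH
    construction is not given on the page). Every attribute is hashed, so a
    changed size or version yields a different, still-unclassified ID."""
    material = "\x00".join(
        [entry.name.lower(), entry.path.lower(), str(entry.size), entry.version]
    )
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


# Constructed sample: one entry an analyst has already classified as "good".
KNOWN_GOOD = AutorunEntry(
    "WinPatrol", r"C:\Program Files\WinPatrol\winpatrol.exe", 331776, "12.0.2007.0"
)
LOOSE_DB = {loose_key(KNOWN_GOOD): "good"}
STRICT_DB = {strict_id(KNOWN_GOOD): "good"}


def classify_loose(entry: AutorunEntry) -> str:
    return LOOSE_DB.get(loose_key(entry), "unknown")


def classify_strict(entry: AutorunEntry) -> str:
    return STRICT_DB.get(strict_id(entry), "unknown")


def compare(entry: AutorunEntry) -> dict:
    """Classify one entry under both schemes."""
    return {"loose": classify_loose(entry), "strict": classify_strict(entry)}


# Scenario 1: the vendor ships an update; same name and path, new size/version.
UPDATED = AutorunEntry(
    "WinPatrol", r"C:\Program Files\WinPatrol\winpatrol.exe", 335872, "12.1.2007.0"
)

# Scenario 2: something else installs itself under the same entry name and
# file name from a different directory (constructed path).
IMPOSTOR = AutorunEntry("WinPatrol", r"C:\Windows\Temp\winpatrol.exe", 65536, "1.0.0.0")


if __name__ == "__main__":
    for label, e in [("known", KNOWN_GOOD), ("updated", UPDATED), ("impostor", IMPOSTOR)]:
        print(f"{label:9s} {compare(e)}")
```

The updated build is "good" under the loose key and "unknown" under the strict ID, which is exactly the white-entry behaviour the thread is about: every new file size or version is a new ID until someone classifies it. The impostor shows the other side of the trade-off: the loose scheme inherits the "good" verdict from name and filename alone, while the strict scheme leaves it unknown for an analyst to look at.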

  #3 Ajakibs, Junior Member (Join Date: Aug 2007; Location: Warsaw, Poland; Posts: 21)

    Sorry, but I have not understood what you mean by this:
    Quote Originally Posted by PepiMK
    ... there are hundreds of thousands of entries in the database, and what comes first gets classified first.
    I previously thought that when an entry is known (i.e. existing in the offline database) it is simply classified as known. Thus, what do you mean by "what comes first gets classified first"?
    Do you not have the Microsoft, Trend Micro, Lavasoft (etc.) products taken into account in your databases? Nobody sent you such well-known items for classification? Was I first? Decidedly, I do not understand something.

    You have written:
    Quote Originally Posted by PepiMK
    The reason is that researching a really huge amount of entries (as I said, there are hundreds of thousands collected already) takes a lot of time. The majority is already classified, but Vista alone has brought so many new entries.
    I do not use Vista and I am not going to until Service Pack 1 (or even 2) is published. Thus I still do not understand why, using in my case Windows XP (SP-2), so many of my items are not taken into account in your databases (i.e. the offline one on my PC and the online ones on your servers as well).
    Well, as I mentioned, yesterday I sent your server my unknown ("white") items, so my hope is that (say) after two weeks I will get an updated database from your server after applying Online Analysis mode. If not, I will write to you again.
    Greetings,
    Ajakibs

  #4 Lusher, Junior Member (Join Date: Jul 2007; Posts: 3)

    Honestly I think this whole whitelisting stuff is not as easy as it seems.

    I really wonder if any one-man job can do it. It has to be a community open source effort of some kind. Maybe based around Castlecops.

  #5 PepiMK, Member of Team Spybot (Join Date: Oct 2005; Location: Planet Earth; Posts: 3,601)

    Quote Originally Posted by ajakibs
    Thus, what do you mean by "what comes first gets classified first"?
    If something is "known", that's still a bit "neutral"... it's neither "good", nor "bad", nor "undecided". In that state, adding it to the offline database wouldn't have any advantages.

    Quote Originally Posted by Lusher
    I really wonder if any one-man job can do it.
    I don't doubt that. We're not a one-man company though.
    And I'm not saying that community efforts aren't a good thing, but we've got other things we want to open up a bit first.

    (By the way... the include file format has been open for anyone to provide detections nearly since the beginning, but one translator who's provided a lot of usage tracks was so far the only person to actually commit new detections. I also have some open source LGPL/GPL code in my blog, in which no one else has participated yet... so much for participation.)

  #6 Lusher, Junior Member (Join Date: Jul 2007; Posts: 3)

    Quote Originally Posted by PepiMK View Post
    If something is "known", that's still a bit "neutral"... it's neither "good", nor "bad", nor "undecided". In that state, adding it to the offline database wouldn't have any advantages.

    Quote Originally Posted by PepiMK View Post
    I don't doubt that. We're not a one-man company though.
    Are you a 10-man company? 50-man company? Even that might not be enough.... ???

    Quote Originally Posted by PepiMK View Post
    (By the way... the include file format has been open for anyone to provide detections nearly since the beginning, but one translator who's provided a lot of usage tracks was so far the only person to actually commit new detections. I also have some open source LGPL/GPL code in my blog, in which no one else has participated yet... so much for participation.)
    That's too geeky for most people.

  #7 PepiMK, Member of Team Spybot (Join Date: Oct 2005; Location: Planet Earth; Posts: 3,601)

    In between
    So why do you think classifying these entries wouldn't be too geeky?

  #8 Corrine, Security Expert (Join Date: Oct 2005; Location: Upstate, NY; Posts: 62)

    Quote Originally Posted by ajakibs
    Well, as I mentioned, yesterday I sent to your server my unknown ("white") items - so, my hope is that (say) after two weeks I will get updated database from your server - after applying Online Analysis mode. If not - I will write to you again
    I don't think you understood that there are literally THOUSANDS of submissions ahead of yours to be analyzed.

    Quote Originally Posted by Lusher
    Are you a 10-man company? 50-man company? Even that might not be enough.... ???
    And that isn't counting the women in the company!

    Seriously, even Microsoft with all the resources (personnel and otherwise) they have at their disposal does not keep up. (Examples: Windows Defender still does not recognize NOD32 imon or WinPatrol.)

    It is one thing for users to submit something "known" to them as good or bad. It is quite another for professionals to analyze those submissions. Without such professional analysis, there is no doubt in my mind that the rogues would slip their goods in.

    Taking thoughts of analysis a step further, the ordinary user is not going to test on multiple operating systems as professionals will do.

    Keep up the good work, PepiMK and Company.
    Windows Insider MVP * * * Microsoft MVP, 2006-2016

    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

  #9 Junior Member (Join Date: Nov 2007; Posts: 1)

    Quote Originally Posted by Corrine View Post
    Keep up the good work, PepiMK and Company.
    There are some of us, usually silent, who have been appreciating your efforts (over the years), and can vaguely fathom the workload you're undertaking. Thanks.

  #10 PepiMK, Member of Team Spybot (Join Date: Oct 2005; Location: Planet Earth; Posts: 3,601)

    Glad to hear that.

    Btw, the idea of opening this thing hasn't left my mind yet... if we find the time, we might indeed open up the RunAlyzer classification system.
    Right now though, our resources are bound to three other community projects: one a small forum help thing, one a system for improved, automated and instant beta testing (details available in a few weeks), and a third one I won't name yet.
