Seth - Posted September 21, 2006

Hello,

As a computer technician, I purge systems of various types of malware on a daily basis. For about the last month, I've been testing SAS's malware detection and removal abilities and have been thoroughly impressed. The following are results from a comparison I conducted on a heavily infected system. None of the scanners were allowed to remove any infections:

SCANNER            ADWARE/SPYWARE   TROJANS/BACKDOORS/DIALERS/ETC   TOTAL
Spybot                   11                       0                    11
AVG                       0                      12                    12
Ad-Aware                 21                       6                    27
Norton 2005              11                      17                    28
SpySweeper               20                      13                    33
NOD32                    17                      22                    39
BitDefender              21                      23                    44
SuperAntiSpyware         25                      19                    44
A-Squared                23                      22 plus 1 rootkit     46
Kaspersky                16                      34                    50
Ewido                    22                      33 plus 1 rootkit     56

Suggestions: The term "SUPER" in SuperAntiSpyware sounds very cheesy and reminds me of a rogue product. Also, the name doesn't mention that SAS is very good at detecting trojans, keyloggers, downloaders, and other such types of malware.

Anyway, thanks for a wonderful product. SAS has top-rate detection, a simple and straightforward user interface, excellent real-time protection, and very useful utilities. I'll be purchasing and recommending the professional version.
SirJon - Posted September 21, 2006

I agree with your testing results. I too am a tech, and I generally use SAS along with Kaspersky AV; between the two I am able to nail just about everything out there. I use a BartPE CD on the infected drive and am in the process of building a small heavy-duty "super box" with tons of RAM, a very large HD, and a quick mobo and processor to be used as a "diagnostic test box" for my work. I always try to get the user to purchase SAS after their PC has been cleaned and explain the benefits.

> The term "SUPER" in SuperAntiSpyware, sounds very cheesy

Since I try to stay in tune with the rogue anti-spyware programs out there, I too had trouble with the name at first, but with time it has proven itself over and over.
nosirrah - Posted September 21, 2006

> I agree with your testing results. I too, am a tech and I generally use SAS along with Kaspersky AV and between the two I am able to nail just about everything out there. I use a BartPE CD on the infected drive and am in the process of building a small heavy duty "super box" with tons of RAM, a very large HD, and a quick mobo and processor to be used as a "diagnostic test box" for my work. I always try to get the user to purchase SAS after their PC has been cleaned and explain the benefits.

I have tried using SUPERAntiSpyware to disinfect a slaved drive and can confirm that the steps SUPERAntiSpyware uses to prevent false positives also prevent the detection of about 75% of the malware it detects under normal circumstances. The idea of a shop version that imports a slaved drive's registry to work with the scanning of a slaved drive has been proposed already.

The box by itself is an awesome idea. I built one for my work and could not live without it. Make sure to add a RAID card to attach external IDE cables and a high-powered PSU. The way I have mine set up allows me to work on 8 ATA, 2 notebook and 4 SATA drives at once. A multicore processor is also a must.

Currently the best applications to scan a slaved drive are PestPatrol, CounterSpy, ZeroSpyware, Kaspersky and AntiVir. They don't seem to care where the malware is located.

The load hive function of regedit will allow you to edit a slaved drive's registry. This can be a life saver if a non-malware problem prevents normal booting. There is also a way to build a new registry from a system restore point. This is easy to do when you slave the problem hard drive to an XP PRO system.

If you have any questions about my work machine let me know.
Seth - Posted September 21, 2006

Thank you for the replies.

> I have tried using SUPERAntiSpyware to disinfect a slaved drive and can confirm that the steps SUPERAntiSpyware uses to prevent false positives also prevent the detection of about 75% of the malware it detects under normal circumstances.

This is interesting. Can you elaborate or provide further details please?
nosirrah - Posted September 21, 2006

> Thank you for the replies.
>
> > I have tried using SUPERAntiSpyware to disinfect a slaved drive and can confirm that the steps SUPERAntiSpyware uses to prevent false positives also prevent the detection of about 75% of the malware it detects under normal circumstances.
>
> This is interesting. Can you elaborate or provide further details please?

If I take the hard drive out of an infected machine and scan it as a slaved drive, SAS does not find much. If I put the drive back into its home system and scan it again, many more malware threats are discovered (and not just the registry remnants).

You can ask SUPERAntiSpy for the technical details, but the way he explained it to me made it sound like the scan engine is designed to produce very few false positives, and as a result the malware on a second drive is sometimes missed. He also mentioned a new shop version of SAS specifically designed to remove malware from a slaved drive may be in the works. It would be the first of its kind, I believe.

I ran into this problem a while back and made the mistake of thinking that SAS sucked because of its slaved scan results. I was proven wrong shortly afterwards when I tried it on a live system.
Seth - Posted September 21, 2006

> If I take the hard drive out of an infected machine and scan it as a slaved drive SAS does not find much. If I put the drive back into its home system and scan it again many more malware threats are discovered (and not just the registry remnants).

I've never scanned a slave with SAS, but I guess I just can't see why it would be poor at detecting malware on a slave. Of course the main difference is that the master drive is live and the slave has no running processes. But this shouldn't make any significant difference in a scanner's detection ability. However, I will definitely try and reproduce your results at the next opportunity.
SirJon - Posted September 21, 2006

Thanks for the advice on the creation of a SUPERBOX, nosirrah. As I said in an earlier post, I've been using BartPE for remote scanning and have had great success. I use RunScanner to scan the remote registry. Your comments regarding using SAS remotely are interesting.

> If I take the hard drive out of an infected machine and scan it as a slaved drive SAS does not find much. If I put the drive back into its home system and scan it again many more malware threats are discovered (and not just the registry remnants).

It's interesting because you have the choice of what drive you want to scan. Of course you don't have that luxury with the registry, so that's why I use RunScanner to redirect the default registry scan from the BartPE CD to the infected HD. It has worked well for me this way. I have also used Kaspersky and Spy Sweeper with great results.

One thing I'll admit though, I've never rescanned the HD again after scanning it from the BartPE CD from RAM. I'll have to try this approach next time to see what is found by the anti-malware utilities by them running directly from the HD after the RAM drive scan.
nosirrah - Posted September 21, 2006

If anyone has any questions about why the slave scan is not effective with SAS, go ahead and ask SUPERAntiSpy. He is the one that explained it to me when I discovered that SAS did very poorly when I tested it this way.

I started slave scanning in direct response to the rootkit outbreak and because I was tired of being limited to a customer's crummy hardware to fix their system. This also lets you clone an old 5400 rpm drive onto a Raptor, disinfect it and then clone it back.
SUPERAntiSpy - Posted September 22, 2006

> > I agree with your testing results. I too, am a tech and I generally use SAS along with Kaspersky AV and between the two I am able to nail just about everything out there. I use a BartPE CD on the infected drive and am in the process of building a small heavy duty "super box" with tons of RAM, a very large HD, and a quick mobo and processor to be used as a "diagnostic test box" for my work. I always try to get the user to purchase SAS after their PC has been cleaned and explain the benefits.
>
> I have tried using SUPERAntiSpyware to disinfect a slaved drive and can confirm that the steps SUPERAntiSpyware uses to prevent false positives also prevent the detection of about 75% of the malware it detects under normal circumstances. The idea of a shop version that imports a slaved drive's registry to work with the scanning of a slaved drive has been proposed already.
>
> The box by itself is an awesome idea. I built one for my work and could not live without it. Make sure to add a RAID card to attach external IDE cables and a high-powered PSU. The way I have mine set up allows me to work on 8 ATA, 2 notebook and 4 SATA drives at once. A multicore processor is also a must.
>
> Currently the best applications to scan a slaved drive are PestPatrol, CounterSpy, ZeroSpyware, Kaspersky and AntiVir. They don't seem to care where the malware is located.
>
> The load hive function of regedit will allow you to edit a slaved drive's registry. This can be a life saver if a non-malware problem prevents normal booting. There is also a way to build a new registry from a system restore point. This is easy to do when you slave the problem hard drive to an XP PRO system.
>
> If you have any questions about my work machine let me know.

99.99% of the infections that our real-world users are going after are live infections on their primary box/hard disk. We did not design SUPERAntiSpyware to scan slave drives, mount slave registries, etc., although we may provide that ability in a future version. The items we will be "non-effective" with on a slave box will be mostly registry items, as any of the file items that are detected by our regular definitions/signatures will be detected on the slave drive as well; those are non-path dependent.
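The two technical points above, nosirrah's note that regedit's load-hive function lets you read a slaved drive's registry, and SUPERAntiSpy's explanation that the registry-based detections are path dependent while file signatures are not, come together in the following script. It is an added example, not code from this thread and not part of SUPERAntiSpyware or RunScanner: it mounts the slaved volume's SOFTWARE hive with reg.exe, lists the Run and RunOnce autostart entries found there, and checks each referenced file against the slaved drive letter instead of the live C:\. The slaved volume letter D:, the temporary key name HKLM\SlaveSOFTWARE, and an elevated session on a modern Windows host are all assumptions.

```powershell
# Added example (not from the thread, SUPERAntiSpyware or RunScanner).
# Mount an offline SOFTWARE hive from a slaved Windows volume, list its
# Run/RunOnce autostart values, and resolve each referenced executable
# against the slaved drive letter rather than the host's own C:\.
# Assumptions: slaved volume is D:, HKLM\SlaveSOFTWARE is unused, session is elevated.
param(
    [string]$SlaveRoot = 'D:',
    [string]$MountName = 'SlaveSOFTWARE'
)

$hivePath = Join-Path $SlaveRoot 'Windows\System32\config\SOFTWARE'
if (-not (Test-Path -LiteralPath $hivePath)) {
    throw "No SOFTWARE hive found at $hivePath; is the slaved Windows volume really $SlaveRoot?"
}

# reg.exe refuses to load a hive that is in use, so this only works while the
# slaved system is not booted (which is exactly the slaved-drive scenario).
& reg.exe load "HKLM\$MountName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg.exe load failed with exit code $LASTEXITCODE (not elevated, or hive in use?)"
}

$results = @()
try {
    $runKeys = @(
        "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath and friends; skip those.
            if ($p.Name -like 'PS*') { continue }
            $command = ([string]$p.Value).Trim()

            # Values look like "C:\path\x.exe" args or C:\path\x.exe args;
            # take the quoted path if present, otherwise the first token.
            if ($command -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($command -split '\s+', 2)[0] }

            # %SystemRoot%-style variables expand with the host's values here,
            # an approximation; the drive-letter remap below covers the usual case.
            $exe = [System.Environment]::ExpandEnvironmentVariables($exe)
            $onSlave = $exe -replace '^[A-Za-z]:\\', "$SlaveRoot\"

            $results += [pscustomobject]@{
                Key          = ($key -split '\\')[-1]
                Name         = $p.Name
                Command      = $command
                ResolvedFile = $onSlave
                FileOnSlave  = (Test-Path -LiteralPath $onSlave)
            }
        }
    }
}
finally {
    # Drop the registry provider's handles, then unmount so the slaved
    # volume's hive is left exactly as it was found.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}

$results | Format-Table -AutoSize
```

Rows with FileOnSlave set to False are either stale autostart entries or entries pointing somewhere other than the slaved system drive; either way they are the registry-side items a file-signature scan of the slaved volume cannot see on its own, which is the gap the post above describes.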
SUPERAntiSpy - Posted September 22, 2006

> The term "SUPER" in SuperAntiSpyware, sounds very cheesy and reminds me of a rogue product. Also, the name doesn't mention that SAS is very good at detecting trojans, keyloggers, downloaders, and other such types of malware.

Thanks for the compliments and test posting - those are the typical results we see in real-world live infection detections and removals. The "SUPER" name is part of our brand - we have SUPERAntiSpyware, SUPERAdBlocker, SUPERFileRecover and soon other "SUPER" products - the "SUPER" is part of building a brand and product recognition. We do include text on all of our sites and literature regarding the fact that SUPERAntiSpyware will detect and remove Spyware, Adware, Malware, Trojans, Keyloggers, Dialers, Downloaders, etc.
SirJon - Posted September 22, 2006

I just tested Spy Sweeper and SAS from a CD and from the HD. I infected the HD with several types of malware, in particular Vundo and SmitFraud. With the exception of a few registry entries found (and some cookies) from running the utilities from the HD and not from the CD, the files and folders are the same.
mike - Posted December 9, 2006

> The "SUPER" name is part of our brand - we have SUPERAntiSpyware, SUPERAdBlocker, SUPERFileRecover and soon other "SUPER" products - the "SUPER" is part of building a brand and product recognition.

How about combining into a single product?
SUPERAntiSpy - Posted December 9, 2006

> > The "SUPER" name is part of our brand - we have SUPERAntiSpyware, SUPERAdBlocker, SUPERFileRecover and soon other "SUPER" products - the "SUPER" is part of building a brand and product recognition.
>
> How about combining into a single product?

We are keeping them as separate products as most users are not fans of the bloated "suites" of software.