MSAS Suspected Spyware Report

[Guest]

After today's scheduled daily scan, MSAS informed me it had found a trojan --
Rivarts.A.backdoor -- my first through MSAS! Imagine my surprise! I elected
to remove the quarantined file, there were 9 settings in the Registry that
had been affected, and decided to prepare a suspected spyware report.
Unfortunately, on a number of tries, on pressing the Submit button I got a
message telling me to check my internet proxy settings and try again. Well,
I don't use proxy settings and also checked IE6 LAN settings, as I use
broadband, and checked with my ISP and we did a couple of pinging tests,
which came out okay. After these checkups, prepared the report again but on
trying to submit, still got the same message.

The other aspect to this question relates to the actual information sent in
the report, me having looked at it. It doesn't include the results of the
scan that found the trojan, which I would have thought would be important
information. How can one include that in the spyware report?

Interestingly, NAV2005 didn't find it nor Spyware Doctor. But, NAV's online
encyclopedia does have a similar trojan, called PWSteal.Rivarts found earlier
this month.

How can I send you a spyware report? Thanks.

 

[Bill Sanderson MVP]

I can respond to several issues you raise here, although not, perhaps in the
way you might expect:

1) The Rivarts.A finding that you saw is in all likelyhood a flawed
detection. You are presumably on definitions 5823. Definitions 5825,
available yesterday, change the program operation in a way which eliminates
this alert. No harm, however, is done by your having removed the "threat."

This alert was caused by registry entries made by another antispyware
program on your system as an "innoculation" against Rivarts.A. Removing
them eliminatest that protection, but it will be replaced by that app on the
next startup.

2) the proxy error on attempting to send a suspected spyware report is a bug
in Microsoft Antispyware. No workaround is available.

So--I can't really discuss the content of the report--that mechanism has
gone completely in beta2, in favor of reliance on Spynet reports, and a
mechanism for direct submission of samples--either false positives or false
negatives, here:

http://www.microsoft.com/athome/security/spyware/software/support/reportspyware.mspx

(users of beta1 are welcome to use this link as well!)

The other thing I would be remiss if I didn't mention is that Windows
Defender, beta2 of Microsoft Antispyware--is available now:

http://www.microsoft.com/downloads/...E7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en

Download, run--it will uninstall the current Microsoft Antispyware and
replace it with Windows Defender.

Some notes about what folks may find confusing:

1) No tray icon is present by default if no user interaction is needed.
They've stated that in a later version, there will be the ability to display
the icon as an optional choice.

2) A number of the advanced tools are absent--some of these are present in
IE7 beta, which is also available:

http://www.microsoft.com/windows/ie/ie7/default.mspx

3) Updates within the program come via AutoUpdate--so there's a lag waiting
for the update to appear, and no progress bar--give it a few minutes, and
watch the balloon notifications. If you have balloons turned off, you won't
see any indications about the update process--start the UI again in about 5
or 10 minutes and see if the definitions have changed. As with Microsoft
Antispyware, definitions are slightly more than once a week on average.

4) there are three separate executables--a system service that starts on
startup, which does real-time protection and services during scans, a
command-line executable which does definition updates and scanning, and a
third piece which provides the UI into what the other pieces are doing.


--

 

[Guest]

Dear Bill,
Thanks for your comprehensive reply. Firstly, let me thank you for the
informative comments made, as I was not aware of some points you made. Now
to my reply.

1) I am still using beta1, with latest definitions updated on 30Mar06 being
version 5821. My MSAS daily scan is scheduled for 6.30pm and today's scan,
as I am in the process of reading your reply to my query, has produced a
clear result.

Spyware Doctor v.3.5.1 only immunizes ActiveX controls and updates to the
database happen almost daily (which was updated today), after which it goes
through its immunizing process and a popup message tells me how many ActiveX
controls out of the total required immunizing. Today there was only 1
required immunization, probably the Rivarts.A, as you have intimated would
happen.

2) As MSAS is working fine, will wait to upgrade when it is due, in approx.
120 days' time.

3) I'm not comfortable with the idea of installing IE7. IE6 is working just
great. Perhaps you could tell me, if you know, what are the MSAS beta1
Advanced Tools that are no longer available in Defender and which are now
part of IE7? Perhaps, then, I may make a decision to upgrade to IE7, prior
to upgrading to Defender in the normal course of events. Or, should I
investigate the IE7 link you have given, to find information about IE7
features?

4) In the meantime, thanks for the link re submitting suspected spyware
reports. Will check it out and see what I can do there. Since got an
all-clear with the MSAS scan today, can only send them details of the
Registry keys affected with yesterday's scan -- have saved that information
as a separate file.

 

[Guest]

Latest report on Rivarts.A from Spyware Doctor, as flws:

"The Rivarts.A detection in most cases is picking up the following registry
entry as Rivarts.A.

HKLM\SYSTEM\Currentcontrolset\Services\mchInjDrv

This appears to be a false positive detection.

MchInjDrv is a third-party driver used by many security applications to
provide process protection. However, this driver can also be used for
malicious purposes by those intent on writing Spyware. There are some
AntiSpyware programs that do not understand that this is a legitimate driver
that can be used maliciously but in most cases is used legitimately.

Spyware Doctor in fact uses mchInjDrv as do many other legitimate security
programs."

Will also send this comment in my with my suspected spyware report. Today's
scans in MSAS and Spyware Doctor are all-clear.