
Thread: Why ZA may be finding trojans/spyware not found by scans with other programs.

  1. #1
    tony_a Guest

    Why ZA may be finding trojans/spyware not found by scans with other programs.

    Recently, many users have been reporting that ZA is finding trojans and spyware that are not being found by other programs. If ZA is actually only finding a Registry Key, this is what I believe is happening.


    The spyware ZA is finding is actually just a registry key inserted by a spyware/trojan removal program to disable (kill) a known piece of malware. In the spyware removal program definition database is an identifier (CLSID), often a long string of numbers, that is associated with a piece of malware. A technique to disable (kill) the malware is to create and insert a key in the Registry that contains the CLSID and sets a value for the key that the operating system recognizes as a signal to prevent the malware from running. (See: http://support.microsoft.com/kb/240797)


    When a spyware/trojan removal program inserts this key in the Registry, it is just doing its job preventing the malware from running.

    Just because a spyware removal program inserts a key in the Registry to prevent malware from running doesn't necessarily mean that the malware was found! It just means that the CLSID was in the spyware remover database, and the Registry key was created and inserted as a preventive measure. When the spyware remover definition database is updated, it might just insert a new key without informing the user, or the user may not understand that what is actually being reported is the insertion of a new key in the Registry.


    When a scan is done by ZA, one of the things it does is to compare the ZA Definition Database with the keys it finds in the Registry. If a Registry key it associates with malware is found, it tries to name the malware and notify the ZA user. If ZA doesn't have in its database the exact CLSID it finds, it uses the name of what it thinks is the closest CLSID to what it does have. Often, this leads to a false identification.

    When ZA removes what it believes is a malware key from the Registry, the spyware remover program is often instantly aware of this, and thinking that the spyware/trojan is attempting to run, immediately re-inserts the key in the Registry to prevent it from running. The spyware program is just doing a good job.

    Of course the next time a scan is run by ZA, the Registry key is found again, and the user, usually in a panic, thinks a major problem exists.

    The problem is actually that the ZA and the spyware remover program definition databases are out of sync.

    When ZA reports the presence of such a Registry key, it's because the ZA database is not up-to-date. If a spyware remover program reports the presence of such a key, that ZA doesn't find, it's probably because the spyware remover database is not up-to-date.

    How To Check If The Registry Key Found Is Intended to Stop A Program From Running.

    To check the Registry, it is necessary to use Regedit. It is always wise to back up the Registry before using Regedit, and the simplest way to do this is to set a Restore point. If you're not familiar and comfortable with setting Restore points and using Regedit, check your documentation, browse Help, and seek assistance from someone who knows how to do the following.

    Run Regedit and navigate to the Registry key displayed by ZA.

    If the value under Compatibility Flags REG_DWORD is 0x00000400 (1024), then the key has been set to kill the Registry key program.

    The Bottom Line

    If a Registry key is the only thing that is found by a ZA scan, and the Registry key is set to 'kill', then the problem is probably only that identification databases are out of synchronization and no actual malware is present. To check if the Registry key is being inserted by your spyware remover program:

    after ZA finds the supposedly 'malware' Registry key, and before you quarantine or delete it;

    exit your spyware remover program (you don't have to uninstall it, just make sure it's not running);

    use ZA to delete the malware;

    scan again using ZA; and,

    if the scan is clean it's probable the Registry key is being inserted by your spyware remover program.

    To double-check, re-start your spyware remover program;

    run another ZA scan; and,

    if ZA finds the malware again, it is almost certain the Registry key is being inserted by your spyware removal program. If it's not found, maybe there was an actual piece of malware on your system and the Registry key was somehow left over from a removal process.

    If the Registry key is found again, and your spyware removal program is inserting it, it doesn't mean there is anything wrong with your spyware remover program!

    If there is any doubt in your mind that the Registry key found by ZA is not being inserted by your spyware program, or if the Registry key is not set to 'kill', or if ZA finds anything other than just a Registry key, then you should regard what is found by ZA as a real piece of malware and take appropriate steps to remove it.

    All the above is only my opinion, but I hope it helps in understanding what may be happening.

    Tony_A

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.5
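The Compatibility Flags check described in the post, as an added example that is not part of the thread or of any ZoneAlarm tool: it assumes the key ZA displays lives under the ActiveX Compatibility path from KB240797, tests bit 0x400 bitwise (other flag bits may be combined with it), and also lists every CLSID under that path that carries the kill bit, so you can see which entries a remover program has planted.

```powershell
# Added example (not from the thread): check whether a CLSID's Compatibility Flags
# value has the kill bit (0x400) set, per KB240797. Read-only: nothing is modified.
# Assumption: the key ZA reports is under the ActiveX Compatibility path below.
$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{GUID}' as shown by ZA
    $keyPath = Join-Path $BasePath $Clsid
    if (-not (Test-Path $keyPath)) {
        return [pscustomobject]@{ CLSID = $Clsid; Flags = $null; KillBitSet = $false; Note = 'key not present' }
    }
    $flags = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) {
        return [pscustomobject]@{ CLSID = $Clsid; Flags = $null; KillBitSet = $false; Note = 'no Compatibility Flags value' }
    }
    # Bitwise test rather than equality: a value such as 0x00000410 still has the kill bit set.
    $set = (($flags -band $KillBit) -eq $KillBit)
    [pscustomobject]@{ CLSID = $Clsid; Flags = ('0x{0:X8}' -f [uint32]$flags); KillBitSet = $set; Note = '' }
}

function Get-KillBitEntries {
    # Every CLSID under the compatibility path whose kill bit is set.
    Get-ChildItem -Path $BasePath -ErrorAction Stop |
        ForEach-Object { Test-KillBit -Clsid $_.PSChildName } |
        Where-Object KillBitSet
}

# Usage: first the single CLSID ZA displayed (placeholder GUID, replace with the real one),
# then the full list of kill-bitted CLSIDs for comparison with what ZA reports.
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-List
Get-KillBitEntries | Format-Table CLSID, Flags
```

If the CLSID ZA names appears in the second list with the kill bit set and nothing else is found, that matches the "databases out of sync" case the post describes; a key without the kill bit, or a finding that is more than a bare key, does not.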

  2. #2

    Re: Why ZA may be finding trojans/spyware not found by scans with other programs.

    Yo, you might be right! ZA Anti-Spyware seems to pick stuff up and the others don't find anything. Might just be the way the CA product is designed.
