One of the most fallacious threads about CaSIR I came across was on a public board run and administered by a Microsoft MVP called "Tom Mercado". The thread shows that it is not always wise to trust a Microsoft MVP and blindly believe everything they say or any insight they provide! Here I am going to address Mr. Mercado and explain to him how far he was from giving an honest opinion!
Dear Tom,
So you were asked and you gave your honest opinion? Okay, I will tell you, and your two friends (if there were any), what you did and wrote on your own website and on the other websites, which was far, far away from "only giving an honest opinion"!
The thread was started by a user who runs a website devoted to promoting freeware. He asked your opinion about CaSIR and you replied that you hadn't read much into it yet but you would.
Another user came after that and stated this:
"The trial is a detect but not remove program. You have to purchase it to remove infections so it doesn't class as freeware."
At this point, and after this clear, objective and honest statement, the first person (the freeware guy) had the answer he wanted, because all he wanted to know was whether CaSIR is freeware or not.
But then you (or one of your friends) came and said:
"That's one strike against this thing."
Oh God, what a hostile and irrational start!!! I've just learned that if a program (any program) is not freeware, then that is a strike against it!!!
Let's see what the "second strike" was; you said:
"See any sort of details as to where exactly these infections are? Registry keys, files, folders? hello?"
And you posted the following log:
RKA - Disabled Windows Firewall Infection
Buy to remove infection!
RKA - Disabled Windows Firewall Infection
Buy to remove infection!
RKA - Disabled Windows Firewall Infection
Buy to remove infection!
RKM - Disabled Show System Files/Folders restriction
Buy to remove infection!
RKM - Disabled Show System Files/Folders restriction
Buy to remove infection!
RKD - Default startup folder infection
Buy to remove infection!
SFL - Trojan.Win32.Small.wv
Buy to remove infection!
RKM - Worm.Win32.AutoRun.dkk (Ahsan Virus)
Buy to remove infection!
RKA - Security Center Corrupted Settings
Buy to remove infection!
RKA - Security Center Corrupted Settings
Buy to remove infection!
You didn't take a minute or two to read the software help page, which explains that:
RNP means Running Process
GFL means Group of Files
SFL means Single File
GFD means Group of Folders
SFD means Single Folder
RKM means Registry Key to be Modified
RKD means Registry Key to be Deleted
RKA means Registry Key to be Added
RSO means Regular System Optimization
Now you may ask me why you don't see more details as to WHERE exactly these infections are. Okay, I'll answer you.
I intentionally hide such details for several reasons:
1. To prevent other new developers from harvesting my own work and including it in their products (this has happened to me many, many times in the past, without my permission).
2. To prevent the sick people who call themselves "malware authors" from learning how the trick is done, because if you teach them what and how to DISINFECT, they can easily reverse the process and use it to INFECT.
3. Normal users (whom CaSIR is intended for) don't usually like programs that give too much detail; they like the one that fixes their problems with one click and then shuts up. They don't even have time to read (let alone understand) all those details; if they had, they would fix their problems manually, so why use CaSIR?!
Now let's move to the "third strike"; you said:
"Third strike, not much of a very large target list now is there"
This has been explained to you before, but you don't seem to want to get it: those 155 records are NOT how many malicious objects CaSIR can remove; in fact, every single one of those records stands for thousands of malicious objects.
I'll give you an example: the "illegitimate System service Infection". You count it as only one target, right? No sir. I want to ask you: how many malicious objects in the wild use the trick of naming themselves svchost.exe? Thousands of them, of course, maybe more. Now take lsass.exe, services.exe, winlogon.exe, csrss.exe, smss.exe, inetinfo.exe, spoolsv.exe... etc.
CaSIR's database has only 155 records while Kaspersky's database has 1,001,351 records. Does that mean Kaspersky removes much, much more than CaSIR does? Of course it does, but not by as much as you imagine: Kaspersky's database includes thousands of records for malicious objects whose names are svchost.exe, lsass.exe, services.exe, winlogon.exe, csrss.exe, smss.exe, inetinfo.exe, spoolsv.exe... CaSIR condenses that huge number into only ONE TARGET, namely "illegitimate System service Infection", and that's what makes CaSIR different!
Kaspersky uses the classic binary signature method; CaSIR uses the file name method alongside the classic binary signature method (only when necessary). This gives CaSIR a huge advantage over Kaspersky in scan speed: in a few seconds CaSIR can detect any of these thousands of malicious objects because it goes DIRECTLY to them, whereas Kaspersky needs hours to fully scan your computer to detect them.
I'll give you a practical example. Suppose there is a new virus whose binary signature is included in neither Kaspersky's database nor CaSIR's, and let's say the virus adds itself to the system startup, creates its body at c:\whatever\whatever\whatever\svchost.exe, and is running and currently active.
Now do a full scan with Kaspersky, wait for bloody hours (depending on how huge your file system is), and then what? Oops! Nothing detected!
Now run CaSIR, wait only two or three seconds (no matter how huge your file system is), and then what? BINGO! Illegitimate System service Infection DETECTED and REMOVED!
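The "file name method" described above, as an added example that is not CaSIR's code and not taken from the post: a process list is checked for images that reuse the name of a core Windows binary but run from a directory where the genuine binary does not live, which is exactly how the c:\whatever\whatever\whatever\svchost.exe case is caught without any binary signature. The set of protected names and their legitimate directories, the `find_illegitimate_system_services` function and the sample process list are all assumptions constructed for this example.

```python
"""Name-and-location check for masqueraded Windows system processes.

Added example, not CaSIR's code. Given running processes as
(pid, full image path) pairs, flag any process that reuses the name of a
core Windows binary but runs from a directory where that binary does not
belong. The legitimate locations below are an assumption of this example
(a stock 32-bit Windows layout); adjust them for the build you scan.
"""
import ntpath

# Protected image names and the directories where the genuine binary lives.
# Keys and values are lower-case backslash paths (assumption: stock layout).
PROTECTED = {
    "svchost.exe":  {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "smss.exe":     {r"c:\windows\system32"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "inetinfo.exe": {r"c:\windows\system32\inetsrv"},
}


def normalize(path):
    """Lower-case the path, unify slashes and collapse '..' components.

    Collapsing '..' matters: 'c:\\windows\\system32\\..\\svchost.exe' is really
    'c:\\windows\\svchost.exe', which must not pass as the system32 copy.
    """
    return ntpath.normpath(path.replace("/", "\\")).lower()


def is_illegitimate_system_service(image_path):
    """True if the image reuses a protected name from an unexpected directory."""
    full = normalize(image_path)
    name = ntpath.basename(full)
    if name not in PROTECTED:
        return False          # not a name we care about; signatures handle the rest
    return ntpath.dirname(full) not in PROTECTED[name]


def find_illegitimate_system_services(processes):
    """processes: iterable of (pid, image_path). Returns the (pid, path) hits."""
    return [(pid, p) for pid, p in processes if is_illegitimate_system_service(p)]


# Constructed sample process list (not real data; the 1240 entry is the post's example).
SAMPLE_PROCESSES = [
    (4, r"C:\WINDOWS\system32\smss.exe"),
    (552, r"C:\WINDOWS\system32\csrss.exe"),
    (896, r"C:\WINDOWS\system32\svchost.exe"),
    (1240, r"C:\whatever\whatever\whatever\svchost.exe"),
    (1308, r"C:\Documents and Settings\user\lsass.exe"),
    (1500, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    (1604, r"C:\WINDOWS\system32\inetsrv\inetinfo.exe"),
    (1700, r"c:/windows/system32/../svchost.exe"),   # traversal trick
]

if __name__ == "__main__":
    for pid, path in find_illegitimate_system_services(SAMPLE_PROCESSES):
        print(f"illegitimate System service: pid {pid} {path}")
```

Two caveats a practitioner would add before using this for real: the path must come from the process's actual image (the handle or module list), not from a name the process reports about itself, and on 64-bit Windows the SysWOW64 directory also hosts legitimate 32-bit copies of several of these binaries, so the directory sets need extending there. The check also says nothing about malware that picks an unprotected name; that is where the signature method the post mentions still has to do the work.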
Now suppose that this virus is one of the nasty malware types that disable tens of AVs. Kaspersky will say bye-bye, and when you try to reinstall it, oops! ERRORS, ERRORS!
Now run CaSIR, wait a second or two, restart your computer and then try to install Kaspersky: BINGO! The installation process starts normally!
Let's now move to the "fourth strike"; you (or one of your "professional" friends) said:
Wtf are:
Disabled CCleaner Infection
Disabled RegClean Product Infection
Disabled SkyNet FireWall Infection<<
Since when have infections begun to target utilities like this? I’ve not
seen one.
So SkyNet Firewall is from the Terminator movie? Then where does Jackie Chan come from? What a low level of objectivity you have, and what a new type of professionals you are! Okay, forget the professional thing; couldn't you, like any normal user, just google Sky NET Personal Firewall, to at least be honest and take your time to test? You would know that it's one of the best firewall products in China, but oh, my mistake, it's a Chinese product and I guess you don't speak a word of Chinese, so leave it alone!
Have you ever heard of a worm called Win32.delf.cc and what it does to your computer? I guess not. When this worm infects your computer you will NEVER be able to RUN/INSTALL/REMOVE/REINSTALL any of more than 80 different security processes belonging to the most well-known AVs (Symantec, Kaspersky, McAfee...) and other security tools and utilities like CCleaner, RegClean, HijackThis... This worm is very old, and I wonder how you don't know that it disables CCleaner, RegClean, SkyNet Firewall and other utilities like these. All you did was say: "I've not seen one!!!" Really? Okay, I'll make you meet one. I have that worm isolated here on my lab PC; if you want a copy of it for your tests, just let me know, but be aware, this is a very nasty one: it will even prevent you from booting into safe mode, because once you attempt to do so the ugly face of the BSOD shows up. So if you want to remove it manually in safe mode, I advise you not to; you will have nothing to do but boot in normal mode and watch the worm steal your private data and submit it to the worm author! You have nothing to do but unplug yourself from the net until you find a solution. Do you know what the solution is? It is not one of those well-known AVs, because the worm won't let you install any of them! YES sir, the solution is CaSIR! With only one single click and in only one minute, your computer will be 100% free of this nasty worm!
Let's now move to the fifth strike; you said:
"Take a look at some of the comments at Rays blog, Most are not very good."
Most? Are you sure? Is that the honesty of an MVP? I don't think so!
Let's move to the sixth strike; you (or one of your friends) said:
"It's getting added to hpHosts with the FSA classification."
Is this your way of judging any new program? You add the website of its developer to the hpHosts list with the FSA classification before you even contact them to ask for more details? (Oh, forget it, you're too "professional" to contact a fresh developer like me.) Okay, before you even read the software instructions and help page? Oh, forget it, before you even consider that you might be dealing with something you have no idea about? Is that your professionalism?!
Do you think that adding my website to your hpHosts with the FSA classification affects my website's reputation? Are you smarter than the CNET team, who hosted and tested my programs and found them free of malware? Are you smarter than the McAfee SiteAdvisor.com team, who ran their tests on my website and found it SAFE? Are you smarter than CHIP magazine and com! magazine, who wrote about my programs and included them on their free DVDs? Are you smarter than Kaspersky and all the other well-known AVs that don't use the FUD term and found my program free of malware?!
Let's move to the seventh strike; you said:
"It would appear 9/33 av engines call this a number of different things I think he needs to recode that ^%$@# so's it's not flagged"
You know that's because you scanned the CNET version, which is packed and protected by ACProtect and therefore looks suspicious to some AVs. But when you learned that you should scan the Sergiwa.com version, and found that both VT and Jotti show a low detection rate for it, you said:
"He's obviously been pretty quick to re-pack/modify it to evade detection ....."
My God! How could you say that? Where is the objectivity? Where are the facts? Where is the evidence?!
At last the thread starter (who TRUSTS your judgment) came and read everything you said. What would he think, and what would he say, based on your lies about CaSIR?
He of course said:
"Thank you so much TeMerc. I hate it when they do that. It stinks!"
And I bet he didn't even run his own tests, because he trusted that you had done all the tests for him and given him your honest results.
And then he left!
What do you call this, Mr. Mercado? Is it spitting venom on new developers? I don't think so; you are not that cheap, you're a "professional", but I can't find a real reason for that shower of lies against CaSIR. Otherwise it would be just ignorance, but you (and your friends) are "REAL" professionals; you are far from being a bunch of ignorants. Is it the venom thing? Is it? No, no, it can't be; I am just a fresh developer, you can't envy a fresh developer, you are a professional. It must be something I have no idea about. Is it my race? Is it my religion? I don't think so; it must be something else, because race and religion have nothing to do with software development! SIGH!
Anyway, you know what, Tom? Do you know how you made me feel? I have been dreaming of being an MVP one day. It's just a dream, we all dream; yes, I have been dreaming of being an MVP one day, but an MVP that does not only mean "Most Valuable Professional", but also a person who has the morality, the care for other people's feelings, and the objective way of using the facts to seek the truth. But after what you said and what you did, I thank God I am not an MVP... and I don't want to be!
Follow-up:
Tom Mercado has shut down his public board and now has a section on the Malwarebytes.com forums, where he is spreading his "honest" and "professional" wisdom. And by the way, he is still keeping my website address on his list to this very day, although I abandoned it years ago! And guess what? Malwarebytes Anti-Malware was one of my competitors back then, and guess what? They falsely list my abandoned products as malware in their database to this very day!