الأربعاء، 15 يناير 2020

Avoid TeMerc Internet Countermeasures!


One of the most fallacious topics about CaSIR I came across is a topic on a public board led and administrated by a Microsoft MVP called "Tom Mercado". The topic shows that it's not always true to trust a Microsoft MVP and blindly believe all what they say or any insight they provide!

I here am going to address Mr. Mercado and explain to him that he was far away from giving a honest opinion!

Dear Tom,

So you got asked and you gave your honest opinion? Okay, I will tell you, and your two friends (if there were any) what you did and wrote on your own website and on the other websites which was far far away from being “only giving a honest opinion”!

The topic started by a user who has a website that is devoted to promoting freeware, he asked your opinion about CaSIR and you replied that you didn’t read much into it yet but you will.

Another user came after that and stated this:

“The trial is a detect but not remove program. You have to purchase it to remove infections so it doesn’t class as freeware.“

At this point, and after this clear, objective and honest statement, the first person (the freeware guy) got the answer he wanted because he just wanted to know whether CaSIR is freeware or not.

But you came (or one of your friends) and said:

“That’s one strike against this thing.”

Oh God, What a hostile and irrational start!!! I’ve just known that if a program (any program) is not freeware then it is a strike against it!!!

Lets see what was the “second strike”; You said:

“See any sort of details as to where exactly these infections are? Registry keys, files, folders? hello?” 

And you posted the following log:

RKA - Disabled Windows Firewall Infection
Buy to remove infection!
RKA - Disabled Windows Firewall Infection
Buy to remove infection!
RKA - Disabled Windows Firewall Infection
Buy to remove infection!
RKM - Disabled Show System Files/Folders restriction
Buy to remove infection!
RKM - Disabled Show System Files/Folders restriction
Buy to remove infection!
RKD - Default startup folder infection
Buy to remove infection!
SFL - Trojan.Win32.Small.wv
Buy to remove infection!
RKM - Worm.Win32.AutoRun.dkk (Ahsan Virus)
Buy to remove infection!
RKA - Security Center Corrupted Settings
Buy to remove infection!
RKA - Security Center Corrupted Settings
Buy to remove infection!

You forgot to take a minute or two to read the software help page to know that:

RNP means Running Process
GFL means Group of Files
SFL means Single File
GFD means Group of Folders
SFD means Single Folder
RKM means Registry Key to be Modified
RKD means Registry Key to be Deleted
RKA means Registry Key to be Added
RSO means Regular System Optimization

Now you may ask me why you don’t see more details as to WHERE exactly these infections are? Okay, I’ will answer you.

I intentionally hide such details for many reasons:

1. To prevent the other new developers from harvesting my own work and include them in their products (this happened to me many many times in the past without my permission).

2. To prevent the sick people who call themselves “malware authors” from learning how to do the trick, because if you teach them what and how to DISINFECT, they can easily reverse the process and use it to INFECT.

3. Normal users (whom CaSIR is intended for) don’t usually like programs that give too much details, they like the one that fixes their problems with only one click and then shuts up, they don’t even have time to read (set aside understand) all that details, if they have, they would fix their problems manually, why using CaSIR?!

Now lets move to the “third strike”, you said:

“Third strike, not much of a very large target list now is there“.

This has been explained to you before, but you don’t seem to want to get it, those 155 records are NOT how many malicious objects CaSIR can remove, in fact, every one single record of them means thousands of malicious objects.

I’ll give you an example: The “illegitimate System service Infection”, it’s counted by you as only one target right? No sir, I want to ask you, how many malicious objects in the wild that use the trick of naming themselves svchost.exe? of course thousands of them, may be more, now take lsass.exe, services.exe, winlogon.exe, csrss.exe, smss.exe, inetinfo.exe, spoolsv.exe...etc.

CaSIR's database has only 155 records but Kaspersky database has 1,001,351 records, does that mean that Kaspersky removes much much more than what CaSIR does? Of course yes, but not that too much you imagine, Kaspersky's database includes thousands of records for malicious objects whose names are svchost.exe, lsass.exe, services.exe, winlogon.exe, csrss.exe, smss.exe, inetinfo.exe, spoolsv.exe… CaSIR briefs that huge number by only ONE TARGET! That is: “illegitimate System service Infection” And that’s what makes CaSIR different!

Kaspersky uses the classic binary signature method, CaSIR uses the file names method beside the classic binary signature method (only when necessary), this gives CaSIR a huge advantage over Kaspersky in the scan speed, in few seconds CaSIR can detect any malicious object of these thousands because it goes DIRECTLY to them, Kaspersky needs hours to full scan your computer to detect them.

I’ll give you a practical example; Suppose that there's a new virus that its binary signature is not included neither in Kaspersky database nor in CaSIR database, and lets say that the virus puts itself on the system startup and creates its body in c:\whatever\whatever\whatever\svchost.exe and it’s running and currently active.

Now do a full scan with Kaspersky, wait for bloody hours (depending on how huge your file system is) and then what? Oops! nothing detected!

Now run CaSIR, wait for only two or three seconds (no matter how huge your file system is) and then what? BINGO! illegitimate System service Infection DETECTED, and REMOVED!

Now suppose that this virus is one of the nasty malware type that disables tens of AVs, Kaspersky will say bye-bye, and when you try to reinstall it, Oops! ERRORS, ERRORS!

Now run CaSIR, wait for a second or two, restart your computer and then try to install Kaspersky, BINGO! the installation process starts normally!

Lets now move to the “fourth strike”, you (or one of your "professional" friends) said:

Wtf are:
Disabled CCleaner Infection
Disabled RegClean Product Infection
Disabled SkyNet FireWall Infection<<
Since when have infections begun to target utilities like this? I’ve not seen one.

So SkyNet Firewall is from Terminator movie? Where does Jackie Chan come from then? What a low level of objectivity you have and and what a new type of professionals you are! Okay, forget the professional thing, couldn’t you just like any normal user google Sky NET Personal Firewall? to at least be honest and take your time to test? you would know that it's one of the best firewall products in China, but oh, my mistake, it’s a Chinese product and I guess you don’t speak a word of Chinese, so leave it alone!

Have you ever heard about a worm called Win32.delf.cc and what it does to your computer? I guess not, this worm when infects your computer you will NEVER be able to RUN/INSTALL/REMOVE/REINSTALL any of more than 80 different security process that belong to the most well-known AVs (Symantec, Kaspersky, McAfee….) and other security tools and utilities like CCleaner, RegClean, HijackThis…. this worm is very old, and I wonder how come you don’t know it disables Ccleaner and RegClean, SkyNet Firewall and other utilities like this, all you did is to say: “I’ve not seen one!!!”, Really? Okay I’ll make you meet one, I have that worm isolated here in my lab PC, if you want a copy of it for your tests just let me know, but be aware, this is a very nasty one, it will even prevent you from booting in safe mode because once you attempt to do so the ugly face of the BSOD will shows up. So if you want to remove it manually in safe mode I advice you not to do so, you will have nothing to do but booting in normal mode and look at the worm stealing your private data and submits them to the worm author! you have nothing to do but to unplug yourself from the net until you find a solution. Do you know what the solution is? it is not one of that well-known AVs because the worm wont let you install any of them! YES sir, the solution is CaSIR! With only one single click and in only one minute, your computer will be 100% free of this nasty worm!

Lets now move to the Fifth strike, you said:

“Take a look at some of the comments at Rays blog, Most are not very good.”

Most? Are you sure? Is that the honesty of the MVP? I don’t think so!

Lets move to the sixth strike, you (or one of your friends) said:

“It’s getting added to hpHosts with the FSA classification.”

Is this your way of judging any new program? you add the website of its developer to hpHosts thing with the FSA classification before you even contact them to ask for more details? (Oh, forget it, you’re too "professionals" to contact a fresh developer like me), Okay, before you even read the software instructions and help page? Oh, forget it, before you even think you might be dealing with something you have no idea about? Is that your professionalism?!

Do you think that adding my website to your hpHosts with the FSA classification affect my website reputation? Are you smarter than CNET team who hosted and tested my programs and found them free of malware? Are you smarter than Mcafee Siteadvisor.com team who had their tests of my website and found it SAFE? Are you smarter than CHIP magazine and com! magazine who wrote about my programs and included them in their free DVDs? Are you smarter than Kaspersky and all other well-known AVs that don’t use the FUD term who found my program free of malware!

Lets move to the seventh strike, you said:

“It would appear 9\33 av engines call this a number of different things I think he needs to recode that ^%$@# so’s it’s not flagged”

You know that’s because you scanned the CNET version which is packed and protected by ACProtect which appears to some AVs as suspicious, but when you knew you should scan Sergiwa.com version and you found that both VT and Jotti shows low detection rate for it, you said:

“He’s obviously been pretty quick to re-pack/modify it to evade detection …..”

My God! how could you say that? Where is the objectivity? Where are the facts? Where are the evidences?!

At last the topic starter (who TRUSTS your judgment) came and read all what you said, what would he think and what would he say based on your lies about CaSIR?

He of course said:

“Thank you so much TeMerc. I hate it when they do that. It stinks!”

And I bit he didn’t even make his tests because he trusts that you did all the tests for him and you gave him the honest results of yours.

And then he left!

What you call this Mr. Mercado? Is it spitting venom on new developers? I don’t think so, you are not that cheap, you’re a "professional", but I can’t find a real reason of that shower of lies against CaSIR, otherwise it would be just ignorance, but you (and your friends) are “REAL” professionals, you are far away from being a bunch of ignorants. Is it the venom thing? Is it? no no it can’t be, I am just a fresh developer, you can’t envy a fresh developer, you are a professional, It must be something I have no idea about, Is it my race? Is it my religion? I don’t think so, it must be something else because race and religion has nothing to do with software developing! SIGH!

Anyways, you know what Tom? do you know how did you make me feel? I have being dreaming to be a MVP one day, it’s just a dream, we all dream, yes I have being dreaming to be an MVP one day, but an MVP that does not only means “Most Valuable Professional”, but also means a person who has the morality, the care about the other’s feelings, the objective way of using the facts to seek the truth, but after what you said and what you did, I thank God I am not an MVP... and I don’t want to be!

Follow-up:

Tom Mercado has shut down his public board and now he has a section on Malwarebytes.com forums and he's now spreading his "honest" and "professional" wisdom there. And by the way, he is still keeping my website address on his list till this very day although I abandoned it years ago! And guess what? Malwarebytes AntiMalware was one of my competitors back then, and guess what? they falsely have my abandoned products as malware in their database till this very day!

ليست هناك تعليقات:

إرسال تعليق