Tuesday 17 April 2007
CyberDefender: Early Deceit
By Steven Burn - April 15th 2007
I first found out about CyberDefender due to a contest at CastleCops.
One of the first things that made me suspicious about it however, is that the "free" version contains adverts. Not surprisingly, quite a few of us began questioning the fact it was permitted as one of the prizes for the competition. Eventually, we were told the version being given away for the competition, was a full licence without adverts.
Join me for the next few minutes as we find out how this is not the case.
Other than it installing the toolbar without asking me, and displaying an "Installation failed" error (which by the way, was rubbish as it actually DID install - fix your installer guys!!!), the installation went pretty smoothly.
No re-start was necessary, and it didn't mess anything up (that I've noticed).
The initial wizard starts up as soon as the installation has finished, and here's where the fun begins.
The initial wizard screen is just a bog standard "welcome". Clicking next takes you to the "Real-Time Security Updates" screen. For some reason, it tells you to have the firewall allow the updates, which is fair enough and pretty standard. There's just one problem here - after going through the wizard and checking the options, you find EDC has already kindly DISABLED THE WINDOWS FIREWALL!!!!
This is not a good start guys.
The next screen we have in the wizard is Scanning and Scheduling. From here you can set what you want EDC to scan, and when. The next screen is Network Auto Protection. Again, this allows you to configure certain settings within the program.
The next screen is where it gets rather strange as the first sentence is;
"If you agreed to install the safeSEARCH toolbar, you've got a great way to search safely!"
There's just one problem here - I WAS NEVER ASKED IF I WANTED TO INSTALL IT - YOUR INSTALLATION PROGRAM INSTALLED IT WITHOUT ASKING!!!
Clicking next takes you to the "Avoiding Harmful Spam" screen (aka earlySPAM). Here you can activate the spam protection, and give them some free advertising by having it add a tag at the bottom of your e-mail (much like NOD32, Avast etc etc etc, do).
The next screen brings us "Phishing Attacks & Bad Sites". I'm beginning to wonder what the point of the wizard is now as half of these screens so far, don't actually do anything - other than tell you how great everything is.
I've got another problem here already however, as the "Phishing Attacks & Bad Sites" wizard screen kindly tells you that you will be informed immediately when another user on the "CyberDefender network" encounters a "bad site".
Firstly, there's no information on how this actually works. Are these user submitted websites? Are they verified by CyberDefender? And last but not least, the last sentence tells us;
"There are no settings in this module. We recommend you keep it enabled."
Fine, I will - but how could I disable it anyway if "There are no settings in this module."?????
The next screen is "Additional Security Features" (aka earlyMONITOR). Here we are told it will tell us when there are new Windows updates, it will allow us to check the firewall status (it's already disabled the Windows firewall, so this doesn't inspire confidence), allow us to see which cookies we have and remove them, and finally, allow us to see which passwords Windows has stored and remove and optionally disable, them.
By far the favourite however, is the last screen in the wizard - "If Your Subscription Expires".
Here we are told EDC will go back to the "free" version when the subscription expires, so you get all those wonderful adverts again. However, as you'll see later, there ARE ADVERTS IN THE PAID VERSION AS WELL ANYWAY!!!
There's a couple questions easily answered by this notification. Firstly, the adverts are always present, irrespective of whether or not you have paid for EDC, in the form of "earlySERVICES".
We'll get to the adverts themselves in a second.
[Initial Wizard Screenshots]
EDC duth load
Finishing the wizard, we have the screen asking us to insert our registration key. If like me, you kept it in a PDF printout, you're going to hate this as the key is quite long.
Once the key is entered, and verified, you are finally taken to the EDC main screen. This begins an initial scan of your machine.
During the scan, earlyVIRUS apparently thought one of the Epson printer files was malware (EDC detected sagent2.exe as W95/CIH.1003a), and quarantined it. I wasn't notified of this and indeed, actually found out accidentally whilst going through its various dialogs. YOU COULD HAVE AT LEAST BOTHERED TO NOTIFY ME!!!!
Getting past this, we now have another problem. "earlyMONITOR" alerts us that the "Firewall Status" is "Off" - you don't say - YOU TURNED IT OFF!!
I turned it on, and then noticed the option under "earlySERVICES" labelled "Backup Your PC". Knowing how important backups are, and expecting EDC to perform a backup of my lovely little machine in case anything goes wrong - I clicked it, and boy am I glad I did.
Clicking "Backup Your PC" does not in actual fact, backup anything at all. It IS AN ADVERT that takes you to "Mozy Online Backup" (mozy.com), with the EDC ref (affiliate) ID. This website then offers you either a paid or "free" online backup facility. This is quite clearly an advert, so being the annoyed and sceptical person I am I closed the IE window (after taking a screenshot of course), and clicked "Your Credit Report".
I was immediately suspicious of "Your Credit Report" as it's not something you expect to see in a security program, and I was to be proven right to be suspicious. You know what is coming here don't you?
That's right folks, I was taken to yet another website, with the EDC ref (affiliate) ID. This time for a website called "privacy matters 1-2-3" (membershipme.com).
Clicking the now known to be, third advert in the list - "Prevent Identity Theft", we are taken to a website called "LifeLock" (lifelock.com), and yes, this also includes an affiliate ID.
The conclusion so far, we've been misled. The paid version of EDC is supposed to be free of adverts, yet it is quite clearly the opposite. Irrespective of whether or not you pay for it, you get ads. The only difference is how many.
Be sure to join me for part 2 of the EDC review when we'll go through its various "features" and find out just how good its apparent "protection" features really are.
Response and references
This review was originally due to be published 24 hours ago. Unfortunately this was delayed when CyberDefender Corp's Alan Wallace (SVP, Corporate Communications), asked for an additional extension to allow for response to the issues I brought up in the review.
As of publishing, no response, other than an e-mail asking for screenshots surrounding one of the issues, and a public debunking of the review on CastleCops, has been received.
Though CyberDefender SVP, Alan Wallace, claims much of my review is not accurate, he has not provided information on how or what, is not accurate. The review published here contains only what I both saw and found during the course of the review, and as I told Alan, was successfully reproduced twice on my test system (see "Test Conditions" below).
CyberDefender Early Detection Center
Free License Giveaway Contest: CyberDefender
033107 - CyberDefender and Linkshare, ClikXchange, Tradedblr
This review was performed on the default administrator account, using my test system;
- CPU: AMD Sempron 2400+
- RAM: 256MB DDR
- HDD: 10GB
- Windows XP SP2*
- Internet Explorer 6 SP2
- WinPatrol 11.2.2007.1
- AVG AntiSpyware
* All Windows Updates were installed prior to review (with the exception of Internet Explorer 7).
Notes: As this review was done solely for the purpose of the issues raised in the CastleCops thread, the additional tests and monitoring I would additionally perform, were not included (see Disclaimer).
I would like to thank the following people for their help with both allowing this review to take place, and/or for their help proofreading and provision of opinions on, the draft review (apologies beforehand if I've forgotten anyone).
Hewee (Calendar of Updates)
Donna Buenaventura (Calendar of Updates)
JeanInMontana (TeMerc Internet Countermeasures)
TeMerc (TeMerc Internet Countermeasures)
fredvries (MalwareBytes) (especially for alerting me to the spelling/grammar errors)
RubbeR DuckY (MalwareBytes)
I would also like to thank Alan Wallace (CyberDefender) for the provision of the licences that allowed me to actually do the review in the first place.
This article is based on my own findings of CyberDefender Early Detection Center v3.0 Build 0329 and does not cover the detection and protection capabilities.
As you can probably tell, I am not the greatest writer in the world, so if you have any questions concerning this article, please get in touch.