Sunday, November 2, 2008

HitmanPro 3 - maybe better, but I still have my doubts..

Posted on 8:37 AM by Unknown
Mainly Dutch users will know this program/removal tool. There were many discussions about it in the past, as you will read here.
However, the newest version is a bit different. Instead of installing many different Antispyware and Antivirus removal tools, it now uses a "Scanwolk" or "ScanCloud". This means that potential malware related files are uploaded there and scanned by a couple of different engines. These engines are Eset (NOD32), Avira, PrevX, Emsi Software - a-squared Anti-Spyware and Ikarus Anti-Virus. As far as I know, some of these "Scansoftware" are for free. Correct me if I am wrong.

This is a little bit the same principle as Virustotal, but in this case it happens automatically, without user intervention.
Previous versions of HitmanPro were for free; however, this time the new version is different. Scanning stays free, but to remove what it has found, you have to purchase a license. First you get a trial which is able to remove the found threats - but once that trial has expired, you have to purchase a license..

Before testing this application, I already had a few remarks....

* What about false positives the external scanners find? Will HitmanPro remove them as well or not?
* Automatically uploading files to the "ScanWolk" (as they are calling it) - what about user intervention? Is this automatically allowed? Most scanners ask this before uploading potentially suspicious files to a server. HitmanPro goes for faster results and uploads automatically without user intervention. Ethics???

Anyway, those were my main concerns, so I decided to give HitmanPro3 a try..

If I test software, I always try it in a VMware image first. In this case, it was Windows XP Pro Service Pack 2.
It was a clean install, only some analysis tools (tools which enumerate windows loading points) were installed.

I've downloaded HitmanPro 3 and executed it...
Once again, this is a clean Windows XP SP2 install with only some analysis tools present.

It started with the scan...



Ok, tracking cookies in the first place. You're kidding if people really have to purchase a license to remove these tracking cookies. Easy money..
Anyway.. the other detections..
Too bad to see it detected one of my favorite analysis tools (OtScanIt.exe) as Trojan.Dos.Win32....
I've uploaded it to Virustotal and it came back with the following results: http://www.virustotal.com/nl/analisis/ab129671f0130d829a70e395ec5b64fa
HitmanPro uses the Prevx engine, and in this case it's detected as "Cloaked Malware". This is a heuristic detection and may be a false positive. Not sure where HitmanPro gets the "Trojan.Dos.Win32.." from..
Anyway.. during detection, there is NO WAY to deselect what it has found. The only option you get is the "next" button (and the option to select what subscription you have).
Then, if you click the "next" button, it removes what it found, no matter if it was a false positive or not (after all, you could not deselect it from the main screen). Bye bye OtScanIt - I couldn't save you.. :(
And even in my clean VMware image, HitmanPro decided (without notice) to remove my desktop background and replace it with the 'plain blue standard background'. Is there any reason why? Without notice? So this means that everyone who runs HitmanPro3, no matter if you're infected or not, gets a "blank" desktop afterwards?

Once again, this was in a clean Windows XP SP2 image. Detection and removal of files that weren't even malicious, and deleting value data in registry keys (without notice) that weren't malicious either...
It also appears that some others were having problems as well with this newest version. For example:
http://www.techzine.nl/nieuws/18270/SurfRight-brengt-finalversie-Hitman-Pro-3-uit.html (see the first reaction there).
To translate: "I've used it two times and deleted it immediately. The scripts crashed and deleted important files from my PC. BSOD, then a system restore (removed HitmanPro) and everything worked OK again."

I'm not surprised at all.....

So the only thing I can say here is... please remove the official version and give it more time to beta test. It's way too dangerous to use/release it in public.
Some important thoughts:

* Ask for confirmation before uploading potentially dangerous files.
* Make sure people can select/deselect what files to remove.

EDIT: There's indeed an option to select/deselect what files to remove, but only if you right-click the view and select the "Virus analist view". Many people won't know about that option (I didn't either), so it may be better to put checkboxes to select/deselect in the main view.

* I can't find a backup/quarantine option. Better to give the option to quarantine what it removed with the option to restore if needed.
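The three points above (consent before upload, select/deselect, quarantine with restore) translate into a small, testable cleanup flow. The block below is an added example written for this post, not HitmanPro's or any vendor's code: the "scan cloud" engines are stood in for by constructed verdict tables keyed by SHA-256 (the hypothetical names engine-a/b/c), and every sample byte string and file name is constructed for the demonstration. It also shows the false-positive handling the post asks for: a single heuristic hit (the "Cloaked" style detection) is only reported as suspicious and is never removed automatically, and anything that is removed goes to a quarantine folder with a manifest so it can be put back.

```python
"""Consent-first, multi-engine scan with quarantine instead of deletion.

Added example (not HitmanPro's or any vendor's code): the remote engines are
stood in for by constructed verdict tables keyed by SHA-256, and every file
name and sample byte string below is constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample contents: one firm threat, one analysis tool that a
# heuristic engine mislabels, one plain document.
SAMPLE_BAD = b"constructed sample standing in for a trojan"
SAMPLE_TOOL = b"constructed sample standing in for an analysis tool"
SAMPLE_DOC = b"constructed sample standing in for a harmless document"

# Simulated "scan cloud": hypothetical engine names mapping hash -> verdict.
SIMULATED_ENGINES = {
    "engine-a": {sha256_hex(SAMPLE_BAD): "Trojan.Generic",
                 sha256_hex(SAMPLE_TOOL): "Heur.Cloaked"},   # heuristic-only hit
    "engine-b": {sha256_hex(SAMPLE_BAD): "Trojan.Agent"},
    "engine-c": {sha256_hex(SAMPLE_BAD): "Win32.Trojan"},
}


def cloud_lookup(digest: str) -> dict:
    """Ask every engine about a hash. Only the digest leaves the machine."""
    return {name: table[digest]
            for name, table in SIMULATED_ENGINES.items() if digest in table}


def classify(verdicts: dict, min_engines: int = 2) -> str:
    """'malicious' requires several engines with non-heuristic names to agree.
    A lone or heuristic-only hit is 'suspicious': shown to the user, never
    removed automatically. No hits at all is 'clean'."""
    firm = [v for v in verdicts.values() if not v.lower().startswith("heur")]
    if len(firm) >= min_engines:
        return "malicious"
    return "suspicious" if verdicts else "clean"


def scan_path(path: Path, consent) -> dict:
    """Scan one file. `consent(path)` must return True before anything about
    the file is sent out; a refusal leaves the file unscanned, not deleted."""
    digest = sha256_hex(path.read_bytes())
    if not consent(path):
        return {"path": path, "sha256": digest, "engines": {}, "verdict": "not scanned"}
    engines = cloud_lookup(digest)
    return {"path": path, "sha256": digest, "engines": engines, "verdict": classify(engines)}


def quarantine(path: Path, qdir: Path) -> Path:
    """Move the file into quarantine and record where it came from, so the
    action can be undone. Returns the manifest path."""
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_hex(path.read_bytes())
    shutil.move(str(path), str(qdir / digest))
    manifest = qdir / f"{digest}.json"
    manifest.write_text(json.dumps({"original": str(path), "sha256": digest}))
    return manifest


def restore(manifest: Path) -> Path:
    """Put a quarantined file back at its original location."""
    info = json.loads(manifest.read_text())
    shutil.move(str(manifest.with_suffix("")), info["original"])
    manifest.unlink()
    return Path(info["original"])


def cleanup(results: list, approved, qdir: Path) -> list:
    """Quarantine only firm detections that the user left selected
    (`approved(result)` is the select/deselect step)."""
    return [quarantine(r["path"], qdir) for r in results
            if r["verdict"] == "malicious" and approved(r)]


def demo() -> dict:
    """Run the whole flow in a temporary directory and return what happened."""
    work = Path(tempfile.mkdtemp())
    files = {"bad.bin": SAMPLE_BAD, "otscanit.exe": SAMPLE_TOOL, "doc.txt": SAMPLE_DOC}
    for name, data in files.items():
        (work / name).write_bytes(data)
    results = [scan_path(work / n, consent=lambda p: True) for n in files]
    manifests = cleanup(results, approved=lambda r: True, qdir=work / "quarantine")
    restored = [restore(m) for m in manifests]          # undo, to prove it is reversible
    intact = all(p.exists() and sha256_hex(p.read_bytes()) == r["sha256"]
                 for p in restored for r in results if r["path"] == p)
    shutil.rmtree(work)
    return {"verdicts": {r["path"].name: r["verdict"] for r in results},
            "quarantined": len(manifests), "restored_intact": intact}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` classifies the constructed trojan as malicious (three engines agree), the analysis tool as suspicious only (one heuristic name), and the document as clean; only the first is moved to quarantine, and restoring it brings back a file with the same hash. The `consent` and `approved` callbacks are where a real tool would show its dialog and its checkbox list.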

... and some more thoughts that I will post later.

Extra note... I have NOT tested this on an infected system yet - I'll certainly do this later and see how it acts/reacts - and post the results. My main point was how it acted/reacted on a NON infected system, since many people just love to run tools and even purchase them if not needed.
Posted in Security Products | No comments