Enigma Software SpyHunter 4 Review

Posted: April 30, 2016 in Security

Due to the amount of controversy around the Enigma Software SpyHunter product, I decided it was time to review my Web of Trust rating by retesting the software.
https://www.mywot.com/en/forum/64166-defending-freedom-of-speech
https://blog.malwarebytes.org/security-world/2016/02/bleepingcomputer-defends-freedom-of-speech/

The company claims that it has cleaned up its act, and that old comments and reviews are no longer valid and damage its reputation.
Enigma Software has threatened legal action against the web site “Bleeping Computer” because of a negative “review”:
http://www.bleepingcomputer.com/forums/t/550005/spyhunter-vs-malwarebytes-vs-iobit/
It is not a review; it is a public forum thread where members of the public express their own personal opinions.
The so-called “negative review” within the thread is a post by a moderator in answer to the original post.
The moderator says quite clearly:

In my opinion SpyHunter is a dubious program with a high rate of false positives…

The “opinions” of a public forum moderator do not necessarily reflect the opinions of the site owners, and do not constitute a “review”.

This is a “SpyHunter review” by Dr.Flay….

Version installed: 4.21.18.4608
Certifications: OPSWAT and West Coast Labs (I investigate these below)
AV certifications: None
Install size: 61.6 MB
Test system: Windows XP Pro SP3, 3 GHz AMD (32-bit), 2 GB RAM, 80 GB UDMA-6 disk
Previous scans: MS Defender, Avira Pro, multiple engines with Herd Protect (free) and Reason Core (1 month full trial)

First, let's look at the promoted certifications:
OPSWAT certification rates how compatible a product is with other security software.
SpyHunter gets a Bronze rating, meaning it can be detected (as an installed security product) by most leading software.
https://www.opswat.com/certified/products?level=bronze
https://www.opswat.com/certified/levels
West Coast Labs certification is now hidden, but I made an account and can see that SpyHunter is rated as “Passed” (whatever that means).
[Screenshot: WCL]
https://search.checkmarkcertified.com/finder/search/vendor/?name=enigma
The Web Archive copy of the “test” results shows that it “installed”.
http://westcoastlabs.com/checkmark/productList/checkmarkTestResult/?productID=383&techGroupID=33&from=v
It looks as if West Coast Labs simply test whether products will install.
Neither certificate has anything to do with the effectiveness of the software, and both seem pointless to boast about, as these are the lowest bar you could expect any software to clear.

OK then, test time….
Once installed and updated, the SpyHunter 4 scanner automatically started a scan, which slowed the PC to a stuttering crawl.
Once the task priority was reduced to “Lowest”, the PC could be used again.

Funky DNS or DNS Funkiness ?

Results started to show fairly quickly, but I wanted to look at the settings to find out why it was warning me about a change to my DNS settings and asking whether I wanted to allow or block it.
Answer: well, that depends on who made the change and what it is, but no information is given.
If the change is SpyHunter's own, then I would say no, because I am using OpenDNS with DNSCrypt.
If the change is because of a real threat, then I should be shown what the change is.
I am confused as to why it warned me of its own behaviour in the style of an unknown threat.

I cancelled the scan to concentrate on the DNS issue, and watched the current results disappear.
So, remember to cancel early or let it finish.

Upon inspection I see it offers an “enhanced DNS system”, but when I look at what it really gives you, it is just a pre-selected list of “trusted” DNS servers (Windows already lets you configure multiple DNS servers).
It does not show which provider uses which IP, so users cannot be sure unless they WHOIS the one they are currently connected to.
It does not show whether any of them support security features such as DNSSEC, DNSCrypt or DNSCurve.
It does not seem to use the closest/fastest DNS, or show the user the country so they can choose the closest.
The “secure” DNS in the list is provided by Comodo, who filter access to bad sites…. and many good sites.
You can add your own custom choices of DNS, but if you know about that, you probably know how to do it in Windows already.
I like the idea of what they have tried to give users, but it should show more feedback to be useful and trustworthy.
However, this will monitor and fix a DNS hijack, which is a good thing (most good AV will also do this).
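The feedback I wanted from the “enhanced DNS” screen (which provider owns each configured resolver, and whether anything unexpected has crept in) can be scripted. The following is an added example, not SpyHunter's or Enigma's code: it parses the output of `netsh interface ip show dns` on Windows, labels each resolver from an allowlist and flags anything that is not on it. The allowlist is an assumption (the provider addresses are the publicly documented ones, and 127.0.0.1 stands in for a local DNSCrypt proxy), and the sample `netsh` output is constructed for the offline run; the 198.51.100.53 resolver in it is a made-up address from the documentation range, standing in for a hijacked setting.

```python
"""Added example (not Enigma Software's code): label the DNS servers configured
on a Windows PC and flag any resolver that is not on the user's own allowlist.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Assumed allowlist: resolvers the user has deliberately chosen. The provider
# addresses are the publicly documented ones; 127.0.0.1 covers a local DNSCrypt proxy.
KNOWN_RESOLVERS = {
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
    "8.26.56.26": "Comodo Secure DNS",
    "8.20.247.20": "Comodo Secure DNS",
    "8.8.8.8": "Google Public DNS",
    "8.8.4.4": "Google Public DNS",
    "127.0.0.1": "local resolver (e.g. a DNSCrypt proxy)",
}

IFACE_RE = re.compile(r'^Configuration for interface "([^"]+)"')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample of `netsh interface ip show dns` (Windows XP layout). The
# second interface carries a made-up resolver from the 198.51.100.0/24 documentation range.
SAMPLE_NETSH = '''\
Configuration for interface "Local Area Connection"
    Statically Configured DNS Servers:    208.67.222.222
                                          208.67.220.220
    Register with which suffix:           Primary only

Configuration for interface "Wireless Network Connection"
    DNS Servers configured through DHCP:  198.51.100.53
    Register with which suffix:           Primary only
'''


def parse_netsh_dns(output: str) -> Dict[str, List[str]]:
    """Map each interface name to the IPv4 resolvers listed beneath its heading."""
    servers: Dict[str, List[str]] = {}
    current = None
    for line in output.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            current = m.group(1)
            servers.setdefault(current, [])
        elif current is not None:
            servers[current].extend(IPV4_RE.findall(line))
    return servers


def classify_resolvers(servers: Dict[str, List[str]],
                       known: Dict[str, str] = KNOWN_RESOLVERS) -> Dict[str, List[Tuple[str, str]]]:
    """Attach a provider label to every resolver. Anything labelled UNKNOWN is the
    candidate for a DNS hijack (or for a tool silently changing your settings)."""
    return {iface: [(ip, known.get(ip, "UNKNOWN")) for ip in ips]
            for iface, ips in servers.items()}


def unknown_resolvers(report: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """(interface, ip) pairs that are not on the allowlist."""
    return [(iface, ip) for iface, entries in report.items()
            for ip, label in entries if label == "UNKNOWN"]


def live_report() -> Dict[str, List[Tuple[str, str]]]:
    """Run netsh on the local Windows box and classify what it reports."""
    out = subprocess.run(["netsh", "interface", "ip", "show", "dns"],
                         capture_output=True, text=True).stdout
    return classify_resolvers(parse_netsh_dns(out))


if __name__ == "__main__":
    # On Windows inspect the real configuration; elsewhere fall back to the constructed sample.
    if sys.platform == "win32":
        report = live_report()
    else:
        report = classify_resolvers(parse_netsh_dns(SAMPLE_NETSH))
    for iface, entries in report.items():
        print(iface)
        for ip, label in entries:
            print("    {:<16} {}".format(ip, label))
    bad = unknown_resolvers(report)
    if bad:
        print("WARNING: resolver(s) not on the allowlist: " + ", ".join(ip for _, ip in bad))
```

Run it periodically (or from a scheduled task) and the UNKNOWN line is the “DNS changed” warning with the missing detail filled in: which interface, which address, and which provider it is not.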

Singing Detective

Now happy with the DNS situation, I rebooted and ran a complete scan.
This time I was immediately presented with a popup warning me about a standard Microsoft link installed by Bing Maps 3D.
[Screenshot: Threat01]

The first “threat” shown in the scan was for “MiPony”, and when the scan finished it had found 100 related low-priority “threats”, with a scary generic description that does not read as low threat.

[Screenshot: Threat02]

“MiPony” is a download manager for those annoying advert-filled upload sites, and helps me to avoid adverts.
The installer is wrapped in a partner-ware installer, which offers a selection of other programs before installing the main program (I copy the real installer from the TEMP folder and use that).
VirusTotal rating for the real MiPony 2.4.0 installer:
https://www.virustotal.com/en/file/339a1f717130c4151cbe1d7f49eb710f1f79bb3e1fa86ef48be7ef9d3f32a404/analysis/
The real installer is in my Google Drive if you prefer to use that.

No adware or extra software was installed with MiPony on this PC. Each “threat” listed is for any reference to MiPony.
This includes the EXE, the DLLs, icons, language files, registry entries, and folders.
None of those are threats or adware. They relate to “possible” adware related software…. POSSIBLE. MAYBE.
MiPony used to install a toolbar supplied by Conduit, but no longer does.
If there were any adware, it would have been that. MiPony has never contained adware itself.

Attention !  Extension Extermination

The next 647 medium-priority “threats” found show that it would have damaged my Firefox security/privacy if I had paid and let it fix things.

[Screenshots: Threat03, Threat04]

Most of the “threats” it found are the rule sets for HTTPS Everywhere and Disconnect.me, both privacy add-ons.
These rules exist precisely to fix privacy/security problems with the domains SpyHunter objects to; the rule files merely name those domains so that the add-ons can act on them.
The rest are for Cacheit, which can fetch pages from blekko if the user wants.
blekko can be disabled as an option in the extension if you don't want to use it.
blekko is a search engine that has used dubious marketing tactics, but then so has advert-filled Google, which has for many years supplied toolbars, “hijacked” browser home pages, sold your data, and sneaked its software into PCs with other programs.
…but that is OK, because it is Google.

Mistaken identity

The next single low-rated “threat” was interesting in its categorisation, as it identifies a reference to AutoCompletePro within the Disconnect.me extension as a PUP (Potentially Unwanted Program).
It is not a task running on the PC, but a line of text.

[Screenshot: Threat05]

Again, this is a rule to protect users from a tracker hosted by the makers of AutoCompletePro.

These are not the droids you are looking for.

Finally it finds something that looks like a real threat ! A “Trojan” in the system32 folder !!!

[Screenshot: Threat06]

However, I already know what this is and why 11/57 AV engines rate it as a Risk or a Trojan.
https://www.virustotal.com/en/file/f5f7bd4c942db26306ace16e786bc2596549124dbe1fbf3e78ec1b05dcd09d16/analysis/
“vlwc.exe” can change the homepage in your browsers and, even worse, it can and will modify many system files!!!
It can even detect changes and re-patch the files again.

… because that is exactly what it is for. It is the “Welcome Centre” control panel for the WindowsX Windows 7 Transformation Pack: http://www.windowsxlive.net/seven-transformation-pack/
This dastardly file can make your tired old XP look and feel like Windows 7, but only when you say so.

[Screenshot: vlwc]

At least 60 system files on this PC are not as they should be (and are not copies of the Win7 originals either), but SpyHunter does not recognise these modified files as a threat.
If the system had been infiltrated, those files would be suspect, and many of them are important.

Here is the folder with the original backed-up files (and my groovy XP7 theme).
[Screenshot: SysFiles]

I am not saying that SpyHunter should have classed the modified files as a threat, but that while it can see the “malware”, it cannot detect the changes made by it unless the “damaged” file is itself already in the database.
A good AV will look for types/patterns of damage/change, to see whether malware has been injected into something else, whether there is evidence of known damage relating to a current infection, or whether a new variety of dropper has delivered a known threat, etc.
If vlwc.exe has really been examined by Enigma Software, why don't they care about the files it changes, yet still class it as a threat?

…. perhaps because they have never installed and examined it, and are basing their “algorithm” *cough* on someone else's database.
Obviously that is just conjecture, but it does seem to do basic keyword and hash scanning with no context.
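The check a scanner should be doing here (and the one you can do yourself when you have a folder of backed-up originals, as above) is a hash comparison of the live system files against the known-good copies. The script below is an added example, not SpyHunter's or Enigma's code: it hashes every file in a baseline folder, compares it with the file of the same name in the live folder, buckets the results as unchanged/modified/missing, and for each modified file builds the VirusTotal lookup URL in the same shape as the links used in this review, so a suspect file can be checked by hash without uploading it. The paths in the usage note are assumptions, and the three-file tree that `run_sample()` builds is constructed for the offline run (the file names are only labels).

```python
"""Added example (not SpyHunter's or Enigma Software's code): report which backed-up
system files differ from their live copies, and where to look each one up by hash.
"""
import hashlib
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Same URL shape as the VirusTotal links in the review (SHA-256 of the file).
VT_FILE_URL = "https://www.virustotal.com/en/file/{}/analysis/"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_trees(baseline: Path, live: Path) -> Dict[str, List[str]]:
    """For every file under `baseline` (the backed-up originals), hash the file with
    the same relative name under `live` and bucket it as unchanged, modified or missing."""
    result: Dict[str, List[str]] = {"unchanged": [], "modified": [], "missing": []}
    for orig in sorted(p for p in baseline.rglob("*") if p.is_file()):
        rel = orig.relative_to(baseline).as_posix()
        current = live / rel
        if not current.is_file():
            result["missing"].append(rel)
        elif sha256_file(current) == sha256_file(orig):
            result["unchanged"].append(rel)
        else:
            result["modified"].append(rel)
    return result


def virustotal_url(path: Path) -> str:
    """Where to look up a file's reputation by hash, without uploading it."""
    return VT_FILE_URL.format(sha256_file(path))


def run_sample() -> Dict[str, object]:
    """Build a constructed three-file tree in a temp dir and run the comparison on it."""
    root = Path(tempfile.mkdtemp(prefix="sysfiles_"))
    base, live = root / "SysFiles", root / "system32"
    base.mkdir()
    live.mkdir()
    (base / "shell32.dll").write_bytes(b"original bytes")   # untouched on the live system
    (live / "shell32.dll").write_bytes(b"original bytes")
    (base / "uxtheme.dll").write_bytes(b"original bytes")   # patched on the live system
    (live / "uxtheme.dll").write_bytes(b"patched bytes")
    (base / "msgina.dll").write_bytes(b"original bytes")    # no live copy at all
    report: Dict[str, object] = dict(compare_trees(base, live))
    report["vt_urls"] = {rel: virustotal_url(live / rel) for rel in report["modified"]}
    return report


if __name__ == "__main__":
    # Assumed usage: python integrity_check.py C:\Backup\SysFiles C:\WINDOWS\system32
    if len(sys.argv) == 3:
        base, live = Path(sys.argv[1]), Path(sys.argv[2])
        report = dict(compare_trees(base, live))
        report["vt_urls"] = {rel: virustotal_url(live / rel) for rel in report["modified"]}
    else:
        report = run_sample()
    for bucket in ("modified", "missing", "unchanged"):
        print("{:<10} {}".format(bucket + ":", ", ".join(report[bucket]) or "-"))
    for rel, url in report["vt_urls"].items():
        print("look up {}: {}".format(rel, url))
```

This is deliberately a whole-file comparison rather than a signature lookup: a patched uxtheme.dll will never be “in the database”, but it will always differ from the original, which is exactly the change SpyHunter did not notice.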

Verdict and sentencing

Ooooh look Ma’ it has pretty lights !
A wiser man than me once said “In my opinion SpyHunter is a dubious program with a high rate of false positives”
That was also my experience several years ago, and yes, I can say it is better than it was:

Pros.
It did not freak out with a cookie crisis.
It has a nice selection of reputable DNS servers.
It has a few other protective features, but not many.
It is small to install and quick to open.
It is third-party certified as detectable by other software and as “installable” or “passed” (W.T.F?).
SpyHunter, Enigma, or members of Enigma have been mentioned or quoted by other well-known sites.

Cons.
The install size is as big as HerdProtect and Reason Core together.
It does not care that the references to the domains it dislikes are part of very well-known and respected security extensions.
If I had used it, I would have lost protection on the very sites it wants to protect me from.
It often shows generic information, not specific to the “threat”, as seen in the high-risk Trojan detection of vlwc.exe and the low-risk adware (that was not even installed) with MiPony.
(Indeed, it seems to have a lot more to say about MiPony than about the other perceived threats.)
It is not listed, credited, rated or awarded anything by the actual AV testing and comparison sites:
https://www.virusbulletin.com/testing/vendors/active/vb100-antimalware
https://www.av-test.org/en/compare-manufacturer-results/
http://www.av-comparatives.org/av-vendors/

SpyHunter is not malicious; it is just rubbish, and requires extra support.
Any good free anti-malware software will protect you better, and find and remove more real threats.
You may notice one thing all good AV companies have in common: they don't sell home users tech support.
They don't need to.
To paraphrase the wise man:

“In my opinion SpyHunter is of dubious quality with a high rate of false positives.
I would rather rely on MSE/Defender and a lucky-8 ball for tech-support”
Dr.Flay™

If you ever want to know who the current top free AntiVirus / AntiMalware products are, I keep a regularly updated blog where I monitor the results from the different test sites and, based on them, rate the top 5 in order of desirability.
The blog also has possibly the largest collection of malware and hacking maps and visualisations, so if you are not paranoid yet, go to the bottom of the page 😀
https://vivaldi.net/en-US/userblogs/entry/best-free-anti-virus

Disclaimer:
To the best of my knowledge everything written here is factual and based on my own personal experience.
My only purpose with this review is to empower users.
Objections to this review will be noted,
…and then laughed at.
