Computer Gripes

documenting the down side of computer stuff

Home Search Merchandise About Michael Horowitz My CNET Blog

Index: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z ALL

CounterSpy Gripes

CounterSpy is an anti-Spyware program

More Gripes

June 2, 2006. Windows XP with all patches applied. CounterSpy version 1.5.82 with definitions as of May 29, 2006.

After installing CounterSpy, nothing happens. The user is not told to run it and if the program is not run and configured, it won't prevent new Spyware installations. The default should be for the best protection.

CounterSpy's left hand doesn't know what the right hand is doing. In the My PC Checkup section I modified the security of an IE Zone. CounterSpy said the modification was done. It lied. A few seconds later up popped a warning that a Zone was being modified and asking me if this was OK. Doesn't give you a warm fuzzy feeling.

I tell CounterSpy's left hand to allow the change to the IE Zone and it says in response:

Your Internet Security Zone level has been changed to: 73728

Say what?

The main CounterSpy window has no function/icon for checking for updates. However, once you go to a sub-section of the User Interface, then an Updates button does appear on the top.

When checking BHO programs one of them was marked with a yellow exclamation point. However the descriptive text said it was safe.

There are bugs in the GUI for My PC Explorer.

CounterSpy is a CPU hog. Perhaps this is more noticeable because the system I was using at the time was old (650MHz processor, 256MB ram). CPU usage attributable to CounterSpy was constantly rising and falling when viewed with Task Manager. It never stopped, even when the only thing happening to the computer was that I was watching it.

They way you tell CounterSpy not to run automatically at boot time is confusing. There is no option specifically for this (as there is with Norton AntiVirus for example). Turns out that if you turn off the automatic protection, then it doesn't run at boot time. Trial and error should not be required.

When checking ActiveX programs, it did not know about some programs it probably should have: the F-Secure online antivirus scanner, the Trend Micro anti-Spyware scanner and the Dell system scanner.

All in all, it felt more like a beta than a mature product.

Norton AntiVirus 2006

March 28, 2006. I purchased and installed the latest version of Counterspy today. Then I installed Norton AntiVirus 2006. Counterspy did not seem to be aware of the NAV files and asked what to do with them every time NAV tried to install some type of hook into Windows. I wanted to ask tech support whether this was true and searched for a log of the questions CounterSpy asked me. There is no log (at least one that I could find).

I went to the Sunbelt Software web site and asked about some of the programs that CounterSpy had objected to, to see if they were part of Norton Antivirus 2006 and whether CounterSpy was aware of NAV 2006. Sunbelt never responded (as of June 1, 2006 - still no response).

Installation Hang

December 27, 2004. CounterSpy version 1.0.25 with Spyware definitions version 44 from December 27, 2004. ZoneAlarm calls it version 1.00.0025 from November 30, 2004.

I installed the $20 client version of CounterSpy on a Windows XP SP1 machine and during the installation process, it hung. Specifically, when it got to the point shown in the picture at the right, the computer (a high end Pentium 4) was constantly running at about 50% cpu and nothing was happening. According to Task Manager, the program hogging the cpu was the counter spy data service - sunasDtServ.exe.

It did respond to a right click on the CounterSpy icon in the system tray, but selecting the Open CounterSpy option did nothing. After over 10 minutes I shut down CounterSpy (by right clicking on the systray icon) and rebooted. It seemed to be running fine afterwards. The machine was connected to the net with DSL.

Then I installed the 15 day trial version of CounterSpy on another Windows XP machine. Same thing - the installation hung at the same point. This was an older machine so CounterSpy consumed a full 100% of the cpu. This machine was connected to the net by a cable modem.

Here too, I shut down the program by right clicking on its systray icon.

Then I tried to start CounterSpy again (without re-booting) and got the error shown here at the right. It complained that the trial had expired, even though the product had only been installed for about 15 minutes.

Again, rebooting seemed to fix everything.

Update Hang

December 29, 2004. The second computer cited above is not used often. Today it was booted and CounterSpy immediately tried to update itself. Again, it hung, looping and burning cpu and also accumulating ram. The screen shot at the right shows the point of no return. It was updating Spyware definitions from version 44 to 48.

Process Explorer showed that the runaway program was sunasDtServ.exe version 1.00.0000.0118 from November 15, 2004. The specific thread that was consuming almost all the cpu was msvbvm60.dll|Created|ExprSrvObj+0xbfa. It also showed that the amount of ram being used by this process was constantly increasing. It got to 25 MB before I killed it.

Shutting down CounterSpy did not stop this program from burning cpu. Instead I had to kill it directly with Process Explorer.

January 3, 2005. It looped yet again when installing Spyware definitions version 54. I cancelled the sunasDTServ.exe process and shut down CounterSpy. Restarting CounterSpy and manually checking for updates showed that the product was up to date.

Through "contacts" I have been in touch with Sunbelt Software and someone there claimed to be unable to re-create this problem. They asked a few follow-up questions but never asked for their own diagnostics. I accidentally stumbled across the fact that CounterSpy has built in diagnostics for just this sort of thing: Help -> About -> Diagnostics button. How serious could Sunbelt have been if they didn't ask for their own diagnostics?
To be continued. . .

No Protection

January 3, 2005. Even while running, CounterSpy does not offer the protection it should.

I was using Real Player to listen to an Internet radio station. Shortly after closing Real Player, Counterspy popped up a window saying that it allowed something. What did it allow? Don't know. The window disappeared before I could read it. It should warn you that a change was made, say it thinks it OK and let me ultimately decide whether to allow it or not. Compounding the aggravation, the main CounterSpy window has no indication that the software just told me something. The Active Protection section of the product also has no indication that it just told me something. In fact, there is no way to view recent messages from the product in the Active Protection section of the product at all. The event log for all the Active Monitors was empty. I guess telling me that it allowed something is not an "event". I poked around however, and happened to find on the menu bar that View -> Active Protection -> View Security Agent Events has a list of messages the product put out, including the one I had just missed. I felt like Sherlock Holmes. This is disgraceful design.

About that message? Here too, CounterSpy let me down. It was a message that the update function of Real Player registered itself to run automatically at system start-up time. CounterSpy said that Real Player contained no Spyware so it allowed the update. But I didn't want to allow it.

According to Sunbelt you can change the behavior of the Active Protection under View --> Settings --> Active Protection or Alerts. To stop the allowed applications from being loaded, choose Allowed Alerts under Alerts. They also pointed out that CounterSpy is focused exclusively on Spyware. When CounterSpy detects an application that might be Spyware, it checks its internal database. If it's known to be a Spyware-free, then CounterSpy allows the program. Otherwise, it alerts you that you may have a dangerous problem. In fairness to the product, Real Player is perhaps best called "nagware" falling in a somewhat gray area.

Any anti-Spyware program, just like an anti-virus program, needs to constantly be fed new definitions of the bad stuff it is looking out for. CounterSpy is capable of automatically downloading new definitions on a schedule that it lets you chose. Fine. However, it has no "Update Now" function. You are totally dependant on the automatic updates, which, for whatever reason, can be disabled.
Update: This was my oversight. CounterSpy can manually check for updates with File --> Check for Updates. This should, however, be somewhat more obvious in the product. This is the second feature I've run across that is only available from the Menu bar and not from the core part of the GUI interface.

CounterSpy marketing has said:

There's a difference between the freeware out there and CounterSpy ... it has real-time protection to reduce the chance of recurring Spyware infections.
The free anti-Spyware tools miss something, they detect and delete Spyware. But CounterSpy detects, deletes and protects!

Spybot Search and Destroy is capable of protecting against new Spyware installations. In a small way, so too does WinPatrol and SpywareBlaster.

Auto Updates

January 9, 2005. Version 1.0.25.

When the automatic update function kicks in, there is no way to cancel it.

It seems that the automatic update does not take place until you open the CounterSpy application. I have CounterSpy installed on a computer that goes days without being turned on. Sunbelt comes out with Spyware definition updates so often, that every time the machine boots, it needs an update. Today, the computer was running for hours with the CounterSpy icon in the system tray and active protection enabled. No updates. As soon as I opened the CounterSpy application though (by right clicking on the systray icon) the automatic update kicked in. I need more confirmation of this however to be sure.

Update: Someone from Sunbelt read this page and had the following comment on the above: "CounterSpy can be setup to check for updates upon System Startup. "View", "Settings", "Stay protected automatically", and change that to "System start up." Here is a screen shot of CounterSpy showing this option. (80KB, opens in new window). January 17, 2005.

Uninstalling

January 10, 2005. Version 1.0.25.

After un-installing CounterSpy and re-booting, traces of the product remained. In C:\Program Files the product directory
Sunbelt Software\CounterSpy Client was still around with about a dozen files totaling 123K. Also, in the Windows temp directory there was a sub-directory called _is40 with CounterSpy files in it that totaled 8.8MB. The largest file was CounterSpy.msi at 8.4MB.

Update: Someone from Sunbelt read this page and had the following comment on this issue: "Currently CounterSpy does that on purpose. If you choose to uninstall and then re-install this product it will retain settings, registration, and other things. We have an open issue in our tracking system that states that the uninstaller should ask the user if they want to totally get rid of these files or leave them on just in case they want to reinstall the product later. Look for that in an up and coming software release." January 17, 2005

Other Gripes

CounterSpy version 1.0.25:

CounterSpy detects tracking cookies, as does every other other anti-Spyware program. The cookies however, seem to be restricted to Internet Explorer only. It does not seem to look for Firefox cookies. Both the web based online scan and the downloaded trial version say nothing in the cookie description about which web browser the cookie reflects.
On a machine that had Adobe Acrobat version 5 installed and no copy of the Acrobat Reader installed, the CounterSpy cleaner offered to remove the history of files viewed with the Acrobat Reader version 4.
Note: Sunbelt said there is a known problem regarding Adobe Acrobat versions that should be fixed soon. December 29, 2004.
In the My PC Explorers section, the Back button does not work correctly. Also, when displaying BHOs, it used a red X icon (see screen shot below) which means something is hazardous, even though every BHO being displayed was said to be safe.
Note: December 29, 2004. Here too, Sunbelt says there are known bugs regarding the back button and the display of the Red X Icon for BHOs and that both should soon be fixed. The more I use the product, the more I see that the Back button doesn't work correctly in other sections too.
When I told CounterSpy to quarantine a Spyware application (the one described below) it closed two open instances of Internet Explorer without any warning.
Note: Sunbelt says the shutting down of IE is by design. They plan on telling the user this in the future.
The default scan is not a full scan of all the files on your computer.
Note: Sunbelt said this is a good thing, what's bad is their documentation. They claim that you can catch 99% of Spyware with a Quick Scan.
On January 2, 2005 CounterSpy warned me that it had been too long since my last full scan. The last scan was 6 days ago, December 27, 2004. This seems like too short a time period to warn users with big red Xs. There seems to be no way to change this warning interval.
I'm looking at the main Counterspy window which shows that Active Protection is enabled. I right click on its icon in the system tray and say to disable Active Protection. The main window does not change. So the system tray icon now says Active Protection is disabled while the product says it is enabled.
The user interface could be improved. For one thing the big buttons on the toolbar are not consistent. On the home page for example, there are none but they do exist in most of the rest of the application. Also, there is a "Settings" section to the product that has no button on the toolbar at all. You can only invoke it with the View option on the menu bar.

BingoFun

December 27, 2004. Bingo Fun was detected on two PCs that I doubt had any Spyware on them. Instead, I suspect, but can't prove, that this is a false alarm. One PC was Windows 2000, the other Windows XP. One used the online ActiveX scanner, the other used the downloaded installable trial version of Counterspy. On a third Windows XP machine, this was not detected.

Counterspy said: "BingoFun is a suite of online gaming (gambling) software that includes Spyware features and popup ads. This is a high risk threat and should be removed or quarantined as to prevent harm to your computer or your privacy." The author is Goodtime Management Ltd.

The files it considered bad are shown here. All are from Macromedia.

Director 8.5 Shockwave Studio in C:\WINNT\system32\Macromed\Shockwave 8\dirapi.dll created: 2/11/2003 5:02:52 AM
Director 8.5 Shockwave Studio in C:\WINNT\system32\Macromed\Shockwave 8\iml32.dll created: 2/11/2003 5:02:54 AM
Director MX in C:\WINNT\system32\Macromed\Shockwave 8\Proj.dll created: 2/11/2003 5:02:56 AM

December 29, 2004. I entered a tech support question about this on Sunbelt's web site. They responded fairly quickly that it is a known problem that they are working on. For the time being, they said to tell Counterspy to ignore this. Still, this sort of thing should be on their web site. It's not. I looked.

Update: April 24, 2005. Working on it? I think not. This still showed up as an "Elevated" Adware threat with the ActiveX CounterSpy scan.

FYI: At download.com someone named Nick commented that counterspy provided false positives. Quoting: "...this program identified at least twenty-five valid Microsoft registry keys as spyware, not to mention it also claimed Macromedia's Flash plug-in was something called Search Squire. To prove that it was incorrectly identifying the flash plug-in, I let it remove Search Squire, then went to Macromedia's site which told me I needed to install Flash (which had been working fine previously), then re-ran CounterSpy which once again identified my newly installed Flash as the spyware Search Squire."

Viewpoint

March 11, 2005. CounterSpy version 1.0.26 with definitions as of March 8, 2005. A program called "Viewpoint Beta" comes up every day as an Elevated threat. Every day it gets quarantined only to turn up again the next day. Deleting the Viewpoint folder under the "Program Files" folder does not help. The folder gets re-created shortly thereafter.

I did some research on this and it seems that Viewpoint is from America Online and the AOL software recreates it every time it runs. The Viewpoint web site goes out of its way to say that they are not Spyware. Is this a false alarm from Counterspy?

I asked Sunbelt if this was a false alarm. They didn't address the question but said that after running a full scan you can tell CounterSpy to ignore a particular program.

FYI

Command Line Options for Microsoft AntiSpyware (beta 1) work with CounterSpy also. April 21, 2005.

Submit a false positive to Sunbelt

May 28, 2005. New features in the upcoming version 1.5 (expected to be released in June 2005). Sunbelt said there are "under-the-hood" improvements in scanning and detection. There is a DNR (Do Not Resuscitate) feature that improves the chances of killing off the parts of Spyware applications that don't allow the Spyware program to be deleted. There two new icons in the toolbar for 'update' and 'manage quarantine' and you now have direct access to the Active Protection Monitors. The type of scan used to default to "Intelligent quick scan". Now the default is a Full scan. You can now also choose "Deep" or "Shallow" scans.

Sunbelt Software created CounterSpy

Known tech support issues with CounterSpy Client Edition.

Email Sunbelt a question about CounterSpy or any of their products

You can download the trial version from download.com

Page created: December 26, 2004

Page last updated: June 13, 2006