A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #1284  by egomoo
 Thu Jun 17, 2010 1:23 am
Safe Returner is an awesomely impressive anti-malware tool which aids in the removal of malware (Trojan horses, worms, adware, spyware) when standard anti-virus software either fails to detect it or fails to effectively eliminate it. Safe Returner is a relatively speedy malware remover: it works at high speed, with a full scan taking less than 5 minutes even with other high-resource programs running. It has a self-developed heuristic malware detection engine which displays the severity of the spyware threat, ranging from High Risk through Moderate Risk to Low Risk.

reviews:

http://www.softpedia.com/reviews/window ... 4403.shtml

http://download.cnet.com/SafeReturner/3 ... 06397.html


Anyone want to try it out and test some samples?
 #1286  by EP_X0FF
 Thu Jun 17, 2010 4:22 pm
Hello,

I tried it against Security Essentials 2010 (aka Internet Security 2010).

It successfully detected and cleaned the rogue AV (a very simple rogue).

As far as I see, Safe Returner terminates all non-whitelisted processes at the beginning of the scan.

However, there exist a lot of fake AVs that block the startup of applications that are not in their whitelist (usually by process name).
So I doubt the real usefulness of this program in comparison with classical antimalware products such as antiviruses.
SafeReturner does not include any kind of self-protection (or I didn't find it).

I believe it is created with only one purpose: to get some bucks from inexperienced users.

Regards.

p.s.
used sample attached.
 #1287  by Jaxryley
 Fri Jun 18, 2010 7:14 am
Gave Safe Returner a run against a rogue pack that I have which installs several rogues at once.

It did kill all processes of the active rogues, and after a scan/reboot none of the rogues were active, allowing a scan with Malwarebytes which cleaned up the dregs.

Sure, the author wants to make a buck out of his app, but I would rather see a legit app getting some payment than the authors of those rogue apps.

 #1289  by Jaxryley
 Fri Jun 18, 2010 8:35 am
It's actually an installer for several rogues. I can't remember where I got it from.

Some of the download links are dead so some of the rogues won't show up. Still nice to play around with though.
RoguePack.rar
 #1299  by egomoo
 Sun Jun 20, 2010 12:11 am
1. If the app's purpose were getting bucks from inexperienced users,

it would not give all functions for a 30-day trial.

And users pay nothing to remove malware during the 30-day trial.

2. "Safe Returner uses termination of all non whitelisted processes at the beginning of scan"

Yes, it will terminate most processes, but it does not use a whitelist database.

In XP, it uses an API function to let each process close itself:

ExitWindowsEx(EWX_LOGOFF, 0);

This sends a "LOGOFF" message to the system; then all the other processes receive the logoff message and close themselves.

But Safe Returner intercepts the "WM_QueryEndSession" event, so it still runs and scans.

3. "However, there exist a lot of fake AVs that block the startup of applications that are not in their whitelist (usually by process name).
So I doubt the real usefulness of this program in comparison with classical antimalware products such as antiviruses."

Safe Returner is a non-signature-based anti-malware tool.

It has a cloud-based similarity analysis function, but it is not based on signatures.

All in all, it is a smart version of Sysinternals' Autoruns.

Safe Returner can automatically remove most malware that could be removed manually using Autoruns with some PC skill.

So it's powerful in common use for both novices and techs.

There is some malware that it could not remove as of version 1.24:

1. API hooks that prevent Safe Returner from getting the right startup items
2. Rootkits that hide themselves from normal detection
Here is an answer:

http://www.wilderssecurity.com/showthread.php?t=274894
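As an added illustration (not Safe Returner's code and not posted by anyone in this thread), the C program below models the logoff-based sweep egomoo describes: ExitWindowsEx(EWX_LOGOFF, 0) makes the system send WM_QUERYENDSESSION to each top-level window, a window that answers TRUE is then sent WM_ENDSESSION and closes, and a window that answers FALSE vetoes and keeps running. It is a portable model in plain C with no Win32 calls: the two message ids are the real ones, while the process names, the handler functions and the stop_on_veto switch are constructed. Whether Windows keeps asking the remaining windows after one veto differs between versions, so the model takes that as a parameter instead of asserting one behaviour. The point it makes for a defender is the one EP_X0FF's post hints at: a sweep that asks processes to exit only removes the processes that cooperate, and which ones are left standing depends on the order and on who vetoes.

```c
/*
 * Constructed model (plain, portable C; no Win32 calls) of the "ask everyone
 * to log off" sweep described in the post: ExitWindowsEx(EWX_LOGOFF, 0) makes
 * the system send WM_QUERYENDSESSION to each top-level window; a window that
 * answers TRUE is then sent WM_ENDSESSION and shuts down; a window that answers
 * FALSE vetoes and is never told to end. Whether Windows keeps asking the
 * remaining windows after a veto differs by version, so the model takes that
 * as the stop_on_veto parameter rather than asserting one behaviour.
 */
#include <stdbool.h>
#include <stdio.h>

#define WM_QUERYENDSESSION 0x0011u   /* real Win32 message ids, for readability */
#define WM_ENDSESSION      0x0016u

typedef struct App App;
/* Stands in for a window procedure; the return value is the TRUE/FALSE answer. */
typedef bool (*WndProc)(App *self, unsigned msg, bool wparam);

struct App {
    const char *name;     /* constructed process name */
    WndProc     proc;
    bool        running;
};

/* Well-behaved application: agrees, then exits once told the session really ends. */
static bool cooperative_proc(App *self, unsigned msg, bool wparam)
{
    if (msg == WM_ENDSESSION && wparam)
        self->running = false;
    return true;                      /* TRUE to WM_QUERYENDSESSION: "go ahead" */
}

/* Application that vetoes, which is what the post says Safe Returner does to
 * keep scanning; any process is free to answer the same way. */
static bool veto_proc(App *self, unsigned msg, bool wparam)
{
    (void)self; (void)wparam;
    return msg != WM_QUERYENDSESSION; /* FALSE to the query, TRUE to anything else */
}

/* Simulates the broadcast triggered by ExitWindowsEx(EWX_LOGOFF, 0).
 * Returns the number of applications still running afterwards. */
int simulate_logoff(App *apps, int count, bool stop_on_veto)
{
    bool cancelled = false;
    for (int i = 0; i < count; i++) {
        App *a = &apps[i];
        if (cancelled)
            continue;                                  /* nobody after a veto is asked */
        bool agreed = a->proc(a, WM_QUERYENDSESSION, false);
        if (agreed)
            a->proc(a, WM_ENDSESSION, true);           /* wParam TRUE: session ending */
        else if (stop_on_veto)
            cancelled = true;
    }
    int still_running = 0;
    for (int i = 0; i < count; i++)
        still_running += apps[i].running ? 1 : 0;
    return still_running;
}

/* Constructed sample desktop: a vetoing scanner among cooperative processes.
 * Returns how many processes survive the sweep. */
int demo_logoff_sweep(bool stop_on_veto)
{
    App desktop[] = {
        { "explorer", cooperative_proc, true },
        { "scanner",  veto_proc,        true },
        { "rogue_av", cooperative_proc, true },
        { "notepad",  cooperative_proc, true },
    };
    int n = (int)(sizeof desktop / sizeof desktop[0]);
    int survivors = simulate_logoff(desktop, n, stop_on_veto);
    printf("stop_on_veto=%d:", (int)stop_on_veto);
    for (int i = 0; i < n; i++)
        printf(" %s=%s", desktop[i].name, desktop[i].running ? "running" : "closed");
    printf("\n");
    return survivors;
}

int main(void)
{
    demo_logoff_sweep(false);   /* scanner survives, everything else closes */
    demo_logoff_sweep(true);    /* veto cancels the sweep; later processes untouched */
    return 0;
}
```

With stop_on_veto=false only the vetoing scanner survives (1 process left); with stop_on_veto=true the first veto cancels the sweep and the two processes queried after it are never asked (3 left). Either way the sweep's reach is set by the processes' own answers, not by the tool doing the asking.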
 #1300  by egomoo
 Sun Jun 20, 2010 12:37 am
"It did kill all processes of the active rogues and after a scan/reboot none of the rogues were active allowing a scan of Malwarebytes which cleaned up the dregs."
Thanks for the review.

There are some dregs, as it is a non-signature anti-malware tool.

It focuses on the detection and removal of active malicious software.

If you test more than 10 samples, including the latest samples, you will find it is quite different from conventional anti-malware products.

Here is a story that maybe most techs will share as their first experience with Safe Returner:

http://www.wilderssecurity.com/showpost ... stcount=44
====================================================================

True Sword has a 27 MB database file, database.db, located at:

C:\Documents and Settings\All Users\Documents\True Sword 5\

In its program files\True Sword\ directory

there is not a single DLL file, just two simple EXE files.

It is a very simple signature-based anti-malware tool. There is nothing new in it compared with similar products all around the world.