Solved

Is Spector Pro on my Mac?

Posted on 2011-02-16
Last Modified: 2012-06-21
I have a client who purchased a computer from his employer on exit. The company was known to use Spector Pro on employee machines.

Q1 - How can I tell if Spector is installed on his computer?
Q2 - Does the Mac version report back to a "Mother Ship" or is the captured data kept on the local hard drive?
Q3 - Best removal technique?

Links are always helpful, but let me know if you have personal experience with this issue.
Thanks in advance.
Question by:mccrick
13 Comments
 
LVL 32

Accepted Solution

by:
aleghart earned 400 total points
Q1 - you should assume that it already is.  Files are not in the clear, and no icon/uninstaller.

Q2 - local storage w/remote access.  CNE and 360 caches locally, then uploads to a SQL database

Q3 - format and reinstall will take care of all software issues...you don't know what else is installed, including VNC or others

You need the uninstaller program plus the installation password set by the admin.  Which, no admin will divulge, lest other users start uninstalling the monitoring software.

The proper solution is to wipe the drive completely and re-install.
 
LVL 11

Author Comment

by:mccrick
Thanks for the speedy reply. Your Q3 answer is what I told my client.

Going back to Q1, is there any way to confirm or verify that it is on there?
 
LVL 32

Expert Comment

by:aleghart
re: Q1 - if there are installation files or the viewing app left behind, then the admin didn't do it right, and it's easy to spot.  But, the files are designed to be obscure.  And many anti-virus scanners might skip it, since it is legitimate software.

The bandwidth consumed is very small, and there's no noticeable drag on the system resources.

Getting into details about circumventing company security software is not allowed on Experts Exchange.  The same info can be used by a current employee on an actively monitored computer, so I'd have to err on the side of caution and say just wipe it.

Better for liability that way anyway.  No one can claim that company secrets were carried out.
 
LVL 11

Author Comment

by:mccrick
I have a client who wants to know if he is being spied on. There is no moral imperative that I am aware of that says all company rights supersede all personal rights. I don't know what you mean by "No one can claim that company secrets were carried out." This is not about company secrets. My client would like to avoid the expense of wiping out his hard drive, "just for the heck of it."

I am requesting help with a perfectly legitimate technical issue. If someone asked me how to install OS 10 I would not deny them that information based on the premise that they might break a software agreement license by installing it just because the legal process is the same as the illegal process.

It is possible that no one knows the answer to my question, but if someone does, your help is appreciated.
 
LVL 32

Expert Comment

by:aleghart
Short answer:  SpectorSoft doesn't publicly share that info.

The "legal process" as you call it, is to use the provided installation software, and the installation password to remove the software.  Has nothing to do with company v. personal rights or re-installing an OS.  Don't see how that argument comes in.

The files are obscured from any user, including an admin.  The processes are hidden as much as possible.  Some antivirus software will flag it, some will not.  I have two different AV.  One flags it.  The other doesn't.  I can alter the one that flags it so a deployed copy isn't flagged.  So...how do you really know?  Even on internal computers that don't show up in a Spector deployment, I wipe the drive.  I've found VNC and other goodies installed on a few occasions.

Providing information on defeating security software like this can be used for good or bad.  I'd hazard a guess that tech support at SpectorSoft would not assist by divulging locations of files and names of processes, etc.  I would hope not, as any employee here could jump on the phone and claim to have bought a company computer that needs cleaned.

But, possession is key...you always have the option of wiping when in doubt.  YMMV, but if you declared it "clean" based on one internet recommendation, then a breach or data theft occurred, who is liable?

Not trying to frustrate you.  But, I don't have to pay someone to work on my computers, so I understand the interest to save money.  Security and privacy trumps all that for me.  I changed the locks after moving into a new house...didn't consider that "just for the heck of it".  Normal behavior for most people.  Begrudging a few dollars for safety is unwise.
 
LVL 11

Author Comment

by:mccrick
First of all I appreciate your comments and your willingness to help. But since you are not directly answering my question, yet offering explanations I will entertain a rebuttal to your arguments. No disrespect intended, only appreciation for your efforts:

>>Short answer:  SpectorSoft doesn't publicly share that info.

If companies that created problems provided all of the solutions to solve those problems then EE would not exist. No company provides all of the answers for the products that they create. I understand it is in the interest of SpectorSoft to maintain proprietary secrets. It is in my client's interest to know if this software is being used against him.

>>The "legal process" as you call it, is to use the provided installation software, and the installation password to remove the software.  Has nothing to do with company v. personal rights or re-installing an OS.  Don't see how that argument comes in.

The OS install is just a metaphor: The same act can be ethical or unethical depending on context.

>>I have two different AV.  One flags it.

If you could tell me which one catches it, that would be a reasonable technical answer to my question.
If I can do a scan and show my client that he is infected, then I can make an argument for wiping his drive and he will feel better about paying me for something he knows he needs.

>> Providing information on defeating security software like this can be used for good or bad.

Whether or not this is security software or malware is contextual. In this context, this is malware. We simply need to detect it and wipe the drive if it is found. There is no company security at stake here.

You seem to take sides with the unknown company rather than the unknown user. Let's assume that both parties are rather average in their ethics, neither deviant nor ascetic. EVERY user from the 13 year old daughter to the already-been-caught-cheating-spouse  and certainly the professional adult has a right to privacy. PERIOD. But if someone feels the need to spy on them, then the only ethical way to spy on them is to let them know that they are under surveillance. There is nothing ethical about hidden spyware in any context unless perhaps it is preventing serious criminal activity.

In this case there is no ethical reason this user shouldn't know whether or not spyware was put on his computer.

>> But, possession is key...you always have the option of wiping when in doubt.  YMMV, but if you declared it "clean" based on one internet recommendation, then a breach or data theft occurred, who is liable?

Not everyone can afford the time and expense of wiping their hard drive because of doubts. I have never heard a whisper of a lawsuit or legal grumbling in 20 years of taking care of people and their technology. Liability is simply off topic.

 
LVL 32

Expert Comment

by:aleghart
>>I have two different AV.  One flags it.

>If you could tell me which one catches it, that would be a reasonable technical answer to my question.
>If I can do a scan and show my client that he is infected, then I can make an argument for wiping his drive and he will feel better about paying me for something he knows he needs.

Sorry, wasn't trying to be obtuse on that one.  That would be Norton Internet Security 2003 or thereabouts, for Windows XP.  I would have included the name, but the info is out of date and on the wrong platform.  My point was that just running a scan would be inconclusive.  I don't know of one that can catch it 100% of the time, as SpectorSoft has been around for a while and does test against the major AV packages to avoid detection.


>In this case there is no ethical reason this user shouldn't know whether or not spyware was put on his computer.

Agreed.  But if _this_ package was installed, one has to assume it was made by someone with administrative privileges to do it.  In this context, a company admin installed on a computer, then may-or-may-not-have uninstalled it.  Bad form for the admin/company to transfer ownership without wiping the computer.

But, the nature of spyware is to hide.  Publicizing detection methods defeats the "spy" part of that.

SpectorSoft doesn't make the detection methods public AFAIK.  I don't even know if it's in the standard tech support section (requires login with client license #).  But tech support does help registered admins who are on contract.  That leaves a big grey area.  Somewhat similar if someone asked how to shut off XYZ alarm panel, and I had a manual or schematic.  If it isn't public, I wouldn't share it.  There are some google references, but I wouldn't stake my privacy on them being 100% accurate.

>Not everyone can afford the time and expense of wiping their hard drive because of doubts.

We're in opposite camps on this one.  Convenience is the opposite of security in most every context.  But easy to say that when I have the luxury of doing the work myself, and am accustomed to working at all hours.  Not easy when you have to pay someone else to do the work.  By the title of the question, I was assuming this computer was yours ("Is Spector Pro on my Mac?").

But, from a technical standpoint, wiping and re-installing has become almost a trivial matter.  Especially with OS like OS X and Win7.  Not like the days of DOS + Windows + custom drivers.

You don't need to know much.  But, if you can't perform those tasks and pay someone else to do your housecleaning...you need to budget that into the cost of acquiring a second-hand computer.

I told that to one client and he walked.  Paid off my hard expenses and kept working with the system in a questionable state.

I told that to another, and they opted to give the computer to a charity and just paid me to wipe the drive with dban.  It wasn't worth paying me for 4-6 hours to reinstall everything.  Paid $30 to wipe the drive, then took a write-off for the donation.

Sorry, it seems I've been little help except to say that it would be inconclusive to perform any type of AV scan and be sure that it isn't there.

You can always kill/delete this question and ask again.  Sometimes threads that are already populated with responses will get skipped over by experts who think that it's been solved.
 
LVL 11

Author Comment

by:mccrick
I certainly will assign points for your efforts, frustrating as they might be. I'll leave the post live for a bit to see if anyone comes up with a simple link or comment that solves it. Thank you much aleghart.
 
LVL 53

Expert Comment

by:strung
Try Little Snitch: http://www.obdev.at/products/littlesnitch/index.html

It will detect attempts at outgoing internet connections.
 
LVL 53

Expert Comment

by:strung
There is a free three hour trial available for download at the link above.
 
LVL 32

Expert Comment

by:aleghart
That's a good thought.  I had thought of WireShark or other sniffer, but Pro is local storage, no home database.  eBlaster might attempt notification if you surf porn sites or type "embezzle" in a search engine...but you don't know how the admin set it up.
 
LVL 53

Assisted Solution

by:strung
strung earned 100 total points
You could try setting up a Spotlight window as per the attached screen shot and see what invisible or system files get changed when you use applications that you think Spector might be tracking.
Screen-shot-2011-02-17-at-8.14.2.pdf
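
A command-line version of the Spotlight check suggested above, added here as an example and not part of the original thread: it records a timestamp marker, then lists every file modified after it and labels those inside dot-prefixed (invisible) paths. The function names, the marker path and the directories in the usage comment are assumptions; files hidden only by a Finder flag are still listed, but marked VISIBLE.

```shell
#!/bin/sh
# Added example: find files that changed while an application was in use.
#
# Usage on the machine being checked (run as an admin so system paths are
# readable; the directory list is an assumption, widen it as needed):
#   . ./watch.sh
#   start_watch /tmp/watch.marker
#   ... use the browser, mail and chat clients for a few minutes ...
#   changed_since /tmp/watch.marker /Library /private/var "$HOME/Library"

# start_watch MARKER
# Create (or truncate) MARKER so its modification time records "now".
start_watch() {
    : > "$1"
}

# changed_since MARKER DIR...
# Print every regular file under the given directories whose modification
# time is later than MARKER's. Paths with a component starting with "." are
# labelled HIDDEN, everything else VISIBLE. Unreadable directories are
# skipped silently, so an incomplete listing is possible without root.
changed_since() {
    marker=$1
    shift
    find "$@" -type f -newer "$marker" 2>/dev/null |
    while IFS= read -r path; do
        case "$path" in
            */.*) printf 'HIDDEN  %s\n' "$path" ;;
            *)    printf 'VISIBLE %s\n' "$path" ;;
        esac
    done | sort
}

# hidden_changes MARKER DIR...
# Same scan, reduced to the dot-prefixed paths a Finder window never shows.
hidden_changes() {
    changed_since "$@" | sed -n 's/^HIDDEN  //p'
}
```

A file that keeps reappearing in the HIDDEN list only while particular applications are in use is a lead to investigate, not proof; as the thread notes, an empty list does not show the machine is clean.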
 
LVL 11

Author Closing Comment

by:mccrick
I'll take the lack of a foolproof answer as an answer to the question. Impressive software from all the research I did.

Thank you both for your thoughtfulness and creativity.