
Monday, February 09, 2009

Security charlatans

Why do people go to charlatans?

  • Because they make them feel good about themselves
  • Because they will make a big effort to speak in a language which the customer understands and can relate to (even if the things said are not-that-true)
  • Because sometimes they (the charlatans) get to a level where they themselves believe that they have "magical powers" - but every time when they have to stand the scrutiny of science, they fail.

Now let's look at one of these delusions in the security space: WinPatrol. It claims to be a security tool:

As a robust SECURITY MONITOR, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol PLUS includes our unique, patent pending R.I.D. technology.

"Patent pending" - sounds cool, doesn't it? It also tells you what R.I.D. stands for: Real-time Infiltration Detection (because intrusion detection wasn't good enough, we had to invent a new word).

How real-time is it? Not very - my guess is that it watches the filesystem for changes or uses the API included in Windows to do it. When I started testing it, it took more than a minute (!) to observe that I changed the hosts file (in fact it took so long that I started to doubt its functionality). This is bad (amongst other reasons) because the longer the time period, the harder it is for the user to make the connection between the action that s/he performed (the cause) and the effect.
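To make the latency point concrete, here is an added example (not from the original post and not WinPatrol's code) of a polling hosts-file monitor that reports exactly which name mappings changed, so the alert can be tied back to its cause. The function and class names, the sample entries and the one-second interval are assumptions; a polling monitor's worst-case detection delay is its polling interval.

```python
import time

# Constructed sample snapshots (documentation-range IP, example.com names).
SAMPLE_BEFORE = "127.0.0.1 localhost\n"
SAMPLE_AFTER = ("127.0.0.1 localhost\n"
                "203.0.113.7 update.example.com www.example.com # constructed\n")

def parse_hosts(text):
    """Return {hostname: ip} for every active (non-comment) hosts entry."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping

def diff_hosts(before, after):
    """Compare two snapshots and report added, changed and removed names."""
    old, new = parse_hosts(before), parse_hosts(after)
    return {
        "added": {n: new[n] for n in new.keys() - old.keys()},
        "changed": {n: (old[n], new[n])
                    for n in new.keys() & old.keys() if old[n] != new[n]},
        "removed": sorted(old.keys() - new.keys()),
    }

class HostsWatcher:
    """Hypothetical poller: remembers the last snapshot, diffs on change."""
    def __init__(self, path):
        self.path = path
        self.baseline = self._read()

    def _read(self):
        with open(self.path, encoding="utf-8", errors="replace") as f:
            return f.read()

    def poll(self):
        """Return a diff if the file changed since the last poll, else None."""
        current = self._read()
        if current == self.baseline:
            return None
        report, self.baseline = diff_hosts(self.baseline, current), current
        return report

if __name__ == "__main__":
    watcher = HostsWatcher(r"C:\Windows\System32\drivers\etc\hosts")
    while True:
        change = watcher.poll()
        if change is not None:
            print(time.strftime("%H:%M:%S"), change)
        time.sleep(1.0)  # worst-case detection latency is about one interval
```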

How is this similar to charlatanism?

  • It aims to make people feel good about themselves: "One time fee! Satisfaction is guaranteed"
  • It uses marketing gobbledygook (and avoids the professional, well-accepted terms!) to talk about the program
  • Its author deludes himself into thinking that this "security solution" can stand up to any level of attack.


The only reason this program (somewhat) works is its very, very small market share. Were it to become even slightly popular (let's say 0.5% of the security-conscious Windows users), malware would instantly disable it. Heck, here are two commands, using nothing other than built-in Windows utilities, that kill it easily:

taskkill.exe /F /IM winpatrol.exe
taskkill.exe /F /IM winpatrolex.exe

Malware is known to contain long lists of products which it wants to kill. Adding a new item to such a list would be trivial (and devastating for WinPatrol).


For the same money, one can buy much more performant security solutions which (besides the anti-malware component) contain elements that have the same functionality as WinPatrol, only better implemented (they are in fact real-time, rather than just claiming to be).


This utility creates a false sense of security. It doesn't encourage (or even mention) security best practices like running as a low-rights user.


Picture taken from Aliwood Studios' photostream with permission.

