SpyBot Tea-Timer - Is it worth installing?
unholyone
November 23rd, 2004, 10:08 PM
Hi,
I have SpyBot S&D 1.3. It came with Tea-Timer which I did not install. I have upgrading to Windows XP Pro.
Is Tea-Timer worth installing?
Does it use a lot of resources?
What does it truly do?
Thanks,
Woody
Peaches4U
November 23rd, 2004, 11:21 PM
Hi & welcome to Wilders. Yes, it is worth installing. The Resident TeaTimer is a new tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options, how to deal with this process in the future: You can set TeaTimer to:
* be informed, when the process tries to start again
* automatically kill the process
* or generally allow the process to run
There is also an option to delete the file associated with this process.
In addition, TeaTimer detects, when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either "Allow" or "Deny" the change.
As TeaTimer is always running in the background, it takes some resources of about 5 MB. SpyBot including teatimer utilizes 13.70 MB -
unholyone
November 24th, 2004, 12:42 AM
Spy bot doesn't run in the background so it does not use any system resources unless you start it to remove spyware, correct?
If tea timer monitors the registry what happens when you install a new program or update to a program? Does tea time try and stop it?
Thanks so much,
Woody
Peaches4U
November 24th, 2004, 01:18 AM
{QUOTE-> Spy bot doesn't run in the background so it does not use any system resources unless you start it to remove spyware, correct?
If tea timer monitors the registry what happens when you install a new program or update to a program? Does tea time try and stop it?
Thanks so much,
Woody <-QUOTE}
SpyBot scanner only runs when u activate it to do a scan. With Teatimer, when u install a new program, it will notify u of the registry change and ask if u permit the change or deny it. The same holds if u update a program. In this case u would permit the change as it is required to run the program. But say for example if u are simply surfing the internet and Teatimer pops up advising u of a registry change asking if u wish to permit it - I would say "no" because it would tell me that there is something in my computer trying to make a change without my knowledge. In this case, I would immediately scan my computer for spyware, etc. Teatimer blocks registry changes until u give permission that the change is okay or deny. With teatimer u have full control over any registry changes.
unholyone
November 24th, 2004, 02:05 AM
Thanks. That helps me understand it so much more and clearer. I appreciate it.
I will definitely install the Tea Timer option.
Woody
hojtsy
November 24th, 2004, 10:31 AM
{QUOTE-> Teatimer blocks registry changes until u give permission that the change is okay or deny. With teatimer u have full control over any registry changes. <-QUOTE}
Please allow me to make two small corrections.
1) TeaTimer does not block the change, it detects the change after it was done, and offers to undo it.
2) TeaTimer only monitors a few keys in the registry. You definitely do not have full control over any registry changes. Particularly there are several dangerous keys not monitored by TeaTimer. See this post (http://www.wilderssecurity.com/showpost.php?p=179721&postcount=1) about Registry Monitor Comparison
-hojtsy-
unholyone
November 26th, 2004, 02:56 PM
So are you saying that Tea Timer is not worth installing and that a better software application is available for this purpose? ???
Bubba
November 26th, 2004, 03:27 PM
said by hojtsy
"Please allow me to make two small corrections.
TeaTimer does not block the change, it detects the change after it was done, and offers to undo it.
"
Actually....Tea Timer advises\warns as the change is being attempted....not after.
@ unholyone
The link hojtsy provided is an excellent source for information concerning registry monitoring programs....but realize there is more to Tea Timer than just registry monitoring.
Related info on Tea Timer---> Teatimer Question, Browser compatibility? (http://forums.net-integration.net/index.php?showtopic=23715)
Dazed_and_Confused
November 28th, 2004, 02:56 PM
I used to have TeaTimer installed. Just Uninstalled it today. In my opinion, it's overkill on my machine. MJ RegistryWatcher is much more effective (as alluded to above by Hojtsy) at detecting changes to the Registry.
snowbound
November 28th, 2004, 03:13 PM
{QUOTE-> I used to have TeaTimer installed. Just Uninstalled it today. In my opinion, it's overkill on my machine. MJ RegistryWatcher is much more effective (as alluded to above by Hojtsy) at detecting changes to the Registry. <-QUOTE}
I also don't have TeaTimer installed. Like u, i have other apps. that do the same or better job at this. :)
snowbound
unholyone
November 28th, 2004, 03:26 PM
OK so what is the consensus? That Tea Timer is not worth installing and that there are better programs for such?
What I worry about is system resources. By the time you install and run Anti-Virus, Anti-Trojan, Firewall, Anti-Spyware/Adware Registry programs your resources could become too low.
It appears that many are running multiple system programs as Privacy Guard, Tea Timer, TDS and such.
What is the best for the job?
Bubba
November 28th, 2004, 03:51 PM
{QUOTE-> What is the best for the job? <-QUOTE}What is stored between your ears 8)
Actually....that really should have more meaning to it than it does but unfortunately prevention to most folks means more guard dogs. Knowledge of how best to secure our browsing experience, proper e-mail handling....etc....would go a long way in curtailing system resources. The anti-trojan\virus folks would go hungry if they waited for me to purchase their programs but fortunately the market is there and will always be there.
As for your question....I'm not sure there can be a consensus given the fact there has not to my knowledge been any extensive testing between programs that monitor certain registry keys and processes like Tea Timer does. I have not come across any official post or comments explaining\showing every process that Tea Timer watches for.
Perhaps a consensus needs to be pared down to what programs need to be compared to each other so testing can be done ?
Dazed_and_Confused
November 28th, 2004, 03:51 PM
{QUOTE-> OK so what is the consensus? <-QUOTE}I didn't detect a consensus. Depends on your preferences and your current security arsenal.
TopperID
November 28th, 2004, 03:57 PM
No, it is not a consensus that Tea Timer is not worth installing! It does things that no mere Registry monitor can do - unfortunately no one seems able/willing to give a detailed account of these additional features.
I've been happily running SpywareGuard, SpywareBlaster, Tea Timer all together for some months. Now I am trialing Giant AS as well - without conflicts so far! If I could be sure Giant is definitely covering all the functions of SG, SB & TT, I'd happily drop them. But I'm still waiting for this assurance!
I am also running WinPatrol for Reg monitoring (and am keeping a close eye on RegWatcher). All this duplication is not a good idea - but what to leave off?
Dazed_and_Confused
November 28th, 2004, 04:01 PM
{QUOTE-> I've been happily running SpywareGuard, SpywareBlaster, Tea Timer all together for some months. <-QUOTE}
Agreed. But Spyware Blaster is not a Stay-Resident program as the other two are. It's not even a scanner. Therefore, takes no resources. :)
TopperID
November 28th, 2004, 04:52 PM
{QUOTE-> Spyware Blaster is not a Stay-Resident program as the other two are. It's not even a scanner. Therefore, takes no resources. <-QUOTE}
No, but there is still potential conflict of function; which is what I was referring to. Up until a few days/weeks ago, if you used Giant's inoculation capability you knocked out some items from SB's protection list (and vice versa). Fortunately this problem has now been sorted, but who knows, there may be others! :)
Dazed_and_Confused
November 28th, 2004, 05:42 PM
{QUOTE-> No, but there is still potential conflict of function; .. <-QUOTE}
Good point. I stand corrected. ;)
unholyone
November 28th, 2004, 07:53 PM
This is a point. Look at Daiseys (Dazed & Confused) security she has on her PC.
Security Portfolio: TDS-3; PortExplorer; ProcessGuard; Wormguard; CryptoSuite; NOD32; ZoneAlarm Pro; RoboForm Pro; Spybot S&D; SpywareBlaster; SpySweeper; AdAware; WindowsWasher; MJ RegistryWatcher;
Now I don't see an Anti-virus included but with all that running system resources are low are they not?
I don't know anything about TDS-3; PortExplorer; ProcessGuard; Wormguard; CryptoSuite; NOD32; RoboForm Pro; SpySweeper; AdAware; WindowsWasher; MJ RegistryWatcher; so I don't know if all are needed or not seems like overkill and drain on the system.
I currently use AVG Pro 7 Anti-virus, SpywareBlaster, Spybot (without Tea Timer), Zone Alarm Pro, and will be installing BoClean for Trojans. I am thinking about AdWare also. But how much is too much before your system is drained where you cannot operate properly meaning running your normal programs such as word processors and graphic software.
Woody
bigc73542
November 28th, 2004, 07:59 PM
I have had quite a few problems with processguard 3 so I uninstalled it and turned on tea timer and it is working pretty well with no problems yet.
Detox
November 28th, 2004, 08:02 PM
NOD32 is her antivirus - and most of the applications mentioned are not going to be running resident.
SWB doesn't run at all after setting its protection except to update.
The free version of Ad-Aware is used only to scan on-demand. I believe the same applies to Spysweeper and WindowsWasher.
Spybot is also for scanning on-demand with the exception of Tea-Timer. In my case, I have Tea-Timer installed but simply shut it off whenever I'm not using IE (which is most of the time) since I use FF.
I also don't think CryptoSuite will have a resident process either - though I may well be mistaken - I only tried the proggie out - quite impressive but just not something I feel I need at this time.
Dazed_and_Confused
November 28th, 2004, 08:13 PM
{QUOTE-> NOD32 is her antivirus - and most of the applications mentioned are not going to be running resident.. <-QUOTE}
Correct. :)
{QUOTE-> SWB doesn't run at all after setting its protection except to update. The free version of Ad-Aware is used only to scan on-demand. I believe the same applies to Spysweeper and WindowsWasher. Spybot is also for scanning on-demand with the exception of Tea-Timer.....I also don't think CryptoSuite will have a resident process either .... <-QUOTE}
Correct. :)
{QUOTE-> ...I have Tea-Timer installed but simply shut it off whenever I'm not using IE (which is most of the time) since I use FF.... <-QUOTE}
I always use an IE Shell. But I disabled TT because I use MJRW (http://www.jacobsm.com/index.htm#sft). More powerful and comprehensive IMO. ;)
{QUOTE-> ...CryptoSuite...quite impressive.... <-QUOTE}
Correct, again! ;D
Thanks, Detox :D
Dazed_and_Confused
November 28th, 2004, 08:15 PM
{QUOTE-> I have had quite a few problems with processguard 3 so I uninstalled it and turned on tea timer and it is working pretty well with no problems yet. <-QUOTE}
Really sorry to hear that, BigC. :'( I'll have to go over to the PG forum to get the details. No (substantial) problems here!
bellgamin
November 28th, 2004, 08:18 PM
{QUOTE-> Actually....Tea Timer advises\warns as the change is being attempted....not after. <-QUOTE}
Umm... I am *fairly* certain that Tea Timer polls for registry changes. If I am correct, then there is no way that Tea Timer can know a change has been made until after the change takes place. Therefore, if the user declines the change, Tea Timer THEN reverts the registry item back to its previous state.
Concerning which, it might be useful to read...
_/ Post #65 HERE (http://www.wilderssecurity.com/showthread.php?t=32823&page=3&pp=25).
_/ Posts #132 & #135 & #145 HERE (http://www.wilderssecurity.com/showthread.php?t=32823&page=6&pp=25).
It would be helpful if someone, who knows how to run an actual TEST of Tea Timer on this matter, would do so.
bigc73542
November 28th, 2004, 08:25 PM
{QUOTE-> Really sorry to hear that, BigC. :'( I'll have to go over to the PG forum to get the details. No (substantial) problems here! <-QUOTE}
I didn't even go to the PG forum I just got tired of it blocking almost everything that was allowed and yanked it out. It will probably take the three other apps I have that work in that line to fill the gap.
Bubba
November 28th, 2004, 08:57 PM
{QUOTE->
It would be helpful if someone, who knows how to run an actual TEST of Tea Timer on this matter, would do so. <-QUOTE}
:) I reckon we can split hairs if picky is your suit....and yes....technically at that split second in time an entry is being written to the registry and a split second later Tea Timer presents its registry change pop up.
As for an actual test....I believe even you could accomplish that yourself given a little knowledge of a simple program like RegMon. Make a simple change of your Home Page and watch the action begin.
Edit:
TeaTimer in action as the change is being attempted to change the Home page. As was said....the entry is written to the registry and if Deny Change is selected....the Old data: is written back from the polling info it holds in memory.
bellgamin
November 28th, 2004, 10:05 PM
{QUOTE-> :) I reckon we can split hairs if picky is your suit <-QUOTE}
I didn't mean to be picky. It's just that Graphic Equaliser went to a lot of effort in order to cause RegWatch to FIRST reverse a change, & THEN ask if the user wants the change reinstated.
Graphic achieved this & other improvements by working in close concert with guidelines & suggestions provided by hojtsy, paranoid, D&C, & other gurus here at Wilder's (of which I am NOT one -- duhhh).
It took a lot of work on Graphic's part, PLUS much testing & helpful comments by Wilder's gurus, to greatly improve the protective power of RegWatch. Thus, although RW is most certainly NOT bullet-proof, it has become pretty bloody strong for a polling monitor, wot!
Therefore, it is significant to take note (as hojtsy did) as to whether or not Tea Timer's reg monitor has this additional attribute. Per your *hard data* above -- which is VERY much appreciated -- TT does not have this attribute.
hojtsy
November 29th, 2004, 04:12 AM
{QUOTE-> said by hojtsy
{QUOTE-> TeaTimer does not block the change, it detects the change after it was done, and offers to undo it. <-QUOTE}Actually....Tea Timer advises\warns as the change is being attempted....not after. <-QUOTE}
Currently there are 3 kinds of registry protector applications.
Type 1) Proxy, which intercepts, and authenticates the registry change while it is made. Any change in the registry happens only after you press OK. The implementation solution usually used (sandbox) in these applications enables them to identify and display the *application* which attempts the change. Examples for such softwares are DCS Process Guard, and Tiny Personal Firewall.
Type 2) Poller with auto-undo, which repeatedly polls the content of some specific registry location every few seconds, and when it detects a change, it auto-undos, and then offers a popup to allow the change, or leave the old values. Example is MJ RegWatcher, and SSM.
Type 3) Poller with no auto-undo, which repeatedly polls the content of some specific registry location every few seconds, and when it detects a change, it offers a popup to leave the change, or undo to the old values. Examples are TeaTimer, Giant Antispyware, and DCS RegistryProt.
All of this can be easily tested with the proper tools. Now as you can see that the working method of both Type 2, and Type 3, require the change to actually happen and succeed in the registry. Only after the registry contents are already different than the old ones, can they detect the change. While to human senses the time lapse between the change and the popup can be minimal, for a computer that is a whole lot of a time. A malware could possibly force a reboot during that whole lot of a time, and then the registry poller will be stopped, and reboot will happen with the changed registry contents. Another danger is that a malware could possibly overwrite the registry location every 1 second. After a hundred popups, you will reboot the computer yourself, and that reboot will also happen with the changed registry.
Type 1) applications protect from both of these dangers, and Type 2) decreases the risks, by decreasing the time interval of vulnerability.
I do not intend to bash TeaTimer. I am using it myself. But you should be aware of the weaknesses of your applications so you can cover the holes with other softwares. The advice I can give is if you want medium security, use TeaTimer which provides a medium level registry monitoring and a medium level resident spyware protection. If you want full security use MJ RegWatcher, plus buy a specialized resident antispyware/trojan application. Of course this would need more money, resources, and time. It is your decision.
-hojtsy-
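The three guard designs from hojtsy's post above, as an added illustration that is not part of any post in this thread and not code from any of the tools named: a tick-based toy model that shows for how long an unapproved value sits in the registry under each design. The tick numbers and the names `simulate`, `exposed_ticks` and `value_at` are assumptions made for the example.

```python
# Added illustration: a tick-based toy model, not code from any tool named in the thread.
# One watched value, one unrequested write, one user who answers the prompt later.

GUARDS = ("proxy", "poll_undo", "poll_ask")   # Type 1, Type 2, Type 3 in the post


def simulate(guard, write_tick=4, answer_tick=9, poll_every=3, end=12, approve=False):
    """Return one (live_value, is_unapproved) pair per tick.

    All tick values are constructed sample numbers (assumptions).
    """
    if guard not in GUARDS:
        raise ValueError(f"unknown guard type: {guard}")
    live = approved = "good"      # value in the registry / last value the user accepted
    pending = None                # change waiting for the user's Allow/Deny
    timeline = []
    for tick in range(end):
        # 1. Some program tries to change the watched value.
        if tick == write_tick:
            if guard == "proxy":
                pending = "changed"          # intercepted: nothing is written yet
            else:
                live = "changed"             # pollers cannot stop the write itself
        # 2. Pollers compare the live value with their stored copy.
        if guard != "proxy" and tick % poll_every == 0 and live != approved:
            if pending is None:
                pending = live               # raise the prompt
            if guard == "poll_undo":
                live = approved              # Type 2: revert first, ask afterwards
        # 3. The user answers the prompt.
        if pending is not None and tick >= answer_tick:
            live = pending if approve else approved
            approved = live
            pending = None
        timeline.append((live, live != approved))
    return timeline


def exposed_ticks(guard, **kwargs):
    """Ticks at whose end the registry held a value nobody had approved."""
    return [t for t, (_, bad) in enumerate(simulate(guard, **kwargs)) if bad]


def value_at(guard, tick, **kwargs):
    """Value that is live at `tick`, e.g. what a restart at that moment would load."""
    return simulate(guard, **kwargs)[tick][0]


if __name__ == "__main__":
    for g in GUARDS:
        print(f"{g:10} exposed at ticks {exposed_ticks(g)}")
```

With the default sample numbers the proxy has no exposed ticks, the poller with auto-undo is exposed only until its next poll, and the poller without auto-undo stays exposed until the prompt is answered.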
charles barker
November 29th, 2004, 04:53 AM
This whole issue of "teatimer," and such, has been a learning experience to me, so i thank all of you, and wilders security site. CHARLES BARKER *puppy*
charles barker
November 29th, 2004, 04:55 AM
But I am hardly a "junior!" ha ha !!
Bubba
November 29th, 2004, 06:52 AM
{QUOTE-> It's just that Graphic Equaliser went to a lot of effort in order to cause RegWatch to FIRST reverse a change, & THEN ask if the user wants the change reinstated.....Graphic achieved this & other improvements by working in close concert with guidelines & suggestions provided by hojtsy, paranoid, D&C, & other gurus here at Wilder's <-QUOTE}While I am avid fan....and participant at times....of members tearing into a project....this thread by its Title(SpyBot Tea-Timer - Is it worth installing?)....is not strictly about a registry monitoring program. This is about a feature of Spybot that watches certain reg keys for change and monitors the processes called/initiated found in the SSD definitions(similar to an Anti-Virus resident).
If unholyone....or anyone for that matter....is interested in strictly a registry monitoring program....I suggest they check out the links that are made available in this thread concerning strictly registry monitoring programs and if they feel they need a description of a registry monitoring program....they might find that discussed in those threads also.
All I'm asking\saying....is to not compare apples\oranges as far as Regwatch vs TeaTimer....but to do unholyone justice with his question and make it a level playing field and do a comparison discussion of say....SpywareGuard vs TeaTimer....registry and process monitoring programs.
{QUOTE-> A malware could possibly force a reboot during that whole lot of a time, and then the registry poller will be stopped, and reboot will happen with the changed registry contents. <-QUOTE}By writing to the registry at a given moment in time....an exploit can force a re-boot ? Please....let's do indeed start a thread concerning that. I would love to see that in action....or discussed just a little further than theory or mere words. 8)
unholyone
November 29th, 2004, 11:00 AM
{QUOTE-> By writing to the registry at a given moment in time....an exploit can force a re-boot ? Please....let's do indeed start a thread concerning that. I would love to see that in action....or discussed just a little further than theory or mere words. 8) <-QUOTE}
I agree. That would be a good discussion indeed.
hojtsy
November 29th, 2004, 11:27 AM
{QUOTE-> By writing to the registry at a given moment in time....an exploit can force a re-boot ? Please....let's do indeed start a thread concerning that. I would love to see that in action....or discussed just a little further than theory or mere words. 8) <-QUOTE}That was a misunderstanding. A (non-interactive, immediate) reboot can be initiated by calling a simple windows API function. About 10 lines of source code. No registry access is needed. It is way too easy! I have already made applications doing that! So the malware could initiate the reboot with this API call, after it modified the registry. Not so much trickery needed... 8)
-hojtsy-
bellgamin
November 29th, 2004, 04:04 PM
Bubba said...{QUOTE-> ...this thread by its Title (SpyBot Tea-Timer - Is it worth installing?)....is not strictly about a registry monitoring program. This is about a feature of Spybot that watches certain reg keys for change and monitors the processes called/initiated found in the SSD definitions(similar to an Anti-Virus resident). <-QUOTE}
Since TT includes a Registry Monitor which cannot be turned off, comments relating to that component ARE cogent to making a decision as to whether or not TT is worth installing.
Too bad TT isn't configurable so that (a) the list of items monitored by its Reg Mon can be modified, and/or (b) its Reg Mon can be turned off altogether, if desired.
By the way, the reason we got into this level of detail is because of comment #8 in this thread. Without it, the ensuing discussion of TT would have stayed right on track. ;)
unholyone
November 29th, 2004, 04:34 PM
TT can be turned off. You must do it in tools> Resident> and uncheck the box next to it. Then it is disabled.
As for Reg Mon are you referring to the one MJRW (http://www.jacobsm.com/index.htm#sft)? Is that a good registry monitor?
Bubba
November 29th, 2004, 05:03 PM
{QUOTE-> By the way, the reason we got into this level of detail is because of comment #8 in this thread. Without it, the ensuing discussion of TT would have stayed right on track. ;) <-QUOTE}Whatever floats your boat bellgamin ;)
bellgamin
November 29th, 2004, 10:34 PM
{QUOTE-> Whatever floats your boat bellgamin ;) <-QUOTE}
Bubba, I deeply appreciate and admire your composure, as well as your work in moderating here at Wilders. Truly I do. I got carried away. Shalom. Peace.