SpyBot Tea-Timer - Is it worth installing?

Discussion in 'other anti-malware software' started by unholyone, Nov 23, 2004.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,099
    Location:
    Hawaii
    I didn't mean to be picky. It's just that Graphic Equaliser went to a lot of effort in order to cause RegWatch to FIRST reverse a change, & THEN ask if the user wants the change reinstated.

    Graphic achieved this & other improvements by working in close concert with guidelines & suggestions provided by hojtsy, paranoid, D&C, & other gurus here at Wilder's (of which I am NOT one -- duhhh).

    It took a lot of work on Graphic's part, PLUS much testing & helpful comments by Wilder's gurus, to greatly improve the protective power of RegWatch. Thus, although RW is most certainly NOT bullet-proof, it has become pretty bloody strong for a polling monitor, wot!

    Therefore, it is significant to take note (as hojtsy did) of whether or not Tea Timer's reg monitor has this additional attribute. Per your *hard data* above -- which is VERY much appreciated -- TT does not have this attribute.
     
  2. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Currently there are 3 kinds of registry protector applications.
    Type 1) Proxy, which intercepts and authenticates the registry change while it is made. Any change in the registry happens only after you press OK. The implementation solution usually used (sandbox) in these applications enables them to identify and display the *application* which attempts the change. Examples of such software are DCS Process Guard and Tiny Personal Firewall.
    Type 2) Poller with auto-undo, which repeatedly polls the content of some specific registry location every few seconds, and when it detects a change, it auto-undoes it, and then offers a popup to allow the change or leave the old values. Examples are MJ RegWatcher and SSM.
    Type 3) Poller with no auto-undo, which repeatedly polls the content of some specific registry location every few seconds, and when it detects a change, it offers a popup to leave the change or undo to the old values. Examples are TeaTimer, Giant Antispyware, and DCS RegistryProt.

    All of this can be easily tested with the proper tools. Now as you can see, the working method of both Type 2 and Type 3 requires the change to actually happen and succeed in the registry. Only after the registry contents are already different from the old ones can they detect the change. While to human senses the time lapse between the change and the popup can be minimal, for a computer that is a whole lot of time. A malware could possibly force a reboot during that whole lot of time, and then the registry poller will be stopped, and the reboot will happen with the changed registry contents. Another danger is that a malware could possibly overwrite the registry location every 1 second. After a hundred popups, you will reboot the computer yourself, and that reboot will also happen with the changed registry.
    Type 1) applications protect from both of these dangers, and Type 2) decreases the risks by decreasing the time interval of vulnerability.

    I do not intend to bash TeaTimer. I am using it myself. But you should be aware of the weaknesses of your applications so you can cover the holes with other software. The advice I can give is: if you want medium security, use TeaTimer, which provides a medium level of registry monitoring and a medium level of resident spyware protection. If you want full security, use MJ RegWatcher, plus buy a specialized resident antispyware/trojan application. Of course this would need more money, resources, and time. It is your decision.
    -hojtsy-
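To make the Type 2 / Type 3 distinction above concrete, here is an added example of a minimal "poller with auto-undo" for the per-user Run key. It is not code from this thread, from Spybot/TeaTimer or from MJ RegWatcher; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run as the interactive user, and the key path and 2-second poll interval are choices made for the example.

```powershell
# Added example (not from the thread or any product named in it).
# Type 2 registry poller: snapshot -> poll -> detect change -> auto-undo -> ask.
# Assumptions: Windows, PowerShell 5.1+ as the interactive user; the key
# and interval below are example choices.

$Key         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$PollSeconds = 2

# Snapshot every value under the key as a name -> string hashtable.
function Get-RunSnapshot {
    param([string]$Path)
    $snap = @{}
    $regKey = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($regKey) {
        foreach ($name in $regKey.GetValueNames()) {
            $snap[$name] = [string]$regKey.GetValue($name)
        }
    }
    return $snap
}

# Write a value back, or delete it when the reference state had no such value.
function Set-RunValue {
    param([string]$Path, [string]$Name, $Value)
    if ($null -eq $Value) {
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value
    }
}

$baseline = Get-RunSnapshot -Path $Key
Write-Host "Watching $Key every $PollSeconds s (Ctrl+C to stop)."

while ($true) {
    Start-Sleep -Seconds $PollSeconds
    $current = Get-RunSnapshot -Path $Key
    $names = @($baseline.Keys) + @($current.Keys) | Sort-Object -Unique

    foreach ($name in $names) {
        $old = $baseline[$name]
        $new = $current[$name]
        if ($old -eq $new) { continue }

        # Type 2 ordering: revert first, ask second. Everything between the
        # writer's change and this line is the window hojtsy describes: the
        # new value was live in the registry, and a reboot in that interval
        # would have kept it.
        Set-RunValue -Path $Key -Name $name -Value $old

        $prompt = "Run value '{0}' changed`n  old: {1}`n  new: {2}`nAllow the change? [y/N]" -f $name, $old, $new
        $answer = Read-Host $prompt
        if ($answer -match '^[Yy]') {
            Set-RunValue -Path $Key -Name $name -Value $new
            if ($null -eq $new) { [void]$baseline.Remove($name) } else { $baseline[$name] = $new }
        }
    }
}
```

Start it in one window, then in another run something like `Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Test -Value notepad.exe`: the value is reverted and the prompt appears within the poll interval. Swapping the two steps (ask first, revert only on "N") turns it into the Type 3 behaviour attributed to TeaTimer. Either way it is still a poller and inherits the two weaknesses in the post above; a Type 1 design has to sit in the write path itself, which on Windows means a kernel-mode registry callback, not a script.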
     
  3. charles barker

    charles barker Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    3
    Location:
    walla walla washington
    This whole issue of "teatimer," and such, has been a learning experience to me, so I thank all of you, and the Wilders security site. CHARLES BARKER *puppy*
     
  4. charles barker

    charles barker Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    3
    Location:
    walla walla washington
    But I am hardly a "junior!' ha ha !!
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    While I am an avid fan....and participant at times....of members tearing into a project....this thread by its title (SpyBot Tea-Timer - Is it worth installing?)....is not strictly about a registry monitoring program. This is about a feature of Spybot that watches certain reg keys for change and monitors the processes called/initiated found in the SSD definitions (similar to an Anti-Virus resident).

    If unholyone....or anyone for that matter....is interested in strictly a registry monitoring program....I suggest they check out the links that are made available in this thread concerning strictly registry monitoring programs and if they feel they need a description of a registry monitoring program....they might find that discussed in those threads also.

    All I'm asking\saying....is to not compare apples\oranges as far as Regwatch vs TeaTimer....but to do unholyone justice with his question and make it a level playing field and do a comparison discussion of say....SpywareGuard vs TeaTimer....registry and process monitoring programs.

    By writing to the registry at a given moment in time....an exploit can force a re-boot ? Please....let's do indeed start a thread concerning that. I would love to see that in action....or discussed just a little further than theory or mere words. :cool:
     
  6. unholyone

    unholyone Registered Member

    Joined:
    Jan 30, 2004
    Posts:
    28
    Bubba said...
    By writing to the registry at a given moment in time....an exploit can force a re-boot ? Please....let's do indeed start a thread concerning that. I would love to see that in action....or discussed just a little further than theory or mere words. :cool:

    I agree. That would be a good discussion indeed.
     
  7. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    That was a misunderstanding. A (non-interactive, immediate) reboot can be initiated by calling a simple Windows API function. About 10 lines of source code. No registry access is needed. It is way too easy! I have already made applications doing that! So the malware could initiate the reboot with this API call, after it modified the registry. Not so much trickery needed... :cool:
    -hojtsy-
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,099
    Location:
    Hawaii
    Bubba said...
    Since TT includes a Registry Monitor which cannot be turned off, comments relating to that component ARE cogent to making a decision as to whether or not TT is worth installing.

    Too bad TT isn't configurable so that (a) the list of items monitored by its Reg Mon can be modified, and/or (b) its Reg Mon can be turned off altogether, if desired.

    By the way, the reason we got into this level of detail is because of comment #8 in this thread. Without it, the ensuing discussion of TT would have stayed right on track. ;)
     
  9. unholyone

    unholyone Registered Member

    Joined:
    Jan 30, 2004
    Posts:
    28
    TT can be turned off. You must do it under Tools > Resident and uncheck the box next to it. Then it is disabled.

    As for Reg Mon, are you referring to MJRW? Is that a good registry monitor?
     
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Whatever floats your boat bellgamin ;)
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,099
    Location:
    Hawaii
    Bubba, I deeply appreciate and admire your composure, as well as your work in moderating here at Wilders. Truly I do. I got carried away. Shalom. Peace.
     