Spyware Detection Methods - Please Explain

Discussion in 'other anti-malware software' started by Dazed_and_Confused, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I am currently using SpywareBlaster, SpySweeper, and Spybot S&D. These programs try to do the same thing, I think, by using different methods. For instance:
    • SpySweeper - The user scans the hard drive looking for malware based on signatures in the app's database, which is regularly updated. Obviously, the application must be running (resident) to scan the PC.
    • SpywareBlaster - This application apparently does not scan the hard drive. Instead it saves something to one's computer that prevents spyware from running (I think), based on signatures in its database, which is regularly updated. The application does not need to be running (resident) for the protection to be in force.
    • Spybot S&D - It combines both of the above methods.
    1. Assuming apps (not necessarily the ones above) that use these methods for detecting spyware had the same signatures in their databases, which is the most effective method for keeping spyware off of one's PC?
    2. What exactly is SpySweeper saving to one's PC that keeps spyware from running? How does this work?
    Thanks!
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    SpywareBlaster installs kill bits in the registry in the locations that spyware usually runs from. The kill bits stop ActiveX from running in the spyware prog.
    This is a simplified example, but it is basically what it does. And I believe that both methods of detection used in conjunction with each other make for a better protected comp.
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    If I have two apps that use the Kill Bit method, are they writing the same kill bits over kill bits written by the other app?
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    If they both do, I would use one or the other. If only because if or when something goes wrong, it will be easier to isolate the problem. Right now I use SpywareBlaster for modifying the registry and Spybot S&D only for scanning.

    Nick
     
  5. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma

    That is a good question, but I run multiple security apps also and I have seen no incompatibilities between them. I know that is not the answer you wanted, but since I don't have the answer without doing some searching, that is the only answer I have right now. :oops: I do know that SBS&D and SpywareBlaster get along great.
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Yes, if two products using the kill-bit method had the same definitions, they would merely set the same registry key. You would never be able to tell which set a specific key, because it is the same key and same value being set.

    You can view this using SpywareBlaster and Spybot S&D. I have both installed and both set to maximum protections. I then opened SpywareBlaster and chose one of the older, more common ActiveX items and un-checked it, and had SpywareBlaster remove protections for unchecked items. The image below shows which one. The bottom part of the image was made by opening Spybot and going to its Immunize screen. When it rechecked the items it protects, it found the unprotected one because it covers that one, too.

    I reset it by telling Spybot to Immunize again. When I opened SpywareBlaster, I had "all protections" enabled again.

    The registry keys used for kill-bits, IE restricted zones, and IE6 P3P cookie protections are standard Microsoft assigned keys. Any product providing these protections uses the same exact keys to provide those protections.
     


  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Yes....they will simply overwrite the same identical entry.

    Speaking of Spybot and SpywareBlaster only....at the moment SpywareBlaster has almost a 3 to 1 ratio of CLSIDs in its database in comparison to Spybot, and some\most of them mirror each other. As time goes on I'm sure Spybot's database will increase, and even though the criteria the authors use is their own personal opinion....I would bet they do not differ much.
     
  8. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, BigC. I've been running the three I referred to above together for a while with no apparent conflicts.

    Thanks, LWM. I was wondering if that was happening.

    Thanks Bubba. That makes me wonder if I really need S&D. o_O By the way, what does CLSID stand for?
     
  9. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi, Dazed_and_Confused

    In short, it is a Class Identifier. o_O

    This is Microsoft's answer: CLSID

    Take Care,
    TheQuest :cool:
     
  10. 0_0

    0_0 Guest

    Dazed, you only have Spybot, SpywareBlaster, & SpySweeper for detecting spyware? Is this correct? If so, there are other 'free' and very helpful programs you could add to your repertoire, if you would like to. Such as WinPatrol, A Squared, Ad-Aware, X-Cleaner, SpywareGuard and others. Maybe you feel you have enough protection with the apps you have, but I would recommend you at least give some of them a try. You never know what you might find on your system. The least you'll get is the knowledge of how to better use them and to help others with these apps in the future. Hth.
     
  11. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks 0_0. I am already running AdAware (see signature), in addition to a number of other anti-malware apps. Yes, I do feel secure, because I'm already running the best. :D Unfortunately, running all these apps makes it quiet around here. Not too many visitors, if you know what I mean.

    Thanks, Mr Quest!
     
  12. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi, Dazed_and_Confused

    Sorry for the short answer but it is difficult for me to explain it.

    S&D has some useful tools, as you must know, i.e. its Shredder.

    Also it will remove spyware and keyloggers etc, which SWB can not.

    I don't know if SpySweeper does, but as you say you also have Ad-Aware. [will remove]

    And you have the Piece de Resistance in DiamondCS Process Guard.

    Take Care,
    TheQuest :cool:
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Regarding the "kill bit" approach, I always thought the registry was just a non-executable entity. I guess I don't understand how placing entries in the registry can keep apps from starting. Do these apps (malware) read these entries in the registry and then simply self-destruct? Or do these registry entries restrict the malware's access to needed resources?
     
  14. chiphead

    chiphead Guest

    I think the spyware will see the entries and think it's already installed and therefore never installs itself. Correct me if I'm wrong.
     
  15. OPTIMIZER

    OPTIMIZER Guest

    I think that the killbits in SpywareBlaster or in other apps are registry settings that are needed by malware. And let's say:

    CLSIDName=180solutions | saiemod.dll
    CLSID={5DAFD089-24B1-4c5e-BD42-8CA72550717B}

    the clsid= 5DAFD089-24B1-4c5e-BD42-8CA72550717B and this is the vital dll for the malware: saiemod.dll

    These two: the dll will write this reg setting 5DAFD089-24B1-4c5e-BD42-8CA72550717B, and this will be prohibited by an instruction in the app. The necessary registry setting will be taken from the malware, so the dll will not work, and so the spyware/malware will just not work.

    this is my personal view and If I am wrong I hope someone will correct (guess this will not be a prob here ;-)

    bye
     
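An added example (not from the thread, and not code from SpywareBlaster or Spybot) that audits a .reg export of the kill-bit key discussed above. The key path and the 0x400 "Compatibility Flags" bit are Microsoft's documented ActiveX kill-bit mechanism that LowWaterMark refers to, which is why two products listing the same CLSID set the identical entry; the first CLSID is the one OPTIMIZER quoted, the other two GUIDs and the .reg contents are constructed, and the bit test also covers entries where other compatibility flags are set alongside the kill bit.

```python
import re

# Microsoft's kill-bit mechanism: under this key, a per-CLSID "Compatibility Flags"
# DWORD with bit 0x400 set tells Internet Explorer never to load that control.
# SpywareBlaster, Spybot's Immunize and any other product write this same key.
KILL_BIT = 0x400
KEY_RE = re.compile(r"ActiveX Compatibility\\\{([0-9A-Fa-f-]{36})\}$", re.I)
VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

# Constructed .reg export (not from the thread). The first CLSID is the
# 180solutions one quoted above; the two all-zero GUIDs are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5DAFD089-24B1-4c5e-BD42-8CA72550717B}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000401
"""

def parse_compat_flags(reg_text):
    """Map each CLSID under ActiveX Compatibility to its Compatibility Flags value."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            m = KEY_RE.search(line[1:-1])
            current = m.group(1).upper() if m else None   # ignore unrelated keys
            if current is not None:
                flags.setdefault(current, 0)              # key present, no value yet
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            flags[current] = int(m.group(1), 16)
    return flags

def killbitted(reg_text):
    """CLSIDs whose kill bit is set; a bit test, so 0x401 (other flags too) still counts."""
    return {c for c, f in parse_compat_flags(reg_text).items() if f & KILL_BIT}

def missing_killbits(reg_text, definitions):
    """Audit a product's definition list against the registry: CLSIDs not yet blocked.
    Two products listing the same CLSID both set this identical key and value."""
    return {c.upper() for c in definitions} - killbitted(reg_text)
```

Export the key with reg.exe (`reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg`) and feed the file's text to `missing_killbits` with a product's CLSID list to see which entries it would still add.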
  16. Ronin

    Ronin Guest

    No offence, but you do seem to be one of the typical Wilders users who run all sorts of antimalware but have little idea what they do or how they work.
     
  17. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I know in general how they work. But more importantly, I know they do work. Like many technically oriented people, I find it fun to learn more specific details. You seem to have a problem with that. I'm glad to see you're in the minority here - no offense intended, of course.
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,045
    Location:
    Texas

    Why don't you register and we can talk more.

    This is a place to learn, not criticize.
     
  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Welcome to Wilders Ronin,

    Hopefully you'll stick around and consider becoming a member. As for the typical Wilders users comment....I'll add to that by saying a good percentage of users....regardless of their site affiliation....have no clue how their security software works. However....as time goes on they run across a problem and visit sites such as Wilders, and they then learn more about what they have installed. Hopefully you'll hang around long enough with us to offer assistance to the less knowledgeable users that have installed antimalware without a clue of what it does.
     
  20. Ronin

    Ronin Guest

    Yes, but the typical user does not run out and install and test every single
    security product advertised here.

    I would draw a parallel between the distinction of hackers and scriptkiddies.
    The typical wilders security user could be called a "white hat scriptkiddie" or an antiscript kiddie.

    Much like a script kiddie who uses scripts made by other hackers, antiscript kiddies love to run antimalware proggies created by real security experts - white hats - though in both cases there is little understanding of what really is happening.

    Like most script kiddies, antiscript kiddies generally know little or no programming, though many of them do eventually gain some kind of understanding of roughly how the scripts they are using work, enough to do some modifications and changes by trial and error.

    Like script kiddies, antiscript kiddies are often in awe of the real experts and love to mingle with them; this forum, among many, is one of those places on the net that serves this purpose. Their blackhat counterparts have their respective locations too, of course.

    I don't wish to be too down on such users; after all, as little as they know compared to the real experts, the best of them do know a whole lot more than the majority of people and can adequately defend their systems against most attacks (such as those mounted by their black hat counterparts, for example).

    Though I think I might have more knowledge than many of the members here, I must sadly admit that I'm no more than a glorified anti-script kiddie too!
     
  21. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi, Ronin

    Please take the offer from Bubba and become a Member and share
    the benefit of your Knowledge, as any help will be appreciated.

    Take Care,
    TheQuest :cool:
     