Spyware Detection Methods - Please Explain

Discussion in 'other anti-malware software' started by Dazed_and_Confused, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I am currently using SpywareBlaster, SpySweeper, and Spybot S&D. These programs try to do the same thing, I think, buy using different methods. For instance.
    • SpySweeper - The user scans the hard drive looking for malware based on signatures in the apps database which are regularly updated. Obviously, the application must be running (resident) to scan the PC.
    • SpywareBlaster - This application apparently does not scan the hard drive. Instead it saves something to ones computer that prevents spyware from running (I think), based on signatures in it's database that is regularly updated. The application does not need to be running (resident) for the protection to be in force.
    • Spybot S&D - It combines both of the above methods.
    1. Assuming apps (not necessarily the ones above) that use these methods for detecting spyware had the same signatures in their databases, which is the most effective method for keeping spyware off of ones PC?
    2. What exactly is SpySweeper saving to ones PC that keeps spyware from running? How does this work?
    Thanks!
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Spywareblaster installs kill bits in the registry in the locations that spyware usually runs from. the kill bits stop active x from running in the spyware prog.
    This is a simplified example but it is basicaly what it does. and I believe that both methods of detection used in conjunction with each other makes for a better protected comp.
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    If I have two apps that use the Kill Bit method, are they writing the same kill bits over kill bits written by the other app?
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    If they both do, I would use one or the other. If only because if or when something goes wrong, it will be easier to isolate the problem. Right now I use SpywareBlaster for modifying the registry and Spybot S&D only for scanning.

    Nick
     
  5. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    That is a good question, but I run multiple security app also and I have seen no incompatabilities between them. I know that is not the answer you wanted, but since I don't have the answer without doing some searching that is the only answer I have right now. :oops: I do know that SBS&D and spywareblaster get along great.
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Yes, if two products using the kill-bit method had the same definitions, they would merely set the same registry key. You would never be able to tell which set a specific key, because it is the same key and same value being set.

    You can view this using SpywareBlaster and Spybot S&D. I have both installed and both set to maximum protections. I then opened SpywareBlaster and chose one of the older, more common ActiveX items and un-checked it, and had SpywareBlaster remove protections for unchecked items. The image below shows which one. The bottom part of the image was made by opening Spybot and going to its Immunize screen. When it rechecked the items it protects, it found the unprotected one because it covers that one, too.

    I reset it by telling Spybot to Immunize again. When I opened SpywareBlaster, I had "all protections" enabled again.

    The registry keys used for kill-bits, IE restricted zones, and IE6 P3P cookie protections are standard Microsoft assigned keys. Any product providing these protections uses the same exact keys to provide those protections.
     

    Attached Files:

  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Yes....they will simply overwrite the same identical entry.

    Speaking of Spybot and SpywareBlaster only....at the moment SpywareBlaster has almost a 3 to 1 ratio of CLSID's in it's database in comparison to Spybot and some\most of them mirror each other. As time goes on I'm sure Spybot's database will increase and even tho the criteria the authors use is their own personal opinion....I would bet they do not differ much.
     
  8. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks, BigC. I've been running the three I referred to above together for a while with no apparent conflicts.

    Thanks, LWM. I was wondering if that was happening.

    Thanks Bubba. That makes me wonder if I really need S&D. o_O By the way, what does CLSID's stand for?
     
  9. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Dazed_and_Confused

    In short it is a Class Identifier. o_O

    The Is Microsofts Answer:- CLSID

    Take Care,
    TheQuest :cool:
     
  10. 0_0

    0_0 Guest

    Dazed, you only have Spybot, SpywareBlaster, & Spysweeper for detecting spyware? Is this correct? If so, there are other 'free' and very helpful programs you could add to your repertoire, if you would like to. Such as Winpatrol, A Squared, Ad-Aware, X-Cleaner, SpywareGuard and others. Maybe you feel you have enough protection with the apps you have, but i would recommend you at least give some of them a try. You never know what you might find on your system. The least you'll get is the knowledge of how to better use them and to help others with these apps in the future. Hth.
     
  11. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks 0_0. I am already running AdAware (see signature), in addition to a number of other anti-malware apps. Yes, I do feel secure, because I'm already running the best. :D Unfortunately, running all these apps makes it quiet around here. Not too many visitors, if you know what I mean.

    Thanks, Mr Quest!
     
  12. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Dazed_and_Confused

    Sorry for the short answer but it is difficult for me to explain it.

    S&D as some useful tools as you must know ie, it Shredder.

    Also it will remove spyware and keyloggers etc, which SWB can not.

    I don,t know if SpySweeper does, but as you say you also have Ad-aware.[will remove]

    And you have the Piece de Resistance in DiamondCS Process Guard.

    Take Care,
    TheQuest :cool:
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Regarding the "kill bit" approach, I always thought the registry was just a non-executable entity. I guess I don't understand how placing entries in the registry can keep apps from starting. Do these apps (malware) read these entries in the registry and then simply self-destruct? Or do these registry entries restrict the malware's access to needed resources?
     
  14. chiphead

    chiphead Guest

    I think the spyware will see the entries and think it's already installed and therefore never installs itself. Correct me if i'm wrong.
     
  15. OPTIMIZER

    OPTIMIZER Guest

    I think that the killbits in spywareblaster or in other apps are registry settings that are needed by malware. and lets say:

    CLSIDName=180solutions | saiemod.dll
    CLSID={5DAFD089-24B1-4c5e-BD42-8CA72550717B

    the clsid= 5DAFD089-24B1-4c5e-BD42-8CA72550717B and this is the vital dll for the malware: saiemod.dll

    these two the dll will write this reg setting 5DAFD089-24B1-4c5e-BD42-8CA72550717B and this will be probihited by a instruction into the app. the necessary registry setting will be taken from the malware so the dll will not work and so the spyware/malware will just not work.

    this is my personal view and If I am wrong I hope someone will correct (guess this will not be a prob here ;-)

    bye
     
  16. Ronin

    Ronin Guest

    No offence, but you do seem to one of the typical wilders users who run all sorts of antimalware but have little idea what or how they work.
     
  17. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I know in general how they work. But more importantly, I know they do work. Like many technically oriented people,it's fun to learn more specific details. You seem to have a problem with that. I'm glad to see your in the minority here - no offense intended of course..
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,763
    Location:
    Texas

    Why don't you register and we can talk more.

    This is a place to learn, not criticize.
     
  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Welcome to Wilders Ronin,

    Hopefully you'll stick around and consider becoming a member. As for the typical wilders users comment....I'll add to that by saying a good percentage of users....regardless of their Site affiliation....have no clue how their Secuirty software works. However....as time goes on they run across a problem and visit sites such as Wilders and they then learn more about what they have installed. Hopefully you'll hang long enough with us to offer assistance to the less knowledgeable users that have installed antimalware without a clue of what it does.
     
  20. Ronin

    Ronin Guest

    Yes, but the typical user does not run out and install and test every single
    security product advertised here.

    I would draw a parallel between the distinction of hackers and scriptkiddies.
    The typical wilders security user could be called a "white hat scriptkiddie" or an antiscript kiddie.

    Much like a script kiddie who uses scripts made by other hackers , antiscript kiddies love to run antimalware proggies created by real security experts -white hats, though in both cases there is little understanding of what really is happening.

    Like most script kiddies, antiscript kiddies generally know little or no programming, though many of them do eventually gain some kind of understanding of roughly how the scripts they are using work,enough to do some modifications and changes by trial and error.

    Like scriptkiddies, antiscriptkiddies , are often in awe of the real experts and love to mingle with them, this forum among many is one of those places on the net that serves this purpose. Their blackhat counterparts have their respective locations too of course.

    I don't wish to be too down on such users, after all as little as they know compared to the real experts, the best of them do know a whole lot more than the majority of people and can adequately defend their systems against most attacks (such as those mounted by their black hat counterparts for example).



    Though I think I might have more knowledge than many of the members here, I must sadly admit that I'm no more than a glorified anti-script kiddie too!
     
  21. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Ronin

    Please take the offer from Bubba and become a Member and share
    the benefit of your Knowledge, as any help will be appreciated.

    Take Care,
    TheQuest :cool:
     
Loading...
Thread Status:
Not open for further replies.