[gui-talk] Review of Spybot Search & Destroy Version 1.5

Steve Pattison srp at internode.on.net
Wed Mar 5 17:41:49 CST 2008


Seeing some people use Spybot Search & Destroy to remove spyware I thought people might be interested in the following review that appeared in PC Magazine and is taken from www.pcmag.com/print_article2/0,1217,a=224597,00.asp.  -Steve.

Spybot Search & Destroy 1.5
REVIEW DATE:  02.15.08

BOTTOM LINE:
Spybot's skill at cleaning up malware-infested systems is mediocre, and it has almost
no ability to protect a clean system. Back in its heyday it was deservedly popular,
but that day has long passed. For modern threats you'll need a modern spyware protector.

PROS:

Advanced mode tools are handy for highly skilled users. Immunization prevents some
problems by adjusting browser settings. Boot-time scan manages some locked files.

CONS:

Poor at real-world spyware removal. Real-time protection interferes with spyware
removal and rarely identifies malware. Does almost nothing to prevent malware install
on a clean system.

COMPANY:
Safer Networking Limited
SPEC DATA
Price: $0.00
Type: Personal
Free: Yes
OS Compatibility: Windows Vista, Windows XP

By Neil J. Rubenking

Spyware seems so ubiquitous these days that it's hard to remember it wasn't always
so. I first wrote about the topic in 2000, and in that same year Patrick Kolla started
developing a program to counter the threat. In the early 2000s, Kolla's Spybot was
one of the few antispyware utilities available, and it became hugely (and deservedly)
popular. Unfortunately, over the years it hasn't kept up with modern malware. I stopped
recommending it some years ago. But when we ran our roundup, Nine Ways to Wipe Out
Spyware, there was a great outcry at its omission. Apparently, many of you stuck by this
elder statesman of spyware long after I gave up on it. I decided that if so many
of you still swore by it, I owed it to you to put the latest version of Kolla's app
through the same tests as all the rest - either to confirm your opinions or to warn
you that Spybot didn't measure up. Accordingly, I ran the current version, Spybot -
Search & Destroy 1.5, through my standard testing regimen.

The program hasn't visibly changed in years. It's still separated into a main Spybot
scanning module and a real-time protection module that goes by the unusual name of
TeaTimer. Installation is quick and it leads you through getting the latest updates
and running its immunization process, which is supposed to prevent certain unauthorized
changes to your system. I was a bit surprised at the date on the latest immunization
files: July 25, 2007. That was over six months ago - not a good omen for Spybot.

Can It Search and Destroy?

I installed Spybot on my usual test systems, each infested with several malware samples
such as adware, spyware, Trojan horses, rootkits, and rogue antispyware products.
The utility seized up during the fixing process on a couple of systems, forcing me
to cold-boot and start over. On one system, the software threw a ton of error messages
and then blue-screened, but on reboot the scan worked. While the process was a little
rocky, it wasn't any worse overall than what I experienced evaluating
Spyware Doctor with AntiVirus 5.5.

The cleanup process was rendered extremely tedious by infighting between Spybot's
two personalities. To clean up many found threats, the program had to delete the
Registry items that caused the threat to launch at start-up. But the real-time protection
module reported the Registry change attempt and asked me whether to allow it - every
time! Worse, whenever Spybot found an in-use file, it created a Registry entry to
delete that file at the next reboot. Here, too, the real-time protection module flagged
each change and asked me whether to allow it. Talk about the left hand not knowing
what the right hand is doing! On one system I had to answer more than 60 of these
pop-up queries. Why can't it just quietly take care of business, like the competition?

In order to make sure it had the best opportunity to succeed at malware cleanup,
I carefully checked the "Remember this decision" box and clicked "Allow change" every
time it asked whether to allow its own Registry changes. But wow, what a waste of
time!

In a number of cases, because the utility couldn't delete certain files (they were
locked by the malware), it asked to reboot and rescan during the boot process so
that it could delete those files before other programs loaded. But even with this
boot-time advantage, Spybot didn't do a very good job of cleaning up the infested
systems. It totally missed about a quarter of the samples and failed to fully remove
almost half of those it did detect. Some were visibly still running. Overall, the
program scored 6.0 points out of 10. That edges out the latest version of another
venerable spyware fighter, Ad-Aware 2007 Pro, which got 5.9 points, but many products
score 9 or better on this test.

Spyware Doctor with AntiVirus 5.5 scored 9.5, and Panda Internet Security 2008 got
a full 10 of 10. In short, if you've got an infested machine, Spybot is not
the app I'd recommend for cleaning it out.

On a separate test using commercial keyloggers instead of malware, Spybot totally
missed half the samples and failed to remove most of those it detected. Several of
them were still running and logging keys after Spybot allegedly removed them. The
product scored 2.5 out of 10 on this test, beating Panda's score of 2.1. By contrast,
Norton Internet Security 2008 wiped out all of the keylogger samples, for a perfect
10 of 10. This test isn't of critical importance, but, still, the results aren't
encouraging for Spybot.

Can It Keep Me Safe?

Many products do a better job of keeping malware out of a clean system than they
do of scraping deeply embedded malware from an infested system. That makes sense:
Bad guys that are already installed can fight back or hide themselves using rootkit
techniques. To test Spybot's protective abilities, I installed it on a clean system
and tried to install the same collection of malware samples.

Typical modern antispyware programs scan files when any attempt is made to access
them - even with the minimal access that occurs when Windows Explorer lists the file
in a folder's contents. Spyware Doctor's File Guard module does this, for example.
But Spybot doesn't go into action until a program launches, and, rather than blocking
known malware, the utility generally displays an ambiguous warning that requires
user intervention. For example, it might say that it has "detected an important Registry
entry that has been changed." As noted, it displays similar warnings for valid programs -
itself among them.

On this test, I blocked only those rare actions from programs that Spybot specifically
identified as malware, because those are the only cases in which the average user
can be reliably counted on to do the same. I'm assuming that the average user will
pay enough attention to notice the mention of "malicious software" and block those
actions. As for the bland warnings that don't mention malware, users don't have the
information to base a decision on. Those who decide to block all such actions will
quickly find themselves disabling valid programs or even preventing Spybot itself
from functioning as designed, and soon they'll join the "allow everything" crowd.

Most antispyware utilities abandoned this simplistic protection style years ago,
replacing it with signature-based scanning of all files on access and comprehensive
behavioral analysis for unknown files.

For over three quarters of the sample installations, the product either took no notice
or displayed a bland pop-up with no reference to malware. When the utility did mention
malware, I checked off the options to let it always kill the offending process and
always delete the file from the disk. Unfortunately, doing so rarely prevented the
malware sample from installing at least partially.

In one case, Spybot got into a protracted knock-down, drag-out fight with a malware
sample trying to install. It accumulated so many small warning windows that they
filled over half the screen, and the system became completely unusable, with all
resources being devoted to the fight between Spybot and the malware sample. In the
end, for keeping malware off of a clean system, Spybot scored a dismal 1.2 of 10,
matching the poor performance of SpyEraser 2. Spyware Doctor blocked almost everything,
scoring 9.8 of 10 on this test, and Panda swept the field with a perfect 10.

It's fortunate for Spybot that I give much less weight to the test in which I try
to install commercial keyloggers on a protected system. Even Panda, which doesn't
do well with keyloggers, scored 3.6 on this test. Spybot's score: 1 out of 10. Norton
aced this one with 10 out of 10.

I could go into more detail about the advanced features and report that they seemed
to seriously bog down the test systems at times, with events that normally occur
too fast to see happening 10 seconds apart. But really, none of this is relevant
information. While Spybot - Search & Destroy 1.5 may be free, its malware cleanup
skills are mediocre, and it has virtually no ability to prevent installation of harmful
software. In its day it was top-of-the-line, but that day is long past.

Regards Steve
Email:  srp at internode.on.net
Windows Live Messenger:  internetuser383 at hotmail.com
Skype:  steve1963