PDA

View Full Version : A few questions.



qwerty12345
2010-11-23, 22:20
Hello. I haven't used Spybot for a few years, and I have a few general questions about the latest version.

1) What are the "Use source Whitelists", "Use entry black- and whitelists" and "Paranoid mode" options? The helpfile doesn't really explain.

2) When I first installed Spybot a couple of months ago, the TeaTimer would ask me to allow (or not) certain changes. For the first few days, it told me about lots of things, but since then, it has been completely silent. If I check the log, it shows that it has allowed everything, based on either "blacklist", "whitelist" or "user decision". This may have something to do with 1), but I haven't changed any of those options.

3) Whenever I check for updates they are always roughly (exactly?) the same size (5MB and ~800KB). This is either an incredible coincidence, or (more likely) it would suggest the entire database is being downloaded every time Spybot updates. What would cause this to happen? I have known it happen with other programs when the database has become corrupt. I'd like to sort this out, as I check for updates every couple of days, and although Avira usually takes less than a minute, Spybot takes 1/2 an hour to update.

4) Finally, when I doubleclick the icon in the systray, Spybot doesn't load. If I right-click and choose to run Spybot, a small loading window will appear and after a few seconds, Spybot will open. If I open Process Explorer and then doubleclick the icon, I can see SpybotSD.exe (sometimes two) does open for a split-second, but then closes immediately.

I have a couple of other questions, but I think it would be more appropriate to ask them in a dedicated thread.

Thank you for reading, and, of course, thanks for a very worthwhile program.

PS: I don't know how you do it, but your website (safer-networking.org) is lightning fast - every page loads in under a couple of seconds. I'm on dial-up and the web hasn't felt this fast in years.

spybotsandra
2010-11-24, 12:09
Hello,

1. The black list of the resident TeaTimer is for denied registry changes, the white list is for allowed ones.
The changes are only added to the black and white list if you have marked "remember this decision" when you allow or deny an item.

Please read this information about TeaTimer:
What is the Resident TeaTimer? (http://www.safer-networking.org/en/faq/33.html)
and Why does Resident TeaTimer terminate the application before asking? (http://www.safer-networking.org/en/faq/34.html)
If you surf the web and without any user interaction the TeaTimer pops up and warns about a registry change it is better to "deny", but if you install something by yourself it is OK to "allow" the change.
The tutorial (point 8) (http://www.safer-networking.org/en/tutorial/index.html) on our homepage should also help explaining.

2. This is the new way of monitoring by TeaTimer. To return to the "old" way of monitoring right click on TeaTimer and change it to "Paranoid Mode".
This thread (http://forums.spybot.info/showthread.php?t=46937) has more details on the new TeaTimer.

3. If you download updates the whole file of our detection rules is being downloaded. We have choose to do this because if you are infected and make a fresh installation of Spybot - Search & Destroy - like most of our users do - you only need to update once - only one file.

4. The loading from the system tray seems to be a little buggy.
We recommend to start Spybot - Search & Destroy from the Start Menu (http://www.safer-networking.org/en/faq/42.html) in your Windows.

Best regards
Sandra
Team Spybot

qwerty12345
2010-11-25, 15:22
Hello Sandra, thanks for your reply.

1) So, the whitelist is for things I have said are fine and should be allowed (always) and the blacklist is for things I have said are malicious or that I simply don't want and should be blocked (always)? And these are the 4 tabs I see when I select "Settings" from a right-click on the tray icon? Considering I don't think I have ever selected "Remember this decision" and those 4 tabs are therefore (correctly) all blank, does this mean that the selections to use (or not use) the blacklists and whitelists on the right-click menu are meaningless?

2) When it says "Paranoid mode (ask on any unknown)", what does the "unknown" refer to? Items that are on neither a blacklist nor a whitelist? When not in paranoid mode, does that mean that all unknowns are automatically allowed?

3) & 4) are a shame, but maybe they will change in the future?

PS: Thanks again for helping me out. Do you actually work on Spybot?

spybotsandra
2010-11-25, 15:54
Hello,

1. That's correct. But those lists are not meaningless, you have just not used that option yet.

2. Ask on any unknown means that whenever there is a registry change that we do not know you will be asked if you want to allow it or deny it.
We also have our lists for bad and good stuff. But we can not know every single process, because the spyware sector is growing and developing too fast.
So whenever there is one item that we do not know you will be asked.

We always work on Spybot. ;)

Best regards
Sandra
Team Spybot

qwerty12345
2010-11-27, 17:38
Hello Sandra, and thanks again for replying. Unfortunately, I think maybe something is getting lost in translation.

1) I didn't mean the lists are meaningless. I mean, when I right-click on the icon in the systray, there are two options "Use source whitelists" and "Use entry black- and whitelists". As the "Settings" are empty, I might expect the two options to be greyed out, but they are still available to be selected, or not. Whether there is a tick next to them or not, presumeably will make no difference? Also, what is the difference between a "source whitelist" and an "entry whitelist"?

2)
So whenever there is one item that we do not know you will be asked. I understand this (it is pretty self-explanitory). I'm not sure quite how else to put this, but, when there is no tick next to "Paranoid mode (ask on any unknown)", what happens to the "unknowns"? Are they automatically allowed?

Thanks.

PS: I appreciate that your English is much better than my German. :bigthumb:

spybotsandra
2010-11-29, 13:09
Hello,

1. The difference between the lists is the following:
Source lists are made by us. They go back to our detection rules.
So we can distinguish if an entry is bad or not.
The entry lists are made by you, whenever you allow or deny an entry and mark it as remember this decision.
The lists are always avialable, they are not greyed out.
That way they can be used if it is necessary, without enabling them before.

2. Whenever there is an unknown entry you should be asked.
Probably you did not make any changes to the registry, so that the TeaTimer is silent.

Best regards
Sandra
Team Spybot

qwerty12345
2010-11-30, 22:36
I see, thank you. I wonder then, why it says "(ask on any unknown)" after "Paranoid mode". Maybe it's a typo? I suppose it doesn't matter.

The way these settings are laid out is quite confusing. So, just to be certain:

If only the lists are selected, then I will only be asked about unknowns (things that do not appear on any selected list). If only paranoid mode is selected, then I will be asked about everything. If nothing is selected, then that will be the same as paranoid mode? And if all 3 options are selected, which takes precedence?

Also, when I asked if you worked on Spybot, I meant you personally. ;)

spybotsandra
2010-12-01, 11:46
Hello,

That's correct.
In Paranoid mode you should be alerted of every change.
The other mode does only alert you on unknown registry changes.
And yes, I am part of the official Spybot team.

Best regards
Sandra
Team Spybot