I'm not so familiar with the programming languages, but it would be fun to know how ClearType can be integrated into Spybot, like it uses CT by default if the user's machine has CT enabled.
Thanks a lot md usa spybot fan, your code is what I was looking for, appreciate it.
Hi, thanks for this great software. It's good to see that the best stuff is still free (as so often) and that you're sticking to it for so long. I hope this is generating good business for you and that you managed to get in tune with that mystical Girl we've been praying for.
I just read on your front page that people complain about speed, and even I am twiddling my thumbs for the hour it takes to scan. So here is my suggestion as a software designer, programmer, and database person:
Your scanning algorithm seems to follow this nested loop structure:
    for (threat in ALL_THREATS) {                              // outer loop: every known threat
        for (fingerprint in threat.fingerprints) {             // every fingerprint of that threat
            for (fingerprintOnObject in fingerprint.affectedObjects) {   // every file/key it touches
                fingerprintOnObject.check();                   // seek to the object and compare
            }
        }
    }
The problem with this is a lot of random-access seeking: 300000 times over the same 100000 objects, hitting the registry 200000 times and >100000 times the same <10000 files. Instead, how about streaming the registry and files through a filter that looks for all fingerprints per file rather than files per fingerprint?
    for (object in ALL_THREATENED_OBJECTS) {                   // outer loop: each file/key read once
        for (objectThreatFingerprint in object.threatFingerprints) {   // all fingerprints referencing it
            objectThreatFingerprint.check();                   // compare against the object already in hand
        }
    }
That way you check every object (file, registry key) only once, and each time you check for all known threat fingerprints. I think you could get a 10x to 100x speed improvement out of that.
What do you think?
I have one more suggestion about usability. The other day I had a very ugly virtumonde infestation. And eventually it killed my setup to the point where I rebuilt a Windows machine (after > 5 years and 1 hard drive crash). The problem was something was deleting WINDOWS/system32/drivers files (pci.sys was gone). But why did I even restart?
I restarted because I was trying to kill winlogon before killing that sdss (sp?) process. And I did that because I loaded up some new process killer which I had to use for the first time, hit the wrong button, and then the machine came down never to boot again.
This shows:
- you want to avoid rebooting during clean up as much as you can
- when something bad has happened, any user will be executing unfamiliar stuff under a state of stress with possibly limited access to information (if the browser has a "helper" that spawns malicious processes, you don't want to run the browser to read the fine print.)
So, therefore, the more Spybot S&D is able to kill processes automatically, so that it can stop the spawning of malicious processes and the insertion of registry keys, the better it is for a successful recovery. That new (?) virtumonde thing can probably teach a lesson on how it could work. You need to
1. kill the system-process (winlogon?) that spawns processes and inserts keys
2. while keeping the machine from shutting down and rebooting
3. do a sanity check on system files required for the next reboot
4. restore those files from a backup previously stashed away (outside of the recovery checkpoint function, which is affected by the same malware.)
and finally
6. Protect Spybot S&D from becoming itself a target for malware (keeping in mind that with increased popularity comes increased exposure.)
Thanks for all you have already done!
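To make the two loop orders from the speed suggestion concrete, here is an added example (not Spybot's code, and not from the poster) that runs both orders over a constructed in-memory "system" of five registry values and files and counts how many object reads each order needs. The threat names, paths and hashes are all made up for the example; the point it shows is that the fingerprint-first order reads once per fingerprint entry while the object-first order reads once per object, so which one wins depends on the ratio of fingerprints to objects.

```python
"""Fingerprint-first vs object-first scanning on a constructed sample."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    object_path: str   # registry value or file the threat touches
    expected: str      # value (or hash) that indicates infection


@dataclass(frozen=True)
class Threat:
    name: str
    fingerprints: tuple


# Constructed sample system: path -> current registry value or file hash.
SAMPLE_OBJECTS = {
    r"HKLM\Software\Run\updater": r"C:\temp\upd.exe",
    r"HKCU\Software\Run\helper": r"C:\Windows\helper.dll",
    r"C:\Windows\system32\drivers\pci.sys": "sha1:1111",
    r"C:\Windows\system32\legit.dll": "sha1:2222",
    r"C:\temp\upd.exe": "sha1:3333",
}

# Constructed threat database (names and values are hypothetical).
SAMPLE_THREATS = (
    Threat("SampleThreat1", (
        Fingerprint(r"HKLM\Software\Run\updater", r"C:\temp\upd.exe"),
        Fingerprint(r"C:\temp\upd.exe", "sha1:3333"),
    )),
    Threat("SampleThreat2", (
        Fingerprint(r"HKCU\Software\Run\helper", r"C:\evil\helper.dll"),
        Fingerprint(r"C:\Windows\system32\legit.dll", "sha1:dead"),
    )),
    Threat("SampleThreat3", (
        Fingerprint(r"HKLM\Software\Run\updater", r"C:\temp\upd.exe"),
        Fingerprint(r"C:\Windows\system32\nothere.sys", "sha1:4444"),
    )),
)


class ObjectStore:
    """Wraps the sample system and counts reads, standing in for the
    disk and registry seeks the post is worried about."""

    def __init__(self, objects):
        self._objects = dict(objects)
        self.reads = 0

    def read(self, path):
        self.reads += 1                      # one random-access seek
        return self._objects.get(path)

    def stream(self):
        for path, value in self._objects.items():
            self.reads += 1                  # one sequential read per object
            yield path, value


def fingerprint_first(threats, store):
    """Original order: for each threat, for each fingerprint, seek the object."""
    hits = defaultdict(list)
    for threat in threats:
        for fp in threat.fingerprints:
            if store.read(fp.object_path) == fp.expected:
                hits[threat.name].append(fp.object_path)
    return {name: sorted(paths) for name, paths in hits.items()}


def object_first(threats, store):
    """Suggested order: index fingerprints by object, then stream each object once."""
    index = defaultdict(list)
    for threat in threats:
        for fp in threat.fingerprints:
            index[fp.object_path].append((threat.name, fp.expected))
    hits = defaultdict(list)
    for path, value in store.stream():
        for name, expected in index.get(path, ()):
            if value == expected:
                hits[name].append(path)
    return {name: sorted(paths) for name, paths in hits.items()}


def compare(threats=SAMPLE_THREATS, objects=SAMPLE_OBJECTS):
    """Return (detections, reads) for both orders so they can be compared."""
    a, b = ObjectStore(objects), ObjectStore(objects)
    return {
        "fingerprint_first": (fingerprint_first(threats, a), a.reads),
        "object_first": (object_first(threats, b), b.reads),
    }


if __name__ == "__main__":
    for order, (hits, reads) in compare().items():
        print(f"{order}: {reads} reads, detections={hits}")
```

Both orders find the same detections; on this sample the fingerprint-first order performs six reads (one per fingerprint entry) and the object-first order five (one per object). With a real database of hundreds of thousands of fingerprints against tens of thousands of files the object-first order wins, but the streaming pass also has to read every object whether or not any fingerprint references it, which is the trade-off the later reply points at.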
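Steps 3 and 4 of the usability suggestion (sanity-check the files the next boot needs, then restore them from a stash kept outside the normal recovery mechanism) can be sketched as a small integrity manifest. The following is an added example, not Spybot's code: it hashes a list of critical files into a content-addressed stash while the system is known-good, later classifies each file as ok, missing or modified, and copies the stashed copy back for anything that is not ok. The demo builds its own temporary "drivers" directory with constructed contents, so it runs anywhere and touches no real system files.

```python
"""Manifest-based check and restore of critical boot files (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stash(files, stash_dir: Path) -> dict:
    """Copy each file into a content-addressed stash (named by its hash) and
    return the manifest path -> sha256. Run this while the system is clean."""
    stash_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in files:
        digest = sha256_file(path)
        shutil.copy2(path, stash_dir / digest)
        manifest[str(path)] = digest
    return manifest


def verify(manifest: dict) -> dict:
    """Classify every manifest entry as 'ok', 'missing' or 'modified'."""
    report = {}
    for path, digest in manifest.items():
        p = Path(path)
        if not p.exists():
            report[path] = "missing"
        elif sha256_file(p) != digest:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def restore(report: dict, manifest: dict, stash_dir: Path) -> list:
    """Copy the stashed copy back over every file that is missing or modified."""
    restored = []
    for path, state in report.items():
        if state == "ok":
            continue
        src = stash_dir / manifest[path]
        if not src.exists():        # stash itself damaged: nothing to restore from
            continue
        Path(path).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, path)
        restored.append(path)
    return restored


def demo():
    """Constructed scenario: one driver deleted, one tampered with, one intact."""
    root = Path(tempfile.mkdtemp())
    drivers = root / "system32" / "drivers"
    drivers.mkdir(parents=True)
    files = []
    for name in ("pci.sys", "disk.sys", "ntfs.sys"):
        p = drivers / name
        p.write_bytes(b"constructed contents of " + name.encode())
        files.append(p)
    manifest = stash(files, root / "stash")     # taken while known-good
    (drivers / "pci.sys").unlink()              # simulate the deleted driver
    (drivers / "disk.sys").write_bytes(b"tampered")
    before = verify(manifest)
    restored = restore(before, manifest, root / "stash")
    after = verify(manifest)
    shutil.rmtree(root)
    return before, restored, after


if __name__ == "__main__":
    before, restored, after = demo()
    print("before:", before)
    print("restored:", restored)
    print("after:", after)
```

The stash directory and manifest are only worth anything if the malware cannot reach them, which is the poster's own point about the recovery checkpoint: in practice they belong on read-only or external media, which is also the argument for the bootable-CD approach raised in the reply.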
6. One small attempt in the current version is the randomly named copies of the main executables in the Spybot-S&D folder, and the fact that they're marked system & hidden. We have two much stronger concepts at hand for 2.0 though. Not sure if I should mention them here and allow malware creators to counteract them before they're even available.
As for the other stuff, you're right there of course, but I wonder what you would think about the bootable CD thing (insert a CD, boot from it, clean stuff while your system is inactive and malware can not interact/conflict) compared to your suggestions?
edit: overlooked the post above. Actually, there is quite a lot of optimization in avoiding multiple lookups. Most of the commands and parameters use pre-created and optimized caches. Whether your suggestion would be a speed improvement or a slowdown depends a lot on comparing the number of files to the number of patterns, and modern Windows installations grow quite huge; it also has other disadvantages. As for the direction of comparing things, did you see this blog post? I tried to explain a bit about the difference between the two possible approaches and why we feel a hybrid would work best.
Last edited by PepiMK; 2008-12-28 at 23:02.
Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)
is there any set date on when 2.0 will be released??
For the fastest, safest browsing experience get Google Chrome
Hello,
No, there is not any date set yet.
Best regards
Sandra
Team Spybot
The bootable CD would be a good thing, very certainly. That's something to want to have handy at all times. Sometimes I see some haphazardly thrown together Linux bootable CD with stuff that then doesn't do so much. But would be neat to have this for Spybot.
O.K. I'll read this. You probably already do the right thing then. Just wish there was some magic to make it all go faster.
I have some suggestion for the Spybot team.
Resident available for Firefox.
Better detection for adware, malware, dialers, keyloggers, trojans and worms.
Reduce memory usage during scan.
Increase the amount of updated threats.
More updates (not weekly).
Spybot - File Shredder
This already has 'templates' to shred specific directories. I'm more than curious why the recycle bin directory wasn't included in it, as it would logically be one of the more pertinent places to use it?