How Spybot Search & Destroy protects against the installation of Spyware/Malware

An ounce of prevention is worth a pound of cure.

There are four levels of protection currently offered by Spybot - Search & Destroy.

The first level of protection is immunization (a passive protection). When you “Immunize”, entries are added to the system Registry. This blocks cookies from some sites, places other sites in the restricted zone and blocks the download/execution of selected ActiveX scripts. Also Note: If you use Spybot - Search & Destroy and other products like SpywareBlaster, etc. together, there is an overlap of some of the protection offered. If you undo or disable the protection in one product, it may remove some of the protection installed by the other. You should re-immunize or re-enable the protection in the other products as appropriate.

The second level of protection is Spybot's "Resident SD helper", which is also known as "Browser Helper to block bad downloads", "Spybot - Search & Destroy Resident" and "Resident IE" (depending on which Spybot - Search & Destroy panel you may be on or how it is identified in the system tray icon). This is an active protection. It is a BHO (Browser Helper Object) that blocks the download of bad (malicious) files. There are three selectable modes that this can operate in: (1) Block all pages silently (2) Display dialog when blocking (3) Ask for blocking confirmation.

The third level of protection is the TeaTimer. TeaTimer is an active protection that monitors changes to certain system Registry keys such as System Startup, ActiveX Distribution Unit, Browser page and Browser Helper Object, etc. When any change is detected to these Registry keys a pop-up dialog is issued asking you to allow or deny the change and if you want TeaTimer to remember the decision. TeaTimer also monitors processes that are initiated in the system. If the process being initiated matches a list of processes in Spybot's detection files, the process is terminated and a dialog is issued to notify you and allow you to make choices as to how to handle the same process during future detections.

The fourth level of protection is through the addition of HOSTS file entries. This is a passive protection. The HOSTS file contains the mappings of IP addresses to host names and is loaded into memory at startup. The HOSTS file must contain one entry: "127.0.0.1 localhost". The IP address 127.0.0.1 is the local machine. Windows checks the HOSTS file before it queries any DNS (Domain Name System) servers, which enables entries in the HOSTS file to override addresses in the DNS. Adding an entry such as “127.0.0.1 malware.com” to the HOSTS file prevents the access of “malware.com” through IE because any connection attempts are redirected back to the local machine. HOSTS file entries can also be used to block other applications from connecting to the Internet.