Teatimer and Virtumonde



molngab
2008-04-26, 12:43
Hello!

My question: Spybot S&D can detect the Virtumonde type of infection.
The resident shield, TeaTimer, uses the same definition base as the main scanner of S&D.
If S&D can detect Virtumonde, why can't TeaTimer detect it in real time?


Thanks

honda12
2008-04-27, 03:05
Hi molngab

From spybot faqs: What is the Resident TeaTimer?
(http://www.spybot.info/en/faq/33.html)

What is the Resident TeaTimer?

The Resident TeaTimer is a tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them, giving you some options for how to deal with this process in the future. You can set TeaTimer to:

* be informed, when the process tries to start again
* automatically kill the process
* or generally allow the process to run

There is also an option to delete the file associated with this process.

In addition, TeaTimer detects when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either Allow or Deny the change.

The TeaTimer is always running in the background.

***

From: How Spybot-S&D protects against the installation of Spyware/Malware (http://forums.spybot.info/showthread.php?t=281)

The third level of protection is the TeaTimer. TeaTimer is an active protection that monitors changes to certain system Registry keys such as System Startup, ActiveX Distribution Unit, Browser page and Browser Helper Object, etc. When any change is detected to these Registry keys a pop-up dialog is issued asking you to allow or deny the change and if you want TeaTimer to remember the decision. TeaTimer also monitors processes that are initiated in the system. If the process being initiated matches a list of processes in Spybot's detection files, the process is terminated and a dialog is issued to notify you and allow you to make choices as to how to handle the same process during future detections.




According to this information it seems that teatimer does use Spybot's database to detect known malware :euro:
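As an added illustration of the second kind of protection the quoted FAQ describes (watching the System Startup, Browser Helper Object and browser start-page registry locations for changes), here is a small PowerShell baseline-and-compare script. It is not Spybot's code and does not hook changes in real time as TeaTimer does; it records the watched keys once and, on later runs, reports entries that were added, changed or removed. The key paths and the baseline file location are my assumptions.

```powershell
# Added example (not Spybot's code): record the autostart/BHO/start-page registry
# locations named in the FAQ, then report differences against that baseline.
# First run (or -Baseline) writes the baseline; later runs print the changes.
param([switch]$Baseline, [string]$BaselinePath = "$env:TEMP\autostart-baseline.json")

# Assumed concrete paths for the FAQ's categories: System Startup, Browser Helper
# Objects, browser page. Adjust to taste; the comparison logic does not depend on them.
$WatchedKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
  'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main'
)
# Properties PowerShell itself attaches to Get-ItemProperty output; not registry data.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartSnapshot {
  $snap = @{}
  foreach ($key in $WatchedKeys) {
    if (-not (Test-Path $key)) { continue }
    # Values directly under the key (Run entries, Start Page, ...)
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
      if ($MetaProps -contains $p.Name) { continue }
      $snap["$key\$($p.Name)"] = [string]$p.Value
    }
    # Subkeys: each BHO is registered as its own CLSID-named subkey
    foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
      $snap["$key\$($sub.PSChildName)"] = '<subkey>'
    }
  }
  return $snap
}

$current = Get-AutostartSnapshot
if ($Baseline -or -not (Test-Path $BaselinePath)) {
  $current | ConvertTo-Json | Set-Content -Path $BaselinePath
  Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)."
  exit 0
}

$old = @{}
(Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
  ForEach-Object { $old[$_.Name] = [string]$_.Value }

# These are the changes TeaTimer would have prompted about as they happened.
foreach ($k in $current.Keys) {
  if (-not $old.ContainsKey($k))     { Write-Host "ADDED   $k = $($current[$k])" }
  elseif ($old[$k] -ne $current[$k]) { Write-Host "CHANGED $k : '$($old[$k])' -> '$($current[$k])'" }
}
foreach ($k in $old.Keys) {
  if (-not $current.ContainsKey($k)) { Write-Host "REMOVED $k" }
}
```

Run it once to create the baseline, then schedule it or run it after installing software to see which autostart or BHO entries appeared; an entry you did not expect is the point at which a scan with the full definitions is worthwhile.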