SS&D wants to create ntdoss04.sys?



bentelk
2008-05-31, 20:35
Google doesn't seem to know much about the file (3 results?), so I thought I'd ask here: what reason does Spybot Search & Destroy have for creating the file called ntdoss04.sys in \WINDOWS\? what does it do?

I noticed because COMODO Firewall alerted me. I figured that if it's something SS&D wants to do, it's probably fine, but it still made me wonder.

md usa spybot fan
2008-05-31, 21:05
bentelk:

What version of Spybot - Search & Destroy are you running (Spybot > Help > About)?

What were you doing with Spybot when you received the alert? If you were doing a scan, did you receive any messages from Spybot (see Note #1)?

I am not a COMODO Firewall user, so I would like to know what leads you to believe that Spybot was trying to create the file rather than just access the file?

__________

Note #1: There seem to be errors that Lancer (http://forums.spybot.info/member.php?u=35411) reported during a scan after the 2008-05-28 updates in this thread (http://forums.spybot.info/showthread.php?t=27194). Those errors dealt with detection of "Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys".

bentelk
2008-05-31, 21:17
I was scanning for spyware at the time, although I didn't notice what bot/spyware it was checking for when the notification from COMODO came up.

ah, and I have version 1.5.2.20 of SS&D.

[after reading that thread you referred to] what I have experienced doesn't seem to adversely affect SS&D in any way, or affect it at all. everything ran OK, except for the pause COMODO enforced while it waited for me to decide what to do about creating this file in a system directory. also, I looked for the file just now, and couldn't find it. perhaps it's part of the scan? to create and delete this file? although that seems odd to me. I guess I shouldn't worry about it, it just all strikes me as kind of odd, is all. I'm increasingly of the opinion that super-sensitive firewall software like this mainly serves to make people more paranoid, rather than less :P

if it's really important, I can attempt to recreate the behavior.

md usa spybot fan
2008-05-31, 23:23
bentelk:

I created a thread in the False Positives (http://forums.spybot.info/forumdisplay.php?f=16) forum asking if there is a possibility that the problem you encountered is related to the detection rule that caused an error for Lancer (http://forums.spybot.info/member.php?u=35411):
Detection rules for Delf.Spool.cn and/or the file ntdoss04.sys
http://forums.spybot.info/showthread.php?t=28867
I'm sorry that I can't personally resolve your query. However, keep your eye on that thread and see if someone from Team Spybot can shed some light on what is/was happening.

Added with edit:

ps: They are off for the weekend so it may take a while to get a response to that thread.

bentelk
2008-06-01, 05:40
ah, okay. thanks :)

Yodama
2008-06-02, 08:37
hello,

thank you for reporting this issue.
There is a syntax error in the rule relating to this issue. The error will be fixed with the next update. However, this error only causes Spybot S&D to always check for the ntdoss04.sys; Spybot S&D does not try to create the file.