How does one identify new spyware?



schitzn
2008-06-13, 16:45
I'm pretty computer savvy, and I'd love to support the Spybot database.

What I'm asking is...

1. What categorizes suspect files as "spyware" & not a virus for spybot.

2. What characteristics would one expect to suspect that there are gremlins still

3. What tools/means would one use to identify/isolate the suspect files.

My question is, how does one identify? I'm a bit fuzzy, because spyware and viruses seem to be separate areas and Spybot deals with spyware. How does one know if it's appropriate to send in a suspect file.

I'm assuming things to look out for would be high CPU usage caused by a particular file, nuisance popups because of an undetected BHO entry.

PepiMK
2008-06-13, 20:59
Hmmm... if you're going to follow the beta announcements for the next three weeks, I think I could heap information on you, but since that is not available yet, I'll try to give a rough overview. Hope someone else will jump in and add to it soon ;)

1. I think Spybot-S&D has grown from purely "anti ad- and spyware" to fight most kinds of "modern malware". The typical "virus" we don't usually target would be the type that probably affects only files, infects the boot sector or master boot record, etc.
That is classically already covered quite well by anti virus applications.
What we try to target is "any other kind" of malware. Examples would be dialers, or keyloggers, browser hijackers, adware, spyware in the sense of any software transmitting way more personal information than is necessary.
The typical virus is or was written for fame and/or doing damage. The typical malware is written for commercial or snoopy gain.

3. Many people, many different favorites ;)
I would for example suggest to take a look at the SysInternals Suite (http://www.sysinternals.com/); mostly FileMon, RegMon and ProcExp, which are very helpful, yet still understandable. Personally, I use our own tools of course: RunAlyzer for an overview of system startup locations; malware often likes to use names that are quite similar to real system file names, or even identical ones in different folders. FileAlyzer to look deeper into files I suspect may be bad, RegAlyzer since I need more search features than the official regedit. Sometimes an ADS scanner, though that is integrated into RootAlyzer now. I don't really have a preferred firewall any more; using one that requests feedback on every application requesting internet connection and watching the URLs is helpful. For the full power of traffic sniffing, I use Wireshark (http://www.wireshark.org/), but for that, you might have to know quite a bit about TCP/IP communications to not get overwhelmed by all the data.

Your assumptions are correct, but there are so many more things to look out for. If you're really interested to learn, I would suggest taking a course at one of the online malware universities, I'm sure some other poster will provide more details right after me :)
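The startup-location review PepiMK describes (real system file names in the wrong folder, or names that are one character off a real one) can be turned into a small check. The following is an added example for this thread, not code from the thread, from Spybot-S&D or from the Alyzer tools; it assumes a short stand-in list of well-known Windows binary names and their legitimate directories, and runs over constructed sample entries in place of a real autostart enumerator's output.

```python
"""
Startup-entry sanity checker: flags autostart entries whose file name is a
well-known Windows system binary living outside the system directories,
whose name is a near-miss of one (homoglyph swap or one edit away), or
whose base name shows up in more than one folder across the entry list.
Added example for this thread; not Spybot's or Safer Networking's code.
"""
import ntpath
from typing import Dict, List, Set, Tuple

# Assumption: a short stand-in for a full reference list of system binaries.
KNOWN_SYSTEM_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "smss.exe", "spoolsv.exe",
}
# Directories where those binaries legitimately live (lower-case, no trailing slash).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Common visual substitutions seen in look-alike names, collapsed before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def normalize(name: str) -> str:
    """Lower-case a file name and collapse common look-alike characters."""
    n = name.lower()
    for src, dst in HOMOGLYPHS:
        n = n.replace(src, dst)
    return n


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_entry(path: str) -> List[str]:
    """Return findings for one autostart path (empty list means nothing odd)."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower().rstrip("\\")
    findings: List[str] = []
    if name in KNOWN_SYSTEM_NAMES:
        if folder not in SYSTEM_DIRS:
            findings.append(f"system binary name '{name}' outside system directories: {folder}")
    else:
        for known in sorted(KNOWN_SYSTEM_NAMES):
            if normalize(name) == normalize(known) or edit_distance(name, known) == 1:
                findings.append(f"'{name}' looks like system binary '{known}'")
                break
    return findings


def audit(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Check every (label, path) pair; also flag a base name present in several folders."""
    report: Dict[str, List[str]] = {}
    seen_dirs: Dict[str, Set[str]] = {}
    for label, path in entries:
        name = ntpath.basename(path).lower()
        seen_dirs.setdefault(name, set()).add(ntpath.dirname(path).lower())
        findings = check_entry(path)
        if findings:
            report[label] = findings
    for label, path in entries:
        name = ntpath.basename(path).lower()
        if len(seen_dirs[name]) > 1:
            report.setdefault(label, []).append(
                f"'{name}' present in {len(seen_dirs[name])} different folders")
    return report


# Constructed sample data standing in for the output of a startup enumerator.
SAMPLE_ENTRIES = [
    ("Shell",      r"C:\Windows\explorer.exe"),
    ("NetSvc",     r"C:\Windows\System32\svchost.exe"),
    ("Updater",    r"C:\Users\Public\svchost.exe"),          # real name, wrong folder
    ("Helper",     r"C:\Program Files\Helper\svch0st.exe"),  # digit zero for letter o
    ("SyncAgent",  r"C:\ProgramData\Sync\isass.exe"),        # i for l
    ("BackupTool", r"C:\Program Files\Backup\backup.exe"),   # benign
]

if __name__ == "__main__":
    for label, findings in audit(SAMPLE_ENTRIES).items():
        print(label)
        for finding in findings:
            print("   -", finding)
```

On a real machine you would feed `audit` the label and path of each autostart entry as a tool like RunAlyzer lists them; a hit is a reason to look closer with FileAlyzer or a file hash lookup, not proof of infection, since legitimate software occasionally ships copies of system-named binaries.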

schitzn
2008-06-15, 12:13
I just stumbled across this article, which I think was written by Mr Kolla. It provides good grounds for classification. Is PepiMK Mr Kolla?

http://www.safer-networking.org/en/targetpolicy/index.html

spybotsandra
2008-06-16, 13:37
Yes, he is. *g* :crowned:

PepiMK
2008-06-16, 13:56
That article is many years old though. Not that age would make it invalid of course ;) But here is the official definition by the Anti-Spyware Coalition (http://antispywarecoalition.org/documents/DefinitionsJune292006.htm), which is kind of an industry-wide standard on naming these.