How does SS&D work?



Korrel
2008-07-04, 05:39
Hi,

Since you see the progress bar showing one nasty after the other, I wonder how exactly SS&D works?

I mean other security and anti-malware programs work by checking each file after the other against the whole database of all nasty fingerprints, while SS&D "seems to" check the whole system in a fingerprint-by-fingerprint way.

So I really wonder, how can SS&D check the whole system * (the amount of nasties checked) so fast?

Or is this only because SS&D only checks the registry and not a single file on the hard disk?

:sick:

PepiMK
2008-07-04, 10:55
Take a look at your computer case's hard disk LED and you'll notice a lot of disk activity ;) Or just look into Task Manager if you enable the I/O ops. TeaTimer complains when you run known malware executables as well ;)

Checking on a per-file basis takes hours for a complete scan, if I look at the antivirus applications I've used over time. Checking just on a per-fingerprint basis wouldn't be useful either.

Spybot-S&D tends more to the latter, though. Malware has to register somewhere in the registry (or a win.ini or similar file) to run on system startup, for example, and Spybot-S&D can go from there and find the associated file. Or vice versa, locate a known file and from that go to the corresponding registry items. A simplified but detailed documentation is available on the wiki (http://wiki.spybot.info/).

If you zip up some malware and put it in a custom folder which is not listed in the download directories option, that would be a part of the "whole system" it won't see. But that is what I would call storing malware by user intention anyway - the malware that comes onto the system without your knowledge follows certain patterns, and after they've been analyzed, it can be found.

Here (http://forums.spybot.info/showthread.php?t=281) is also a nice description of how it protects live.
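The registry-first approach described in the post above, as an added example that is not Spybot's own code: each autostart value is resolved to the file it launches, that file is hashed, and the hash is compared against a fingerprint set. The Run values, the files and the "known bad" hash are all constructed in memory so the script runs offline on any OS; on a Windows host the entries would instead be enumerated from the `...\CurrentVersion\Run` keys and read with `read_from_disk`.

```python
import hashlib
import re

# Constructed in-memory "files" and Run values so this runs offline; the fingerprint
# is the SHA-256 of made-up bytes, not of any real program.
SAMPLE_FILES = {
    r"C:\Windows\system32\goodtool.exe": b"MZ benign sample",
    r"C:\Users\me\AppData\Roaming\updater.exe": b"MZ unwanted sample",
}
KNOWN_BAD = {hashlib.sha256(b"MZ unwanted sample").hexdigest()}
RUN_ENTRIES = {  # values as they would be stored under ...\CurrentVersion\Run
    "GoodTool": r'"C:\Windows\system32\goodtool.exe" /background',
    "Updater": r"C:\Users\me\AppData\Roaming\updater.exe -silent",
    "Stale": r"C:\gone\removed.exe",  # dangling entry: the file is gone
}

def executable_from_command(cmd):
    """Program path from a Run value: quoted path + args, or unquoted (cut after '.exe')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ", 1)[0]

def read_from_disk(path):
    """File reader for a real host; raises FileNotFoundError for dangling entries."""
    with open(path, "rb") as f:
        return f.read()

def scan_autostart(entries, known_bad, read_file):
    """Registry-first scan: resolve each autostart value to its file, hash it and
    report (value name, path, sha256) on a match; dangling entries are skipped."""
    hits = []
    for name, cmd in entries.items():
        path = executable_from_command(cmd)
        try:
            data = read_file(path)
        except (FileNotFoundError, KeyError):
            continue  # nothing on disk to fingerprint
        digest = hashlib.sha256(data).hexdigest()
        if digest in known_bad:
            hits.append((name, path, digest))
    return hits

if __name__ == "__main__":
    # SAMPLE_FILES.__getitem__ stands in for read_from_disk against the constructed data
    for name, path, digest in scan_autostart(RUN_ENTRIES, KNOWN_BAD, SAMPLE_FILES.__getitem__):
        print(f"{name}: {path} matches fingerprint {digest[:16]}...")
```

Only files that an autostart entry actually points at are read, which is why such a scan touches far fewer files than a per-file antivirus sweep.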

blues
2008-07-04, 12:34
There is just disc activity sometimes when I scan with Spybot, but there is more disc activity when using other scanners. I think I have read somewhere that Spybot scans mostly the registry, and scans for malicious files only after it detects something in the registry that belongs to those files, but I hear disc activity sometimes, so it is scanning files without detecting anything on my computer.

I hope you understand what I write; there may be misspellings and other errors.

Korrel
2008-07-05, 23:35
Thanks, I'm a lot more "knowledged" now....

Although, just this last question: so SS&D scans for known fingerprints in the registry...

BUT.... perhaps the most important one:

Does SS&D also scan all possible "autorun" and "drivers to load" items in the registry, and thus also what files are actually being run on startup, as drivers, as added payload to any possible Windows configuration console, etc., etc.? IIRC, most malware doesn't add any fingerprint in the registry but only adds some autorun (even undocumented) ways of getting the malware to become active at system startup or at random (for example when opening the Device Manager/Power Options Console/Printing Configuration console, etc., etc.).