Tea Timer protection



hank07
2008-08-01, 19:52
Hello folks, this is my first time posting on this forum.

I've always understood Spybot's real-time protection (Tea Timer) to be a registry monitor. According to the help file, the current version of the Tea Timer extends beyond the registry:
"Spybot-S&D Resident watches all applications that are being started on your computer. It knows the same bad files as the on-demand scanner of Spybot-S&D, and if it encounters an application that is known as a threat, it will automatically terminate this application."

Does this mean that Tea Timer now functions as a full blown on-access scanner comparable to other real-time spyware scanners?

Regards,

md usa spybot fan
2008-08-01, 21:54
hank07:


... Does this mean that Tea Timer now functions as a full blown on-access scanner comparable to other real-time spyware scanners? ...
I don't know exactly what you assumed in asking that question, so I can only offer the following:

Since TeaTimer was introduced in Spybot 1.3 (spring 2004) it has always had two functions:
1. The monitoring of changes to certain system Registry keys such as System Startup, ActiveX Distribution Unit, Browser page and Browser Helper Object, etc. When any change is detected to these Registry keys, a pop-up dialog is issued asking you to allow or deny the change and whether you want TeaTimer to remember the decision.
2. The monitoring of processes that are initiated in the system. If the process being initiated matches a list of processes in Spybot's detection files, the process is terminated and a dialog is issued to notify you and allow you to make choices as to how to handle the same process during future detections.

In the most recent versions of Spybot, it appears that the second function has been extended (expanded) to scan processes already running in the system when TeaTimer starts as well as new processes started.

___________

I'm not exactly sure what you mean by "... now functions as a full blown on-access scanner ..." and "…comparable to other real-time spyware scanners".

If you can define what you mean by "... a full blown on-access scanner ...", perhaps someone can provide additional help.

In addition if you could indicate what other "… real-time spyware scanners" you were referencing, perhaps someone familiar with both products could provide a comparison.

drragostea
2008-08-01, 22:18
___________

I'm not exactly sure what you mean by "... now functions as a full blown on-access scanner ..." and "…comparable to other real-time spyware scanners".

If you can define what you mean by "... a full blown on-access scanner ...", perhaps someone can provide additional help.

In addition if you could indicate what other "… real-time spyware scanners" you were referencing, perhaps someone familiar with both products could provide a comparison.

It is possible that hank07 was referring to real-time protection offered by some anti-virus/spyware products. It is not specifically narrowed down to anti-virus products.

I think what hank07 meant was that he/she thought Spybot-SD's Resident TeaTimer was like a real-time protection, scanning files on write and open.

Example: You open a malicious file (unknown attachment) named "airlineticket07.pdf.exe" then your anti-virus/spyware will prompt you that the file is malicious with several options:
Delete the File
Attempt to Quarantine
Ignore

hank07
2008-08-02, 15:52
Thanks all for replying.

I was indeed trying to understand if Spybot's expanded Tea Timer behaves in a way comparable to real-time signature-based anti-spyware scanners such as Spyware Doctor (to name just one).
As drragostea explained, these scanners will compare the file on access (open/write) against their signature database and tag the files accordingly (malicious, suspicious, etc.).

From what I now understand, Tea Timer does not work with a signature database that recognises malware by its code, but with a list of allowed/forbidden processes. I assume that Spybot will recognise these processes by their executables and perhaps DLLs.

Greyfox
2008-08-02, 16:16
Hank07,

Reading through this thread will also add to your understanding of Teatimer.
http://forums.spybot.info/showthread.php?t=30994

drragostea
2008-08-02, 21:04
Also, if you hover over the TeaTimer icon in the taskbar, you can see the number of entries blacklisted. One example of why TeaTimer uses the blacklist is to prevent the execution of "dialers". Since dialers connect to the Internet and start charging, it is time-critical for TeaTimer to halt its actions.

TeaTimer monitors critical registry entries (new BHOs, startup entry, toolbars, homepage, etc.) too.
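
The two functions md usa spybot fan describes above (watched-registry change prompts with remembered decisions, and a process blocklist applied to running and newly started processes) can be modelled as below. This is an added example, not part of the thread and not Spybot's code; the class, the sample entries and the matching by executable file name are assumptions made for illustration.

```python
# Toy model of the two monitors described in the thread. All names and data
# are constructed for illustration; this is not Spybot's implementation.
WATCHED = ("Startup", "BrowserHelperObject", "BrowserPage")  # categories from the thread

class ResidentMonitor:
    def __init__(self, blocklist, baseline):
        # Assumption: blocked processes are matched by executable file name.
        self.blocklist = {name.lower() for name in blocklist}
        self.baseline = dict(baseline)   # (category, value name) -> data
        self.remembered = {}             # (key, data) -> "allow" or "deny"

    def check_registry(self, current, ask):
        """Compare watched entries to the baseline; return the denied keys."""
        denied = []
        for key, data in current.items():
            if key[0] not in WATCHED or self.baseline.get(key) == data:
                continue                              # unwatched or unchanged
            decision = self.remembered.get((key, data))
            if decision is None:
                decision, remember = ask(key, data)   # stands in for the pop-up
                if remember:
                    self.remembered[(key, data)] = decision
            if decision == "allow":
                self.baseline[key] = data             # accepted change is the new normal
            else:
                denied.append(key)                    # caller would revert this entry
        return denied

    def check_processes(self, processes):
        """Return PIDs to terminate. Run once over the already-running list
        at start-up, then again for each new process start."""
        return [pid for pid, exe in processes
                if exe.rsplit("\\", 1)[-1].lower() in self.blocklist]

def demo():
    # Constructed sample data: one known-good startup entry, one new entry.
    mon = ResidentMonitor(["dialer.exe"], {("Startup", "Sync"): r"C:\Tools\sync.exe"})
    prompts = []
    def ask(key, data):
        prompts.append(key)
        return "deny", True               # user denies and ticks "remember"
    current = {("Startup", "Sync"): r"C:\Tools\sync.exe",
               ("Startup", "FreeMinutes"): r"C:\Temp\dialer.exe"}
    first = mon.check_registry(current, ask)
    second = mon.check_registry(current, ask)   # remembered: no second prompt
    killed = mon.check_processes([(101, r"C:\Windows\explorer.exe"),
                                  (202, r"C:\Temp\Dialer.EXE")])
    return first, second, len(prompts), killed
```

Neither monitor inspects file contents on open or write, which is the distinction from an on-access scanner that the thread is drawing.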