Spybot Live Protection Annoying



dj.turkmaster
2013-05-25, 00:38
Hello, I have been a fan of Spybot for a long time; I even translated the old 1.x version of Spybot to Turkish.
So I have purchased Spybot Professional edition v 2.1 without hesitation. But the live protection is very annoying. I have enabled live protection and checked all the checkboxes in there. (Scan programs before they start, scan using AS, scan using AV)


Now it displays a popup on the lower left corner of the screen whenever it scans a process. I think this is not needed, as it is the main job of AV applications to scan all started processes. And I do not need to be notified of each scanned process. So here is your scrum user story ( agile developers will know what I mean :) ) As a user I already assume that all processes are being scanned and that I am in safety so I don't need a notification.

Also the scan progress is too slow. It almost takes up to 10 seconds on a 4 core 2.3 GHz machine with 8 GB RAM. And this situation delays program startup time. For instance, all Chrome tabs are opened as a new process. So when I open a new tab, Spybot starts scanning and in the meantime I write a URL and hit enter, but it doesn't have any effect. To be able to open a web page the scan process must be completed, which is unbearably slow.

And I do not think disabling the live protection is a workaround :) It should be blazing fast.

P.S.: In the meantime SpybotAV detected my own keylogger which I coded :)

bbnetwork
2013-05-27, 12:27
Hi dj.turkmaster,

the problem (not sure if you can call it this) of "the scan progress is too slow" is as old as real-time protection in antivirus solutions.
Actually Spybot only scans executables, and not, like other AV, any file created or read, so it's not too bad for Spybot. About the time of 10 seconds on a 4 core 2.3 GHz machine with 8 GB RAM, I don't know if 10 seconds are really a long time... but it also may depend on the size and style of the application which is actually getting scanned.

About the notification windows which you mention, well, somehow you are right, it's not really needed, but I don't think the scan would be much faster if the notification were not there. And since you correctly mention the delay (caused by the scan) when an application starts, many users would be wondering why their application doesn't start if there were no notification visible.

The issue about Chrome tabs I can confirm, but this is related to how Google designed their browser.

And there is still the option of creating a whitelist on a new system - once this is completed, it helps a little.

dj.turkmaster
2013-05-27, 19:29
Hi bbnetwork,

We all have used other AV solutions and I have never encountered my Chrome tabs being useless for seconds. And 10 seconds is really too much for an executable. It must be under a second; even if it must take seconds to complete a scan, there must be a workaround other than blocking the executable for seconds. I am also a developer in a network security company so I count myself somewhat knowledgeable in this area, and I will try to suggest a solution for this particular problem.

I think that spikes and peaks like this must not happen. I mean blocking an executable for seconds. This is not acceptable. But in my opinion a steady high memory usage of a program is acceptable. Or a continuous 5% usage of a CPU is much more acceptable than blocking an executable for seconds.
Maybe Spybot should scan the executables in the background all the time. And it should automatically whitelist clean executables (maybe storing the md5 of the executable in memory). And when the executable is run, Spybot should just check the md5 of the executable, and if it hasn't changed, there is no need to scan it. There may be faster and more correct approaches than the md5 method.

And by the way I would like to know more about how live protection works if I may.

I have unchecked the option "Scan programs before they start" but live protection is still active. If it doesn't scan programs before they start, what does live protection actually do?

My second question is that I may check "Scan programs before they start" option, but I may leave the other two checkboxes (scan using AV and scan using AS) unchecked. What happens in this case?

Thanks
Alptugay Değirmencioğlu

bbnetwork
2013-05-28, 14:57
I think that spikes and peaks like this must not happen. I mean blocking an executable for seconds. This is not acceptable. But in my opinion a steady high memory usage of a program is acceptable. Or a continuous 5% usage of a CPU is much more acceptable than blocking an executable for seconds.
Maybe Spybot should scan the executables in the background all the time. And it should automatically whitelist clean executables (maybe storing the md5 of the executable in memory). And when the executable is run, Spybot should just check the md5 of the executable, and if it hasn't changed, there is no need to scan it. There may be faster and more correct approaches than the md5 method.

I suggested during the Beta for Spybot 2.1 that applications should be scanned only once, or if their signature or checksums changed, and that there should be a list of known-good applications (with a valid digital signature) that are not scanned. Maybe in a future release of Spybot this will be possible.




And by the way I would like to know more about how live protection works if I may.

I have unchecked the option "Scan programs before they start" but live protection is still active. If it doesn't scan programs before they start, what does live protection actually do?

My second question is that I may check "Scan programs before they start" option, but I may leave the other two checkboxes (scan using AV and scan using AS) unchecked. What happens in this case?

Thanks
Alptugay Değirmencioğlu

To Question 1:
The live protection works in 3 steps: 1. the live protection driver needs to be installed; 2. the live protection needs to be running in the background; and 3. the live protection needs to be active.
If you unchecked the option "Scan programs before they start", this means the live protection is still running in the background (it's also still needed for a full system scan) but does not scan starting applications.

To Question 2:
This is actually a good question (Lol :) ) - I'm not sure - I think Spybot only looks at whether it knows the application or not, else nothing happens; at least I have not seen Spybot doing anything with this selection - but maybe someone official from the Spybot staff can give you a better answer on this, because I'm also only a user.

dj.turkmaster
2013-05-28, 22:26
I suggested during the Beta for Spybot 2.1 that applications should be scanned only once, or if their signature or checksums changed, and that there should be a list of known-good applications (with a valid digital signature) that are not scanned. Maybe in a future release of Spybot this will be possible.

That would be nice. However I wonder what @PepiMK thinks about this?



To Question 1:
The live protection works in 3 steps: 1. the live protection driver needs to be installed; 2. the live protection needs to be running in the background; and 3. the live protection needs to be active.
If you unchecked the option "Scan programs before they start", this means the live protection is still running in the background (it's also still needed for a full system scan) but does not scan starting applications.

Okay, the live protection is still running in the background but does not scan starting applications. So what does it do? What kind of protection does it provide?





To Question 2:
This is actually a good question (Lol :) ) - I'm not sure - I think Spybot only looks at whether it knows the application or not, else nothing happens; at least I have not seen Spybot doing anything with this selection - but maybe someone official from the Spybot staff can give you a better answer on this, because I'm also only a user.

I hope @PepiMK will write something to this post then.

Thanks for your replies bbnetwork :)

PepiMK
2013-05-29, 11:53
I have unchecked the option "Scan programs before they start" but live protection is still active. If it doesn't scan programs before they start, what does live protection actually do?

My second question is that I may check "Scan programs before they start" option, but I may leave the other two checkboxes (scan using AV and scan using AS) unchecked. What happens in this case?

Actually, the Scan using... checkboxes were intended to be removed in the final, but must have slipped through somehow. Scan using AS is the culprit that slows things down a lot; using just Scan using AV, which is the default, it should be much faster. And with no less protection - it scans just files really, but including AS files, and as soon as something was actually found, the additional full AS engine is included anyway (but isn't needed there when protecting starting apps). I apologize for that not having been removed from the user interface and the confusion it created!

With the Scan programs before they start checkbox unchecked, the Live Protection is still in place, but will simply allow programs to be started without any delays. This will come in useful in a later release when the Live Protection will not just monitor process starts (e.g. we have Live Protection hooks ready for scanning downloads of the typical wininet.dll malware downloader stub type). Currently, it's mostly a fast (no reboot needed) on/off method.

The notification window will only appear if the scan takes longer than a certain time, meaning if you've got the AV option checked, but not the AS one, it won't usually appear.

You can control it using unofficial settings by changing these registry settings:

HKEY_CURRENT_USER\Software\Safer Networking Limited\Spybot - Search & Destroy 2\OnAccess\
ShowPopup = 0/1
PopupShowDelay = <number of milliseconds>
PopupMinimumDuration = <milliseconds>
Location = 0=nowhere, 1=top, 2=bottom, 3=top left, 4=top right, 5 = bottom left, 6 = bottom right

Some types of optimization:

OS whitelist checks - if a file to be scanned is known to us as belonging to an OS (by hash, files analyzed and listed by us), it won't be scanned. This works only on English, German, partially French Windows releases currently (and others where the language is MUI only).
Software whitelist checks - we've got a growing list of analyzed "good" software. Files identified as such won't be scanned.
MRU background scans - when the system is idle, Spybot will check various lists of most recently used programs and scan these in the background. There's a Windows Scheduled Task you can use to fine-tune the schedule for this.
Chrome shouldn't delay since once a process has been scanned, unless it was modified, it won't be fully scanned again. Unless there are updates downloading in the background - with each updated file, the cache remembering the session's results is cleared (new signatures might identify something that was previously missed)!
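
Added example, not part of the original thread and not Spybot's code: a minimal sketch of the scan-result cache discussed above, where a file is fully scanned once, skipped while its content hash is unchanged, and rescanned after a signature update. It uses SHA-256 in place of the md5 suggested in the thread; `ScanCache`, `toy_scanner` and the sample file are hypothetical names and constructed data.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def toy_scanner(path):
    """Hypothetical stand-in for the full engine: clean unless a marker is present."""
    return b"EVIL" not in Path(path).read_bytes()

class ScanCache:
    """Remembers verdicts per content hash for one signature version."""
    def __init__(self, scanner, signature_version):
        self.scanner = scanner
        self.signature_version = signature_version
        self.verdicts = {}      # digest -> True (clean) / False (flagged)
        self.full_scans = 0     # how often the slow path actually ran

    def update_signatures(self, new_version):
        # New signatures may catch something missed earlier: drop all verdicts.
        if new_version != self.signature_version:
            self.signature_version = new_version
            self.verdicts.clear()

    def check(self, path):
        digest = file_digest(path)
        if digest not in self.verdicts:      # unseen or modified content
            self.full_scans += 1
            self.verdicts[digest] = self.scanner(path)
        return self.verdicts[digest]

def demo():
    """Constructed scenario: start, restart, modify file, update signatures."""
    cache = ScanCache(toy_scanner, signature_version=1)
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "app.exe"
        exe.write_bytes(b"MZ constructed sample")
        results = [cache.check(exe), cache.check(exe)]  # second start: cache hit
        after_restart = cache.full_scans
        exe.write_bytes(exe.read_bytes() + b" EVIL")    # file modified on disk
        results.append(cache.check(exe))                # new hash: rescanned
        cache.update_signatures(2)
        results.append(cache.check(exe))                # cache cleared: rescanned
    return results, after_restart, cache.full_scans
```

Hashing still reads the whole file on every start, so the saving is the engine's scan time, not the disk read.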