View Full Version : The mysterious "SD Helper"
Spybot says it is IE "bad download blocker". A bit vague .
Spybot's real time protection has URL blocking (HOSTS file), Active-X execution protection and URL restriction ("Immunize') and Registry change monitoring and malious process blocking (Tea Timer). So what exactly is SD Helper monitoring when Spybots real time protection has the above covered? What exactly is SD Helper blocking? Certain files with certain extentions? Websites? Even more processes then Tea Timer blocks? The documention is scarce it seems.
I use a few other real time protection tools (IE-Spyad, MVP HOSTS, Process Guard, SpywareBlaster) and am trying to predict any real time conflicts with Spybot real-time. Not an easy thing not knowing SD Helper's actual funtionality.
Any information is appreaciated.
spybotsandra
2006-10-25, 13:32
Hello,
The resident section of Spybot - Search & Destroy is devided into two parts: the SDHelper and the TeaTimer.
The *Resident TeaTimer* is a Spybot-S&D tool perpetually monitoring the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options how to deal with this process in the future: You can set TeaTimer to:
- be informed, when the process tries to start again
- automatically kill the process
- or generally allow the process to run
There is also an option to delete the file associated with this process.
In addition, TeaTimer detects, when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either "Allow" or "Deny" the change.
As TeaTimer is always running in the background, it takes some resources of about 5 MB.
The *SDHelper/Immunize*
Beginning with version 1.2, Spybot-S&D allows you to immunize your computer against some spyware. It currently offers three different immunities:
Permanent Internet Explorer immunity: Similar to JavaCools SpywareBlaster, this allows you to tweak some internal Internet Explorer settings to block the installation of known spyware (and similar threats) installers via ActiveX. Spybot-S&D is able to set all entries for those that are in its database to be blocked. If you want to distinguish, you should install SpywareBlaster.
Permanently running bad download blocker for Internet Explorer: This is a second layer of protection for IE. While the Permanent Immunity blocks installers by their ActiveX ID, this one blocks anything that should come through by different aspects.
Thatīs the way to activate it: run Spybot-S&D, switch to the "Advanced mode" via the menu bar item "Mode" --> hit "YES" --> select "Tools" in the navigation bar on the left --> "Resident" and there you can tick the checkboxes in front of the two tools. There you can also view a log of blocked installers.
Best regards
Sandra
Team Spybot
Permanently running bad download blocker for Internet Explorer: This is a second layer of protection for IE. While the Permanent Immunity blocks installers by their ActiveX ID, this one blocks anything that should come through by different aspects.
Perhaps a user could shed some light on exactly, just what exactly these "different aspects" might be. Anyone have any log entries on what SD Helper has blocked for you?
Seems like all the other aspects of Spybots real-time protection are well and fully documented, however the SD Helper function remains a mystery to me. I am sure I am not the only one.
I just don't want to have a duplication of protection with my other real time protections.