Blocking processes (Spybot 1.5/TeaTimer beta)...
I was wondering if it was possible to add entries to the list of processes to be blocked in TeaTimer.
This would allow me to block certain things that get put back into the startup items when their parrent application is run, as well as block people from launching applications that I don't want to have running on my computer.
Yes, it's kind of possible. Not through the GUI, but through a custom .sbi file. There's a documentation out there somewhere on this forum... we probably should make it up-to-date and put it in an easier to find place
Create a GT500.sbi file, for example, with the following contents:
This somewhat easier .sbi plaintext format is exactly for purposes like yours - users defining their own rulesCode:// info: GT500s blocks :: SomeProductNameHere File:"Description","C:\Test\XYZ\HelloWorld.exe","filesize=X,md5=Y" AutoRunByFilename:"*\HelloWorld.exe","","filesize=X,md5=Y"Size and MD5 are easy to get through FileAlyzer; TeaTimer will also catch it through the first line, the second is to find startup entries on a regular scan.
You need to restart TeaTimer after creating this file.
Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)
Are the filesize and MD5 hash required, or can I leave those out (granted I'll probably have found the answer by the time you read this)? I would prefer to block the process by filename alone.
Also, is the filesize the size in bytes?
Last edited by GT500; 2007-06-26 at 14:28.
That thing between the quotes is actually quite flexible; next to filesize= and md5=, it understands dozens and dozens of different parameters. You can skip both of course, but probably should at least use some dummy "filesize>=1" or similar between those last quotes in each line, because TeaTimer might ignore silly "name-only" references as being to generic.
edit: And yes, file size is in bytes, no dots or commas as thousand separators please
Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)
It works perfectly.
I've been looking for something with this kind of functionality for many years, and it's nice to see my favorite anti-spyware software have it built-in.
Oddly enough I never made much use of TeaTimer, mostly because I always felt like it was asking me about the same thing over and over again. I like the improvements to TeaTimer in Spybot 1.5, and I look forward to using it on all of my Windows machines from now on.
BTW: Could an option be added to the right-click context menu for the TeaTimer system tray icon that launches Spybot's updater (preferably with administrative rights when needed)? Now that the updater is seperate from Spybot, it shouldn't be too hard to do.
Edit: Also, I've noticed that TeaTimer is not capable of blocking 64-bit applications. I assume that this is because TeaTimer is 32-bit?
Last edited by GT500; 2007-06-26 at 15:07.
It's not monitoring 64 bit processes?
Hmm... we basically have two modes to check processes; one is compatible to 64 bit, but responsible for some of the page faults people have noticed in task manager (which are not really "faults" in the context of errors). The other is 32 bit only. TeaTimer should use the appropriate one, so it should be able... I'll check that!
Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)
If you want to test out my definition file on a 64-bit version of Windows, and see what might be going on, you can download it here. It's a fairly simple file (basically block all processes named "iexplore.exe") so it should work for both 32 and 64 bit (as far as I know, that is).
Problem found and fixed
Btw, with the next release, you can make the full path clearer (right now that would accidently match to only one of the two versions):
Though that would let it find iexplore.exe during a normal Spybot scan as well, which might not be wantedCode:File:"Internet Explorer web browser","<$PROGRAMFILES>\Internet Explorer\iexplore.exe","filesize>=1"
There'll be a new Tools.dll, as well as an update to TeaTimer in the next 1.5 beta (and this was about the last thing on the list).
Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)
I'll make sure to look for the new beta when it's out, and try the new TeaTimer.
Thanks for the bug fixes.
Posting Permissions
