Blocking processes (Spybot 1.5/TeaTimer beta)...

G

GT500

New member
I was wondering if it was possible to add entries to the list of processes to be blocked in TeaTimer.

This would allow me to block certain things that get put back into the startup items when their parrent application is run, as well as block people from launching applications that I don't want to have running on my computer.
 
Yes, it's kind of possible. Not through the GUI, but through a custom .sbi file. There's a documentation out there somewhere on this forum... we probably should make it up-to-date and put it in an easier to find place ;)

Create a GT500.sbi file, for example, with the following contents:
Code: 
// info: GT500s blocks

:: SomeProductNameHere
File:"Description","C:\Test\XYZ\HelloWorld.exe","filesize=X,md5=Y"
AutoRunByFilename:"*\HelloWorld.exe","","filesize=X,md5=Y"
This somewhat easier .sbi plaintext format is exactly for purposes like yours - users defining their own rules :) Size and MD5 are easy to get through FileAlyzer; TeaTimer will also catch it through the first line, the second is to find startup entries on a regular scan.

You need to restart TeaTimer after creating this file.
 
Are the filesize and MD5 hash required, or can I leave those out (granted I'll probably have found the answer by the time you read this)? I would prefer to block the process by filename alone. ;)

Also, is the filesize the size in bytes?
 
Last edited:
That thing between the quotes is actually quite flexible; next to filesize= and md5=, it understands dozens and dozens of different parameters. You can skip both of course, but probably should at least use some dummy "filesize>=1" or similar between those last quotes in each line, because TeaTimer might ignore silly "name-only" references as being to generic.

edit: And yes, file size is in bytes, no dots or commas as thousand separators please :)
 
It works perfectly. ;)

I've been looking for something with this kind of functionality for many years, and it's nice to see my favorite anti-spyware software have it built-in.

Oddly enough I never made much use of TeaTimer, mostly because I always felt like it was asking me about the same thing over and over again. I like the improvements to TeaTimer in Spybot 1.5, and I look forward to using it on all of my Windows machines from now on. :bigthumb:
 
BTW: Could an option be added to the right-click context menu for the TeaTimer system tray icon that launches Spybot's updater (preferably with administrative rights when needed)? Now that the updater is seperate from Spybot, it shouldn't be too hard to do. ;)

Edit: Also, I've noticed that TeaTimer is not capable of blocking 64-bit applications. I assume that this is because TeaTimer is 32-bit?
 
Last edited:
It's not monitoring 64 bit processes?
Hmm... we basically have two modes to check processes; one is compatible to 64 bit, but responsible for some of the page faults people have noticed in task manager (which are not really "faults" in the context of errors). The other is 32 bit only. TeaTimer should use the appropriate one, so it should be able... I'll check that!
 
If you want to test out my definition file on a 64-bit version of Windows, and see what might be going on, you can download it here. It's a fairly simple file (basically block all processes named "iexplore.exe") so it should work for both 32 and 64 bit (as far as I know, that is).
 
Problem found and fixed :) Thanks for reporting this, did help find another small bug as well ;)
Btw, with the next release, you can make the full path clearer (right now that would accidently match to only one of the two versions):
Code: 
File:"Internet Explorer web browser","<$PROGRAMFILES>\Internet Explorer\iexplore.exe","filesize>=1"
Though that would let it find iexplore.exe during a normal Spybot scan as well, which might not be wanted ;)


There'll be a new Tools.dll, as well as an update to TeaTimer in the next 1.5 beta (and this was about the last thing on the list).
 
I'll make sure to look for the new beta when it's out, and try the new TeaTimer.

Thanks for the bug fixes. ;)
 
SBI file for registry change

There's a process (webshots) that insists on adding a startup entry in the registry every time I use it. I'd rather not have it running in the background, nor adding the entry every time I remove it. Teatime doesn't see it AT ALL, so someone pointed me to this thread. However, I see that the example is for running a file. I run Webshots once every day or two, so I don't want the application blocked; only the registry change.

1) Can the SBI file force Teatimer to see the process?
2) How would I add the registry change to the blacklist using an SBI file?

Thanks for your help.
 
You must log in or register to reply here.
Back
Top