Twelve years ago “spyware” wasn’t in most people’s vocabulary, so early antispyware products like Ad-Aware and Spybot had to work on education. It’s not entirely clear which of them had the first full-scale antispyware—even Spybot’s creator isn’t sure. But Spybot was definitely one of the first. Spybot – Search & Destroy 2.0 is the first update in a long, long time. It’s now billed as a full antivirus that promises to destroy “spyware, malware, adware and other malicious software.” It does no such thing.
Spybot is free for non-commercial use, though the company solicits donations. The $13.99 Home edition adds scheduled scan and a couple other features, and eliminates the nag screens. For $24.99 you get the Professional edition which, among other things, gets you access to the protected repair environment and the ability to create rescue CDs. The core antivirus protection is the same.
Some earlier editions of the product included the oddly-named TeaTimer module for realtime protection against new malware attacks. The current edition is strictly a cleanup tool.
Spybot’s main window includes icons for common tasks like checking for updates, launching a scan, and checking files in quarantine. It even has an icon to donate money to the designers. Checking a box for Advanced User Mode reveals almost a dozen more icons, though not all of them are functional in the free edition.
I had no trouble installing Spybot on my twelve malware-infested test systems. Avira Antivirus Free 2013, AhnLab V3 Click, and several others had difficulty with installation on a system that will only boot in Safe Mode. V3 Click actually wouldn’t install at all. Spybot sailed through that installation just as it did the other eleven.
I frequently encounter problems after a scan due to over-zealous deletion of system files. F-Secure and VIPRE Antivirus 2013 needed tons of tech support work to restore damaged test systems. Spybot didn’t do any damage, but that’s because it didn’t do much of anything.
Dismal Malware Removal
I ran an initial update on each test system. Wow, the Spybot updater is loaded with unnecessary detail, including the precise version of every component file. Once the update completed, I launched a full system scan. Spybot offers to clean up temporary files before starting a scan; I accepted its offer.
My impression of a typical virus scan is that the antivirus looks at each file and checks whether it matches a signature, or a behavior pattern, or a heuristic signature. Judging from its progress display, Spybot instead goes through its list of known malware and checks whether each is present. I noticed some venerable names like Aureate and Virtumonde in the display.
On completion, Spybot displays everything it found. This includes various types of malware, but also includes insecure system settings, tracking cookies, recently-used file lists, and other distractions. It looks like a lot, but in fact on two of my test systems Spybot missed all three of the installed malware samples.
At the end of each scan, a window pops up explaining what to do “if you suspect that Spybot might not have detected some issues that other scanners have detected.” It offers to disable third party cookies (for whatever good that would do) or submit files for analysis.
Spybot detected just 32 percent of my current malware samples, knocking Anvi Smart Defender (which got 60 percent) out of last place. It did a terrible job removing the few samples it did find. Fully half of those were still running after Spybot’s supposed cleanup. Spybot’s overall score of 1.5 points is also a new low.
Terrible Rootkit Removal
Rootkit removal isn’t part of the main system scan. You have to enable advanced mode and launch it separately. It starts with a quick scan to see whether rootkits might be present. This scan came back positive on all of my test systems, even though only three actually contain samples that use rootkit technology. I continued to the deep scan on those three.
The rootkit scanner comes with a warning that it will find any program using rootkit technology, and that some may not be malicious. In fact, it found just one of my rootkit samples. I had to ask tech support what to do at this point. It turns out you need to double-click the item and choose to delete it. Spybot warns that the rootkit removal process may crash other programs; it did.
Spybot reported that it couldn’t delete the found item, but that it would be deleted upon reboot. Not true, unfortunately. After reboot the malware sample in question was still fully active. Spybot’s 0.6 points for rootkit removal isn’t the lowest score; that goes to Anvi, with a big fat zero. But it’s still impressively bad. For a description of my malware removal testing regimen, see How We Test Malware Removal.
Spybot – Search & Destroy 2.0 malware removal chart
The closest Spybot comes to realtime protection is a feature it calls Immunization. Clicking the icon puts you through a confusing welter of choices. First you choose full or customized immunization. If you go for the latter, you can preselect Firefox, Internet Explorer, Opera, or Windows. Do note that it’s still not at all clear what “Immunization” even means.
I believe that you’re supposed to get a further chance to fine-tune choices, choosing either Preselect or Select & Immunize. However, whichever button I chose, Spybot proceeded in the exact same way. This process seems way more complex than it needs to be.
The most important thing the immunization process does is add a list of known malware-hosting sites to the restricted list in your browsers. I tested it by attempting to download my current collection of malware again. It didn’t block access to any of the malware URLs involved.
Spybot packs a number of advanced features, some of them useful. It includes a startup program analyzer that tracks just about every Registry and file system location capable of causing a program to launch at startup. It’s very similar to the Microsoft tool Autoruns 9. A secure deletion tool will overwrite files from one to 35 times before deletion, preventing forensic recovery.
The system repair tool looks for errors and inconsistencies in the Registry, problems like Registry values that point to non-existent files. However, using it to clean up the found problems is an exercise in tedium. You must click Delete for each individual item. Worse, the dialog box changes size depending on the current item’s Registry key length, so the Delete button moves around. You can’t even button-mash to eliminate all items; you have to chase the moving Delete button. This is impressively dreadful interface design.
Anything but Spybot
The purpose of a cleanup-only antivirus is to power through situations where your full antivirus won’t install or can’t scan. Spybot passes one test for such a program, in that it had no trouble installing on infested systems. However, every other cleanup-only tool I’ve tested is vastly more effective than Spybot.
Any one of them would be a better choice, but Comodo Cleaning Essentials is our Editors’ Choice for free, cleanup-only antivirus. Malwarebytes’ Anti-Malware Free 1.51 is also effective.
| Tech Support | Forum, email, and wiki. |
| OS Compatibility | Windows Vista, Windows XP, Windows 7 |
Copyright © 2012 Ziff Davis, Inc