Many years ago, when the concept of spyware was brand new, defending against attacks such as toolbars that stole personal data was considered a different task than antivirus protection. In those long-ago days, Spybot – Search & Destroy ruled the spyware protection field. Modern antivirus programs handle a wide variety of malware, including viruses, Trojans, ransomware, and yes, even spyware. Spybot doesn’t aim to replace your antivirus, but rather to run alongside it in partnership. Our testing suggests, however, that even if you do need that kind of support for your antivirus, Spybot doesn’t provide it.
The web page for this free product says, “Spybot is different. Spybot uses a unique technique to find the spyware, adware and more unwanted software that threatens your privacy that others don’t find.” The paid edition adds real-time protection, full-range antivirus scanning, scheduled updates, and a collection of bonus tools.
Getting Started With Spybot
On the home page of Spybot’s website, you’ll find Professional, Home, Corporate, and Technician editions of the commercial Spybot, but not the free version. On the product page, the free edition appears, but with a Donate button where the others have prices. Clicking around the site, I didn’t manage to find a link to download the free edition without a donation. Fortunately, Google turned it up easily enough.
The download page lists numerous mirror sites that were totally unfamiliar to me, along with three owned by the company, marked “ad-free.” I used one of those three. I’m accustomed to seeing free products that nudge you to upgrade to a paid edition. Avast Free Antivirus comes to mind. This combination of ad-supported downloads and shareware-like donation requests is unusual.
I also must point out that some of the donation requests embedded in the program are misleading. For example, one says, “You know, a good horse is expensive…A Trojan horse even more so. Donate now.” Given that the free product does not attempt to remove Trojan horse malware, even if you donate, that’s not such a good message.
During installation you make a clear choice of “I want to be protected without having to attend to it myself” or “I want more control, more feedback and more responsibility.” The former is the default. For testing purposes, I naturally chose the latter.
By default, Spybot checks for updated malware signatures at first launch. That’s essential, because out of the box the product doesn’t have any signatures. Updating is a manual affair, unless you spring for a paid edition. You can apparently set an update task using the very awkward Windows Task Scheduler, as you can with Microsoft Windows Defender Security Center, but I doubt many users do.
Once you’ve finished that quick signature update, you see the Start Center, Spybot’s main window. Three buttons let you launch a scan, check for updates, or do something called Immunization. More about Immunization later.
Scanning With Spybot
As noted, Spybot reserves automatic updates for paying users. Don’t forget to update manually each time before you run a scan.
A full scan of my standard clean test system took 23 minutes, quite a bit less than the current average of a bit over an hour. I could see in the scan progress display that it works differently from most competitors. Where most antivirus products scan each file to see if it’s malicious, Spybot apparently works through a list of spyware and adware to see if they’re present, displaying a name like topdeblogs.comuard or topdeblogs.com for each.
Spybot didn’t find any spyware on this clean system, naturally, but it did turn up a collection of browser tracks, lists of recent files, and other potential targets for snoops. When I clicked Fix Selected, it did the job in a flash.
I follow regular reports from four independent antivirus testing labs, but none of the reports include data on Spybot’s capabilities. In addition, my own hands-on malware protection test isn’t relevant, because the free Spybot doesn’t include real-time protection. As with Malwarebytes and FixMeStick, I had to test Spybot by repeatedly letting a handful of samples install and then challenging it to remove them. I didn’t use any ransomware samples, because there’s no point in removing those after they’ve done their dirty deeds.
Limited Malware Removal
Normally I test malware protection by invoking the antivirus product’s real-time protection. For some, scanning kicks in as soon as I open a folder containing my samples. Others scan when I click on the samples, or move them to a new folder. Still others, including McAfee AntiVirus Plus and Avast, only scan when a program tries to launch.
Spybot does none of these, as its free edition doesn’t have a real-time protection component. Rather, you use it to scan and remove malware that’s already present. That being the case, I tested it by installing a few malware samples at a time and challenging it to remove them.
I got through more than half my samples before seeing Spybot take any action other than removing usage traces. That first hit was a keylogger, the kind of thing you’d expect an antispyware program to handle. In the end, it detected just 15 percent of my samples, and for all but one of those it left behind two-thirds or more of the associated executable files. On a scale from 0 to 10 points, it earned less than one point.
To be fair, my samples cover all types of malware, many of them not covered by Spybot. I did leave out the ransomware, but the collection includes Trojans, droppers, spyware, adware, and more. It’s not fair to score Spybot against full-scale antivirus tools such as Webroot SecureAnywhere AntiVirus, which earned a perfect 10 points. But even looking just at adware, spyware, and such, Spybot only detected half the samples.
It’s really not clear to me what benefit you’d get by adding this to a product like Norton, McAfee, G Data Antivirus, or any of the other products that scored in the high 90s for malware detection.
Spybot’s Immunization tool configures your system and your browsers to block almost 200,000 known malware-hosting URLs. Using the Windows HOSTS file, it redirects these addresses to a local-only URL, making it impossible for any program to connect with them. It also configures your browsers to block these sites.
When I clicked to enable Immunization, the program offered to do a full job, or let me customize. There’s no reason to customize, so I chose the full job. I accidentally clicked to check immunization status before running the immunization process. Confusingly, it reported that zero of 192,168 entries were immunized, leaving 191,974 unprotected. Why weren’t those numbers the same?
In any case, modern malware coders don’t use static domains to distribute their nasty software. Many change domains regularly. Some serve up a slightly different URL every time. I thought that a comment at the end of the HOSTS file, stating that the list is “Copyright 2000-2017,” meant the list might be three years out of date. My company contact explained that despite this line the signature database is up to date.
My malicious URL blocking test starts with a feed of recent malware-hosting URLs found by researchers at MRG-Effitas. I launch each one and note whether the antivirus blocks access to the URL, recognizes and eliminates the malware download, or does nothing. Since Spybot doesn’t have real-time malware detection, I simply recorded whether it blocked URL access.
Usually I go for 100 verified URLs before running the numbers, but in Spybot’s case I stopped at 50, because it didn’t block even one. To be sure I wasn’t missing something, I redirected PCMag’s website using the HOSTS file, the same way the immunization process did for known bad sites. When I tried to visit PCMag, I got an error saying, “The site can’t be reached,” as expected. That didn’t happen with any of the test URLs.
Skimming the HOSTS file, I noticed that the listed URLs mostly had simple names like topdeblogs.com or topdeblogs.com. The real-world malware-hosting URLs in my test ran to a few like that, but most were visibly more complex, things like topdeblogs.com or topdeblogs.com or topdeblogs.com.
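The HOSTS-file check described above can be reproduced offline. The following is an added example, not code from the original review or from Spybot: it parses HOSTS text, collects the names mapped to a local-only address, and measures how much of a URL feed those exact-name entries cover. The sink addresses, the `.example` hostnames and the feed are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: addresses treated as "local-only" sinks for blocked names.
SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content (reserved .example names, not real entries).
SAMPLE_HOSTS = """\
# Start of constructed immunization entries
127.0.0.1  badsite.example
127.0.0.1  ads.tracker.example  www.tracker.example   # two names, one line
192.0.2.10 intranet.example     # ordinary mapping, not a block
"""

# Constructed URL feed standing in for a list of verified bad URLs.
SAMPLE_FEED = [
    "http://badsite.example/setup.exe",        # exact name: blocked
    "http://ADS.Tracker.example/banner.js",    # names are case-insensitive
    "http://cdn7.badsite.example/setup.exe",   # subdomain: HOSTS has no wildcards
    "http://198.51.100.7/setup.exe",           # IP literal: no name lookup at all
    "http://fresh-domain.example/setup.exe",   # not on the static list
]

def parse_hosts(text):
    """Return the hostnames that the HOSTS text maps to a sink address."""
    blocked = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in SINKS:
            blocked.update(name.lower() for name in fields[1:])
    return blocked

def is_blocked(url, blocked):
    """True only if the URL's exact hostname is sinkholed."""
    host = urlsplit(url).hostname   # urlsplit already lowercases the hostname
    return host is not None and host in blocked

def coverage(urls, blocked):
    """Return (blocked_count, total, missed_urls) for a URL feed."""
    missed = [u for u in urls if not is_blocked(u, blocked)]
    return len(urls) - len(missed), len(urls), missed

if __name__ == "__main__":
    hits, total, missed = coverage(SAMPLE_FEED, parse_hosts(SAMPLE_HOSTS))
    print(f"blocked {hits}/{total}")
    for url in missed:
        print("missed:", url)
```

Run against a real HOSTS file and a current feed, the list of missed URLs shows whether the gaps come from subdomains, IP-literal URLs, or hosts that are simply absent from the static list.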
My company contact did state, “Malware URLs often live only a few days, so URL blocking most often is outdated these days.” That may be so, but some products do extremely well in this test. McAfee, Sophos Home Free, and Vipre all managed 100 percent protection.
Note, too, that not all of these success stories stem from reliance on real-time antivirus scanning. Vipre Antivirus Plus in particular blocked 95 percent of the nasty URLs by keeping the browser away from them.
Products like Vipre and Trend Micro Antivirus+ Security (which detected 96 percent of risky URLs) definitely don’t rely on a three-year-old static list. They’ll block a known and blacklisted site, of course, but they also use heuristic detection to block brand new sites with dangerous contents.
Ineffective File Scan
When I last reviewed the free Spybot tool, I reported on a variety of other scan choices. I thought at first that the company had removed these, since the Advanced User Mode option that revealed them no longer appears. It turns out that in the current edition, you must first click a small link labeled Show details and then turn on Advanced User mode.
With Show details enabled, you see that Spybot includes a File Scan module in addition to the full system scan. You simply drop the files you want scanned onto this module. I dropped my folder of malware samples onto it and got a warning: “The scanner queue might get quite large,” even though I only dropped four dozen files! As the scan ran, the status for each file changed from “queued” to “clean.” Yes, it reported all of them as clean and safe. Spybot didn’t merely express that the files weren’t known to be trouble, it actively reported them as safe.
This erroneous greenlight activity included the static installers for the spyware samples that it detected in earlier testing. It also included almost a dozen virulent ransomware samples.
In the Show details mode, you get direct access to the Quarantine folder. Here you can review the files quarantined by Spybot, as well as the usage tracks removed. If necessary, you can undo the quarantine action for specific items.
When you check the box for Advanced User mode, icons for nearly a dozen additional features appear. Some of them aren’t available in the free edition, but these are not identified in any way, not like the lock icon you see in products such as Avast, AVG AntiVirus Free, and Kaspersky’s free version. You find out they’re unavailable when you attempt to launch them. Restricted components include System Repair, Secure Shredder, Phone Scan, Boot CD Creator, Script Editor, and Repair Environment. Annoyingly, launching any of the available advanced modules requires an additional User Account Control confirmation, sometimes more than one.
A speedy Rootkit Scan checks for programs hiding from view by the operating system, though it notes that these may not be malware. There’s an option to run a deeper scan for rootkits. You can launch Report Creator to generate a log that you can share with tech support.
Most malware must launch every time Windows boots, so a tool that reports on everything that launches at startup can be handy for malware experts. This isn’t like the simple startup management found in Norton AntiVirus Plus and G Data. Clicking Startup Tools gets you an overwhelming list of absolutely everything that launches at startup. You can reversibly disable items, but you don’t get the option to have them launch after a delay. If you’re not a malware expert, you can still use it to generate two kinds of logs for analysis by tech support.
This mode also offers clear access to the program’s configuration settings. There are 13 tabs in the settings dialog, but most users should take a hands-off policy. The one tab that might prove useful to the non-techie customer is called Dialogs. It lets you suppress unwanted notifications or restore popup notifications for which you clicked “Don’t show this again.”
In a strange turn, Spybot offers the OpenSBI Editor. This tool is not just for malware experts—it’s for Spybot experts. The help system says nothing more than “This is an editor for the detection database,” and the tool itself is thoroughly opaque. Just leave it alone!
There Are Better Choices
Spybot – Search & Destroy is a tool specifically aimed at removing spyware and other threats to privacy. It doesn’t promise to handle any other kind of malware. In testing, it missed the types of malware it doesn’t claim to catch, which is fine. But it also didn’t catch all the spyware and other privacy risks. For those it did detect, it left behind lots of executable traces. Note, too, that unless you adjust its configuration, installing Spybot removes the protection of Windows Defender, for a net loss in protection. Don’t even think of using it without a powerful third-party antivirus for backup.
If you want a free product that cleans up malware on your computer, try Malwarebytes Free. Kaspersky Security Cloud Free gives you full, award-winning antivirus protection at no cost—it’s our Editors’ Choice for free antivirus. If you’re willing to pay for full-on antivirus protection, we’ve defined several Editors’ Choice products. Kaspersky Anti-Virus and Bitdefender Antivirus Plus routinely earn top scores from the testing labs around the world. Webroot SecureAnywhere AntiVirus handles all types of malware, including ransomware, and it’s amazingly tiny. And a subscription to McAfee AntiVirus Plus lets you install protection on every device in your household. With any of these in place, you don’t need Spybot.