Many years ago, when the concept
of spyware was brand new, defending against attacks such as toolbars that stole
personal data was considered a different task than antivirus
In those long-ago days, Spybot – Search & Destroy ruled the spyware
protection field. Modern antivirus programs handle a wide variety of malware, including viruses, Trojans, ransomware, and yes, even spyware. Spybot doesn’t
aim to replace your antivirus, but rather to run alongside it in partnership. Our
testing suggests, however, that even if you do need that kind of support for your
antivirus, Spybot doesn’t provide it.
The web page for this free product says,
“Spybot is different. Spybot uses a unique technique to find the spyware,
adware and more unwanted software that threatens your privacy that others don’t
find.” The paid edition adds real-time protection, full-range antivirus
scanning, scheduled updates, and a collection of bonus tools.
Getting Started With Spybot
On the home page of Spybot’s
website, you’ll find Professional, Home, Corporate, and Technician editions of the
commercial Spybot, but not the free version. On the product page, the free
edition appears, but with a Donate button where the others have prices. Clicking
around the site, I didn’t manage to find a link to download the free edition
without a donation. Fortunately, Google turned it up easily enough.
The download page lists numerous
mirror sites that were totally unfamiliar to me, along with three owned by the
company, marked “ad-free.” I used one of those three. I’m accustomed to seeing
free products that nudge you to upgrade to a paid edition. Avast
Free Antivirus comes to mind. This combination of ad-supported downloads
and shareware-like donation requests is unusual.
I also must point out that some of
the donation requests embedded in the program are misleading. For example, one
says, “You know, a good horse is expensive…A Trojan horse even more so. Donate
now.” Given that the free product does not attempt to remove Trojan horse malware,
even if you donate, that’s not such a good message.
During installation you make a
clear choice of “I want to be protected without having to attend to it myself”
or “I want more control, more feedback and more responsibility.” The former is
the default. For testing purposes, I naturally chose the latter.
By default, Spybot checks for updated
malware signatures at first launch. That’s essential, because out of the box
the product doesn’t have any signatures. Updating is a manual affair, unless
you spring for a paid edition. You can apparently set an update task using the
very awkward Windows Task Scheduler, as you can with Microsoft
Windows Defender Security Center, but I doubt many users do.
Once you’ve finished that quick signature
update, you see the Start Center, Spybot’s main window. Three buttons let you
launch a scan, check for updates, or do something called Immunization. More
about Immunization later.
Scanning With Spybot
As noted, Spybot reserves automatic
updates for paying users. Don’t forget to update manually before each time you
run a scan.
A full scan of my standard clean
test system took 23 minutes, quite a bit less than the current average of a bit
over an hour. I could see in the scan progress display that it works
differently from most competitors. Where most antivirus products scan each file to see if
it’s malicious, Spybot apparently works through a list of spyware and adware to see if
they’re present, displaying a name like Fraud.SysGuard or PornBHO.ru for each.
Spybot didn’t find any spyware on
this clean system, naturally, but it did turn up a collection of browser
tracks, lists of recent files, and other potential targets for snoops. When I
clicked Fix Selected, it did the job in a flash.
I follow regular reports from four
independent antivirus testing labs, but none of the reports include data on
Spybot’s capabilities. In addition, my own hands-on malware
test isn’t relevant, because the free Spybot doesn’t include real-time
protection. As with Malwarebytes and FixMeStick, I had
to test Spybot by repeatedly letting a handful of samples install and then
challenging it to remove them. I didn’t use any ransomware samples, because
there’s no point in removing those after they’ve done their dirty deeds.
Limited Malware Removal
Normally I test malware protection
by invoking the antivirus product’s real-time protection. For some, scanning
kicks in as soon as I open a folder containing my samples. Others scan when I
click on the samples, or move them to a new folder. Still others, including McAfee
AntiVirus Plus and Avast, only scan when a program tries to
Spybot does none of these, as its
free edition doesn’t have a real-time protection component. Rather, you use it
to scan and remove malware that’s already present. That being the case, I
tested it by installing a few malware samples at a time and challenging it to
I got through more than half my
samples before seeing Spybot take any action other than removing usage traces.
That first hit was a keylogger, the kind of thing you’d expect an antispyware
program to handle. In the end, it detected just 15 percent of my samples, and
for all but one of those it left behind two-thirds or more of the associated
executable files. On a scale from 0 to 10 points, it earned less than one
To be fair, my samples cover all
types of malware, many of them not covered by Spybot. I did leave out the
ransomware, but the collection includes Trojans, droppers, spyware, adware, and
more. It’s not fair to score Spybot against full-scale antivirus tools such as Webroot SecureAnywhere AntiVirus,
which earned a perfect 10 points. But even looking just at adware, spyware, and
such, Spybot only detected half the samples.
It’s really not clear to me what
benefit you’d get by adding this to a product like Norton,
McAfee, G Data Antivirus, or any
of the other products that scored in the high 90s for malware detection.
Spybot’s Immunization tool
configures your system and your browsers to block almost 200,000 known
malware-hosting URLs. Using the Windows HOSTS file, it redirects these
addresses to a local-only URL, making it impossible for any program to connect
with them. It also configures your browsers to block these sites.
When I clicked to enable
Immunization, the program offered to do a full job, or let me customize.
There’s no reason to customize, so I chose the full job. I accidentally clicked
to check immunization status before running the immunization process.
Confusingly, it reported that zero of 192,168 entries were immunized, leaving
191,974 unprotected. Why weren’t those numbers the same?
In any case, modern malware coders
don’t use static domains to distribute their nasty software. Many change
domains regularly. Some serve up a slightly different URL every time. I thought that a comment at the end of the HOSTS file states that the list is
“Copyright 2000-2017” meant the list might be three years out of date. My company contact explained that despite this line the signature database is up to date.
My malicious URL blocking test
starts with a feed of recent malware-hosting URLs found by researchers at MRG-Effitas. I
launch each one and note whether the antivirus blocks access to the URL, recognizes
and eliminates the malware download, or does nothing. Since Spybot doesn’t have
real-time malware detection, I simply recorded whether it blocked URL access.
Usually I go for 100 verified URLs
before running the numbers, but in Spybot’s case I stopped at 50, because it
didn’t block even one. To be sure I wasn’t missing something, I redirected PCMag’s
website using the HOSTS file, the same way the immunization process did for known
bad sites. When I tried to visit PCMag, I got an error saying, “The site can’t
be reached,” as expected. That didn’t happen with any of the test URLs.
Skimming the HOSTS file, I noticed
that the listed URLs mostly had simple names like 1sexparty.com or greataudioconverter.com.
The real-world malware-hosting URLs in my test ran to a few like that, but most
were visibly more complex, things like dl2.soft-lenta.ru or eroblog.best or d.0dlbh4.cn.
My company contact did state, “Malware URLs often live only a few days, so URL blocking most often is outdated these days.” That may be so, but some products do extremely well in
this test. McAfee, Sophos Home Free, and
Vipre all managed 100 percent protection.
Note, too, that not all of these
success stories stem from reliance on real-time antivirus scanning. Vipre
Antivirus Plus in particular blocked 95 percent of the nasty
URLs by keeping the browser away from them.
Products like Vipre and Trend Micro Antivirus+ Security
(which detected 96 percent of risky URLs) definitely don’t rely on a
three-year-old static list. They’ll block a known and blacklisted site, of
course, but they also use heuristic detection to block brand new sites with
Ineffective File Scan
When I last reviewed the free
Spybot tool, I reported on a variety of other scan choices. I thought at first
that the company had removed these, since the Advanced User Mode option that
revealed them no longer appears. It turns out that in the current edition, you
must first click a small link labeled Show details and then turn on Advanced
With Show details enabled, you see
that Spybot includes a File Scan module in addition to the full system scan.
You simply drop the files you want scanned onto this module. I dropped my folder
of malware samples onto it and got a warning: “The scanner queue might get
quite large,” even though I only dropped four dozen files! As the scan
ran, the status for each file changed from “queued” to “clean.”
Yes, it reported all of them as clean and safe. Spybot didn’t merely express
that the files weren’t known to be trouble, it actively reported them as safe.
This erroneous greenlight activity included
the static installers for the spyware samples that it detected in earlier
testing. It also included almost a dozen virulent ransomware samples.
In the Show details mode, you get
direct access to the Quarantine folder. Here you can review the files
quarantined by Spybot, as well as the usage tracks removed. If necessary, you
can undo the quarantine action for specific items.
When you check the box for Advanced
User mode, icons for nearly a dozen additional features appear. Some of them
aren’t available in the free edition, but these are not identified in any way,
not like the lock icon you see in products such as Avast, AVG
AntiVirus Free, and Kaspersky’s free version. You find out they’re
unavailable when you attempt to launch them. Restricted components include System
Repair, Secure Shredder, Phone Scan, Boot CD Creator, Script Editor, and Repair
Environment. Annoyingly, launching any of the available advanced modules
requires an additional User Account Control confirmation, sometimes more than
A speedy Rootkit Scan checks for
programs hiding from view by the operating system, though it notes that these
may not be malware. There’s an option to run a deeper scan for rootkits. You
can launch Report Creator to generate a log that you can share with tech
Most malware must launch every time
Windows boots, so a tool that reports on everything that launches at startup
can be handy for malware experts. This isn’t like the simple startup management
found in Norton AntiVirus Plus and G
Data. Clicking Startup Tools gets you an overwhelming list of absolutely
everything that launches at startup. You can reversibly disable items, but you
don’t get the option to have them launch after a delay. If you’re not a malware
expert, you can still use it to generate two kinds of logs for analysis by tech
This mode also offers clear access
to the program’s configuration settings. There are 13 tabs in the settings
dialog, but most users should take a hands-off policy. The one tab that might
prove useful to the non-techie customer is called Dialogs. It lets you suppress
unwanted notifications or restore popup notifications for which you clicked
“Don’t show this again.”
In a strange turn, Spybot offers
the OpenSBI Editor. This tool is not just for malware experts—it’s for Spybot
experts. The help system says nothing more than “This is an editor for the
detection database,” and the tool itself is thoroughly opaque. Just leave it
There Are Better Choices
Spybot – Search & Destroy is a
tool specifically aimed at removing spyware and other threats to privacy. It
doesn’t promise to handle any other kind of malware. In testing, it missed the
types of malware it doesn’t claim to catch, which is fine. But it also didn’t
catch all the spyware and other privacy risks. For those it did detect, it left
behind lots of executable traces. Note, too, that unless you adjust its
configuration, installing Spybot removes the protection of Windows Defender,
for a net loss in protection. Don’t even think of using it without a powerful third-party antivirus for backup.
If you want a free product that
cleans up malware on your computer, try Malwarebytes Free. Kaspersky Security
Cloud Free gives you full, award-winning antivirus protection at no cost—it’s
our Editors’ Choice for free antivirus. If you’re willing to pay for full-on
antivirus protection, we’ve defined several Editors’ Choice products. Kaspersky
Anti-Virus and Bitdefender
Antivirus Plus routinely earn top scores from the testing labs
around the world. Webroot SecureAnywhere AntiVirus handles all types of
malware, including ransomware, and it’s amazingly tiny. And a subscription to McAfee
AntiVirus Plus lets you install protection on every device in your household.
With any of these in place, you don’t need Spybot.
Spybot – Search & Destroy Specs
|On-Demand Malware Scan||Yes|
|On-Access Malware Scan||No|
|Malicious URL Blocking||Yes|