SpybotWiki - User contributions [en]

SBI file format

2008-05-31T13:01:14Z

CCRDude: improved descriptions; line by line now

SBI files are detection databases than can be used to tell Spybot - Search & Destroy where and how to look for malware.

This document describes the [[OpenSBI]] format, which is a plain text format that can be used by anyone.

==Usage==
Inside the Spybot - Search & Destroy program files folder, you'll find a subfolder named ''Includes''. This folder contains the standard detection databases distributed by [[Safer Networking Ltd.]], but you can also create your own files in here.
Every file here will be shown inside the application on the ''Filesets'' page (you may have to switch to ''Advanced Mode'' to see this).

===Example===
// info: This is an example fileset
// info|Deutsch: Dies ist ein Beispiel-Datensatz
// date: 2008-02-17 (1.5)

:: IAmSpyware|This is just an invented bot
// {Cat:Test}{Cnt:1}
// {Det:myname,2008-02-17}
File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize>=10"
File:"<$FILE_DATA>","<$SYSDIR>\WayTooSmall.txt","filesize=5"
// this is just for fun

:: SecondProduct
// {Cat:Test}{Cnt:0}
// {Det:myname,2008-02-17}
NoOp:"setenv=silly:example"

===Description===
The first thing you'll notice in the example above are the comment lines; every line beginning with two dashes are comment lines, and may appear everywhere in the file. These are the only lines that you can freely use, along with empty lines as fillers to make the text easier to read.
There are a few special comment lines:

====File information====
// info: This is an example fileset
// info|Deutsch: Dies ist ein Beispiel-Datensatz

The first comment in every file should be of the ''info'' type, which is the information shown inside the application on the ''Filesets'' page. These are localizable as shown in the second line, where ''Deutsch'' is the localized name of the ''German'' language.

====Timestamp====
// date: 2008-02-17 (1.5)

Specifiying a date, optionally with a minimum Spybot-S&D version in brackets behind it, is also recommended. We use the date format ''yyyy-mm-dd'' ('yyyy'' being the year in four digits, 'mm'' the month and ''dd'' the day, both with trailing zeros where necessary to make them two digits long) wherever possible.

====Products====
:: IAmSpyware|This is just an invented bot

Each product is started with two colons followed by a space, then the product name, which may, but should not, contain spaces.

An upright line can be used to add an optional description shown on the ''Ignore Products'' page inside the application. This description may be used for adding alternative names, in case a malware is known under various other names as well.

====Detection blocks====
// {Cat:Test}{Cnt:1}
// {Det:myname,2008-02-17}

Inside a product, various blocks can be defines, as seen by the first two comment lines in the examples products. These blocks list a ''category'', the number of samples analyzed to write this block (''Cnt''), the name of the ''detective'' creating this block, and the date.

Whenever you add additional detection code at a later point under the same product name, it is recommended you add another such block header.

// this is just for fun

Regular comments can be used anywhere in the file to allow you to write down details that might not be apparent by reading just the code.

//i: this is just information
//e: this is an erroneous line
//fp: this line did cause a false positive

If you use many comments, it might make sense to use the above formats to indicate the type of comment; these will also be highlighted differently in the code editor for a quicker overview.

File:"<$FILE_DATA>","<$WINDIR>\Malware.txt","filesize>=10"
File:"<$FILE_DATA>","<$SYSDIR>\WayTooSmall.txt","filesize=5"

All other lines are intepreted as [[SBI Commands]], defining what exactly is to be detected.

=====Categories=====
* Adware
* Cookie (used for defining pseudo-blocks for cookie domains actually defined in ''Cookies.sbs'')
* Dialer
* Hijacker
* Keylogger
* Malware
* PUPS (Possibly UnPopular Software)
* Security (for changing dangerous official system settings even if they were not caused by malware)
* Spyware
* Test
* Tracks
* Trojan
* Worm

RegAlyzer

2008-05-31T12:45:34Z

CCRDude: reduced screenshot sizes

[[Image:RegAlyzer-main.png|thumb|200px|Main view]]
RegAlyzer is a tool to browse and change the registry. It was created because of a few features we missed in the original regedit tool, from support for exotic value types over background and regular expression search to better bookmarks, displaying .reg files in the accustomed style and a history view.

==Features==
[[Image:RegAlyzer-search.png|thumb|200px|Search dialog]]
* Undo and Redo logs in .reg format
* Improved search function (results list, regular expressions)
* Hierarchical bookmark support
* Jump to key by command line parameter
* Jump to key by typing/copying it into dialog (instead of browsing)
* DWord editing with parallel hex/decimal/binary display
* Support of QWord (64 bit integer)
* Display of .reg file contents without importing it
* Support of version 5 files (Unicode) even with Windows 95/NT
* Low-level display of security settings with option to export it
* [[OpenSBI]] support

==OpenSBI==
RegAlyzer supports OpenSBI by offering to create SBI code from any registry key or value.

# When you right-click a registry value and select the OpenSBI option, you will get a dialog that allows you to choose between [[RegyValue]], [[RegyChange]], [[RegyRemove]] or [[RegyFix]], including details.
# When you select the same option on keys, right now it will copy a corresponding [[RegyKey]] command to the clipboard. In the future, this may be extended by a dialog allowing you to point'n'click [[Advanced registry parameters|advanced registry parameters]].

==References==
* [http://www.safer-networking.org/en/regalyzer/index.html Product site]

Spybot - Search & Destroy

2008-05-31T12:42:55Z

CCRDude: First draft

Spybot - Search & Destroy is an anti-malware application designed for on-access and on-demand scanning and removal of various kinds of malware, including spyware, adware, hijackers and trojan horses.

==History==
Spybot-S&D started in 2000 when Patrick Kolla, the author, needed to get rid of some adware that was responsible for triggering the dial up rooter to establish connections when none were needed. As a student of applied computer sciences, he quickly hacked together a tool to deal with this problem, to save some time should it reappear.

Made sensitive of the issue, he read an article in German computer magazine [http://www.heise.de/ct/ c't] shortly afterwards, and mailed the author of that article about some different behaviour that he experienced in the adware in question. c't printed that email as a readers letter, which started the first future users asking where to get that software.

==Open SBI==
We at [[Safer Networking Ltd.]] (the company behind Spybot-S&D), have always recognized that the trust users have in our products needs to be earned, and tried to make our products as open as possible. There's a clear problem when becoming too open though: if the information on how exactly we detect threats is too open, the bad guys will be able to counteract even faster, which would cause even more work for our relatively small team.

A compromise at detection database level came up quite early: we added an option that allowed users to add their own custom detection files so that people who would miss detection for some products, or suspect partiality for some malware companies on our part could write and distribution their own additional databases. Due an outdated documentation file (that hasn't even been announced but appeared only as an answering post to a discussion in the older support forum long gone) being the only source of information, that happened quite ralely; with our Italian translator Enrico Maria Biancarelli, who provided probably the most content of the usage tracks database, being the special exception.

[[OpenSBI]] is our attempt to finally introduce this technology to the public, with up-to-date information, useful tools and a community to share your efforts with. Let's all make it harder for malware to persist!

RegAlyzer

2008-05-30T16:05:38Z

CCRDude: First draft

[[Image:RegAlyzer-main.png|thumb|300px|Main view]]
RegAlyzer is a tool to browse and change the registry. It was created because of a few features we missed in the original regedit tool, from support for exotic value types over background and regular expression search to better bookmarks, displaying .reg files in the accustomed style and a history view.

==Features==
[[Image:RegAlyzer-search.png|thumb|300px|Search dialog]]
* Undo and Redo logs in .reg format
* Improved search function (results list, regular expressions)
* Hierarchical bookmark support
* Jump to key by command line parameter
* Jump to key by typing/copying it into dialog (instead of browsing)
* DWord editing with parallel hex/decimal/binary display
* Support of QWord (64 bit integer)
* Display of .reg file contents without importing it
* Support of version 5 files (Unicode) even with Windows 95/NT
* Low-level display of security settings with option to export it
* [[OpenSBI]] support

==OpenSBI==
RegAlyzer supports OpenSBI by offering to create SBI code from any registry key or value.

# When you right-click a registry value and select the OpenSBI option, you will get a dialog that allows you to choose between [[RegyValue]], [[RegyChange]], [[RegyRemove]] or [[RegyFix]], including details.
# When you select the same option on keys, right now it will copy a corresponding [[RegyKey]] command to the clipboard. In the future, this may be extended by a dialog allowing you to point'n'click [[Advanced registry parameters|advanced registry parameters]].

==References==
* [http://www.safer-networking.org/en/regalyzer/index.html Product site]

File:RegAlyzer-search.png

2008-05-30T16:05:16Z

CCRDude: RegAlyzer search dialog showing an example regular expression.

[[RegAlyzer]] search dialog showing an example regular expression.

File:RegAlyzer-main.png

2008-05-30T16:04:10Z

CCRDude: Main view of RegAlyzer, showing the registry key tree and a list of values.

Main view of [[RegAlyzer]], showing the registry key tree and a list of values.

RegAlyzer

2008-05-30T16:03:24Z

CCRDude: First draft

[[Image:RegAlyzer-main.png|thumb|300px|Main view]]
RegAlyzer is a tool to browse and change the registry. It was created because of a few features we missed in the original regedit tool, from support for exotic value types over background and regular expression search to better bookmarks, displaying .reg files in the accustomed style and a history view.

==Features==
* Undo and Redo logs in .reg format
* Improved search function (results list, regular expressions)
* Hierarchical bookmark support
* Jump to key by command line parameter
* Jump to key by typing/copying it into dialog (instead of browsing)
* DWord editing with parallel hex/decimal/binary display
* Support of QWord (64 bit integer)
* Display of .reg file contents without importing it
* Support of version 5 files (Unicode) even with Windows 95/NT
* Low-level display of security settings with option to export it
* [[OpenSBI]] support

==OpenSBI==
RegAlyzer supports OpenSBI by offering to create SBI code from any registry key or value.

# When you right-click a registry value and select the OpenSBI option, you will get a dialog that allows you to choose between [[RegyValue]], [[RegyChange]], [[RegyRemove]] or [[RegyFix]], including details.
# When you select the same option on keys, right now it will copy a corresponding [[RegyKey]] command to the clipboard. In the future, this may be extended by a dialog allowing you to point'n'click [[Advanced registry parameters|advanced registry parameters]].

==References==
* [http://www.safer-networking.org/en/regalyzer/index.html Product site]

OpenSBI

2008-05-30T15:56:30Z

CCRDude: added RegAlyzer and RunAlyzer

OpenSBI is our initiative to make Spybot - Search & Destroy a more open platform for malware fighting. There are five major components that define OpenSBI:

# ''[[Spybot - Search & Destroy]] 1.6'' - this release fully supports OpenSBI files as an additional source of detections.
# ''[[FileAlyzer]] 1.6 OpenSBI Edition'' - our file analysis tool now offers dozens of functions to create detection patterns for files. [[RegAlyzer]] and [[RunAlyzer]] also have 1.6 OpenSBI Editions with support for creating OpenSBI code.
# ''[[OpenSBI Edit Lite]]'' - a full text editor for OpenSBI files, including syntax highlighting, import of InCtrl5 and HijackThis logs, and context sensitive help.
# This ''Wiki'' - a documentation wiki with hundreds of pages explaining the usage of the OpenSBI file format.
# The ''[http://forums.spybot.info/ Community]'' - integrated into our support forums is a system that allows you to share your OpenSBI files with other Spybot-S&D users, and comment theirs.

Some advantages we created this for are

# ''Diversity'' - everyone can create detection templates for any software, without depending on a central authority to acknowledge its threat.
# ''Neutrality'' - we cannot be bought to remove detections from our database, but if you do not believe us, you can simply publish your own rules against some malware.
# ''Continuity'' - OpenSBI ensures that you'll get updates as long as someone is interested in updating the database (which does not mean we intend to do less work in adding new detections).

RunAlyzer

2008-05-29T14:12:23Z

CCRDude: First draft

RunAlyzer is a multi-installation autostart & configuration management tool. It was designed to list as many possible autostart locations as possible, with special support for inactive installations, so one would for example be able to use it when booting from a Windows PE CD.

RunAlyzer includes a classification list of entries known as good or bad, and is able to update this information online. It may, when the user chooses to do so, also upload information about yet unknown entries for future classification.

It is able to export logs in [[Spybot - Search & Destroy]] as well as [[HijackThis]] format.

==Locations==
RunAlyzer shows its information roughly categorized as:
* Autorun
* Advanced Startups
* Services
* Winsock LSPs
* Scheduled Tasks
* Explorer Plugins
* Installed Software
* Process List

==OpenSBI==
RunAlyzer supports [[OpenSBI]] in that it allows to create [[SBI Commands|SBI command]] drafts from some of its categories:

* Creates rules for autorun entries
* Creates rules for LSPs
* Creates rules for scheduled tasks
* Creates rules for explorer plugins

RegyKey

2008-05-29T14:05:42Z

CCRDude: info about HKCU

{{SbiCmdInfo
|SYNTAX = RegyKey
|PENAME = SpybotSD.exe
|PEVERSION = 0.95 or later<br />1.5.3 for adv. file
|GROUP = Registry
|MINUPDATE = n/a
|ADVFILEPARAMS = yes (sixth)
|ADVREGPARAMS = yes (fifth)
|ADVBUILDPARAMS = yes (fifth)
|ADVSPECIALPARAMS = no
}}Searches for the defined registry key and adds it to the results list, if found.

==Usage==
RegyKey:<description(string)>,<rootkey(enum)>,<keypath(string)>,<key(string)>[[,advanced registry parameters][,advanced file parameters]]

To flag any things located in HKEY_USERS, just add one rule with HKEY_CURRENT_USER as the root key. During a scan, rules for HKEY_CURRENT_USER will be applied to all detected users, not just the ''current'' one.

===Examples===
RegyKey:"User settings",HKEY_CURRENT_USER,\SOFTWARE\,"Spyware"

===Description===
Detects a registry key and flags it for removal.

# First, a description. Using a [[Description templates|description template]] instead of plain text is recommended so that the user will receive a localized version.
# The root key, where HKEY_CURRENT_USER stands for all users actually.
# The path to the value, starting with a backslash. This may not include the actual subkey you want to remove. {{PathTemplates}}
# The name of the key to detect. You may use a [[AlgoPrefix|Algo-Prefix]] here. {{AlgoPrefix}} {{PathTemplates}}
# To refine detection, you can use [[Advanced registry parameters|advanced registry parameters]] to check the actual data of the value, as well as [[Advanced build parameters|advanced build parameters]]. You may use [[AlgoPrefix|Algo-Prefixes]] here. {{AlgoPrefix}} {{PathTemplates}}
# Starting with 1.5.3, [[Advanced file parameters|advanced file parameters]] for [[:Category:Advanced_file_parameters_for_Flow_Control|Flow Control]] can be specified. {{PathTemplates}}

===Scan Results===
* The identified registry key(s).

==See also==
* [[Advanced file parameters]]
* [[Advanced build parameters]]
* [[Advanced registry parameters]]
* [[AlgoPrefix]]
* [[Description templates]]

===Similar commands===
* [[RegyChange]]
* [[RegyFix]]
* [[RegyValue]]
* [[RegyRemove]]

[[Category:SBI Commands]]

Winsock

2008-05-29T09:47:37Z

CCRDude: /* Similar commands */ added WinSecCenter

{{SbiCmdInfo
|SYNTAX = Winsock
|PENAME = SpybotSD.exe
|PEVERSION = 1.3 or later
|GROUP = Windows API
|MINUPDATE = n/a
|ADVFILEPARAMS = no
|ADVREGPARAMS = no
|ADVBUILDPARAMS = yes (fourth)
|ADVSPECIALPARAMS = no
}}Can be used to remove Layered Service Providers.
Special care needed. Do not use without asking official advise!

==Usage==
Winsock:<drivername(string)>,<anywhere(boolean)>,<filename(string)>[,advanced build parameters]

===Examples===
Winsock:"MalwareLSPName","0"
Would detect all drivers whose names begin with MalwareLSPName.

===Description===
This is a very powerful command, allowing you to remove Winsock driver entries, which is an absolute necessity before removing the associated files, since otherwise Internet access will be broken. Take special care with generic names; often, both malware and legit applications have just copied sample code without even changing the default driver name.

# The first parameter may be either a full or partial name.
# The second parameter needs to be set to ''1'' to allow substring matching anyway, set to ''0'' to have the matching begin at the first letter.
# The filename field supports [[AlgoPrefix|Algo-Prefixes]].

===Scan Results===
* A special entry allowing you to properly remove the problem using the Windows API.

==See also==
* [[Advanced build parameters]]
* [[AlgoPrefix]]

===Similar commands===
* [[HostRedirect]]
* [[TCPIPAddress]]
* [[WinSecCenter]]

[[Category:SBI Commands]]

Skipcount

2008-05-29T09:46:58Z