SolutionBase: Anti-spyware apps use a variety of detection methods

Figuring out the most effective way to combat spyware rests in part on understanding how detection programs identify the parasites that have infiltrated your systems. Your best bet may be a program that uses a combination of techniques.

Spyware applications are installed and working their clandestine trade. You know it because pop-up ads appear every time you open a Web page, and your system is slower than a car running uphill on ice. Now what? First, you have to find a good spyware detection and removal tool. However, all detection applications are not created equal. Aside from interface differences, the particular methods that these programs use can greatly affect how well they identify rogue applications. In this article, we'll look at the differences in the detection methods employed by the most common spyware-detection applications. We'll also explain how spyware is different from viruses and why antivirus applications generally can't detect spyware.

Filename matching

The simplest form of spyware detection is filename matching. As the name suggests, this method scans the drive for specific filenames of known spyware. The files are then flagged for removal.

This form of detection works, but there is a considerable flaw in the theory. In an effort to subvert the detection software, spyware companies either change the filenames or employ a random naming strategy. Once the filenames are changed, the detection software is unable to recognize the spyware. Another problem with filename matching is that the detection software is unable to differentiate between a valid file and one associated with a spyware application. For example, suppose a popular adware program has a file named samplefile.dll associated with it. If a legitimate application also has an associated file named samplefile.dll, the detection software will flag the file for removal regardless of which application it is used for.

File properties

Another method of spyware detection compares the properties of the file with those of known spyware. This type of detection is usually combined with filename matching, making it a little more reliable than simply comparing filenames. When the detection software matches a filename, file properties such as the size, publisher, and version are compared to the known values in the spyware definition database. If one or more of the properties match the defined parameters, the file is flagged for removal.

Combining filename and file property matching makes the detection software more robust. However, spyware authors are able to get around this form of detection easily by renaming the files, changing the publisher, slightly modifying the file size, or updating the revision. But the chances of erroneously removing a valid file are lessened with this form of spyware detection.

File signatures

Filename and file property detection methods basically look at the wrapper around the program code. While this may be helpful in separating a Snickers from a Milky Way, the only way to know exactly what you're getting is to look inside the wrapper. In the spyware-detection world, this is done using file signatures to detect rogue files.

When searching for spyware, the detection software actually looks inside files for certain signatures, or patterns. When a matching signature is found, the file is flagged for removal. Although spyware authors may be able to easily change the filename or properties, modifying the program is a much more involved process. File-signature detection is a reliable method, and many popular detection software applications use it.


Heuristic detection is similar to file-signature scanning, except that the detection software searches for certain instructions or commands that are not part of normal applicationsï¿?such as a command to delete everything on the hard drive. Heuristic methods are generally used to detect malware and other malicious types of applications.

Heuristic detection is a good method for identifying spyware, but a purely heuristic system detects only malicious code, not things like cookies or adware. More effective spyware-detection applications usually combine heuristics with other methods, such as file sharing and filename matching.

Registry scanning

Like all applications, spyware modifies the system registry during installation. Over time, these values can clutter the registry and slow down the computer. The registry may also become corrupted. Virtually all detection applications scan the system registry for traces of spyware by matching values for known spyware applications with those in the application's definition database.

Comparing spyware and viruses

Spyware and viruses are completely different threats. Spyware is designed to collect demographic and personal information, display pop-up advertisements, or track shopping and surfing habits. Viruses rarely have any real purpose other than to annoy users or carry out malicious instructions.

Virus code is designed to propagate itself as often as possible. Although the program may try to hide itself inside another application, the virulent code is responsible for its own replication. Spyware also hides itself inside other applications, but it's not designed to propagate itself. Instead, it relies on the computer user to install the legitimate application. This is the fundamental difference between spyware and viruses.

Spyware- and virus-detection programs are also completely different, even though they use similar techniques to ferret out the offending code. Like some spyware-detection programs, antivirus packages use file signature and heuristic techniques, but the approach is different. Instead of searching only for known viruses, antivirus software uses heuristics to analyze code sequences in an effort to detect unknown viruses. This doesnï¿?t always work, but the attempt occasionally thwarts a virus outbreak before it becomes an epidemic.

Another difference between viruses and spyware is the size of the code. Virus code is usually quite small and easy to detect once the virulent code has been defined. Spyware is often quite large in comparison. Many spyware applications bring with them hundreds of files and additional traces, making it extremely difficult for the spyware-detection software to clean everything off the system. In addition, spyware authors are constantly changing their applications to avoid detection. In fact, many spyware authors use spyware-detection software to help them determine whether their changes are going to be caught. They work with the various detection packages to tweak the code until their application is no longer found. Thus, spyware-detection software must have a thorough understanding of each spyware application for successful detection and removal to take place. The detection application must know where all of the various folders, files, and registry entries are located and also know the dependencies between spyware elements and other associated applications.

Because virus- and spyware-detection applications are so different, you wonï¿?t typically find a single application performing both tasks. This is due partly to the complex nature of the applications and partly so that vendors can generate multiple revenue streams. However, this trend is changing, as vendors such as Norton, Symantec, and McAfee enter the spyware-detection field. In the next few months, several new software packages will have antivirus and spyware-detection modules combined into a single package.


Spyware detection and removal is a complex procedure. Spyware authors are constantly changing their applications to avoid detection, creating a never-ending cycle of identification and removal. Because spyware authors are always one step ahead in this game, detection methods must be constantly updated and changed. As the big-name vendors begin to focus their sights on spyware, integrated virus- and spyware-detection packages will become available. Combining the two functions into one package should bring even more technological advances to the spyware battle and make it easier to remove both types of offensive code from your machines.