October 3, 2006
There's a war of words happening between antivirus vendor Symantec and the makers of Spybot Search & Destroy. At the heart of the controversy is a recommendation in Norton Internet Security 2007 to uninstall Spybot S&D due to incompatibilities. So is Symantec the big bully some are claiming? Or, like most things in life, is there more to this story?
Where the problems lie
TeaTimer is a valuable feature in Spybot S&D that can help prevent malicious software from getting a foothold on the system by alerting when certain types of modifications are made to the system registry. However, it is purely behavior-based, meaning it's the behavior that gets alerted upon - regardless of whether the application exhibiting that behavior is good or bad.
If Spybot S&D is installed on the system and the TeaTimer feature is enabled, alerts will be triggered whenever a software installation makes modifications that allow the software to start during system startup.
Whether those modifications are allowed is entirely up to the user, who must decide whether the application making the modifications is good or bad. Ideally, if the behavior were unexpected or undesired, a savvy user would deny the modification. And if the behavior was expected and desired - as is the case during an installation of Norton Internet Security - a savvy user would allow the modification.
But it's not quite that simple.
Major bug in TeaTimer
Spybot S&D's TeaTimer has long had an acknowledged bug. The alert dialog is badly misconfigured, with overlapping and largely undecipherable Allow and Deny buttons. This means even if the user wanted to allow the action, they may not - and likely would not - be able to do so. Thus, a user who has TeaTimer enabled and tries to install Norton Internet Security will likely end up with a botched install with at least some components of the NIS protection disabled.
This will continue to be a problem until the bug in Spybot S&D is fixed.
Symantec has responded to the problem by recommending users uninstall Spybot Search & Destroy prior to installing Norton Internet Security 2007. This in turn has led to accusations from Patrick Kolla, creator of Spybot S&D, who is now threatening to include detection for Symantec products in Spybot S&D's signature database as retaliation.
To bolster his argument, Kolla claims that Symantec had a knowledgebase article on its website advising users that having Spybot installed alongside Norton Ghost could result in corrupted drive images. Assuming there was such a knowledgebase article, it doesn't appear to be public any longer and it's difficult to ascertain any of the details behind the allegation.
Regardless of whether there was or wasn't an incompatibility between Ghost and Spybot S&D, there certainly is an incompatibility between Spybot S&D's TeaTimer and ANY application that needs to make certain modifications to the system registry in order to work properly. To date, Kolla's response to that problem has been to post a diatribe about Borland Delphi, ironically titled "Small bugs in TeaTimer".
This bug is anything but small, as it strips the user of the ability to make the proper decision regarding the alerts. And responding to the alert is the core, fundamental purpose behind TeaTimer. Though Spybot has posted a workaround for the bug - which includes pressing "A" for allow and "D" for deny - no fix has been forthcoming for this bug, which was first introduced in Spring 2005.