Cookie Management
bigketch
11-15-2006, 11:17 PM
I really like your product but it could use a couple really minor improvements.
1. The splash screen....
Get Rid of the Splash Screen!! It is more annoying than anything. My clients use your product regularly but they want to work, not look at splash screens. McAfee did that in earlier versions and I quit selling it. It was extremely annoying.
Make it appear for a shorter time and have an option to disable it.
I think this would be a great improvement
2. It sucks too much memory on slower computers (less than 512 MB RAM)
3. When it is up for renewal, I would like to be able to make money on or get "points" for the resale. This could be done several different ways. If I knew that I would make another $5-$10 on every renewal, YOU BET I'd sell it!!!
4. Send me, the reseller an email when the client's subscription is expiring, that way I can make a service call to renew and clean the PC!
Overall, I think that SD is a great program. But there is always room for improvement or added conveniences!
I would like the next version of Spyware Doctor to add an on demand scanning function to WINDOWS. So that when I right click on a file, an option is available to scan with Spyware Doctor.
My antivirus does this.
Spysweeper does this.
redwolfe_98
12-02-2006, 09:35 PM
I wish that SD's BHOs would not constantly cause SD's "common.ini" file to be opened (when IE is running).
One of the antivirus companies out there has implemented a new idea to increase scanning speed. That idea is to only scan new files or files that have changed since the last scan.
So after the first scan which might take significantly longer, the following scans should take almost no time at all.
This sounds like a pretty neat idea. Not sure what the risks are though.
One thing I used to like about Spybot's Tea Timer function was that any time a change was getting ready to be made to the registry, the program alerted you.
Does Spyware Doctor already do this? If not, it was definitely a feature that I enjoyed having.
I think it would be neat if Spyware Doctor could change all cookies that my computer receives to "session cookies" that get erased when the browser is shut down.
Would it be possible to create a BHO that accomplishes this?
I would also like to see SD eventually add an optional guard that monitors all executable files. When SD is installed on the PC, it "whitelists" all the .exe files that are present. These files are permitted to be run. However, if any of these are altered, SD would prompt you to give that program permission to run or to block it from running. If any new .exe or any .exe file that is not on the whitelist tries to run (i.e. malware), the end user would also get prompted to permit or block the program.
This would provide a high level of security. But would need to be optional as many users would not want all those prompts.
I think another good idea is to have an optional guard or BHO that filters internet content for ActiveX. This filter would put up an alarm whenever an ActiveX control is run, giving the user the option to block it, allow it, block it once, block it always, or allow it always.
Again, this would create a lot of popups while surfing the web and would need to be optional.
Many people really like the detection and removal ability of Spyware Doctor but don't like the amount of resources it uses or don't really want all the "active protections". Why not have an online scan and remove feature? For an annual subscription fee, allow people to log on to your website and scan/clean their computers. This eliminates the problem of having your program slow down their systems.
If someone doesn't want to sign up for a years access to the scanner/cleaner, offer a "per use" option so that people can pay to clean their systems once or twice a year or as needed.
Of course, many people like myself would rather have the full-fledged program on their PC. I would opt to keep Spyware Doctor on my PC, but I bet you would gain many new customers who simply want to use the scan and clean service without downloading the software to their machines.
Process Execution
The software alerts you whenever any unknown process (a process not on your whitelist) tries to execute and gives you a choice. For most software you have the choice to
Allow it to start (once)
Allow it to start and add it to the white list of approved applications
Block it from starting (once)
Block it from starting and add it to blacklist
Records command-line parameters
Another difference between HIPS with respect to execution control is in their handling of command-line parameters. Some HIPS totally ignore the command-line parameters when creating rules. This means that for a few processes which are highly dependent on command-line parameters, e.g. rundll32.exe, Microsoft Management Console (mmc.exe) or svchost, the choice is between creating an overly wide permanent rule or being prompted every time it is used.
Child/parent control
Allows you to specify not only which processes can start, but also which processes can be started by which. Can be helpful against leak tests.
DLL loading
Many programs rely on dynamic link libraries (DLLs) to provide common functionality. Instead of putting all the functionality into the program (typically an exe) itself (a process known as static linking), the executable 'links' to a separate DLL (many of which are common system DLLs) which contains the functionality. When the process starts it checks to see if the DLL is already loaded in memory and if not it loads the DLLs up.
Process termination
One important sign of possible malicious behavior is an attempt to terminate a critical process (typically security software like a firewall or antivirus). HIPS can offer protection to specified processes from termination attempts (including thread suspension methods) or give you a chance to intercept such termination attempts.
Process modification
Similar to process termination, this feature protects critical processes from being manipulated and modified. This includes attacks such as code/memory injection (protecting the virtual memory of the process from being read or written) as well as protection against remote thread creation/suspension/injection.
Access to physical memory
Blocks access to physical memory, which allows kernel access.
Global hook control
Provides control of hooking done by Windows programs, which is often but not always associated with keylogging. Some HIPS also provide blocking of other keylogging polling techniques like GetKeyState and GetAsyncKeyState.
Service/driver control
Blocks installs of software that require drivers and services. Such programs, if malicious, can be dangerous because they work in ring zero (kernel access).
Network control
Allows control of outgoing and sometimes incoming network connections by process, i.e. personal firewall capabilities.
Startup control: registry
Monitors and blocks changes to registry locations relating to auto startups. Note that there are literally hundreds of such locations in the registry and it is impossible to block all of them. Some security software allows you to add new registry keys to monitor; those will be marked as configurable in the table.
Startup control: files
Entries in registry keys are not the only way for malware to register themselves for autostart. Security software with this feature monitors such file and directory locations as well (e.g. the startup folder or old-style win.ini type files).
Browser monitor
Monitors browser (mostly Internet Explorer) related configuration for changes. This includes areas such as the homepage, ActiveX controls, BHOs, toolbars, trusted zones, hidden internet options, proxy settings, etc.
Other registry entries
Other registry entries that are monitored because changes are fishy: file associations, disabling of regedit, changes to the default location of the hosts file, etc.
Web filter
Security software filters content before it reaches the browser. Some merely remove all scripts, Java, ActiveX, etc., while the better ones try to remove only known harmful ones.
Anti-phishing
Provides a warning when phishing might be in progress. This can be done by a combination of methods: known blacklists, a heuristic analysis of the URL, etc. The much rarer anti-DNS-spoofing feature is also included in this feature.
Monitor of sensitive areas
Provides a warning when files (win.ini or hosts) or files in a sensitive area (typically the system directory, c:\windows\system32, sometimes c:\program files) are being modified or deleted, or if new files are being added.
Restrict permissions by process
Allows you to restrict what files/directories a process can read/write/create. Typically used when running some suspect or untrustworthy application. A feature of sandboxes.
Restrict permissions by directory
This typically allows you to set some directories (or files) as 'secure' zones so no other process (unless explicitly approved) can read/write them, etc. This can help protect security programs from being neutralised by 'replacement attacks', where critical files are replaced by dummy or even trojanised files, as well as shielding sensitive files from being read (by restricting read access). It can also be used to provide control over startup files (see "Startup control: files").
Block low-level disk access
Provides a warning when low-level disk access, e.g. access to \Device\Harddisk0\DR0, occurs. This can prevent Killdisk-type trojans that trash your hard disk.
Password protection
Offers password protection to protect against changes to your HIPS settings. Password protection is important because it can protect against attempts to shut down your protection via simulated mouse clicks.
Heuristic algorithm or IDS
In HIPS products this typically refers to some black-box anomaly detection system whose rules are not explicitly stated, unlike all the features mentioned above, or some pattern-matching system. It may also include clever algorithms for anti-keylogging (not just detecting hooks to WH_Hook). HIPS with this feature may not alert on each and every system change, depending on the expert-system rules.
Configurable IDS
Allows you to set your own series of states/behaviors to monitor and warn about. Example: alert me if any process that isn't in the security software group deletes X files in Y seconds. Or a system where you can set configurable penalty points for suspicious behavior and flag processes once the process's score rises above some configurable threshold.
Learning mode
In learning mode, the security software will automatically create rules as required, without prompting, for any process that starts on your computer. Another method would be to scan your system (or the start menu) for executables and approve those immediately. Learning modes can be very helpful to ease setup; however, this is advisable only if your system is known to be clean, otherwise your system might learn to allow malware to work. It might be wise to check what rules are added by the learning mode.
Default whitelist
Some security software has a large (typically at least 100 entries) list of known trustworthy software (Windows components, well-known browsers, utilities and software) and these will automatically be given the proper privileges without bothering you with prompts. Some whitelists automatically give known safe programs full privileges (trusted status) without bothering to analyze what privileges are necessary.
Blacklisting
In practice HIPS programs aren't in the business of telling you which processes are dangerous. However, many such products have started adding blacklists of known dangerous processes or have embedded optional antivirus modules.
Community database
Given that software is constantly being updated, even a default whitelist that comes with the software can quickly become outdated. A community database allows users of the product to share their findings on the types of processes they encounter and the decisions they make. Their decisions on whether to allow or not allow can provide some guidance. This information can also help malware analysts to spot fast-spreading malware.
Virtualization/roll back
Many virtualization-based programs can enable you to reverse any changes made to a fixed basic side when required. Typically the virtualization is carried out on a limited scale, e.g. on a browser.
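The execution-control behaviour described in the list above (whitelist of known executables, the four allow/block choices, narrow rules for command-line-dependent hosts like rundll32.exe, parent/child control, and learning mode), and the "prompt if a whitelisted .exe is altered" idea from the earlier post, can be modelled as a small rule engine. The following is an added example written for this page; it is not Spyware Doctor code and is not how any real HIPS is built (a real one makes this decision in a kernel driver at process creation). All paths, image bytes and hashes are constructed sample data, and the rule fields, the `ExecControl` class and its `decide()` method are this example's own invention.

```python
"""Toy HIPS execution-control engine (added example, not Spyware Doctor code)."""
from __future__ import annotations
import fnmatch
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    path: str                   # lower-cased image path
    sha256: str                 # hash of the image when the rule was created
    verdict: str                # "allow" or "block"
    cmdline: str | None = None  # fnmatch pattern over the argument string; None = any
    parent: str | None = None   # required parent image path; None = any


@dataclass
class ExecEvent:
    path: str
    image: bytes                # on-disk image bytes (constructed in this example)
    cmdline: str = ""
    parent: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ExecControl:
    rules: list[Rule] = field(default_factory=list)
    learning: bool = False
    prompts: list[str] = field(default_factory=list)  # what the user would have been asked

    def _match(self, ev: ExecEvent) -> Rule | None:
        h = sha256_hex(ev.image)
        for r in self.rules:
            if r.path != ev.path.lower() or r.sha256 != h:
                continue  # unknown path, or a known path whose image was altered
            if r.cmdline is not None and not fnmatch.fnmatch(ev.cmdline, r.cmdline):
                continue  # rule is narrowed to specific arguments
            if r.parent is not None and r.parent != ev.parent.lower():
                continue  # rule is narrowed to a specific parent process
            return r
        return None

    def decide(self, ev: ExecEvent, user_choice: str = "block_once") -> str:
        """Return "allow" or "block". user_choice is the user's answer to the prompt:
        allow_once | allow_always | block_once | block_always."""
        r = self._match(ev)
        if r is not None:
            return r.verdict
        if self.learning:
            # learning mode: create a permanent allow rule silently (only safe on a clean system)
            self.rules.append(Rule(ev.path.lower(), sha256_hex(ev.image), "allow"))
            return "allow"
        self.prompts.append(f"{ev.path} {ev.cmdline}".strip())
        verdict = "allow" if user_choice.startswith("allow") else "block"
        if user_choice.endswith("_always"):
            self.rules.append(Rule(ev.path.lower(), sha256_hex(ev.image), verdict))
        return verdict


def demo() -> dict[str, str]:
    """Walk through the cases from the text; returns the verdict for each."""
    notepad = b"MZ notepad sample image"   # constructed stand-ins for .exe contents
    rundll = b"MZ rundll32 sample image"
    hips = ExecControl()
    # Install-time whitelist entry: notepad.exe with any arguments.
    hips.rules.append(Rule(r"c:\windows\notepad.exe", sha256_hex(notepad), "allow"))
    # Narrow rule for a command-line-dependent host: only this DLL entry point, only from explorer.
    hips.rules.append(Rule(r"c:\windows\system32\rundll32.exe", sha256_hex(rundll), "allow",
                           cmdline="shell32.dll,Control_RunDLL*", parent=r"c:\windows\explorer.exe"))
    out = {}
    out["notepad"] = hips.decide(ExecEvent(r"C:\Windows\notepad.exe", notepad))
    # Same path, altered image: hash mismatch, rule no longer applies, user is prompted.
    out["notepad_altered"] = hips.decide(ExecEvent(r"C:\Windows\notepad.exe", notepad + b"patched"))
    out["rundll_ok"] = hips.decide(ExecEvent(r"C:\Windows\System32\rundll32.exe", rundll,
                                             "shell32.dll,Control_RunDLL desk.cpl", r"c:\windows\explorer.exe"))
    # Same host, different DLL: outside the narrow rule.
    out["rundll_other"] = hips.decide(ExecEvent(r"C:\Windows\System32\rundll32.exe", rundll,
                                                "evil.dll,Run", r"c:\windows\explorer.exe"))
    # Right arguments, wrong parent (leak-test style launch from an unknown dropper).
    out["rundll_parent"] = hips.decide(ExecEvent(r"C:\Windows\System32\rundll32.exe", rundll,
                                                 "shell32.dll,Control_RunDLL desk.cpl", r"c:\temp\dropper.exe"))
    # Unknown binary, user answers "allow always": a permanent rule is created, no second prompt.
    new = b"MZ newtool sample image"
    out["newtool_first"] = hips.decide(ExecEvent(r"C:\Tools\newtool.exe", new), "allow_always")
    out["newtool_second"] = hips.decide(ExecEvent(r"C:\Tools\newtool.exe", new))
    out["prompts"] = str(len(hips.prompts))
    return out
```

Keying rules on the image hash rather than the path alone is what makes the "altered .exe" case work: the same path with a patched image falls through to a prompt instead of inheriting the old allow. The trade-off is that every legitimate update to a whitelisted program also produces a prompt, which is why products lean on default whitelists and community databases to refresh hashes.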
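The "Configurable IDS" entry above describes two mechanisms: a rate rule ("alert if a process outside the security-software group deletes X files in Y seconds") and a penalty-point scorer with a threshold. The following added example, written for this page and not taken from Spyware Doctor or any real product, runs both over a constructed event log. The point values, the exempt process names, the `<timestamp> <process> <action>` log format and the `BehaviourIDS` class are all assumptions of this example.

```python
"""Toy configurable behavioural IDS (added example, not Spyware Doctor code)."""
from collections import defaultdict, deque

# Penalty points per behaviour. Illustrative assumptions; a real product makes these configurable.
PENALTIES = {
    "write_autostart_key": 40,   # startup control: registry
    "global_hook": 30,           # global hook control
    "open_physical_memory": 50,  # access to physical memory
    "terminate_protected": 60,   # termination of a protected process
    "delete_file": 2,
}
# Processes exempt from the delete-rate rule (the "security software group" in the text).
SECURITY_GROUP = {"antivirus.exe", "firewall.exe"}


class BehaviourIDS:
    def __init__(self, max_deletes=20, window_s=10.0, threshold=80):
        self.max_deletes, self.window_s, self.threshold = max_deletes, window_s, threshold
        self.scores = defaultdict(int)
        self.deletes = defaultdict(deque)  # process -> timestamps of recent deletes
        self.alerts = []

    def feed(self, ts, proc, action):
        """Consume one event; return the list of alerts it raised (also kept in self.alerts)."""
        raised = []
        # Rule 1: sliding-window delete rate, skipped for the exempt group.
        if action == "delete_file" and proc not in SECURITY_GROUP:
            q = self.deletes[proc]
            q.append(ts)
            while q and ts - q[0] > self.window_s:
                q.popleft()  # drop deletes older than the window
            if len(q) >= self.max_deletes:
                raised.append(f"rate: {proc} deleted {len(q)} files in {self.window_s:g}s")
                q.clear()    # fire once per burst rather than on every further delete
        # Rule 2: cumulative penalty points; alert once when the threshold is crossed.
        pts = PENALTIES.get(action, 0)
        if pts:
            before = self.scores[proc]
            self.scores[proc] += pts
            if before < self.threshold <= self.scores[proc]:
                raised.append(f"score: {proc} reached {self.scores[proc]} points")
        self.alerts.extend(raised)
        return raised


def parse_line(line):
    """'<ts> <process> <action>' -> (float, str, str). Constructed log format for this example."""
    ts, proc, action = line.split()
    return float(ts), proc, action


def build_sample_log():
    """Constructed event stream covering the cases a practitioner would want to see."""
    lines = []
    # Exempt cleaner deleting 25 quarantine files in 2.5 s: scored, but no rate alert.
    lines += [f"{0.1 * i:.1f} antivirus.exe delete_file" for i in range(25)]
    # Dropper: autostart key + global hook + physical memory = 120 points, crosses 80 on the third.
    lines += ["5.0 dropper.exe write_autostart_key",
              "5.1 dropper.exe global_hook",
              "5.2 dropper.exe open_physical_memory"]
    # Wiper: 20 deletes in 3.8 s, well inside the 10 s window.
    lines += [f"{10 + 0.2 * i:.1f} wiper.exe delete_file" for i in range(20)]
    # Ordinary editor clearing three temp files: nothing fires.
    lines += ["30.0 editor.exe delete_file", "31.0 editor.exe delete_file", "32.0 editor.exe delete_file"]
    return lines


def run(lines=None):
    """Feed a log (default: the constructed sample) through the IDS and return it for inspection."""
    ids = BehaviourIDS()
    for line in lines or build_sample_log():
        ids.feed(*parse_line(line))
    return ids


if __name__ == "__main__":
    for a in run().alerts:
        print(a)
```

Two design points worth noting: the rate rule clears its window after firing so a wiper produces one alert per burst instead of one per file, and the scorer alerts only on the crossing (`before < threshold <= after`), so a process that keeps misbehaving does not flood the user with repeats. Both are the kind of tuning the text means by "configurable": the threshold, the window and the exempt group are the knobs.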
AChen
01-13-2007, 06:20 AM
Hi ejr,
I have passed this on to the development team and they can analyze this further.
Some of these may have been implemented in version 5.0 and others in a later version release.
Simon Clausen
01-13-2007, 06:19 PM
Wow, very comprehensive list, thanks!
As Anthony mentioned some of this is coming in Spyware Doctor 5.0, but I've sent the link of this post to our lead SD architect to have a look at as well.
Thanks.
Simon