Spy Sweeper 5.5 with Antivirus

Version 5.2 of Webroot Software's Spy Sweeper added antivirus support from Sophos, a well-regarded enterprise-oriented antivirus firm. Version 5.3 made the product compatible with Windows Vista. The latest version, Spy Sweeper 5.5 with AntiVirus, adds antivirus scanning of e-mail attachments as well as a variety of other enhancements. The price hasn't changed—$39.95 (direct) gets you spyware and virus protection for a year. You can pay $10 more for a three-pack, or $10 less for spyware protection without antivirus. Whichever way you choose to pay, however, Webroot's latest offering is well worth paying for.

Sophos's own AV products have received all the independent lab certifications I look for and more. Now Virus Bulletin has awarded VB100% certification to SSAV itself, and ICSA Labs has certified it for virus detection; as of this writing, testing for removal certification hasn't finished. West Coast Labs hasn't finished evaluating SSAV, but the corresponding Sophos product received Checkmark certification for virus detection and removal, as well as the additional Trojan-horse-detection Checkmark. Sounds good to me!

You won't notice much difference in the combined virus/spyware scan. But the real-time protection "Shields" have changed a bit. The new System Services shield prevents unauthorized changes to the numerous system services that are essential for correct operation of Microsoft Windows, and the Email Attachments Shield catches threats in e-mail. The old Spy Installation Shield is replaced by the dynamic duo of Execution Shield and File System Shield, which block malicious programs from executing and from reading or changing files. And the Behavioral Genotype protection mentioned above also helps keep malware off your system. At least, that's the theory. How well does all this new code work, and does it play well together? I fired up my test machines to check just that.

I loaded SSAV on a set of virtual machines infested with my latest collection of malware—adware, spyware, Trojans, rootkits, even rogue antispyware programs. This must be a tougher gang than my previous collection, as I had to install SSAV in Safe Mode on two of the systems because the malware interfered with normal installation. I had to run the scan in Safe Mode on a third because malware interacting with SSAV put the system into a blue-screen death spiral. Fortunately SSAV has no problem at all with installing or running in Safe Mode.

I give a product full credit for removal if it eliminates all the executable elements of a threat, even if it leaves behind data files or Registry keys. Products get half-credit for detecting a threat but not managing to clean out the executables. Total annihilation of the baddies is worth 10 points. On that scale, SSAV initially scored a disappointing 7.9. Webroot advised me to turn on rootkit detection and a couple of other normally disabled settings and retest. That raised the score to 9.0—much better! Webroot leaves these settings off by default because they can make the scan take longer; also, in rare instances, rootkit detection can turn up legitimate programs using rootkit-style techniques. Spyware Doctor 5.0 scored 9.1 against that same set of threats. I did notice that SSAV left behind the vast majority of the Registry keys associated with my samples. I'd prefer a more thorough cleanup. In a similar test using commercial keyloggers SSAV scored 6.3 (compared with 7.1 for Outpost and 7.9 for Spyware Doctor)—not the most impressive of results. But then, I don't give nearly as much weight to removal of commercial keyloggers. If someone has managed to get physical access and install one of these on your system, you've got problems that software alone can't handle.

A combined spyware and virus scan took just under 30 minutes using default settings (about the same as a similar scan by Norton Internet Security 2007). And although Webroot mentioned that turning on the rootkit detection and other recommended options might slow the scan, I couldn't measure any difference. The latest version of Spyware Doctor took over an hour for a similar scan, so a half-hour doesn't seem too bad.

I ran into one oddity that I don't remember from previous versions. Like many other antispyware products, Spy Sweeper often finds it necessary to reboot in order to clean out pernicious malware. Each time I accepted its offer to reboot automatically, the system gagged, reporting that SSAV itself didn't want to shut down. But if I declined the automatic reboot and chose to restart manually, there was no problem. That's clearly a glitch that needs fixing, especially if Webroot wants to appeal to the mom-and-pop type of customers who will doubtless be put off by this kind of hi-jinks.

As always, Spy Sweeper's "Shields" offer multiple layers of protection to keep malware from installing on a clean system. For testing I used all of the recommended shields as well as the keylogger shield, which is turned off by default. The first line of defense is the Internet Communication Shield. This shield blocks your browser (or any other program) from accessing sites associated with malware. ICS blocked access to only about a quarter of the sites hosting my samples—it has done better on my tests in the past. About half the samples got whacked by the Execution Shield the moment they tried to launch or by the File System shield when they tried to install files. The BHO Shield, ActiveX shield, and others kicked in as needed. Overall, SSAV scored 8.1 out of 10 in the spyware-blocking test. That sounds pretty good, but both Outpost and Avira AntiVir Premium Security Suite scored 9.1 against this same collection, and Spyware Doctor racked up an amazing 9.8 points.

I expected SSAV to do especially well against my separate set of commercial keyloggers, since it has a shield specifically designed to protect against them. It came in with a disappointing 6.4 points. Fully half of the samples installed at least enough to log keystrokes; not one was blocked by the keylogger shield. Other products didn't do a lot better—Outpost and Spyware Doctor both got 7.1 points. I don't give as much weight to protection against commercial keyloggers, but I did expect Spy Sweeper's keylogger shield to do something.

For each threat that was knocked out before installation by the Execution Shield, I tried again using a modified version of the installer. I renamed each installer, changed some non-executable bytes, and appended null bytes to the end to change the size. In the past Spy Sweeper has fared well in this type of test, but apparently the size change threw off its ability to identify these threats on sight. Almost every one of them at least started to install. Fortunately the other layers of protection kicked in, and only two of sixteen modified samples managed to install.
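Why a size change plus a few altered bytes can defeat identification "on sight", and one way a scanner can tolerate it, as an added example (not Webroot's code; the page does not say how Spy Sweeper matches files). The byte strings, block size and 0.8 threshold are constructed for illustration.

```python
import hashlib

BLOCK = 64  # block size for piecewise hashing (constructed; real tools use larger blocks)

def full_hash(data: bytes) -> str:
    """Exact-match identifier: any byte or size change yields a new value."""
    return hashlib.sha256(data).hexdigest()

def block_hashes(data: bytes) -> set:
    """Hash fixed-size blocks after stripping trailing null padding."""
    body = data.rstrip(b"\x00")
    return {hashlib.sha256(body[i:i + BLOCK]).digest()
            for i in range(0, len(body), BLOCK)}

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two files' block-hash sets (0.0 to 1.0)."""
    ha, hb = block_hashes(a), block_hashes(b)
    union = ha | hb
    return len(ha & hb) / len(union) if union else 1.0

def classify(sample: bytes, known: bytes, threshold: float = 0.8) -> str:
    """Compare a sample against one known-bad file."""
    if full_hash(sample) == full_hash(known):
        return "exact"
    if similarity(sample, known) >= threshold:
        return "near-match"
    return "unknown"

# Constructed stand-in for a known installer: 16 distinct 64-byte blocks.
ORIGINAL = b"".join(bytes([i + 1]) * BLOCK for i in range(16))

# Constructed "modified installer" as in the test above: a few bytes
# changed in place, then null bytes appended to change the size.
_mod = bytearray(ORIGINAL)
_mod[200:204] = b"XXXX"
MODIFIED = bytes(_mod) + b"\x00" * 300

# Constructed unrelated file of the same size.
UNRELATED = b"".join(bytes([i + 100]) * BLOCK for i in range(16))

if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL), ("modified", MODIFIED),
                         ("unrelated", UNRELATED)]:
        print(name, classify(sample, ORIGINAL),
              round(similarity(sample, ORIGINAL), 3))
```

Fixed-offset blocks tolerate in-place byte changes and trailing padding but not insertions that shift the content, which is one reason layered behavioral shields still matter.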

Though the antivirus portion of SSAV gets accolades from the independent testing labs, it was better at blocking and removing existing spyware infestations than at preventing new ones. Spyware Doctor 5.0 was slightly more effective both at removing entrenched spyware and at preventing malware installations. But Spyware Doctor 5.0 is a complete rewrite and has just too many "new product" problems to be Editors' Choice material. Its scan is very slow, it seemed to impair performance, and it detected a simple text file as a malicious executable, among other problems. Spy Sweeper 5.5 with Antivirus remains our Editors' Choice—but just barely. It'll be very interesting to see what happens with the next iteration of these two leading apps.