I think your supposition is somewhat misleading. Some of the most
effective detection techniques, such as monitoring registry changes,
would not be applicable, but that is true of all malware scanners.
I think the difference between detecting adware versus other malware
(worms) is that in general the former is mutating at a much faster rate,
with companies bundling new versions as time goes by. That is a lot of
software, in comparison to the half dozen worms that really take off
every month which antiviruses routinely add to their signatures.
As a result, antiviruses can cover most viruses and worms, without the
need to monitor registry changes (at the point in time when a change is
attempted), but detect them by scanning the package for certain strings
(which in turn can be fooled by realtime unpackers) BEFORE they are
installed.
Also, being bundled inside software makes it tougher to detect, and
probably a real 'emulation' type detection method would be the best bet,
but it would be slow.
If you think about it, software like adware and Spybot are more geared
towards post-installation removal of malware. The only pre-installation
measures are ActiveX blacklists (immunization), which you can't do on an
on-demand scanner obviously, and TeaTimer, which is mostly a registry
monitor. The only part which I consider as being signature based (in a
weak sense) is the process blacklist in TeaTimer and again that works
only at the point of installation.
That is probably why detection of spyware, adware tends to be more generic
and also weaker. When was the last time you downloaded something to your
computer (without installing), scanned manually with Spybot, and it told
you the download was adware? Compare this to the number of times someone
did a weekly scan, and it found adware/spyware installed on their system
already.
Part of the reason I had for asking is that VirusTotal and
VirusScan.Jotti provide an easy way to obtain immediate feedback for my
own use.
There are services that scan your whole system for spyware, however I
know of none that allow you to submit specific files for scanning.
Compare this to antivirus based services where "submit a file" services
are more common than "scan your whole computer" type services.
The reason for this difference is clear if you realise that it is easier
to detect spyware/adware AFTER they are installed.
Another significant advantage is that these sites allow me to
submit a suspect file to several vendors (albeit indirectly). For
example, if Ad-aware correctly identifies a tracking cookie but
PestPatrol, Spybot, and Spy Sweeper miss it, then I would like to
inform them of this threat as well -- with minimal effort by me.
Cookies? I thought you were talking about something really serious.