Spycar - Test for anti-malware software

Has anyone come across Spycar? It claims to be a suite of tools designed to mimic spyware-like behavior, created so anyone could test the behavior-based defenses of an anti-spyware tool.

I have not tried it yet as I thought it may be wise to see if anyone else has tested it. May be a good test for the new Beta?

This is the website:

http://www.spycar.org/Welcome%20to%20Spycar.html


I tried one of their tests before with Spyware Terminator. It basically adds certain keys to your registry, among other things like changing your IE home page. You have to at least allow it to run to test the effectiveness of your anti-spyware; otherwise, blocking it from running or having your scanner detect it as malware will be no different from any virus test.

Thanks sotabeaner,

Wonder if CAVS would detect it as malware if one clicked Allow on the HIPS pop-up?
Also, it might be interesting to see if Spybot and others can react well to this. I might give it a try; could be fun.

Don’t suppose you have come across BufferZone?

http://www.trustware.com/virtualization/freewb.html


I don’t use a lot of security products and have never tried virtualization ones (currently only have CFP running real-time). Since I don’t have CAVS I can’t tell if it’ll detect spycar as malware, but if the HIPS is anything similar to Spyware Terminator then it should at least prompt on its first execution.

I will find out over the weekend. If my PC is still working next week I’ll post the results.


If? Hmm… seems like your PC is already infected or something else… ;D

Just a little joke after recent events. My PC will be fine; after all, I am protected by Comodo.


Don’t worry. It’s not real spyware. But true, you have Comodo in case something happens ;D.

Note: I remember that after deleting/uninstalling Spycar there were still remnants in the C:\Documents and Settings\… directory (forgot which ones). You might want to delete them.

Thanks for the warning,


Strangely, after running all the Spycar tests (CAVS 2 HIPS caught all run attempts) and then running towtruck.exe (their intrusion evaluation module), TowTruck reported that there was no Spycar profile and that I had to run some tests to get some results.

I’m assuming that a score of ZERO is still a perfect score, but I’ve emailed them anyway.

Cheers,
Ewen :slight_smile:

towtruck? You must have advanced to a high level to reach something like that! Seriously, I don’t know what that is ;D. I only tried the home page-changing test and didn’t know there was a scoring system. Maybe it’s been updated since and if zero is what we think it is, then congrats to CAVS (:CLP).

Sounds like CAVS did well. I will try the test over the weekend (won’t be at my main test PC till then).

Here are some more tests for the brave:

1. advanced process termination test
   http://www.diamondcs.com.au/index.php?page=apt

2. the simple process termination test from SSM
   http://www.syssafety.com/leaktests.html

3. the keylogger test from SSM
   http://www.syssafety.com/leaktests.html

4. morgud’s threat simulator
   http://www.morgud.com/interests/secu...mulator-v2.asp

5. gentlesecurity’s threat test
   http://gentlesecurity.com/demo.html

6. spycar’s browser hijack tests
   http://spycar.org

7. ghostsecurity’s registry tests
   http://ghostsecurity.com/registrytest/

8. martin’s keylogger (see if your HIPS program can stop it from recording keystrokes)
   http://www.winsite.com/bin/Info?26000000037599


Ahh, another guy that doesn’t read the readme. :slight_smile: From the website:

"Run TowTruck 1.0 to see how well your anti-spyware tool defended you, and to clean up all Spycar alterations.

TowTruck will measure whether Spycar was able to make the changes (in a benign form) often made by spyware tools. In your TowTruck output, you will see one of three items:

1. “Spycar change allowed” – Sorry, but your anti-spyware tool did not block this test. You are not protected against this kind of behavior.
2. “Spycar change blocked” – Your anti-spyware tool blocked this test. That’s a good thing.
3. “Spycar test not performed” – Either you did not run this element of Spycar, or your anti-spyware tool blocked it so thoroughly that Spycar cannot even determine that it was run. The former just means you need to do the test. The latter is a good thing."

Al
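An added example, not Spycar's or TowTruck's code and not from any poster in this thread: a PowerShell snapshot-and-diff of the registry locations a test like the one sotabeaner describes (autostart keys, IE home page) is likely to touch, so you can confirm for yourself whether a change was allowed or blocked, the same distinction TowTruck's three verdicts make. The key list is an assumption about what such a test modifies, not Spycar's own list; run it from an elevated prompt if you want the HKLM key covered.

```powershell
# Registry locations to watch. Assumed targets of a Spycar-style test
# (IE home page plus user and machine autostart keys), not Spycar's own list.
$Keys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Capture every value under each watched key as "key\name" -> string value.
function Get-RegSnapshot {
    $snap = @{}
    foreach ($k in $Keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds.
            if ($p.Name -like 'PS*') { continue }
            $snap["$k\$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

# Report values that were added, removed or changed between two snapshots.
function Compare-RegSnapshot($Before, $After) {
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        $b = $Before[$n]; $a = $After[$n]
        if ($null -eq $b -and $null -ne $a)     { "ADDED    $n = $a" }
        elseif ($null -ne $b -and $null -eq $a) { "REMOVED  $n (was $b)" }
        elseif ($b -ne $a)                      { "CHANGED  $n : '$b' -> '$a'" }
    }
}

$before = Get-RegSnapshot
Read-Host 'Snapshot taken. Run the test now, then press Enter'
$after = Get-RegSnapshot
$diff = @(Compare-RegSnapshot $before $after)
if ($diff.Count -eq 0) {
    'No monitored value changed: the change was blocked (or the test did not run).'
} else {
    'Monitored values changed (change allowed):'
    $diff
}
```

Any line the script prints after the test corresponds to a "change allowed" result; an empty diff is either "blocked" or "not performed", which only the test's own log can tell apart.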

Thanks for the highlights, adric. I did skim through it afterwards, but I guess I’m not interested in spyware tests. Right now I would undoubtedly fail any test because I have no anti-spyware running (re: my 2nd post here).

Let’s talk about virtualization…

What are the pros and cons that you see?

OK, the way I see it is: it’s a way of quarantining some applications. It gives you the ability to be cautious. But it still relies on the user to make the decision about whether something is trusted or not, e.g. some app you run that looks OK but then turns out to be malware (after you trusted the app).

What are the real benefits?
What are the real problems?

Let’s have a good brainstorming session on this…

Melih

For Spycar, I know that Arovax Shield passes all its tests.

Does any of CAVS’s HIPS stop the tests?

No, not attempted execution; that kind of HIPS is worthless. I mean, allowing the execution, does CAVS stop the actual changes?

I’m pretty sure I read somewhere on the forum that the HIPS in V3 will be application-centric (detecting the apps trying to execute) AND entry vector aware (monitoring and controlling access to critical vectors in the system). At least I hope it’s going to be like that, anyway. ;D

Ewen :slight_smile: