Skip to content

Why donate?

Which type of operating system are you running?

What is SDFSSvc.exe?

SDFSSvc.exe is part of Spybot - Search & Destroy and developed by Safer-Networking Ltd. according to the SDFSSvc.exe version information.

SDFSSvc.exe's description is "Scanner Service"

SDFSSvc.exe is digitally signed by Safer Networking Ltd..

SDFSSvc.exe is usually located in the 'C:\Program Files (x86)\Spybot - Search & Destroy 2\' folder.

If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.

Vendor and version information [?]

Product nameSpybot - Search & Destroy
Company nameSafer-Networking Ltd.
File descriptionScanner Service
Original filenameSDFSSvc.exe
Legal copyright© 2009-2011 Safer-Networking Ltd. A..
Legal trademarkSpybot® and Spybot - Search & Destr..
Product version2.0.3.0
File version2.0.3.160

The following is the available information on SDFSSvc.exe:

Product nameSpybot - Search & Destroy
Company nameSafer-Networking Ltd.
File descriptionScanner Service
Original filenameSDFSSvc.exe
Legal copyright© 2009-2011 Safer-Networking Ltd. All rights reserved.
Legal trademarkSpybot® and Spybot - Search & Destroy® are registered trademarks.
Product version2.0.3.0
File version2.0.3.160

Digital signatures [?]

This file has a valid digital signature.

Signer nameSafer Networking Ltd.
Certificate issuer nameVeriSign Class 3 Code Signing 2004 CA
Certificate serial number1e9298a426d948125bc1acf39622d735

Hashes [?]


Error Messages

These are some of the error messages that can appear related to sdfssvc.exe:

sdfssvc.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

sdfssvc.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.

Scanner Service has stopped working.

End Program - sdfssvc.exe. This program is not responding.

sdfssvc.exe is not a valid Win32 application.

sdfssvc.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.

What will you do with SDFSSvc.exe?

To help other users, please let us know what you will do with SDFSSvc.exe:

What did other users do?

The poll result listed below shows what users chose to do with SDFSSvc.exe. 74% have voted for removal. Based on votes from 92 users.

User vote results: There were 68 votes to remove and 24 votes to keep

NOTE: Please do not use this poll as the only source of input to determine what you will do with SDFSSvc.exe.

Malware or legitimate?

If you feel that you need more information to determine if your should keep this file or remove it, please read this guide.

Please select the option that best describe your thoughts on the information provided on this web page

Free online surveys

And now some shameless self promotion ;)

A screenshot of FreeFixer's scan result.Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and let you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/20008/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.

If you have questions, feedback on FreeFixer or the website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.


Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.

I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.

Ali As writes

3 thumbs

Comodo firewall shows that SDFSSvc.exe makes internet connection and sends data to an external IP => this is a privacy infringement as often connecting to a certain IP with a anti-virus program that is able to identify your computer. Even if Spybot does nothing with this info, many others can spy on the line at several stages and track a users everywhere and ant anytime using the same computer / Windows ID / network name / DHCP ID

# 16 Feb 2012, 9:50

cactuspat writes

2 thumbs

On Win XPPro SP3 machine this file causes Comodo to constantly monitor its activity, thus Comodo is constantly using between 9% and 99% of CPU.

sdfssvx.exe was also sending info every few seconds to IP, which is interestingly in a block of IP addresses ( - IANA has assigned for "special use"... (;q=

For now I've uninstalled Spybot S&D ver 2 and gone back to old reliable ver 1.6 until more info is forthcoming on WTF info is being reported to who at the mystery IP address and the software conflict with Comodo is resolved!

# 1 Jan 2013, 15:56

hartl writes

2 thumbs

IP is a multicast address and is used to announce spybot to other instances in the same network, just like a lot of other products do. multicasts won't cross router boundaries unless the router or firewall has explicitely been instructed to do so.

# 5 Mar 2013, 3:44

Der Wecker writes

1 thumb

1. A program / service which opens a connection to another (remote) computer in the background
- without informing me about what and why it is doing this or
- without beeing explicitely forced to do that by me i. e. by clicking on an "update" button,
is generally suspicious.

2. A (remote) machine which is not explicitely listet in the ICAN or clearly assignet to a person / company in the whois-server of its ISP is very suspicious!

3. A program / service which opens a connection to such a machine and sends data to it acts like a trojan horse or keylogger.

4. A program / service which informs an unknown remote machine about a program (itself) is actually running on your machine in a specified version, which informs that remote machine about your operating system, too, may help an intruder (human or machine), because these facts are a valid information about where to search for possible entries into your system!

Someone who still thinks that spybots service is something else than possible spyware / trojan horse should clearly read the 'answers' from the spybot team member 'sandra' in their forum: About the reasons for that connection she wrote:
"One of them [the reasons] is that parts of Spybot-S&D temporarily try to verify their certification via internet."
A lie!: By sending the name of your computer to another, covered, unknown remote computer? Without any answers?? Verifying certificates works in a different manner!

"Another one is that SDWelcome tries to connect with the Spybot Services and communicates with them via HTTP."
Again a lie: The spybot service communicates via the protocol UDP and the ports 56821 (local) to 21328 (remote). Http connections uses the http protocol and port 80 in both directions!

"Or the Updater searches for updates and connects with the internet."
Again a lie: By sending the name of your computer to another, covered, unknown remote computer? Without any answers?? TWICE A SECOND??? And: It is not the update service, which communicates with that machine with the ip adress!

"None of these connections are bad, they are only for your security."
Yeah, I believe in the Osterhase too! Every malware tries to suggest everyone that it is a security software!
For security reasons it is much better (and real security software does this),
- not to send any data to unknown machines via unchipered channels!
- not to communicate to remote, unknown machines, which are listed just for "special use": no owner, no company, no country!
- not to inform third parties on the line about what software and what operating system you are using in this moment!

Another 'response' of that 'Sandra' is:
"That is the client count feature which uses this port. We will improve this intervall in the new version Spybot 2.1. which we are currently working on.".
A 'client count feature' which sends the name and ip of your computer TWICE A SECOND to another, unknown machine which is not part of the spybot server farm??? This 'feature' informs not only the owner of that covered remote machine; it informs everyone on the line that YOU are using spybot in a version higher than 1.6 an lower 2.1. on a Windows based system. There is in fact only one existing major version. And: The ongoing 'count' informs the owner of that covered machine as everyone else on the line about the fact, that your computer is NOW in use, how long it is in use, when you uses your computer, how often you do ... do you really want to give all these informations to unknown third parties???

And there is another problem: It is possible that the spybot service program sends sensible data from your machine to a remote computer; in each sended packet there are a few bytes of 'content'. Who owns and uses that remote machine? Who collects which data from it? And: Who else could monitor the (open) connection and collects data, too?

The spybot service does not inform you, the spybot team does not inform you about real reasons and real facts, nor about the fact that the spybot program works without any problems if that service is completely blocked from the internet! Even the regular update part works without problems!

So there could be only these suggestions:
- If you really (and still) believe that the rest of the spybot programm does what it should do (and does not do anything else!): block that service from connecting to ANY machine in the internet by creating rules in your firewall; in Windows 7 or 8 (or later) you could do this without any third party program.
- Or: Uninstall that suspicious Version 2.x and use Version 1.6.
- Or: Swith to another malware shield and scanner!

# 15 Jul 2014, 4:00

Leave a reply