I just installed IE7 on my other computer and WD thinks it is spyware


robinb

Last computer to update- update went fine for IE7 but WD went nuts.
Popped up saying IE7 was spyware.
Of course I allowed it but it really should know that one of its own
products is not spyware and worse it is not even classified yet.
robin
 
Had you recently installed Defender and was it fully up to date? I'd expect
this kind of response if Defender didn't have the current definitions at the
time IE 7 was installed, since it was released so recently.

Could you cut and paste the detection here so we could take a look?
Unfortunately, the History only keeps a limited set of information, but it'd
be interesting to see what it tells us.
 
Here is some of it in Event Viewer. BTW, after speaking to MS on another
issue today, the tech informed me that on some computers WD did not play
nice with IE7. Again, this seemed to only happen to me on one computer. I
took out the username for security so you will see ***

Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {E383347F-AA23-4515-AA74-5442A7CAE158}

User: ***

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: iemain:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page

Alert Type: Unclassified software

Detection Type:



Type: Warning
Date: 11/2/2006
Time: 8:57:32 AM
Event: 3004
Source: WinDefend
Category: None
User: N/A
Computer: **

Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {0F8EAC90-5EC9-439C-8808-2FF365C3D18D}
User: ***
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: iemain:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
Alert Type: Unclassified software
Detection Type:

Type: Warning
Date: 11/2/2006
Time: 8:57:32 AM
Event: 3004
Source: WinDefend
Category: None
User: N/A
Computer: ***

Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {E383347F-AA23-4515-AA74-5442A7CAE158}
User:

Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: iemain:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page
Alert Type: Unclassified software
Detection Type:

Type: Warning
Date: 11/2/2006
Time: 8:57:30 AM
Event: 3004
Source: WinDefend
Category: None
User: N/A
Computer: ***

Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {8422E75D-911E-496E-A9F6-9B21AEA9BE26}
User:

Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: iemain:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page
Alert Type: Unclassified software
Detection Type:

Type: Warning
Date: 11/2/2006
Time: 8:57:30 AM
Event: 3004
Source: WinDefend
Category: None
User: N/A
Computer: ***

Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {AE6F8D39-1220-434B-AEFD-7EC5F27720B8}
User:

Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: iemain:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL
Alert Type: Unclassified software
Detection Type:

Type: Warning
Date: 11/2/2006
Time: 8:57:30 AM
Event: 3004
Source: WinDefend
Category: None
User: N/A
Computer:

Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {C57D0503-4CD3-4491-8D94-CADA0F05893E}
User:

Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: iemain:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Search_URL
Alert Type: Unclassified software
Detection Type:

Type: Warning
Date: 11/2/2006
Time: 8:57:28 AM
Event: 3004
Source: WinDefend
Category: None
User: N/A
Computer: ***'

Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {B8ABD110-A013-4842-B470-AF4C7D224D3A}
User:

Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: ieabout:HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\SecurityRisk
Alert Type: Unclassified software
Detection Type:

Type: Warning
Date: 11/2/2006
Time: 8:57:28 AM
Event: 3004
Source: WinDefend
Category: None
User: N/A
Computer:

Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {98004B3C-0F35-45DF-9350-C829C762F342}
User:

Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: ieabout:HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\PostNotCached
Alert Type: Unclassified software
Detection Type:

Type: Warning
Date: 11/2/2006
Time: 8:57:28 AM
Event: 3004
Source: WinDefend
Category: None
User: N/A
Computer:

Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {27C9572C-A200-403A-A175-9904FCCE5899}
User:

Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: ieabout:HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\NoAdd-onsInfo
Alert Type: Unclassified software
Detection Type:

Type: Warning
Date: 11/2/2006
Time: 8:57:28 AM
Event: 3004
Source: WinDefend
Category: None
User: N/A
Computer:

Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {8E725E3E-6875-4AE2-8263-16F499C3BC18}
User:

Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: ieabout:HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\NavigationFailure
Alert Type: Unclassified software
Detection Type:

Type: Warning
 
OK, that makes a bit more sense than Defender not recognizing IE 7 at all.

What Defender detected was the creation or modification of Registry
StartPage/SearchPage and other keys, not Internet Explorer itself. In fact,
it doesn't seem to be able to identify what software it's associated with, so
the issue is that it can't identify the software that caused the changes at
all, not that it's rejecting IE.

That's still not good, but since it only happens on some systems, it points
towards a timing or installation process race condition within the Defender
Real-time process that detected it. Maybe these registry settings are made by
the installer or maybe IE 7 itself, but whichever it is, in this case Defender
didn't receive the information required to identify the source.

As I stated above, this makes more sense than Defender not knowing the
actual identity of IE 7, since that is embedded in the Digital Signatures of
the main executable files. Thanks for posting the log entries.

Bitman
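
The reading of the log given in this reply, that every alert is a registry-value change with no program attached, can be checked mechanically. The following is an added example, not part of the original thread: a Python sketch that parses pasted Event 3004 text, rejoins wrapped `Path Found` lines, de-duplicates on Scan ID and groups the changed value names by monitoring agent and key. The sample input is constructed with placeholder Scan IDs, and treating the text before the first colon as the agent name and `\\` as the key/value separator is an assumption read off the log layout above.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Event 3004 text pasted in this thread.
# Scan IDs are placeholders; two paths are line-wrapped and alert 1 is pasted twice.
SAMPLE = r"""
Scan ID: {00000000-0000-0000-0000-000000000001}
Name: Unknown
Path Found: iemain:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
Alert Type: Unclassified software
Scan ID: {00000000-0000-0000-0000-000000000002}
Name: Unknown
Path Found: iemain:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search
Page
Alert Type: Unclassified software
Scan ID: {00000000-0000-0000-0000-000000000003}
Name: Unknown
Path Found: ieabout:HKLM\SOFTWARE\Microsoft\Internet
Explorer\AboutURLs\\SecurityRisk
Alert Type: Unclassified software
Scan ID: {00000000-0000-0000-0000-000000000001}
Name: Unknown
Path Found: iemain:HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
Alert Type: Unclassified software
"""

ALERT_RE = re.compile(
    r"Scan ID:[ \t]*(?P<scan>\{[0-9A-Fa-f-]+\}).*?Name:[ \t]*(?P<name>[^\n]*).*?"
    r"Path Found:(?P<path>.*?)Alert Type:", re.S)

def parse_alerts(text):
    """Return one record per unique Scan ID, with wrapped paths rejoined."""
    alerts = {}
    for m in ALERT_RE.finditer(text):
        path = " ".join(m["path"].split())         # undo line wrapping (assumes wraps at spaces)
        agent, _, target = path.partition(":")     # assumed agent prefix, e.g. "iemain"
        key, _, value = target.rpartition("\\\\")  # registry key, then "\\", then value name
        alerts.setdefault(m["scan"], {"agent": agent, "key": key,
                                      "value": value, "name": m["name"].strip()})
    return list(alerts.values())

def summarize(alerts):
    """Group changed value names by (agent, key); list alerts that name a program."""
    by_key = defaultdict(set)
    for a in alerts:
        by_key[(a["agent"], a["key"])].add(a["value"])
    attributed = [a for a in alerts if a["name"].lower() != "unknown"]
    return {k: sorted(v) for k, v in by_key.items()}, attributed
```

An empty `attributed` list alongside a short list of keys is the pattern discussed here: the alerts identify which registry values changed, but none of them names the software that changed them.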
 
After reading the threads just before and after yours and reviewing your log
entries, I wonder if it isn't the values in these registry entries that are
Unknown or 'not yet classified'.

If that PC has some Home Page information that isn't the IE 7 default or
common items like 'about:Blank', then it might be flagging these unknown
URLs. Maybe Mr Cat has some input since he seems to understand these types of
entries and their causes.

Bitman
 
[Top posting corrected]
After reading the threads just before and after yours and reviewing your log
entries, I wonder if it isn't the values in these registry entries that are
Unknown or 'not yet classified'.

By contextualizing the answer to postings (not top-posting), a user is
less likely to miss details. It's proof that had you contextualized on
your first posting, you may not have missed this point.

If that PC has some Home Page information that isn't the IE 7 default or
common items like 'about:Blank', then it might be flagging these unknown
URLs. Maybe Mr Cat has some input since he seems to understand these types of
entries and their causes.

I will volunteer a guess along the same lines that it has something to
do with the actual values of those entries - it seems to be the simplest
explanation (rather than a race condition with an IE7 install).

Could the Original Poster (not top) post what is in those fields?
 
An archaic useless [web forum] interface attempting to mimic a modern service
is what causes top posting, which I will continue precisely due to the
supplied interface. It also has nothing to do with either response I made,
since the entire original post was read completely initially, it was the
reading of other posts that precipitated my second post as I stated here:

It was never appropriate for Microsoft to use the Newsgroup service for a
wider audience, since it isn't suited to the larger number of visitors it
could expect and the attempt to support a web interface is lame. This
service and its associated interface should have remained the bastion of the
techies it was originally designed to serve with a true web forum format
supplied instead.

Bitman

 
I can only go on empirical observations. It seems that the real time agents
are selective in the types of registry entries that are monitored.
Modification of the hosts file is a perfect example. WD could never identify
the program making the modifications (try it with Spybot hosts file). A
similar situation occurs with the TCP/UDP port monitoring agents. Again, no
indication of the listener program. I observed early in the Beta that
Microsoft seemed reluctant to change real time protection. It is good, but
too confusing for the average Joe and sometimes for the Tekkie. I'm getting
off topic, but the lack of always allow in the final WD is baffling.
So really nothing has changed. WD still lacks the ability in most cases to
identify the program making the changes.
 
Bitman said:
An archaic useless [web forum] interface attempting to mimic a modern service
is what causes top posting, which I will continue precisely due to the
supplied interface.

I know what you mean about web forum software. I use Thunderbird or
Outlook Express, as they both work with NNTP and this forum.
 