Spybot detection

Mike

Hi
My Spybot detected two registry keys which were modified.
See below.

--- Report generated: 2005-07-26 18:06 ---

Security Risks: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Security Risks: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0


--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-07-22 Includes\Dialer.sbi
2005-07-22 Includes\Hijackers.sbi
2005-06-23 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-07-22 Includes\Malware.sbi
2005-07-22 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-07-22 Includes\Security.sbi
2005-07-19 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-07-22 Includes\Trojans.sbi

WHY DOESN'T MICROSOFT DETECT THESE IMPORTANT SECURITY ISSUES????????????????
 
Robin Walker [MVP]

Mike said:
My Spybot detected two registry keys which were modified.

Security Risks: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Security Risks: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

WHY DOESN'T MICROSOFT DETECT THESE IMPORTANT SECURITY ISSUES????????????????

This is more of an anti-virus issue than an anti-spyware issue, and perhaps
handled more appropriately by anti-virus software. You might just as well
ask why your anti-virus did not spot this.

In any case, this issue about the Security Centre is overshadowed by the
more serious possibility that some malware might have stopped your
anti-virus software from running in the first place, otherwise there would
not be much point in disabling these Security Center options. Perhaps you
should check that your anti-virus software is still running.

There are plenty of other security issues that MSAS does not spot: for
instance, lowered settings in the Internet Explorer security zones. It took
an MBSA scan to show those up for me: the MSAS scan does not pick them up.
 
plun



I was cleaning up a PC today with the same modified registry
keys. And this is of course important for MS to protect!
Everything within XP's security center must be better
protected.

Maybe MSAS team can make a better protection for this
within MSAS so send a suspected spyware report to MS about
this. Menu tools within MSAS.
 
Bill Sanderson

This is much more useful feedback than much of what we see here daily.

Specifics about areas we'd like to see the product cover are a great topic.
It may be a little late in the game, but let's at least get the ideas out
there.

 
plun

Hi

Yes and I believe it's not so much work to include
"Security center" protection in a new agent.

It cannot be so many registry strings involved and only a
few executables, dlls etc.
 
plun

Forgot one thing, Symantec must have fun with this
because this is exactly what they warned about
when SP2 and the Security center was introduced.

They said that NIS must have its own integrity and
not be mixed with Security center. But they backed and
now all users depend on security center warnings.

But this is history and a new agent within MSAS is maybe
an easy solution.


;(

--
plun

 
CurtB

Spybot is just reporting as a security threat the fact
that the user has turned off some security center
notifications. It's not reporting found spyware.
 
CurtB

In case you missed the post above...

Spybot is just reporting as a security threat the fact
that the user has chosen to turn off some security center
notifications. It's an annoying nag message that doesn't
seem to provide any way of ignoring it in future scans.
But, it is not reporting the results of any malware. The
original poster misinterpreted the spybot "Security
threat" warning.
 
plun

Hi

Did a user or was it malware turning off notifications ?

It is really easy to set this registry string with some
sort of malware......

Symantec warned about this when SP2 came out.
 
CurtB

It is common practice for these notifications to be
turned off to eliminate the SP2 nag messages where they
don't apply. Now Spybot is generating a nag message about
the notifications that were turned off (not a desirable
option in my opinion). If a user uses McAfee's security
center, they would not want SP2 nagging them because SP2
security center is not monitoring viruses. That is the
primary function for McAfee, Norton, etc. so it is only
logical to let the Virus software handle everything
dealing with viruses.
 
Michael Seidner

Amen to what CurtB said. I let SpyBot fix the registry settings and a few
minutes later I checked for my McAfee updates. After the new definitions
installed, there was a McAfee alert window that said that it was not to my
advantage to have both SP2 security center and McAfee's security center
running at the same time. It then asked me to choose McAfee Security Center
only (by pressing a "no" button to disable the SP2 security center) or
having both running (by clicking the "yes" button). So it does indeed seem
that it was McAfee's virus software that changed the registry.
BTW, I chose to only have McAfee's Security Center active. I will ignore
the SpyBot warning when it appears again.
 
plun

Well, common practise ?

This is a basic function within Security center to
check if antivirus programs are running.

And it is not a common practise to disable
notifications about this. (Except when SP2 came out and
Symantec refused to make it compatible with Security center)

I can't see any logic to let other applications handle it.

And was this notification disabled by a user, program or malware ?

If it is malware Security center must be better protected maybe
with a new MSAS "agent".

IMHO ;)
 
Guest

Yes, it is a common practice and no it is not malware.
Check out some other newsgroup besides this one sometime
and you will see the question frequently asked about how
to stop the SP2 warning messages. I manually turned off
those notifications as have a lot of other people who
choose options other than what Microsoft recommends.
Otherwise, you will be nagged to death that some
recommended options are not set. I know they are not set
because I chose an option that I control rather than go
on auto-pilot. I don't want the constant warning
messages. I choose to manually check for Windows updates
too and I do keep my machine current with updates.
Consequently, I turned off that notification and now
Spybot is nagging me about that. I will just ignore
those Spybot "Security Threat" warnings. The last thing
I need is MSAS nagging me about it too. So, please do
NOT add an MSAS agent to report this. Geez. As for the
comment about the logic of letting other applications
handle it... I chose to let McAfee security center
control virus software because Virus protection is what
they do. It's their reason for being. If Windows
security center is used to monitor virus software it will
be monitoring another vendor's software. At least that
is the case until such time as Microsoft rolls out its
own virus software. Then, it might make sense to have
Windows security center monitor virus software. In the
meantime, how would using Windows security center to
monitor McAfee virus software possibly make more sense
than letting McAfee monitor its own software?
 
plun

Yes, it is a common practice and no it is not malware.

Well, It is NOT common practise ;)

Every antivirus program from "partners" to MS signals to Security
center. And these notifications should NOT be turned off.

But maybe some of them changed this ? I can see that if it is so
easy to change Security center notifications with malware MS
can remove it from XP or it must be better protected ;)

But this can also be a Spybot bug !

Nevertheless it's important that newbies, normal users trust
Security center and notifications.
 
plun

Well, the only program I run from McAfee is Stinger and
if they haven't solved this yet I would directly choose another
anti virus program.

It is a Microsoft OS and I believe it's important to follow MS
standards, what a mess otherwise ! And for Security Center it is a
"must".

Some long time trials which all of them (except McAfee) works with
Security center, I recommend F-Secure or TrendMicro.

http://www.microsoft.com/athome/security/downloads/default.mspx

And I believe you ;)

--
plun

-----Original Message-----
(e-mail address removed) wrote on 2005-07-28 :
Yes, it is a common practice and no it is not malware.

Well, It is NOT common practise ;)

Every antivirus program from "partners" to MS signals to Security
center. And these notifications should NOT be turned off.

But maybe some of them changed this ? I can see that if it is so
easy to change Security center notifications with malware MS
can remove it from XP or it must be better protected ;)

But this can also be a Spybot bug !

Nevertheless it's important that newbies, normal users trust
Security center and notifications.

 
CurtB

Dude, check out some other newsgroups besides this one
some time. You are out of touch with reality. Of course
Microsoft recommends these alert settings should be
turned on because they are targeting the wide population
of users who have no idea how to properly maintain their
own computer systems. But those of us who do know what
needs to be done don't want to be constantly nagged with
irrelevant warning messages. That is why Windows
Security Center provides the option to turn them off. If
you have SP2, open Windows Security Center and check
out "Change the way Security Center alerts me" in the
Resources section. It is pure nonsense to assume that
malware is the reason those alert settings are off. What
you are proposing is that MSAS should provide an alert
telling users that some other user configurable alert
settings have been turned off. I already know they are
turned off. I intentionally did it with the means
provided by Windows Security Center for that very purpose.

BTW, there is no "s" in "practice". Every time you
misspell it, I wonder if I'm talking to a kid.
 
plun

CurtB has brought this to us :
Dude, check out some other newsgroups besides this one
some time. You are out of touch with reality. Of course
Microsoft recommends these alert settings should be
turned on because they are targeting the wide population
of users who have no idea how to properly maintain their
own computer systems. But those of us who do know what
needs to be done don't want to be constantly nagged with
irrelevant warning messages.

Hi

Well, I have no notifications from my TrendMicro antivirus program.
It is just running and updates well. Also within other PCs with
F-Secure, AVG everything is running with default Security center settings.

Something must be wrong with your antivirus program ! I have met this
with Norton antivirus program infected with virus, Live update and real
time protection off because of this malware, then the user shut off the
security center alarms because of this. ;)

That is why Windows
Security Center provides the option to turn them off. If
you have SP2, open Windows Security Center and check
out "Change the way Security Center alerts me" in the
Resources section. It is pure nonsense to assume that
malware is the reason those alert settings are off. What
you are proposing is that MSAS should provide an alert
telling users that some other user configurable alert
settings have been turned off. I already know they are
turned off. I intentionally did it with the means
provided by Windows Security Center for that very purpose.

Andy and Robin give this:

This is strange I've just updated Spybot and run a scan
and I've now got the same two security risks listed but
as you can see from my reg information above these are
not set to dword:0

Yes, if you look closely at the SpyBot report, it is complaining that
they are NOT zero (!=0), not that they ARE zero (=0). As you posted,
your entries are non-zero because of the Symantec anti-virus. So you
are observing the same effect as the others who recently posted on the
new SpyBot alert.

It looks as if this SpyBot check is going to come up with everyone
using McAfee or Symantec suites.
--
Robin Walker [MVP Networking]
(e-mail address removed)
BTW, there is no "s" in "practice". Every time you
misspell it, I wonder if I'm talking to a kid.

English is not my native language but it seems that you understand.

;)
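
Added example, not part of any poster's message and not Spybot's own code: a Python illustration of the reading Robin Walker gives in the reply quoted above, where a finding written as !=dword:0 fires when the value is anything other than zero. The report text and the regedit export are constructed samples, and the function names are made up for the illustration.

```python
import re

# Constructed sample in the layout of the Spybot report quoted in this thread.
# The registry path is wrapped after "Security", as happens in a pasted report.
SPYBOT_REPORT = r"""Security Risks: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\AntiVirusDisableNotify!=dword:0

Security Risks: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\AntiVirusOverride!=dword:0
"""

# Constructed regedit export; the data values are made up for the example.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000000
"""

# <key>\<value name>!=dword:<number>, the only finding form shown in the thread.
FINDING = re.compile(
    r"^(?P<key>HKEY_[^!=]+)\\(?P<name>[^\\!=]+)!=dword:(?P<val>[0-9A-Fa-f]+)$"
)
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9A-Fa-f]{8})$')


def parse_report(text):
    """Return (key, value_name, expected) for each finding in a pasted report."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        # The first line is the category header; rejoin the wrapped path after it.
        m = FINDING.match(" ".join(lines[1:]))
        if m:
            # Assumption: the number is read as hex, like a .reg dword (0 either way).
            rules.append((m["key"], m["name"], int(m["val"], 16)))
    return rules


def parse_reg_export(text):
    """Map (key, value_name), lower-cased, to the dword data in a .reg export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_DWORD.match(line)
        if m and key:
            values[(key.lower(), m["name"].lower())] = int(m["val"], 16)
    return values


def evaluate(rules, values):
    """Apply each '!=' finding to the exported values.

    'flagged' means only that the data differs from the expected number. It
    cannot tell a user's choice or an antivirus suite's setting from malware,
    which is the disagreement in this thread.
    """
    results = []
    for key, name, expected in rules:
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            status = "absent"
        elif actual != expected:
            status = "flagged"
        else:
            status = "ok"
        results.append((name, actual, status))
    return results


if __name__ == "__main__":
    for row in evaluate(parse_report(SPYBOT_REPORT), parse_reg_export(REG_EXPORT)):
        print(row)
```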
 
Robin Walker [MVP]

CurtB said:
BTW, there is no "s" in "practice".

This is one instance where US English differs from British English.
In Britain, the noun is "practice" and the verb is "to practise".
In the US, the "practise" spelling is widespread in both usages.

Anyway, plun is Swedish, so he's doing well either way.
 
CurtB

Plun, I'm going from memory here because my home machine
has SP2 but this one does not. Do you have SP2
installed? Unless you do, this will not apply to you and
will explain a little why I am apparently unable to make
you understand. I know you don't have McAfee so that
explains why the firewall alert setting in Windows
Security Center is not an issue for you. But, for people
with SP2 and McAfee, turning on this alert setting will
cause McAfee to display an alert about conflicting
security centers. That is the only such alert I am
receiving from McAfee. So, no, there is NOT anything
wrong with my virus software. Another alert setting is
about automatic updates. I have automatic updates turned
off because it is my personal preference to handle
updates myself. I manually turned off this alert setting
in Windows Security Center to keep SP2 from nagging me
about not using automatic updates. The last alert
setting is about virus software. As I explained
previously, I choose to have McAfee handle my virus
software monitoring because it is their software. So, I
chose to turn off that alert setting in Windows Security
Center too. There was a reason why I chose to turn off
each of these alert settings. So, it is annoying now to
be getting "Security Threat" warnings from Spybot that
these alert settings are turned off. I am simply trying
to persuade Microsoft not to repeat the same mistake with
MSAS that Spybot made. I am not trying to convince you.
Your mind is made up anyway.
 
