G
Guest
Large update for Spybot - latest detection update : 6/20/07
G
Guest
My scan using the latest updates found two things I'm worried about :
(1) Microsoft.Windows. IE FirewallBypass
(2) Zlob. DNSChanger
I think i just removed the Zlob using Spybot in safe- mode, i havn't
re-scanned
yet to find out. But after googling the firewallbypass i can't seem to
figure out
if this is a malware or is Spybot telling me that i might have a security
problem
with my Windows firewall . Can't make head or tails from answers in the
forum.
Is anyone else showing this with todays update ? Ron
(1) Microsoft.Windows. IE FirewallBypass
(2) Zlob. DNSChanger
I think i just removed the Zlob using Spybot in safe- mode, i havn't
re-scanned
yet to find out. But after googling the firewallbypass i can't seem to
figure out
if this is a malware or is Spybot telling me that i might have a security
problem
with my Windows firewall . Can't make head or tails from answers in the
forum.
Is anyone else showing this with todays update ? Ron
G
Guest
Ron,
Just ran a test and found:
Microsoft.Windows. IE FirewallBypass
same as you. As I'm sure our browsing habits are different it is unlikely
we both got "hit" at the sametime. My guess is this is a false alarm.
Could someone with friends at Spybot report this.
?:-\
Tim
Just ran a test and found:
Microsoft.Windows. IE FirewallBypass
same as you. As I'm sure our browsing habits are different it is unlikely
we both got "hit" at the sametime. My guess is this is a false alarm.
Could someone with friends at Spybot report this.
?:-\
Tim
A
Anonymous Bob
Ron H said:
It runs without any problems here.
Bob Vanderveen
G
Guest
Okay, maybe it's Not a false alarm. It might just be a less than desirable
security setting.
It indicates that IE is on the Firewall exceptions list.
SB S&D says:
============
Company:
Product: Microsoft.Windows.IEFirewallBypass
Threat: Security
Description
This is beeing flagged whenever the IE is configured to accept incoming
connections through the Windows Firewall. Normally the IE does not need to
accept incoming connections like servers do.
=============
I just checked with some of the machines in the office and no one else seems
to have IE on their exceptions list. I have removed it from the list and
will see what happens. I should be able to add it back fairly easily if I
have to.
--------registry setting follows-------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled
xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program
Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
security setting.
It indicates that IE is on the Firewall exceptions list.
SB S&D says:
============
Company:
Product: Microsoft.Windows.IEFirewallBypass
Threat: Security
Description
This is beeing flagged whenever the IE is configured to accept incoming
connections through the Windows Firewall. Normally the IE does not need to
accept incoming connections like servers do.
=============
I just checked with some of the machines in the office and no one else seems
to have IE on their exceptions list. I have removed it from the list and
will see what happens. I should be able to add it back fairly easily if I
have to.
--------registry setting follows-------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled
xpsp2res.dll,-22019""C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program
Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
G
Guest
Tim, I don't see IE listed in exceptions in my fire wall settings. Where did
you
remove IE from a list.
you
remove IE from a list.
Tim Clark said:Okay, maybe it's Not a false alarm. It might just be a less than desirable
security setting.
It indicates that IE is on the Firewall exceptions list.
SB S&D says:
============
Company:
Product: Microsoft.Windows.IEFirewallBypass
Threat: Security
Description
This is beeing flagged whenever the IE is configured to accept incoming
connections through the Windows Firewall. Normally the IE does not need to
accept incoming connections like servers do.
=============
I just checked with some of the machines in the office and no one else seems
to have IE on their exceptions list. I have removed it from the list and
will see what happens. I should be able to add it back fairly easily if I
have to.
--------registry setting follows-------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program
Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
--------
Tim Clark said:
G
Guest
Follow Up!!
Interesting, I just ran SB again and it still comes up.
It appears that removing IE from the exceptions list in the Control
Panel->Windows Firewall had NO EFFECT on the Registry setting being detected
by SB.
So if you don't have it in CP->Windows Firewall->exceptions it makes sense
(in a sense) that you are still getting the detection.
Now I really confused.
Feed back anybody ???
?:-\
Interesting, I just ran SB again and it still comes up.
It appears that removing IE from the exceptions list in the Control
Panel->Windows Firewall had NO EFFECT on the Registry setting being detected
by SB.
So if you don't have it in CP->Windows Firewall->exceptions it makes sense
(in a sense) that you are still getting the detection.
Now I really confused.
Feed back anybody ???
?:-\
Tim Clark said:Ron,
Start->Control Panel->Windows Firewall->Execptions [Tab]->selected
IE->pressed delete.
?
Tim
Ron H said:Tim, I don't see IE listed in exceptions in my fire wall settings. Where did
you
remove IE from a list.
Tim Clark said:Okay, maybe it's Not a false alarm. It might just be a less than desirable
security setting.
It indicates that IE is on the Firewall exceptions list.
SB S&D says:
============
Company:
Product: Microsoft.Windows.IEFirewallBypass
Threat: Security
Description
This is beeing flagged whenever the IE is configured to accept incoming
connections through the Windows Firewall. Normally the IE does not need to
accept incoming connections like servers do.
=============
I just checked with some of the machines in the office and no one else seems
to have IE on their exceptions list. I have removed it from the list and
will see what happens. I should be able to add it back fairly easily if I
have to.
--------registry setting follows-------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program
Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
G
Guest
Ron,
Start->Control Panel->Windows Firewall->Execptions [Tab]->selected
IE->pressed delete.
?
Tim
Start->Control Panel->Windows Firewall->Execptions [Tab]->selected
IE->pressed delete.
?
Tim
Ron H said:Tim, I don't see IE listed in exceptions in my fire wall settings. Where did
you
remove IE from a list.
Tim Clark said:Okay, maybe it's Not a false alarm. It might just be a less than desirable
security setting.
It indicates that IE is on the Firewall exceptions list.
SB S&D says:
============
Company:
Product: Microsoft.Windows.IEFirewallBypass
Threat: Security
Description
This is beeing flagged whenever the IE is configured to accept incoming
connections through the Windows Firewall. Normally the IE does not need to
accept incoming connections like servers do.
=============
I just checked with some of the machines in the office and no one else seems
to have IE on their exceptions list. I have removed it from the list and
will see what happens. I should be able to add it back fairly easily if I
have to.
--------registry setting follows-------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program
Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
A
Alan
Hi all,
For what it's worth, I just did a SpyBot scan with the latest updates and no
problems were found.
Alan
For what it's worth, I just did a SpyBot scan with the latest updates and no
problems were found.
Alan
G
Guest
Tim I'm not sure if you can pull this up, but if your registered with spybot
forum and you can check out this thread. I'm waiting for a responce from
spybot, and do you remember this name ?
http://forums.spybot.info/showthread.php?t=15126&highlight=firewallbypass
forum and you can check out this thread. I'm waiting for a responce from
spybot, and do you remember this name ?
http://forums.spybot.info/showthread.php?t=15126&highlight=firewallbypass
G
Guest
Ron,
I was able to read the thread.
So I guess it looks like it is being investigated.
Please keep an eye on this and let us know what you find out.
Not sure what you mean by remember this name?
Do you mean the Original Poster of that thread?
?:-\
Tim
I was able to read the thread.
So I guess it looks like it is being investigated.
Please keep an eye on this and let us know what you find out.
Not sure what you mean by remember this name?
Do you mean the Original Poster of that thread?
?:-\
Tim
R
Robinb
6 computers- 1 has vista -and spybot not installed on that
I just did the spybot update on 2 running xp pro sp2
those two are not using windows firewall but do have ie7
nothing suspcious found at all.
I will do the notebook later tonite (that runs windows firewall but only has
ie6
after the scan i will post its results here
I will do the others prolly on friday (those are running ie7 with windows
firewall and one with ZA free) because i have 2 clients back to back and
will be gone from 10am to about 6pm and will be brain dead when it comes to
computers by then <g> but i will test them on friday morning and let you
know
robin
I just did the spybot update on 2 running xp pro sp2
those two are not using windows firewall but do have ie7
nothing suspcious found at all.
I will do the notebook later tonite (that runs windows firewall but only has
ie6
after the scan i will post its results here
I will do the others prolly on friday (those are running ie7 with windows
firewall and one with ZA free) because i have 2 clients back to back and
will be gone from 10am to about 6pm and will be brain dead when it comes to
computers by then <g> but i will test them on friday morning and let you
know
robin
R
robinb
ok i took the plunge while i was eating dinner on 2
both run xp pro sp2
both use windows firewall and ie6
both got the Microsoft.Windows. IE FirewallBypass
both are uptodate on all scans for all antimalware/spyware programs, virus
protection and Windows security updates.
This has got to be a false positive. (I did not allow spybot to quarantine
this, i just unchecked it until spybot figures it to be a false positive.
Now somone from here who has an in with spybot needs to tell them
As said I will try it on the other ones if i have any time tomorrow but most
definetly friday
robin
both run xp pro sp2
both use windows firewall and ie6
both got the Microsoft.Windows. IE FirewallBypass
both are uptodate on all scans for all antimalware/spyware programs, virus
protection and Windows security updates.
This has got to be a false positive. (I did not allow spybot to quarantine
this, i just unchecked it until spybot figures it to be a false positive.
Now somone from here who has an in with spybot needs to tell them
As said I will try it on the other ones if i have any time tomorrow but most
definetly friday
robin
G
Guest
Well,
I just scanned the home computer with the "arsenal".
Those of you know me know what that means.
Nothing was found by any of the other programs.
I then scanned with Spybot and it found the "Firewall IE" setting.
Now, before we jump on Spybot for a false positive,
note the report that Spybot gave.
SB S&D says:
============
Company:
Product: Microsoft.Windows.IEFirewallBypass
Threat: Security
Description
This is beeing flagged whenever the IE is configured to accept incoming
connections through the Windows Firewall. Normally the IE does not need to
accept incoming connections like servers do.
=============
It seems to indicate not an infection of malware, but a possible venue for
infection.
If someone could investigate the reg entry that I posted and find out if it
is a possible "weakness".
--------registry setting follows-------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program
Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
--------
Since I did not find it on another machine at work, and others have reported
it not being found, it must not be a default or mandatory setting in Windows.
I'm just not used to Spybot reporting "vulnerabilities" and this is
obviously a new detection.
Maybe it's not a good thing and should be evaluated, I don't know.
It might be something you "could" want if you knew what you were doing, but
might not usually want.
You should lock your doors, but there are times you might be justified in
leaving them unlocked.
I like to know what would happen if the reg entry was removed.
?:-\
Tim
Geek w/o Portfolio
I just scanned the home computer with the "arsenal".
Those of you know me know what that means.
Nothing was found by any of the other programs.
I then scanned with Spybot and it found the "Firewall IE" setting.
Now, before we jump on Spybot for a false positive,
note the report that Spybot gave.
SB S&D says:
============
Company:
Product: Microsoft.Windows.IEFirewallBypass
Threat: Security
Description
This is beeing flagged whenever the IE is configured to accept incoming
connections through the Windows Firewall. Normally the IE does not need to
accept incoming connections like servers do.
=============
It seems to indicate not an infection of malware, but a possible venue for
infection.
If someone could investigate the reg entry that I posted and find out if it
is a possible "weakness".
--------registry setting follows-------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled
xpsp2res.dll,-22019""C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program
Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
--------
Since I did not find it on another machine at work, and others have reported
it not being found, it must not be a default or mandatory setting in Windows.
I'm just not used to Spybot reporting "vulnerabilities" and this is
obviously a new detection.
Maybe it's not a good thing and should be evaluated, I don't know.
It might be something you "could" want if you knew what you were doing, but
might not usually want.
You should lock your doors, but there are times you might be justified in
leaving them unlocked.
I like to know what would happen if the reg entry was removed.
?:-\
Tim
Geek w/o Portfolio
A
Alan D
I'm getting this alert from Spybot too. I didn't get it last week, so it's
only arisen after todays' update.
Windows firewall is switched off, and Internet Explorer (6) is NOT selected
as an exception.
I don't understand any of the replies in the 'false positive' thread that's
been started on the Spybot forum here:
http://forums.spybot.info/showthread.php?t=14824
and I've asked for clarification. I'm very reluctant to let Spybot fix
something that doesn't actually seem to need fixing!
G
Guest
My Zlob DNSChanger seems to have been cleaned by Spybot in safe-mode and
also i read in SB forum and Lavasoft forum last night that a couple of people
let spybot fix the firewallbypass with no ill effects, but i will wait a
little longer.
Enjoy your day Ron
also i read in SB forum and Lavasoft forum last night that a couple of people
let spybot fix the firewallbypass with no ill effects, but i will wait a
little longer.
Enjoy your day Ron
G
Guest
Tim Clark said:
I think we have the answer here, Tim:
http://forums.spybot.info/showthread.php?p=96665#post96665
Under 'security' - this is obviously a new detection, only just added to the
Spybot database with the latest update, and that's why we've all been caught
unawares. It's merely a 'point of information' like the 'firewall/antivirus
disable notify' alert, and if Windows firewall is switched off anyway, it's
of no significance.
G
Guest
Ron H said:
Glad you got your Zlob fixed Ron.
As for the firewall bypass detection - see my reply to Tim's post. This
detection has only just been added to Spybot's database with the last update,
which is why we're suddenly all being alerted. Also, it appears that if
Windows firewall is switched off (because you're using your own alternative
firewall, as I am too), this is not a matter of any significance for us
whether Spybot 'fixes' it or not.
G
Guest
Alan,
I figured something like this. See my post above.
The question is "is it a True vulnerability"?
We should assume for the rest of the the thread that people are using the
Windows Firewall and will need to know how to proceed.
?
Tim
I figured something like this. See my post above.
The question is "is it a True vulnerability"?
We should assume for the rest of the the thread that people are using the
Windows Firewall and will need to know how to proceed.
?
Tim
R
Robinb
then it has to do with something between windows firewall and ie because all
the computers that are running 3rd party firewalls are not seeing this. I
did an experiment. I disabled the za firewall I have on my test computer .
Put Windows firewall back on. Ran spybot and walla got the vulnerbility.
Shut off Windows Firewall. Re inabled ZA and no more vulnerbility.
Now- do we allow spybot to fix this or do we just uncheck it and ignore it?
What will happen if we allow spybot to fix it?
robin
the computers that are running 3rd party firewalls are not seeing this. I
did an experiment. I disabled the za firewall I have on my test computer .
Put Windows firewall back on. Ran spybot and walla got the vulnerbility.
Shut off Windows Firewall. Re inabled ZA and no more vulnerbility.
Now- do we allow spybot to fix this or do we just uncheck it and ignore it?
What will happen if we allow spybot to fix it?
robin