
query WinINet



mikey
2012-02-07, 22:01
Been a while since I last looked at SSD so I thought I'd check it. Now, after only a few moments with it, I have a couple of queries:

In 2.0b4, how do you disable 'Live Protection'? I don't need a residency.

Why is it constantly polling WinINet regardless of browser add-on disability (disabled)? Ref: http://forums.voiceofthepublic.com/smf2/gallery/1_07_02_12_1_02_17.png

Is it because I told it to use my local proxy settings? I just assumed that was just for update checks.

That really makes a mess for netstat/IDS/FW/capture tools? Is this really by design or did I do something wrong? If by design, then I'd rather uninstall it than create new filters for all my admin tools.

TIA

drghughes
2012-02-08, 04:03
In 2.0b4, how do you disable 'Live Protection'? I don't need a residency.

See http://forums.spybot.info/showthread.php?t=64325&p=415641

mikey
2012-02-08, 04:51
Thx for the response. I'll try that when I reinstall.

It creates many sessions per second. It could be problematic/slow for some or just irritating for the rest of us. Here's a sampling of the flow:


GET http://127.0.0.1:21324/integrity-local HTTP/1.1
User-Agent: snlWinAPIWinINet
Host: 127.0.0.1:21324
Pragma: no-cache


HTTP/1.1 502 Fiddler - Connection Failed
Content-Type: text/html; charset=UTF-8
Connection: close
Timestamp: 19:37:59.170

[Fiddler] The socket connection to 127.0.0.1 failed. <br /> No connection could be made because the target machine actively refused it 127.0.0.1:21324


GET http://127.0.0.1:21321/integrity-local HTTP/1.1
User-Agent: snlWinAPIWinINet
Host: 127.0.0.1:21321
Pragma: no-cache


HTTP/1.0 200
Content-type: text/plain
Content-length: 40
Connection: close
Date: Tue, 7 Feb 2012 19:37:59 -0600
Server: Spybot S&D 2.0

da39a3ee5e6b4b0d3255bfef95601890afd80709


GET http://127.0.0.1:21322/clients HTTP/1.1
User-Agent: snlWinAPIWinINet
Host: 127.0.0.1:21322
Pragma: no-cache


HTTP/1.0 200
Content-type: text/plain
Content-length: 1
Connection: close
Date: Tue, 7 Feb 2012 19:37:59 -0600
Server: Spybot S&D 2.0

1


GET http://127.0.0.1:21324/integrity-local HTTP/1.1
User-Agent: snlWinAPIWinINet
Host: 127.0.0.1:21324
Pragma: no-cache


HTTP/1.1 502 Fiddler - Connection Failed
Content-Type: text/html; charset=UTF-8
Connection: close
Timestamp: 19:38:01.463

[Fiddler] The socket connection to 127.0.0.1 failed. <br /> No connection could be made because the target machine actively refused it 127.0.0.1:21324


GET http://127.0.0.1:21321/integrity-local HTTP/1.1
User-Agent: snlWinAPIWinINet
Host: 127.0.0.1:21321
Pragma: no-cache


HTTP/1.0 200
Content-type: text/plain
Content-length: 40
Connection: close
Date: Tue, 7 Feb 2012 19:38:01 -0600
Server: Spybot S&D 2.0

da39a3ee5e6b4b0d3255bfef95601890afd80709


GET http://127.0.0.1:21322/clients HTTP/1.1
User-Agent: snlWinAPIWinINet
Host: 127.0.0.1:21322
Pragma: no-cache


HTTP/1.0 200
Content-type: text/plain
Content-length: 1
Connection: close
Date: Tue, 7 Feb 2012 19:38:01 -0600
Server: Spybot S&D 2.0

1
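
As an added example (not from the post or from Spybot), a small Python triage script that parses a Fiddler-style text capture like the one quoted above and summarises the polling rate, the endpoints hit, the User-Agent and which local services refused the connection, which is what an admin needs to decide how to filter this traffic in netstat/IDS/FW tools. The capture text is a constructed sample modelled on the quoted flow, not the original capture.

```python
import re
from collections import Counter

# Constructed sample modelled on the quoted capture; the 21324 service refuses connections.
SAMPLE_CAPTURE = """GET http://127.0.0.1:21324/integrity-local HTTP/1.1
User-Agent: snlWinAPIWinINet

HTTP/1.1 502 Fiddler - Connection Failed
Timestamp: 19:37:59.170

GET http://127.0.0.1:21321/integrity-local HTTP/1.1
User-Agent: snlWinAPIWinINet

HTTP/1.0 200
Date: Tue, 7 Feb 2012 19:37:59 -0600

GET http://127.0.0.1:21322/clients HTTP/1.1
User-Agent: snlWinAPIWinINet

HTTP/1.0 200
Date: Tue, 7 Feb 2012 19:37:59 -0600

GET http://127.0.0.1:21324/integrity-local HTTP/1.1
User-Agent: snlWinAPIWinINet

HTTP/1.1 502 Fiddler - Connection Failed
Timestamp: 19:38:01.463
"""
REQ = re.compile(r"^GET http://(?P<host>[^/]+)(?P<path>\S+) HTTP")
TIME = re.compile(r"(?:Timestamp|Date):.*?(\d{2}:\d{2}:\d{2})")  # wall-clock second of the response

def parse_capture(text):
    """Split on blank lines and pair each request block with the response block after it."""
    blocks = [b.splitlines() for b in text.strip().split("\n\n")]
    records = []
    for req, resp in zip(blocks[::2], blocks[1::2]):
        m, when = REQ.match(req[0]), TIME.search("\n".join(resp))
        agent = next((h.split(":", 1)[1].strip() for h in req if h.startswith("User-Agent:")), "")
        records.append({"host": m["host"], "path": m["path"], "agent": agent,
                        "status": int(resp[0].split()[1]), "second": when and when.group(1)})
    return records

def summarize(records):
    """Per-second rate, per-endpoint outcomes and the facts a filter rule would key on."""
    per_second = Counter(r["second"] for r in records)
    return {"peak_per_second": max(per_second.values(), default=0),
            "per_endpoint": Counter((r["host"], r["path"], r["status"]) for r in records),
            "agents": sorted({r["agent"] for r in records}),
            "loopback_only": all(r["host"].startswith("127.0.0.1:") for r in records),
            "refused_hosts": sorted({r["host"] for r in records if r["status"] == 502})}
```

A 502 from Fiddler here means the local service was not listening, so `refused_hosts` separates "service down" from "service polled and answered" without touching the product.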

mikey
2012-02-08, 22:11
Now with B5, after killing all svcs as suggested, things are just as bad but different.

Over 500 requests in the time between starting a capture and being able to hit the screencap. Ref: http://forums.voiceofthepublic.com/smf2/gallery/1_08_02_12_1_14_11.png Notice that all requests are now denied when the svcs are down.

Kill the SDTray process and cut the flow by about a third.

I notice all the choices are still greyed out in the installer. Oh well.

mikey
2012-02-09, 18:51
After a better look, I have more concerns:

Who is deving this thing? Where is Patrick?

This featureless thing certainly doesn't look like his work. Patrick was always fanatical about betas. They were invariably always better deved than most folks' production releases. The comparison that comes to mind is the difference between college work and that of elementary school. Did politics finally consume all his time?

Oh well, I guess we can always just consider v1 to be his legacy. It was a great run while it lasted.

Mike

Former SSD User
Former Team Lavasoft
Former Team Spybot
(formerly someone who cared)

PepiMK
2012-02-10, 13:08
The WinINet issue is it polling the status of the update and file scanner background services, as done by the tray icon (and the Start Center).

We've already got a separate inter-process communication model to avoid this being done over http. The whole thing with IPC is that we try to make this as walled as possible (e.g. we also have a module that runs Spybot on a separate desktop environment, similar to UAC, which also runs on a separate desktop; see our YouTube channel for a demo in about two or three weeks I think) to give malware little influence to interact. HTTP would also allow remote cleaning where malware prevents GUI elements, but not yet services (this cannot be used in current betas, but the tech is there).

Usually, I probably wouldn't have released these betas, that might be right. But with so many people thinking we're "dead", we decided to do this "about every six weeks release cycle" to get external feedback. We test a lot here, but every test our detectives do takes away time from writing new signatures. Which means we've sometimes still got a few dozen tickets open when releasing a beta. After analysing the last few betas we started thinking about a closed beta with qualified feedback, but building the structures for such a thing is time consuming and needs planning.

mikey
2012-02-10, 23:54
I'm really sorry for my harsh words. I should never have let my disappointment take control. You certainly don't owe us and it is your life.


We've already got a separate inter-process communication model to avoid this being done over http. The whole thing with IPC is that we try to make this as walled as possible (e.g. we also have a module that runs Spybot on a separate desktop environment, similar to UAC, which also runs on a separate desktop; see our YouTube channel for a demo in about two or three weeks I think) to give malware little influence to interact. HTTP would also allow remote cleaning where malware prevents GUI elements, but not yet services (this cannot be used in current betas, but the tech is there).
Thx for the explanation even tho I still have no clue. I guess I should feel a little silly thinking it was just an ordinary badly botched local-loopback connection.

I wouldn't be here now if someone hadn't asked me to explain the odd behavior in his CurrPorts(netstat). We don't even employ conventional sig scanners anymore. Then when I looked around the board, I saw folks being given lame meaningless answers when asking about it.

None of this seems like the guy I used to watch in awe. Well, I don't know what's been going on around here and I don't want to. However, I find this "But with so many people thinking we're "dead", ..." very saddening.

If the guy I used to know hasn't been too beat down, he'll find a way to turn it around...if he wants to.