Thread: Stop Spybot from picking up firewall settings

  1. #1
    Junior Member
    Join Date
    Nov 2006
    Posts
    5

    Stop Spybot from picking up firewall settings

    I have a script that I use to run SBSD on my machines.

    I use a default configuration.ini file to set up pre-defined settings.

    Lately, I have been having a problem with false positives for these two entries:
    Code:
    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
    
    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1
    then.....
    Code:
    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, fixed)
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
    
    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, fixed)
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1
    These errors also occur for Windows updates.


    I want to leave the firewall disabled, and when I manually change it, Spybot picks it up and fixes it.

    Has anyone modified the default config file to eliminate these false positives?
    (and yes, in my case they are false positives)




    EDIT: this also happens with security updates.
    Code:
    Windows Security Center.UpdateDisableNotify: Settings (Registry change, fixed)
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
    I want to have Spybot ignore everything having to do with Windows Security Center.
    Last edited by rodbibeau; 2006-11-03 at 14:18.

  2. #2
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263

    Hello,

    Spybot - Search & Destroy 1.4 has been detecting Security Risks (renamed to "Windows Security Center" on July 30) associated with Microsoft Security Center Registry changes. This is neither a false positive nor a bug. It is just information.
    Spybot-S&D only wants to bring to your attention that "someone" disabled one or more notifications in the Windows Security Center, e.g. the notifications that your virus protection is not active or not up-to-date. If you changed the settings yourself you can safely tell Spybot-S&D to exclude those detections from further scans.
    In order to do so please right-click each in turn, then click "exclude this detection from future scans". That way, should any other part of security center settings change, Spybot-S&D will still detect those.
    The same is true if you have another security solution installed (like McAfee Security Center or Norton Internet Security). These programs do also disable the Windows Security Center in order to take care of things themselves.
    The reason why the changes are flagged by Spybot-S&D is that there are also malware programs that disable the notifications so the user doesn't take note of his security tools not being effective.

    Some more information is also available in our forum:
    http://forums.spybot.info/showthread.php?t=87

    Best regards
    Sandra
    Team Spybot
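
For a scripted rollout like the one in post #1, the report lines quoted there can be sorted against a list of changes the administrator made on purpose, so that only unexpected Security Center changes need attention. This is an added example, not code from the thread or from Spybot; the `INTENDED` list, the sample report and the reading of the text after `!=` as the value Spybot expected are assumptions.

```python
import re

# Constructed sample in the report format quoted in post #1 (not a real scan log).
SAMPLE_REPORT = r"""
Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, fixed)
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, fixed)
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
"""

# Assumption: registry values this deployment changed on purpose (lower-cased paths).
INTENDED = {
    r"hkey_local_machine\software\policies\microsoft\windowsfirewall\domainprofile\enablefirewall",
    r"hkey_local_machine\software\microsoft\security center\updatesdisablenotify",
}
HEADER = re.compile(r"^(?P<name>.+?): (?P<category>\w+) \((?P<kind>[^,]+), (?P<action>[^)]+)\)$")
DETAIL = re.compile(r"^\s+(?P<path>HKEY_[^!]+)!=(?P<expected>\S+)$")

def parse_report(text):
    """Pair each detection header with the registry line that follows it."""
    findings, pending = [], None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        detail = DETAIL.match(line)
        if header:
            pending = header.groupdict()
        elif detail and pending:
            findings.append({**pending, **detail.groupdict()})
            pending = None
    return findings

def triage(findings, intended=INTENDED):
    """Split findings into intended, intended-but-reverted, and unexpected changes."""
    buckets = {"intended": [], "reverted": [], "unexpected": []}
    for f in findings:
        if f["path"].lower() not in intended:
            buckets["unexpected"].append(f)   # nobody signed off on this change
        elif f["action"] == "fixed":
            buckets["reverted"].append(f)     # the scan undid a deliberate setting
        else:
            buckets["intended"].append(f)
    return buckets

if __name__ == "__main__":
    for bucket, items in triage(parse_report(SAMPLE_REPORT)).items():
        for f in items:
            print(f"{bucket:10} {f['name']} -> {f['path']} (expected {f['expected']})")
```

Entries in the `reverted` bucket are the ones that need an exclusion set from inside Spybot-S&D, as described above; entries in `unexpected` are the ones worth investigating.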

  3. #3
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    Additional notes:

    The entries for "Exclude this detection from further searches" are not stored in the Configuration.ini file; they are stored in Single.sbe in one of the following locations:
    • Windows 95/98
      C:\Windows\Application Data\Spybot - Search & Destroy\Excludes
    • Windows ME
      C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Excludes
    • Windows NT/2000/XP
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Excludes

    Spybot will not recognize external changes to the Single.sbe file. I assume that this is to prevent malware from excluding itself by manipulating that file. If any changes are made to the Single.sbe file outside of Spybot the file will be emptied the next time Spybot is loaded.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Junior Member
    Join Date
    Nov 2006
    Posts
    5

    Awesome.

    That is exactly what I was looking for. I will modify my scripts to push the excludes!

    Thank you.

  5. #5
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    Please note:

    Quote: Originally Posted by md usa spybot fan
    Spybot will not recognize external changes to the Single.sbe file. I assume that this is to prevent malware from excluding itself by manipulating that file. If any changes are made to the Single.sbe file outside of Spybot the file will be emptied the next time Spybot is loaded.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  6. #6
    Junior Member
    Join Date
    Nov 2006
    Posts
    5

    Hmmmm... that may not solve my problem then.

    I'll see what happens.

  7. #7
    Junior Member
    Join Date
    Nov 2006
    Posts
    5

    Any idea what type of check it uses?


    If I were to exclude the keys I wanted on my machine and then grabbed my sbe file and pushed it to the other machines before running the program, it may think it created the file itself. All my machines have the exact same version on them.
