Old 2007-06-13, 19:04   #1
pgroot
Junior Member
 
Join Date: Jun 2006
Location: San Jose CA (Silicon Valley)
Posts: 13
Microsoft.Windows.AppFirewallBypass

Microsoft.Windows.AppFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\usmt\migwiz.exe

Microsoft.Windows.AppFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\usmt\migwiz.exe

The registry entries are both:
C:\WINDOWS\system32\usmt\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard

So not only is this a known Microsoft application, it is disabled.
I'm not sure why it is disabled. But this detection appears to be a false positive in 2007-06-13 Includes\Beta.sbi (*)
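The value format quoted in the post above, parsed in Python as an added example (not part of the thread and not Spybot's own detection logic). The second and third sample entries, the verdict labels and the `review` helper are constructed for illustration; only the migwiz.exe entry comes from the post.

```python
import re

# Value data under ...\StandardProfile\AuthorizedApplications\List, as quoted
# in the post: <image path>:<scope>:<Enabled|Disabled>:<display name>
# The path contains a colon (drive letter), so a plain split(":") misparses
# it; the pattern anchors on the status token instead.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<status>Enabled|Disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

def parse_entry(data):
    """Split one value's data into its four fields; None if malformed."""
    m = ENTRY_RE.match(data.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = entry["status"].capitalize()
    return entry

def review(values):
    """values maps value name (the path) to value data; returns verdicts."""
    verdicts = {}
    for value_name, data in values.items():
        entry = parse_entry(data)
        if entry is None:
            verdicts[value_name] = "malformed"
        elif entry["path"].lower() != value_name.lower():
            verdicts[value_name] = "path-mismatch"
        elif entry["status"] == "Disabled":
            verdicts[value_name] = "listed-but-disabled"
        elif entry["scope"] == "*":
            verdicts[value_name] = "enabled-any-source"
        else:
            verdicts[value_name] = "enabled-restricted-scope"
    return verdicts

MIGWIZ = r"C:\WINDOWS\system32\usmt\migwiz.exe"
EXAMPLE = r"C:\Program Files\Example\example.exe"  # constructed path
SAMPLE = {
    MIGWIZ: MIGWIZ + ":*:Disabled:Files and Settings Transfer Wizard",  # from the post
    EXAMPLE: EXAMPLE + ":LocalSubNet:Enabled:Example App",  # constructed
    r"C:\broken.exe": "not a firewall entry",  # constructed, malformed
}

if __name__ == "__main__":
    for value_name, verdict in review(SAMPLE).items():
        print(f"{verdict:26} {value_name}")
```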
Old 2007-06-17, 17:49   #2
spy1
Member
 
Join Date: Nov 2005
Posts: 41

Yes, I got the same thing you did, but I let SBS&D go ahead and remove it with no ill effects that I could tell.

I figured that if it was off anyway, there wasn't any need for it to be there, period. Pete
Old 2007-06-18, 09:11   #3
Yodama
Member of Team Spybot
 
Join Date: Oct 2005
Location: Buchenheim
Posts: 935
Blog Entries: 1
Rated LASSHes: 119

Hi,

Normally you do not want your Windows migration to be accessing incoming communication through the firewall unless you really do a migration.

So this should only be allowed if there is a need to, and disabled otherwise, since there are trojan horses which override the original file and act as servers under the unsuspicious name of migwiz.exe.
__________________
born in the shadow to die in the shadow, that is the fate of the shinobi

Spybot S&D Downloads

Please help us improve Spybot and download our distributed testing client.
Old 2007-06-20, 13:37   #4
greenhatch
Junior Member
 
Join Date: May 2006
Posts: 18
so which is it?

Excuse my slowness, but does this mean we should remove the two entries ticked by the Search & Destroy, or is it a false positive to be corrected in the next update?
Old 2007-06-20, 13:51   #5
Yodama
Member of Team Spybot
 
Join Date: Oct 2005
Location: Buchenheim
Posts: 935
Blog Entries: 1
Rated LASSHes: 119

This is not considered a false positive, though fixing it may be inconvenient if you migrate your Windows over the network very often.
If you let Spybot fix this, the Windows Firewall will ask if you want to block migwiz.exe or not; usually it is no when you want to migrate over the network.

So the impact on the workflow is relatively small if you let Spybot fix this, while it gives you more security against a fake migwiz.exe that receives commands through the opened Windows Firewall.
Old 2007-06-20, 15:35   #6
ky331
Member
 
Join Date: Jun 2007
Posts: 34

How about these two?


Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Program Files\Internet Explorer\IEXPLORE.EXE

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Program Files\Internet Explorer\IEXPLORE.EXE
Old 2007-06-21, 00:43   #7
nowellp
Member
 
Join Date: Nov 2005
Posts: 39
slowness

I am in the same boat. Could you please tell me how I should handle these two detections; I'm obviously not a tech so please explain in relatively easy terms. I do not know what migrations are, have McAfee firewall and XP SP2.
Thank you
Old 2007-06-21, 07:20   #8
Yodama
Member of Team Spybot
 
Join Date: Oct 2005
Location: Buchenheim
Posts: 935
Blog Entries: 1
Rated LASSHes: 119

@ky331

Internet Explorer does not need to be authorized for the Windows Firewall for internet surfing. The Windows Firewall only works one way: it does not block requests made from the host computer; it can only block access from outside.
There may be some special purpose where it may be required to have Internet Explorer authorized for the Windows Firewall, which would basically make Internet Explorer accept incoming transmissions like a server would.


@nowellp
Windows migration is used to transfer files, folders and settings from one computer to another. This is not bound to hardware and is usually used when the computer hardware is upgraded/exchanged.
Old 2007-06-21, 09:03   #9
greenhatch
Junior Member
 
Join Date: May 2006
Posts: 18

Yodama:

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Program Files\Internet Explorer\IEXPLORE.EXE

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Program Files\Internet Explorer\IEXPLORE.EXE

Sorry to be a bit dense, but if these two entries appear as detected items, do we (a) tick to delete or (b) are they false positives to be countered by a Spybot later update?

(a) or (b) please?
Old 2007-06-21, 09:35   #10
joe53
Junior Member
 
Join Date: Oct 2005
Posts: 9

Yodama:

Like ky331 and greenhatch, I don't know what to do with these 2 Microsoft.Windows.IEFirewallBypass registry detections. Spybot offers me no option to ignore or exclude them in future searches, so I do nothing.

I suspect they are related to the fact that I have disabled Windows firewall, and am using a third-party firewall (in my case, Comodo).
All times are GMT +2.


Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.