Spybot & Windows Security Centre.....warning

[debanks]

Spyboot keeps finding two suspicious and recuring files. Windows Security Centre Firewall\Disable Notify. There is a similar one for Firewall. These files are in Settings HKEY_LOCAL_MACHINE\Software\Microsoft\SecurutyCentre\Antivirus disable Notify!=dwordO.
I delete them but they recur. In windows security centre everything is switched on. I'm running McAfee Firewall and anti Virus plus AGV free anti virus on XP Home. My questions are : Are these files dangerous, what do they mean and how can I stop them recuring.

I did have a Bagle worm that slipped through undetected.

Derek Banks

[spybotsandra]

Hello,

Since the Detections Update from July 25, 2005, Spybot - Search & Destroy 1.4 has been detecting Security Risks (renamed to "Windows Security Center" on July 30) associated with Microsoft Security Center Registry changes. This is neither a false positive nor a bug. It is just an information.
Spybot-S&D only wants to bring to your attention that "someone" disabled one or more notifications in the Windows Security Center, e.g. the notifications that your virus protection is not active or not up-to-date. If you changed the settings yourself you can safely tell Spybot-S&D to exclude those detections from further scans.
In order to do so please right-click each in turn, then click "exclude this detection from future scans". That way, should any other part of security center settings change, Spybot-S&D will still detect those.
The same is true if you have another security solution installed (like McAfee Security Center or Norton Internet Security). These programs do also disable the Windows Security Center in order to take care of things themselves.
The reason why the changes are flagged by Spybot-S&D is that there are also malware programs that disable the notifications so the user doesn't take note of his security tools not being effective.

Best regards
Sandra
Team Spybot

[md usa spybot fan]

debanks:

Additional clarification:

Quote:

Originally Posted by debanks

In windows security centre everything is switched on.

If you go into Start > Control Panel > Security Center > Resources (on the left hand side of the window – expand if necessary) > click "Change the way Security Center alerts me". This brings up an "Alert Setting" window.

There are three possible alerts:

• Firewall
  Alert me if my computer might be at risk because of my firewall settings
• Automatic Updates
  Alert me if my computer might be at risk because of my Automatic Updates settings
• Virus Protection
  Alert me if my computer might be at risk because of my virus protection software settings

I believe that you will find that the first and third items are unchecked. This is the cause of the following Spybot detections:

Code:

Windows Security Center.FirewallDisableNotify: Settings
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

When the McAfee SecurityCenter is optionally selected as the default security center, it turns off these alerts within the Windows Security Center so that the Windows Security Center will no longer notify you if your firewall and/or antivirus are disabled. As indicated by spybotsandra, this is not a threat as long as McAfee SecurityCenter is running. However, from my perspective, McAfee has done a disservice to their users by not informing them that by selecting the McAfee SecurityCenter as the default Security Center these Windows Security Center alerts will be turned off. If you were to abandon McAfee products in the future they have left the features of the Windows Security Center in a compromised condition. I personally do not have my McAfee SecurityCenter running as the default security center.

[loctet]

[QUOTE=spybotsandra]Hello,

Quote:

In order to do so please right-click each in turn, then click "exclude this detection from future scans". That way, should any other part of security center settings change, Spybot-S&D will still detect those.

I have a problem, the contextual menu does not allow this modification. The line in is dimmed (not selectable).

Thanks.
Best regards

[md usa spybot fan]

If you want to exclude the item from future detections:

• Expand the detection if necessary (+ to the left of the detection).
• Select the item (entry) that you want to exclude by left clicking on it to highlight it.
• Then right click on highlighted detection.
• Select from the list of options in the menu.

In other words left click to select then right click to display options. If you don't select (highlight) the item first the options menu is for the entire detection list.

[nickW]

Bonjour loctet,

Il faut être en "Mode avancé" pour pouvoir effectuer cette manip.

Voir en haut, dans le menu Mode.

Salut.

[md usa spybot fan]

NickW:

I do not believe that you are correct. There is a difference between:

• "Exclude this detection from further searches"
  and
• "Exclude this product from further searches"

spybotsandra's original suggestion was to:

Quote:

Originally Posted by spybotsandra

… exclude those detections from further scans.
In order to do so please right-click each in turn, then click "exclude this detection from future scans".

To the best of my knowledge you can only "Exclude this detection from further searches" after you "Check for problems" and the detection is listed on the problem detection screen.

You can exclude "products" (or un-exclude them) by going into Spybot > Mode > Advanced mode > Settings > Ignore products.

If you have excluded a single detection you can remove it from the ignore list by going into Spybot > Mode > Advanced mode > Settings > Ignore single entries.

[loctet]

Effectivement je ne suis pas en mode avancé.
Merci de votre réponse et pour l'adresse du forum.
Salut.

[EloquentBaboon]

I received the same notification and asked spybot to fix it along with 4 instances of RealDownloadExpress --- now i'm having issues. If my machine idles too long, it locks up. Also sometimes the screen-saver is interrupted for no apparent reason. A friend of mine says it sounds like i've inadvertently deleted some registry files. Asked S&D to recover, the RealDownloadExpress came back, but not the Windows Security Centre Firewall\Disable Notify.

Can anyone tell me/speculate on what's going on here and what i can do to fix it?

Thanks very much in advance
EQB

Quote:

Originally Posted by debanks

Spyboot keeps finding two suspicious and recuring files. Windows Security Centre Firewall\Disable Notify. There is a similar one for Firewall. These files are in Settings HKEY_LOCAL_MACHINE\Software\Microsoft\SecurutyCentre\Antivirus disable Notify!=dwordO.
I delete them but they recur. In windows security centre everything is switched on. I'm running McAfee Firewall and anti Virus plus AGV free anti virus on XP Home. My questions are : Are these files dangerous, what do they mean and how can I stop them recuring.

I did have a Bagle worm that slipped through undetected.

Derek Banks

[Dragonphish]

The detections for Windows Security Virus scan and Firewall issues were easily verified and excluded per the instructions previously listed in this thread. Thanks to all who contributed.