Determine if malware or just normal settings



eaql2
2007-02-16, 18:54
Hi!

Although I read this thread <http://forums.spybot.info/showthread.php?t=75&page=2>, I do not understand how to determine if the findings below are caused by spyware or malware or if they are OK. (I followed the suggestions in that thread and changed the settings in the Security notifications tab to notify me about changes in the firewall and antivirus.) I did have a virus recently which was simply referred to as "virus found exploit." Since then I have run virus scans, and no virus was detected.
Thanks,

--- Search result list ---
Microsoft.Windows.Security.FirewallOpenPorts: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\21:TCP

Microsoft.Windows.Security.FirewallOpenPorts: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\21:TCP

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0



I have a question about this thread about detection of antivirus and Windows Firewall settings:

md usa spybot fan
2007-02-16, 23:08
None of the detections that you received are "normal settings" but that is not necessarily an indication that malware caused these settings.

What anti-virus and firewall are you running?

Re:


Microsoft.Windows.Security.FirewallOpenPorts: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\21:TCP

Microsoft.Windows.Security.FirewallOpenPorts: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\21:TCP

These entries are related to the Windows Firewall and indicate that ports in the Windows Firewall have been opened. Normally these ports are closed. Configuring Windows Firewall by opening ports is not recommended; allowing applications access is better for most users. Malware and trojans may open the ports to enable remote access to an infected computer.

For more information on Configuring the Windows Firewall, see:
How to Configure Windows Firewall in Windows XP Embedded with Service Pack 2
http://msdn2.microsoft.com/en-us/embedded/aa731196.aspx
Re:


Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
If you did not intentionally disable these alerts or are running some internet security that does, there may be reason for concern if the alerts continue to be disabled. Note: Both Norton Internet Security and McAfee Security Center turn off the Windows Security Center firewall and virus protection alerts and handle the alerts within their own product under certain conditions.
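As an added example (not code from the thread or from Spybot), the following PowerShell script reads the same two registry locations the detections above point at, so the current live settings can be compared with what was set deliberately. It assumes the XP SP2-era layout, and the "port:protocol:scope:state:name" format for the GloballyOpenPorts\List value data is an assumption.

```powershell
# Added example: report Windows Firewall globally open ports and Security Center
# alert suppression from the live registry (CurrentControlSet, not ControlSet00x).
$profile = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$sc      = 'HKLM:\SOFTWARE\Microsoft\Security Center'

# 1. Globally open ports: each value is named like "21:TCP" (port:protocol).
#    Assumed data layout: "21:TCP:*:Enabled:FTP Server" (port:proto:scope:state:name).
$listKey = Join-Path $profile 'GloballyOpenPorts\List'
if (Test-Path $listKey) {
    $item = Get-Item $listKey
    foreach ($name in $item.GetValueNames()) {
        $data  = [string]$item.GetValue($name)
        $parts = $data -split ':'
        $state = if ($parts.Count -ge 4) { $parts[3] } else { 'unknown' }
        $label = if ($parts.Count -ge 5) { $parts[4] } else { '(no name)' }
        Write-Output ('Globally open port {0}: state={1} name={2}' -f $name, $state, $label)
    }
    if ($item.GetValueNames().Count -eq 0) {
        Write-Output 'GloballyOpenPorts\List exists but is empty (no ports opened).'
    }
} else {
    Write-Output 'No GloballyOpenPorts\List key (no ports opened globally).'
}

# 2. Security Center alert suppression: a non-zero DWORD means the alert is off.
#    Missing value or 0 is the default (alerts on), matching the "!=dword:0" rule above.
foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify') {
    $val = (Get-ItemProperty -Path $sc -Name $v -ErrorAction SilentlyContinue).$v
    if ($null -eq $val -or $val -eq 0) {
        Write-Output ('{0}: 0 (Security Center alerts on)' -f $v)
    } else {
        Write-Output ('{0}: {1} (alerts OFF; expected only if a security suite manages them)' -f $v, $val)
    }
}
```

Run it from an administrator prompt; any open port or disabled alert you did not configure yourself, and that your security suite does not account for, is worth investigating further.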

eaql2
2007-02-18, 00:59
Hi, thank you for responding. I use AVG and Windows Firewall. I use a dial-up service. I actually think in my case these detections were an indication that something was wrong. About a week ago 80 Word documents were infected by an exploit, and I think perhaps it may have been the day-zero malware for Word. Since then I closed the ports and made changes to be notified about my antivirus or firewall via Control Panel.
One thing worth mentioning is that my automatic updates only updated Windows XP. I forgot to also update Office. These updates are really important, especially given this day-zero malware.
