The following came through after the most recent 6/20/07 update of Spybot S&D.

Security
++ Microsoft.Windows.AppFirewallBypass++ Microsoft.Windows.IEFirewallBypass


What is this and should I ignore it on future scans?

Thank you.

You have disabled your firewall (whether you did it or another application did it). If you have a third party firewall (such as Zone Alarm, Norton Internet Security, McAfee Firewall or one of the numerous free firewalls), then they may have disabled it and it is not as much of an issue as they are protecting you better than the Windows firewall anyway. Also, if you are in a work environment, your administrator may have disabled the firewall so that maintenance can be done on computers remotely, etc.

If neither of the above 2 scenarios describe your situation, open your Security Center and see if the firewall is running, if not, start it. If you cannot start it, you need to find out why... There are many reasons why this may be, lots of them legitimate and some of them not-so-legitimate.

There may actually be an ongoing discussion about one of the two detections that you appear to be questioning. However, I can not tell from the information you posted. Please post a log of the actual detections you are getting. To do that:
Run another scan.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste (Ctrl+V) those results to a new post in this thread.

Thanks. I do have McAfee Firewall, so that is probably what is going on here. Thanks again.

In any case though, here is the exact detection message I got:

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-01-03 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-06-20 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-06-20 Includes\DialerC.sbi (*)
2007-06-20 Includes\Hijackers.sbi (*)
2007-06-20 Includes\HijackersC.sbi (*)
2007-06-20 Includes\Keyloggers.sbi (*)
2007-06-20 Includes\KeyloggersC.sbi (*)
2007-06-20 Includes\Malware.sbi (*)
2007-06-20 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-06-20 Includes\PUPSC.sbi (*)
2007-06-20 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-06-20 Includes\SecurityC.sbi (*)
2007-06-20 Includes\Spybots.sbi (*)
2007-06-20 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-06-20 Includes\Trojans.sbi (*)
2007-06-20 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

Pgroot:

There actually is a ongoing discussion concerning the "Microsoft.Windows.IEFirewallBypass" that you actually received (as well as the "Microsoft.Windows.AppFirewallBypass" that you indicated in your first post that you also received) in this thread:
Microsoft.Windows.AppFirewallBypass
http://forums.spybot.info/showthread.php?t=14824
Those detections do not indicate that:


You have disabled your firewall ..
The detections indicate that, if you were using the Windows firewall instead of the McAfee Firewall, Windows Internet Explorer (iexplore.exe) would be authorized to receive unsolicited incoming traffic which would be a potential security problem.

Since you are using the McAfee Firewall there is no current threat. However, the normal default setting of the Windows firewall does include authorizing Windows Internet Explorer to receive unsolicited incoming traffic. Since the detection indicates an abnormal setting for the Windows firewall that may have been introduced by malware at some point in time, I suggest that you fix the detections with Spybot so that if the same detections return in the future you may be able to trace the source in the change to the Windows firewall.

the normal default setting of the Windows firewall does include authorizing Windows Internet Explorer to receive unsolicited incoming traffic. Since the detection indicates an abnormal setting for the Windows firewall that may have been introduced by malware at some point in time, I suggest that you fix the detections with Spybot


I thought I had this straight, but if you're right, then I'm baffled again.

My understanding was that if IE is in the Windows firewall configuration list (whether authorised or not), then Spybot would give an alert and offer to remove it (which is in fact what happens if you apply the Spybot fix). In other words, my understanding was that Spybot is not responding to an 'abnormal setting', but to the mere presence of IE in the list when it actually doesn't need to be in it. In other words, the default setting would itself be enough to trigger the Spybot alert. (Indeed, as far as I can remember, IE has always been present in my Windows firewall authorisation list.)

But in your second sentence you suggest that what is triggering Spybot is some kind of 'abnormal' setting, perhaps made by some unknown malware at some time. Are you sure that's right? If it is, then I'm back to square one, and don't understand what the heck is going on, after all.

Alan D:

Terribly sorry, my typo, thanks for catching it. My statement should read:

However, the normal default setting of the Windows firewall does not include authorizing Windows Internet Explorer to receive unsolicited incoming traffic.

Regards,
md usa spybot fan

However, the normal default setting of the Windows firewall does not include authorizing Windows Internet Explorer to receive unsolicited incoming traffic.


Phew. Well, thanks for correcting that, md usa s.f., but now I'm even more baffled.

When I look in my AVG firewall exception list, I find Internet Explorer listed as 'allowed' - as it has to be, in order to connect out without asking me every time. But also because the only option is to 'allow' regardless of direction, then I presume it's allowed also in the opposite, inward direction. So my AVG firewall is leaving me open to the very vulnerability that Spybot is trying to warn me against. In other words, to protect myself from this particular vulnerability, I need to remove IE from the Windows firewall exception list, enable Windows firewall, and get rid of the AVG firewall.

That just doesn't make sense to me. If I go to Steve Gibson's Shield's up website, it finds no vulnerability to incoming probes.

I thought I understood this, but I don't. I'm beginning to think that this new Spybot detection is creating more trouble than it's solving.

Alan D:

All communication is two way (request > response). Windows Internet Explorer must be able accept inbound traffic, but it should only be in response to an outbound request. The two detections (Microsoft.Windows.AppFirewallBypass and Microsoft.Windows.IEFirewallBypass) that Spybot added are looking for Windows Firewall registry entries that allow programs to accept unsolicited incoming traffic. In other words, registry entries that could allow a program to respond to an incoming request.

I'm sorry but I am not familiar with the AVG firewall. However, most firewalls only allow an inbound response to an outbound request. Is there also an indication within your AVG firewall if Internet Explorer is/isn't allowed to act as a Server in addition to the one "Allow" you cited? If there is, than that setting would allow Internet Explorer to respond to an inbound request (like the detections Spybot is picking up in the Windows Firewall).
____________________

Last September Spybot added a Windows Firewall open port detection (Microsoft.Windows.Security.FirewallOpenPorts). That detection was designed to detect Windows Firewall registry entries that open communication ports. That detection as well as the two new detections are designed to alert people to the fact that there may be weaknesses in their implementation of the Windows Firewall or that malware has altered the default settings within the Windows Firewall.

Alan D:

All communication is two way (request > response). Windows Internet Explorer must be able accept inbound traffic, but it should only be in response to an outbound request. The two detections (Microsoft.Windows.AppFirewallBypass and Microsoft.Windows.IEFirewallBypass) that Spybot added are looking for Windows Firewall registry entries that allow programs to accept unsolicited incoming traffic. In other words, registry entries that could allow a program to respond to an incoming request.

Ah... light is dawning slowly. Thanks for this. The issue is not about the direction of traffic, but about the direction of the request that initiates the traffic. And that means that what I was saying in my previous post is wrong, because I wasn't understanding a basic firewall principle.


However, most firewalls only allow an inbound response to an outbound request. Is there also an indication within your AVG firewall if Internet Explorer is/isn't allowed to act as a Server in addition to the one "Allow" you cited?

I can't find any information about that within the firewall options, and indeed the only options given for any program in the list are block/allow/ask. So I guess it's reasonable to assume that the AVG firewall will follow the general principle you mention, and only allow inbound responses to outbound requests.

There's still the question of how it has come about that so many of us have IE entered in the Windows firewall authorisation list. You suggest that malware has done this at some point, but the people I've discussed this with on the Windows Defender newsgroup are very security-conscious folk, and it does seem odd that so many of us turn out to have IE in our lists. I can't help wondering if there isn't some perfectly innocent explanation that we haven't been able to pinpoint yet.

Thanks for your patience in dealing with this. It's not a simple matter for us ordinary mortals to grapple with, as you can see from the confused and anguished posts it has generated.

Hi, I just received the same detection. According to the Windows Security Center, my Windows Firewall is enabled. I tried reading this thread, and I'm still not sure what to do. I have AVG Pro, SBS&D and Ad-Aware SE, all recently updated. Nothing has changed ( that I know of on the Admin account) since last week, other than new updates. Thanks in advance for any help. Sorry for not getting it from this thread...patmac

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

patmac:

Just do a "Fix select problems" let Spybot correct the entries.

md usa spybot fan,
Thank you.
I still have a few questions regarding this.
First, reading this thread I got the feeling something had happened to make the firewall notices appear. Is this so, and how do I find out? I have WINXP Home SP2, and the Windows firewall is enabled.
In general, I have read of people running scans in Safe Mode. As far as Spy Bot is concerned, when should I run it in Safe Mode? Is Safe Mode only for when it needs to fix something, or fix something that didn't go away in normal mode?
Thanks for your time,
patmac

First, reading this thread I got the feeling something had happened to make the firewall notices appear. Is this so, and how do I find out?
The detections were just added so those settings could have been there for a while. No one seems to have discovered the cause of the setting being there.


In general, I have read of people running scans in Safe Mode. As far as Spy Bot is concerned, when should I run it in Safe Mode? Is Safe Mode only for when it needs to fix something, or fix something that didn't go away in normal mode?
Others may have different opinions, but personally I would only run Spybot in safe mode if I were have problems removing something while running in normal mode.

I found the same thing (Microsoft.Windows.IEFirewallBypass) during my last SpyBot scan. The only change on my computer since my last SpyBot scan is that I have installed Carbonite's automatic online backup software. My Windows firewall is turned on and I do not use any other firewall software.

Could the recent installation of Carbonite automatic back up be the reason SpyBot is flagging the Microsoft.Windows.IEFirewallBypass? The Carbonite software backs up my computer automically and continuously online, so it would need access...

What would be the thing to do to allow Carbonite access but close ports to other malware traffic?

winniehouston:

The detections for the following items appear to have been added starting with the 2007-06-13 detection updates:
Microsoft.Windows.AppFirewallBypass
Microsoft.Windows.IEFirewallBypass
If the registry entries detected by those detections preexisted prior to doing an update and scan that included the 2007-06-13 or later detection updates, then it would be difficult to determine a cause and effect.

When was your last Spybot update and scan prior to installing Carbonite's automatic online backup software?

ok got the same thing going on but not sure if i want to fix it because i play ddo and had to allow this i think to send a help thing in game (open ie from within the game not a seperate ie window)

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE




--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2007-04-04 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-05-23 advcheck.dll (1.5.3.0)
2007-07-31 Tools.dll (2.1.2.0)
2004-11-29 Includes\LSP.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-01 Includes\Malware.sbi (*)
2007-08-08 Includes\PUPS.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-01 Includes\Trojans.sbi (*)
2007-08-08 Includes\Cookies.sbi (*)
2007-08-08 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-08-08 Includes\TrojansC.sbi (*)
2007-08-08 Includes\SpybotsC.sbi (*)
2007-08-08 Includes\SecurityC.sbi (*)
2007-08-08 Includes\PUPSC.sbi (*)
2007-08-08 Includes\MalwareC.sbi (*)
2007-08-08 Includes\KeyloggersC.sbi (*)
2007-08-08 Includes\HijackersC.sbi (*)
2007-08-08 Includes\DialerC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

This is very interesting to me because I update and run SBSD regularly and this morning is the first time I've gotten this IE notice. I haven't knowingly changed my security settings or my virus protection (McAfee). The only thing I've done is allow HP updates to run.