A Problem with IE security



darkdestiny
2007-07-25, 15:19
I've been constantly receiving the same notification through frequent scans with Spybot S&D. The details are below.

Microsoft.Windows.Security.InternetExplorer
Settings
HKEY_USERS\S-1-5-21-1487884451-4009603759-282749768-1005\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplorerexe!=W=1
Problem: Registry Change

I've earlier adjusted the Security settings according to the following website.

http://www.helpwithwindows.com/techfiles/ie-sp2-surf-safe.html

spybotsandra
2007-07-25, 15:31
Hello,

I suggest you "Fix selected problems" on those detections unless you experienced an issue such as the one described in the following article and intentionally changed those registry entries from their default setting:

* AutoShapes that were added to an HTML or an MHTML file in a Microsoft Office program do not appear when you open the file in Internet Explorer after you install Windows XP SP2
http://support.microsoft.com/default...b;EN-US;883969

The key "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" (standard value is 1 with SP2) determines the ability to perform certain actions for local websites, i.e. websites saved on the hard disk.

The value is set to 0 (zero) by some malicious applications in order to diminish the security settings for the zone "local computer" (see http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/locallockdown.aspx for details).

There are several threads on the subject:

* Windows.Security.Internet Explorer
http://forums.spybot.info/showthread.php?t=6560
* Scan Result
http://forums.spybot.info/showthread.php?t=6749

If you want you can also tell Spybot-S&D to exclude those detections from further scans.

You can exclude a product from the search as follows:
First of all, run a scan with Spybot - Search & Destroy. Now mark the item you want to exclude from the search with a left-click.
It is marked blue now. Then right-click this entry and select "exclude this product from further searches".

It is also possible to exclude it before the search. Please run Spybot - Search & Destroy in "Advanced Mode" and go to "Settings" -> "Ignore products". There you can tick the checkbox in front of the product you want to exclude from the search.

Best regards
Sandra
Team Spybot
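The post above explains that a per-user FeatureControl entry can switch FEATURE_LOCALMACHINE_LOCKDOWN off. The following is an added example, not code from the thread, Spybot or Microsoft: it simulates how Internet Explorer resolves such a feature control for a given process. The lookup order modelled (the per-process value under HKCU, then the "*" wildcard under HKCU, then the same pair under HKLM) follows Microsoft's documented FeatureControl rules and matches the Regmon sequence posted later in this thread; the "registry" is a constructed in-memory dictionary, and the sample entries (the HKLM defaults plus an HKCU entry of 0 for iexplore.exe) are assumptions for the demo.

```python
"""Simulate how an IE feature control (e.g. FEATURE_LOCALMACHINE_LOCKDOWN)
is resolved for a process, to show why a user-writable HKCU entry can
override a machine-wide HKLM setting.

Added example; the registry contents are constructed, not read from a hive.
"""

FEATURE = "FEATURE_LOCALMACHINE_LOCKDOWN"
KEY_SUFFIX = r"Software\Microsoft\Internet Explorer\Main\FeatureControl"


def resolve_feature(registry, process, feature=FEATURE, default=1):
    """Return (value, source) for `feature` as seen by `process`.

    `registry` maps "HIVE\\<KEY_SUFFIX>\\<feature>\\<valuename>" -> DWORD.
    Per-process value beats the "*" wildcard, and HKCU beats HKLM (the
    order IE's lookup follows), so an unprivileged write to HKCU wins.
    `default` is what IE assumes when nothing is set (1 = locked down,
    the XP SP2 default for the Local Machine zone).
    """
    # Registry value names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in registry.items()}
    for hive in ("HKCU", "HKLM"):
        for name in (process, "*"):
            path = f"{hive}\\{KEY_SUFFIX}\\{feature}\\{name}".lower()
            if path in lowered:
                return lowered[path], f"{hive}\\...\\{feature}\\{name}"
    return default, "default"


def is_locked_down(registry, process):
    """True when Local Machine Lockdown applies to `process`."""
    value, _ = resolve_feature(registry, process)
    return value != 0


def build_registry(entries):
    """Build the in-memory registry from (hive, value_name, data) tuples."""
    return {f"{hive}\\{KEY_SUFFIX}\\{FEATURE}\\{name}": data
            for hive, name, data in entries}


# Constructed scenario (assumption, for the demo): the SP2 defaults under
# HKLM, plus the per-user entry this thread later catches ASMonitor.exe
# writing for iexplore.exe.
SAMPLE = build_registry([
    ("HKLM", "iexplore.exe", 1),
    ("HKLM", "Explorer.EXE", 1),
    ("HKCU", "iexplore.exe", 0),   # user-level write defeats the machine setting
])

if __name__ == "__main__":
    for proc in ("iexplore.exe", "explorer.exe", "tvtsched.exe"):
        value, source = resolve_feature(SAMPLE, proc)
        print(f"{proc:14} -> {value} (from {source}) "
              f"locked_down={is_locked_down(SAMPLE, proc)}")
```

Running it shows iexplore.exe resolving to 0 from the HKCU entry while explorer.exe still gets 1 from HKLM, which is exactly why "Fix selected problems" (or deleting the HKCU value) restores the lockdown without touching the machine-wide defaults.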

darkdestiny
2007-07-26, 16:01
I've been constantly checking IE's Options > Advanced tab > Security every time I start it up, and I often notice that the box, "Allow active content to run in files on My Computer", is checked. Is there something that keeps checking that particular box? I've no idea, but I'll constantly check the TeaTimer for any changes allowed in the registry.

darkdestiny
2007-08-06, 18:33
To all spybot staff, is this problem related to Microsoft Office 2003? I've read from the link that one of your staff members had provided (above) about another forum thread, but it never really fixed the problem. I would need advice on how I can prevent this change from occurring again and again.

Just to note, TeaTimer did not detect any change to the registry I mentioned above on my laptop. The change had reportedly occurred on my laptop, but on the computer that has the same OS version, nothing had changed. I've also noted from the Microsoft webpage that it could have occurred in relation to Microsoft Office 2003.

Hope to receive an answer from the Spybot team soon.

md usa spybot fan
2007-08-06, 22:32
I've been constantly checking IE's Options > Advanced tab > Security every time I start it up, and I often notice that the box, "Allow active content to run in files on My Computer", is checked. Is there something that keeps checking that particular box? I've no idea, but I'll constantly check the TeaTimer for any changes allowed in the registry.
darkdestiny:

Have you tried checking/unchecking multiple options as described here in post #16 (http://forums.spybot.info/showpost.php?p=39175&postcount=16) and post #27 (http://forums.spybot.info/showpost.php?p=39830&postcount=27) of the following thread?
Scan Result
http://forums.spybot.info/showthread.php?t=6749

darkdestiny
2007-08-07, 02:27
I've unchecked all the options as described in both replies, but after some time (like when I start up my computer again) the options are checked again.

Does it have to do with another Advanced option being checked? I suspect so, as my other computer did not face this problem at all. I'm going to attempt to fix the problem by setting the same settings as on the second computer.

darkdestiny
2007-08-10, 09:49
At least for a couple of days. Anyway, I've been looking at the problem for some time. I've noticed that one of the 3 boxes is ticked each time I start up the computer. Does it mean that, before TeaTimer can be activated, the change had already occurred? Is that why no change has been detected by TeaTimer from the time it started up?

I hope the Spybot Team can look into this matter. I'll try to communicate with Microsoft to see how to rectify the problem.

md usa spybot fan
2007-08-10, 14:56
darkdestiny:

I do not believe that TeaTimer monitors changes to that registry key. When you manually change that setting are you getting TeaTimer registry change messages?

___________________________

Since it is not apparent what is changing the registry, about the only thing that you can do is run some registry monitoring program to try to determine what is changing the registry.

One such program is Regmon:
RegMon for Windows v7.04
http://www.microsoft.com/technet/sysinternals/utilities/regmon.mspx
Note: If you use Regmon, it will immediately start collecting registry entries as soon as the program starts, so I suggest that you review the following before using Regmon:
Start Regmon.exe.
Immediately hit Ctrl+E or click the Blue Magnifying Glass symbol (second button from the left) to stop the data collection.
In the pull-down Edit menu select Clear Display (Ctrl+X).
In the pull-down Options menu select Filter/Highlight (Ctrl+L).
Make the following changes in the Regmon Filter window (see Note #1 below):
In the Include box type "FEATURE_LOCALMACHINE_LOCKDOWN" (no quotes).
Uncheck everything at the bottom of the Regmon Filter except "Log Writes".
Click OK.
Hit Ctrl+E or click the Blue Magnifying Glass (second button from the left) to start the data collection.
Periodically check Regmon and see if you trapped what is changing the registry entry.

Note #1: The options used in the Regmon Filter window may have to be modified somewhat. I believe that options that I outlined will work, but because I don't have the problem I am not 100% sure.
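The filter described above only narrows what Regmon records; when the capture still runs to hundreds of megabytes, the remaining work is finding the write operations among thousands of reads. The following is an added example, not code from the thread or from Sysinternals: it parses Regmon entries in the layout the poster pastes later in this thread ("<seq>: <process>:<pid> <operation> <path> <result> [<detail>]") and reports only the successful write operations (CreateKey, SetValue, DeleteValue, DeleteKey) that touch the lockdown key, plus any SetValue that set a per-process entry to 0. SAMPLE_LOG is constructed for the demo, modelled on the entries quoted in this thread; a saved Regmon log file is tab-delimited with an extra time column and would need its columns mapped before feeding lines in.

```python
"""Find processes writing to an IE FeatureControl key in Regmon output.

Added example. Parses the pasted Regmon line layout used in this thread;
SAMPLE_LOG is constructed from the entries quoted in the thread.
"""
import re
from dataclasses import dataclass

WRITE_OPS = {"SetValue", "CreateKey", "DeleteValue", "DeleteKey"}
RESULTS = "SUCCESS|NOT FOUND|ACCESS DENIED|BUFFER OVERFLOW|NO MORE ENTRIES|INVALID HANDLE"
# Path is matched non-greedily because key names may contain spaces
# ("Internet Explorer"); the result keyword terminates it.
LINE_RE = re.compile(
    r"^(?P<seq>\d+):?\s+(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>\w+)\s+"
    r"(?P<path>HK\w+\\.*?)\s+(?P<result>" + RESULTS + r")(?:\s+(?P<detail>.*))?$"
)


@dataclass
class RegEvent:
    seq: int
    process: str
    pid: int
    op: str
    path: str
    result: str
    detail: str


def parse_line(line):
    """Parse one pasted Regmon line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return RegEvent(int(m["seq"]), m["proc"], int(m["pid"]), m["op"],
                    m["path"], m["result"], m["detail"] or "")


def find_writes(lines, key_fragment="FEATURE_LOCALMACHINE_LOCKDOWN"):
    """Successful write operations whose path contains `key_fragment`."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if (ev and ev.op in WRITE_OPS and ev.result == "SUCCESS"
                and key_fragment.lower() in ev.path.lower()):
            hits.append(ev)
    return hits


def lockdown_disabled(hits):
    """[(process, value name)] for SetValue events that wrote 0 (lockdown off)."""
    out = []
    for ev in hits:
        if ev.op == "SetValue" and ev.detail.strip().lower() in ("0x0", "0"):
            out.append((ev.process, ev.path.rsplit("\\", 1)[-1]))
    return out


# Constructed sample, modelled on the Regmon lines quoted in this thread.
SAMPLE_LOG = r"""
248062: tvtsched.exe:2952 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
248063: tvtsched.exe:2952 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tvtsched.exe NOT FOUND
572333: explorer.exe:1280 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Explorer.EXE SUCCESS 0x1
934347: ASMonitor.exe:3164 CreateKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x20006
934348: ASMonitor.exe:3164 SetValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe SUCCESS 0x0
934349: ASMonitor.exe:3164 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
""".strip().splitlines()

if __name__ == "__main__":
    hits = find_writes(SAMPLE_LOG)
    for ev in hits:
        print(f"{ev.seq}: {ev.process}:{ev.pid} {ev.op} {ev.path} {ev.detail}")
    for proc, name in lockdown_disabled(hits):
        print(f"lockdown disabled for {name} by {proc}")
```

Reads (OpenKey, QueryValue, CloseKey) are dropped, so the output reduces a boot-time log to the handful of processes that actually created or set something under the key; to use it on a real capture, read the file and pass its lines to find_writes.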

darkdestiny
2007-08-10, 16:45
I'm going to try running the process as soon as I log into Windows, as I figured the change may have occurred then. It will take some time. Thanks for the suggestion.

darkdestiny
2007-08-10, 17:12
I followed your instructions as you said, and restarted twice. However, the change had occurred before I could open RegMon.exe, and thus I couldn't see how the change was made.

I do have suspicions, but I can't really pinpoint the real problem. The thing is, before I even installed any of my security programs or connected to the Internet (no direct connection whatsoever), no change was noticed at all. So it is likely that one of my security programs had caused the change, or when I let Microsoft Update install certain critical updates.

I'll reply as soon as I get the results. Thanks for your help, Spybot Team!

md usa spybot fan
2007-08-10, 17:20
darkdestiny:

In Regmon > Options there is a "Log Boot". However, if I remember correctly, the filter does not appear to be in effect with this option and it creates thousands of entries.

darkdestiny
2007-08-11, 04:29
I'm not quite sure how that function works, but that function is enabled. Maybe I'll check out the Log file which it mentioned in the pop-up.

md usa spybot fan
2007-08-11, 07:03
From the Regmon's help facility:


Monitoring Boot-Time Registry Access (Windows NT/2K only)

To use Regmon's boot logging feature simply select the "Log Boot" menu entry. Regmon will indicate that starting the next time the system boots Registry activity will be monitored and recorded to a log file named REGMON.LOG in your system root directory. When you make this selection Regmon configures itself as the very first driver to initialize in the system, enabling it to capture the Registry startup activity of all other device drivers and services, including critical boot drivers such as SCSI miniport drivers and boot file system drivers.

Regmon stops recording to the log file when you start the Regmon GUI, and it will only log a single boot. Logging is therefore also stopped when the system shuts down, unless you have re-enabled boot-time logging for the subsequent boot. The format of the log file is the same tab-delineated text as a standard Regmon output file that can be viewed with any editor.

Before you use the boot-logging feature you should ensure that there is ample free space on your system drive. Capturing Registry activity from startup to shutdown on an NT 4.0 system will generate a log file with 90,000-120,000 records (7-10 MB in size), whereas an identically configured NT 5.0 system (Beta 2) will generate 140,000-160,000 records (15-25 MB's of log data). If Regmon fills the disk while writing to the log it will truncate the log file and leave a message in it indicating that the disk did not have enough free space. Regmon aborts logging and cleans up the log in such cases so that lack of disk space will not prevent a successful boot.

darkdestiny
2007-08-11, 10:52
I tried twice to view the log file you mentioned, but the file produced is too big (400+ MB). I tried opening RegMon as soon as I logged in, and did manage to get a much smaller file. This is what I found.

NOTE: Below are all the related entries of the raw data I've collected. There are some that have nothing to do with the problem.

248062: tvtsched.exe:2952 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
248063: tvtsched.exe:2952 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tvtsched.exe NOT FOUND
248067: tvtsched.exe:2952 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND
248074: tvtsched.exe:2952 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

572328: explorer.exe:1280 OpenKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
572329: explorer.exe:1280 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Explorer.EXE NOT FOUND
572330: explorer.exe:1280 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND
572331: explorer.exe:1280 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
572332: explorer.exe:1280 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
572333: explorer.exe:1280 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Explorer.EXE SUCCESS 0x1
572334: explorer.exe:1280 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

NOTE: This is somewhat irrelevant, but I just want to state it in case it has anything to do with the change.

648956: SynTPEnh.exe:3788 OpenKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
648957: SynTPEnh.exe:3788 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\SynTPEnh.exe NOT FOUND
648959: SynTPEnh.exe:3788 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND
648961: SynTPEnh.exe:3788 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
648962: SynTPEnh.exe:3788 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
648963: SynTPEnh.exe:3788 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\SynTPEnh.exe NOT FOUND
648964: SynTPEnh.exe:3788 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND
648965: SynTPEnh.exe:3788 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

701629: rrservice.exe:2896 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
701631: rrservice.exe:2896 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\rrservice.exe NOT FOUND
701633: rrservice.exe:2896 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND
701635: rrservice.exe:2896 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

This is as much as I can find. Sorry if it doesn't give much help, but if I left the computer to load completely, the data could have been too much.

I have quite a number of programs, and so I can't really be of much help with the RegMon log gathering too much data.

darkdestiny
2007-08-12, 17:40
Although it's pretty much the same as the other log I received, it showed the entire log of what's happening during and just after Windows boot (it's about 290MB!!!)

Nothing found in relation to the problem. The closest one I've noticed is "explorer.exe", but no "iexplorer.exe"

I'll check with the Microsoft support regarding the problem.

darkdestiny
2007-08-13, 05:45
Below is the part of the log in which I noted that the registry had been changed.

934347: ASMonitor.exe:3164 CreateKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x20006
934348: ASMonitor.exe:3164 SetValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe SUCCESS 0x0
934349: ASMonitor.exe:3164 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

Culprit: ASMonitor.exe (AOL Security Monitor)

I'll uninstall the program and see if the problem is fixed.

darkdestiny
2007-08-13, 06:06
After uninstalling Active Security Monitor (sorry, I made a mistake. It's not AOL, it's Active) and rebooting my computer (which I did a while ago), the problem did not occur again.

So, for those who have the problem whereby the option "Allow active content to run in files in My Computer" (in IE > Internet Options... > Advanced tab > Security) is checked each time you boot, check if you have Active Security Monitor installed.

Thanks, Spybot Team, for the help.