ActiveX and CLSID {00000000-0000-0000-0000-000000000000}



someguy
2007-10-02, 21:26
During the IMMUNIZE function of Spybot, a registry entry is added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000} (DWORD binary: 400 ; hex: 1024)

Can you shed some light on the logic behind this setting? How is setting this registry setting protecting my machine from Spyware, and what risks specifically are mitigated with this setting?

We've found this setting to be incompatible with several Office 2007 proggies, and Microsoft recommends removing this key that was added by Spybot S&D. I need some info so we can make a decision. Thanks in advance!

md usa spybot fan
2007-10-02, 22:07
someguy:

GUID/CLSID = {00000000-0000-0000-0000-000000000000} is a null GUID/CLSID (Globally Unique Identifier/Class Identifier). Both Spybot and SpywareBlaster set the following registry entry to prevent the use of a null GUID/CLSID in ActiveX processes:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000400

It appears that SharePoint 2007 and possibly other Microsoft programs are now using a null GUID/CLSID.

The pertinent question is why Microsoft has chosen to use a null GUID (Globally Unique Identifier) in their latest software rather than a GUID that should be unique (by definition) to their application.

someguy
2007-10-03, 01:19
Thanks for the response.

Could you please expand on "...to prevent the use of a null GUID/CLSID in ActiveX processes" a little bit? Can you provide examples of specific threats that utilize all zero CLSIDs?

Microsoft's Defender doesn't add that reg entry, so is their product vulnerable to threats that Spybot can prevent?

Again, thanks for your help...

md usa spybot fan
2007-10-03, 06:47
Could you please expand on "...to prevent the use of a null GUID/CLSID in ActiveX processes" a little bit?

Microsoft Knowledge Base Article - 240797
How to Stop an ActiveX Control from Running in Internet Explorer
http://support.microsoft.com/default.aspx?kbid=240797


Can you provide examples of specific threats that utilize all zero CLSIDs?

Although I did not find any ActiveX using that GUID, here are some threats that do use that GUID:
Commonname adware
http://www.castlecops.com/tk3-CnbarIE_dll_Cnbabe_dll.html
CoolWebSearch parasite variant
http://www.castlecops.com/tk1186-msxmlpp_dll_msxslab_dll.html
TencentAddressBar adware - bundled with the Tencent_QQ instant messaging client
http://www.castlecops.com/tk35145-QQIEHelper02_dll.html

drgeo7
2007-10-04, 15:01
Found this thread through Google this morning and was amazed that someone else was looking at the same key we were.

What's the danger of having a null CLSID on an ActiveX control?

Does anyone know if security changes for IE 7 fix whatever that key is meant to protect us against?

:banghead:

TxBarnstormer
2010-07-17, 17:57
One side-effect of having the killbit set for the Null GUID is that Office applications may disable .NET add-ins like SharePoint workflows. It appears that all add-ins pass through the same safety check, but since the .NET add-ins have no ActiveX Control/ClassId they get mapped against the Null GUID.
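
As an added example (not from any poster in this thread and not Spybot's own code), the following Python audit parses a .reg export and reports ActiveX Compatibility entries whose Compatibility Flags include the 0x400 kill bit from KB 240797, singling out the null GUID entry discussed above. The sample export, the second CLSID, the flag values other than 0x400, the Wow6432Node copy of the key and the function names are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" kill bit, per KB 240797
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"
KEY_RE = re.compile(
    r"^\[(?P<key>.+\\Internet Explorer\\ActiveX Compatibility)\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\]$")
# Value name may appear unquoted when pasted through a forum, as in this thread.
FLAGS_RE = re.compile(r'^"?Compatibility Flags"?\s*=\s*dword:(?P<val>[0-9A-Fa-f]{1,8})$', re.I)

# Constructed sample export; only the null GUID and 0x400 come from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
Compatibility Flags=dword:00000420
'''

def audit_killbits(reg_text):
    """Return one dict per ActiveX Compatibility entry that carries a flags value."""
    findings, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = KEY_RE.match(line)  # None for keys outside ActiveX Compatibility
            continue
        value = FLAGS_RE.match(line)
        if current and value:
            flags = int(value.group("val"), 16)
            clsid = current.group("clsid").upper()
            findings.append({
                "key": current.group("key"), "clsid": clsid, "flags": flags,
                # Test the bit, not equality: other flag bits may be set too.
                "killbit": bool(flags & KILL_BIT),
                "null_guid": clsid == NULL_GUID,
            })
    return findings

def null_guid_killbits(reg_text):
    """Entries where the kill bit is set on the all-zero CLSID."""
    return [f for f in audit_killbits(reg_text) if f["killbit"] and f["null_guid"]]

if __name__ == "__main__":
    for f in null_guid_killbits(SAMPLE_REG):
        print(f'{f["key"]}\\{f["clsid"]} flags=0x{f["flags"]:08X} (kill bit set)')
```

Running it against an export taken before and after Spybot's Immunize step shows whether the null GUID entry was added, which is the key to review when Office add-ins are being disabled.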