Possible Microsoft.Windows.IEFirewallBypass False Positive



md usa spybot fan
2007-10-28, 07:44
It appears that there may be a defect in the coding of the signature(s) for Microsoft.Windows.IEFirewallBypass. The problem was first reported by Barry (http://forums.spybot.info/member.php?u=30319) in the following thread:
Tracking cookies are red
http://forums.spybot.info/showthread.php?t=19510
The following registry entry, where Internet Explorer is added to the Windows Firewall exception list but is disabled:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
Results in the following detection:


--- Report generated: 2007-10-28 02:00 ---

Microsoft.Windows.IEFirewallBypass: [SBI $FFF24D3C] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE


--- Spybot - Search & Destroy version: 1.5 (build: 20070924) ---
That detection is the same as if Internet Explorer is added to the Windows Firewall exception list and is enabled as follows:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"



--- Report generated: 2007-10-28 02:03 ---

Microsoft.Windows.IEFirewallBypass: [SBI $FFF24D3C] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE


--- Spybot - Search & Destroy version: 1.5 (build: 20070924) ---

tashi
2007-10-29, 04:49
Thank you md usa spybot fan, I made a note for the team.

Yodama
2007-10-29, 13:34
thanks for reporting,

this will be taken out of detection with the next update scheduled for the middle of this week.

JohnBurns
2007-11-07, 16:20
Thanks for posting this - I had the same problem on two home pc's. At least I am getting smart enough not to "fix" an item until I am SURE that it needs fixing. Appreciate the info.

md usa spybot fan
2007-11-07, 16:29
JohnBurns:

I have not re-tested the false positive. Did the 2007-10-31 or 2007-11-07 update fix the problem?

Regards,
md usa spybot fan

md usa spybot fan
2007-11-07, 18:12
Yodama:

Would you please check the Microsoft.Windows.IEFirewallBypass signatures again.

I retested the Microsoft.Windows.IEFirewallBypass detection as I had originally. It now appears that neither the Enabled nor the Disabled entries are detected.

In other words the false positive for the following registry entry (Disabled) has been corrected:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
However, it now appears that there is a false negative (no detection) for the following registry entry (Enabled):


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
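The distinction the posts above turn on is the third colon-separated token of each AuthorizedApplications\List value. As an added example (not code from this thread or from Spybot), the following parses a .reg export in the format shown and flags iexplore.exe only when its exception is Enabled, which is the check a signature for this entry needs in order to avoid both the false positive and the false negative. The sample .reg text is constructed.

```python
import re
from typing import Dict, List

# Constructed sample .reg export in the same format the thread shows: one
# Disabled and one Enabled entry under the StandardProfile exception list.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Example\\example.exe"="C:\\Program Files\\Example\\example.exe:*:Enabled:Example App"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# Value data is "<path>:<scope>:<Enabled|Disabled>:<display name>"; the path
# itself contains a ':' after the drive letter, so anchor on the state token.
DATA_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<display>.*)$', re.I)


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes inside string values
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_exceptions(text: str) -> List[Dict[str, str]]:
    """Return one dict per firewall-exception value found in a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group('key')
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None or not key.lower().endswith(r'\authorizedapplications\list'):
            continue
        dm = DATA_RE.match(_unescape(vm.group('data')))
        if not dm:
            continue  # value is not in the firewall exception format; ignore it
        entries.append({'key': key, **dm.groupdict()})
    return entries


def is_active_exception(entry: Dict[str, str], exe: str = 'iexplore.exe') -> bool:
    """The check the signature needs: flag only an Enabled exception for the exe."""
    return (entry['state'].lower() == 'enabled'
            and entry['path'].lower().endswith('\\' + exe.lower()))


def flagged(text: str, exe: str = 'iexplore.exe') -> List[str]:
    """Paths of exceptions that should be reported for the given executable."""
    return [e['path'] for e in parse_reg_exceptions(text) if is_active_exception(e, exe)]
```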

JohnBurns
2007-11-08, 01:53
JohnBurns:

I have not re-tested the false positive. Did the 2007-10-31 or 2007-11-07 update fix the problem?

Regards,
md usa spybot fan

Sorry for the delay in reply - in answer to your question - no, the 2007-11-07 update still has the problem.

Yodama
2007-11-08, 07:53
@md usa spybot fan

yes, we currently deactivated the detection on this.
It will most likely be reactivated along the updates after the next main release.

@JohnBurns

could you post the date of the security.sbi on the computers still showing this issue?

you can find the date of the securityc.sbi and security.sbi after a scan in advanced mode - tools - view report - view report.

JohnBurns
2007-11-08, 15:16
@md usa spybot fan


@JohnBurns

could you post the date of the security.sbi on the computers still showing this issue?

you can find the date of the securityc.sbi and security.sbi after a scan in advanced mode - tools - view report - view report.
Not sure exactly what you need. Here is what I can find:

Spybot - Search & Destroy 1.5.1.17
Latest Detection 11/7/2007

eSupport.FFBiosExt: [SBI $12D696B9] System file (File, nothing done)
C:\WINDOWS\SYSTEM32\drivers\TVICHW32.SYS


--- Spybot - Search & Destroy version: 1.5 (build: 20071005)

Hope this helps.

md usa spybot fan
2007-11-08, 15:50
JohnBurns:
eSupport.FFBiosExt: [SBI $12D696B9] System file (File, nothing done)
C:\WINDOWS\SYSTEM32\drivers\TVICHW32.SYS
That detection looks more like the one in the following thread rather than the detection being discussed here in this thread:
Tvichw32.sys
http://forums.spybot.info/showthread.php?t=19916