PDA

View Full Version : Immunisation Undo..doesn't totally



Greyfox
2008-11-06, 07:41
SpybotSD’s immunisation process (as at 1.6.1.33 and Detection updates 22/10/08) places registry entries in the 10 locations listed below. If starting from scratch with 0 entries present in these areas, when it immunises it puts 9353 entries in each. When it un-immunises (undo), it does not completely clear out all of these entries, leaving the same 46 entries in each location.

At some stage in the past, on two PC’s checked, the immunisation process appears to have also placed some additional entries, which are no longer in the 22/10/08 immunisation set, in the same locations, and these are also not removed by the present Undo.

The 10 locations are:-

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Puts in 9353 entries – leaves 46 + 65 from previous = total 111)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\EscDomains (Puts in 9353 entries – leaves 46 + 19 from previous = total 65)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Puts in 9353 entries – leaves 46 + 64 from previous = total 110)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\EscDomains (Puts in 9353 entries – leaves 46 + 17 from previous = total 63)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Puts in 9353 entries – leaves 46 + 65 from previous = total 111)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\EscDomains (Puts in 9353 entries – leaves 46 + 67 from previous = total 63)

HKEY_USERS\S-1-5-18 \Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\
Domains (Puts in 9353 entries – leaves 46 + 65 from previous = total 111)

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\EscDomains (Puts in 9353 entries – leaves 46 + 17 from previous = total 63)

HKEY_USERS\S-1-5-21–“Big number”\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Puts in 9353 entries – leaves 46 + 65 from previous = total 111)

HKEY_USERS\S-1-5-21-“Big number”\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\EscDomains (Puts in 9353 entries – leaves 46 + 19 from previous = total 65)

In addition, at some previous stage the immunisation process appears to have also placed a large number of entries (7,910) in two additional locations. The current process does not now put entries in these locations, nor does the present Undo remove them. These two locations are:-

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Entries left 7,910)

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMaps\Domains (Entries left 7,910)

None of the above entries (beyond those that are removed by the Undo) are removed when/if SpybotSD is installed, even if the SpybotSD registry cleanup is run.

The above has been posted merely as an observation.

Greyfox
2008-11-09, 04:24
Typo


None of the above entries (beyond those that are removed by the Undo) are removed when/if SpybotSD is installed, even if the SpybotSD registry cleanup is run.

Should have been Uninstalled

md usa spybot fan
2008-11-09, 06:01
Greyfox:

Do the entries not being removed have or not have a value set as discussed here?
Possible defect in immunization "Undo" (Spybot 1.5).
http://forums.spybot.info/showthread.php?t=17867

Greyfox
2008-11-09, 17:49
Greyfox:

Do the entries not being removed have or not have a value set as discussed here?
Possible defect in immunization "Undo" (Spybot 1.5).
http://forums.spybot.info/showthread.php?t=17867

md usa spybot fan,
My apologies for the delay in answering. I had to restore an operating system partition from an image that applied when I did the original tests so I could establish a count for the "*"=dword:00000004 entries.


In the start from 0 situation, of the 46 Domain entries not removed by the undo of the same immunisation set, none were blocking ("*"=dword:00000004) entries, however of the 65 Domain entries orphaned prior to this, 62 were "*"=dword:00000004 entries.

In the start from 0 situation, of the 46 EscDomain entries not removed by the undo of the same immunisation set, again none were blocking ("*"=dword:00000004) entries, however of the 19 EscDomain entries orphaned prior to this, 15 were "*"=dword:00000004 entries.

In the case of the S-1-5-19 (local service) and S-1-5-20 (Network service), if I remember correctly not all that long ago it was decided to no longer immunise these. If that is correct then the 7910 Domain entries in each of these two categorys have been orphaned in the process. Of the 7910 in each category 7876 are "*"=dword:00000004 entries.

I can understand the case Yodama makes in his post for not removing Domain entries that have no assigned value, assuming there might be a subdomain entry with a trusted value in addition to the one with a restricted value that is being removed, however over time this is going to result in a buildup of non used entries (just in the one immunisation set above, and ignoring any previous left overs, it amounts to 10 x 46 = 460 registry entries).

The problem of the 15752 orphaned "*"=dword:00000004 entries in S-1-5-19 and 20 is another thing again.

md usa spybot fan
2008-11-09, 18:27
Greyfox:

In regards to the following:


... The problem of the 15752 orphaned "*"=dword:00000004 entries in S-1-5-19 and 20 is another thing again.
Yes it is. That is partially why I always recommended completely uninstalling Spybot 1.4, including an immunization undo, before upgrading. For example: See this post (http://forums.spybot.info/showthread.php?p=199444#post199444).

Greyfox
2008-11-10, 00:53
md usa spybot fan,

I don't know whether the S-1-5-19 & 20 entries were originally from v1.4 or one of the later versions, or a combination of both. I generally undo immunisations before uninstalling prior to moving to a newer version, but I may have missed doing that at some stage. I don't know whether an undo with the old version prior to installation of the later versions would have removed all or some of these particular entries, but I do I agree with your description of how one should go about updating.

Unfortunately the Spybot "this very small fix" does not address this particular problem at all, and Spybot Sandra's statement in one of the posts from your link that "Now all entries that belong to Spybot - Search & Destroy will be deleted from the registry" is not correct.

For those comfortable with working with registry entries it isn't a huge problem, albeit one has to be careful with permissions if taking the quickest approach, however for many this will not be an option.