Question about immunizing after update



voltra
2008-11-07, 19:42
Hi, I just updated today and Spybot said I should "re-do immunization". I was wondering what exactly it meant since it doesn't say that every time I update. Do I hit "Undo" and then immunize again, or just hit immunize like I normally do after updating?

ky331
2008-11-07, 20:00
the weekly Spybot updates normally contain "a few" immunization updates... and it's always a good idea to re-immunize after each week's update.

in contrast, the update on 2008-11-05 contained a MAJOR immunization database update, which is why, to stress its importance, it included the "re-do immunization" prompt.

voltra
2008-11-07, 20:07
Okay, I still just hit immunize like normal, Spybot just told me that because it was an important update. That right?

ky331
2008-11-07, 20:12
to the best of my knowledge, yes, just do it as normal.
at least, that's what i did.

md usa spybot fan
2008-11-07, 20:47
voltra:

This is speculation, although based in knowledgeable assumptions.

The updates contained an update to the Immunization database:
Immunization database - !Updated Immunization database (546 KB) - 2008-11-05
That update affects the CLSIDs.sbs file that provides the CLSIDs for the Internet Explorer immunization items listed as "Plugins" (which block the download/execution of ActiveX processes).

The last update to that database appears to have been:
Immunization database - !Updated Immunization database (546 KB) - 2007-07-25
Updates to the CLSIDs.sbs file appear to be the only updates that have an "Actions=immunize". So I assume that is what generates the message (now that is pure speculation) and that is why you have not seen the message on a regular basis.

In regards to doing an immunization "Undo". The update of 2008-11-05 appears to have reduced the number of immunization "Plugins" immunizations from 895 to 894. If you do not do an immunization "Undo" before downloading the updates, normally Spybot will leave entries that have been eliminated in new updates and not remove them during a subsequent immunization "Undo". I personally consider that a deficiency (defect) in the immunization process.

ps: I have not had time to do an analysis of CLSIDs.sbs to see the exact changes that occurred between the 2007-07-25 and 2008-11-05.

ky331
2008-11-07, 21:09
md wrote: "If you do not do an immunization "Undo" before downloading the updates, ... Spybot will leave entries... ; I ... consider that a... (defect) ".

The problem, however, is that [presumably] no-one thinks to UNDO the old immunization before getting each week's update... and as you noted, after the fact, it's too late. Which is why I believe "normal" immunization --- without an UNDO --- is the only reasonable course for a user to follow at that point.

md usa spybot fan
2008-11-08, 16:37
It appears that the following entry was eliminated from the "Plugins" immunization during the 2008-11-05 updates:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}]
Compatibility Flags=dword:00000400

See the following CastleCops description of that CLSID:
CastleCops® zeropop.dll FCADDC14-BD46-408A-9842-CDBE1C6D37EB
http://www.castlecops.com/tk1962-zeropop_dll.html

voltra
2008-11-08, 22:44
Wow, so I should have actually been hitting Undo before every update since I installed Spybot? And wait, does that mean Undo doesn't actually remove everything Spybot has done when you're trying to completely uninstall it, for example, if you don't Undo before every update?

md usa spybot fan
2008-11-09, 00:24
voltra:

True.

Since Spybot does not keep a separate file of everything that it has ever immunized nor a file of items once immunized by Spybot but no longer immunized, the "Undo" only removes the items in its current immunization files. This can result in orphaned immunization entries that will no longer be removed with an immunization "Undo".
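
The orphaning described above can be checked from a registry export. The following is an added example, not part of the original post and not Spybot's own code: it parses an exported "ActiveX Compatibility" key, collects the CLSIDs whose Compatibility Flags carry the 0x400 kill bit, and reports those missing from the current immunization list. The function names, the sample export and the plain set used for the current list are assumptions (the CLSIDs.sbs format is not shown in this thread).

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE instantiating the control
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.IGNORECASE)
# Accept the quoted value name regedit exports and the unquoted form in the post.
FLAG_RE = re.compile(r'^"?Compatibility Flags"?=dword:([0-9A-F]{8})$', re.IGNORECASE)

# Constructed sample export; only the FCADDC14... CLSID comes from the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}]
"Compatibility Flags"=dword:00000400
"""
# Assumed: the CLSIDs the current immunization files still cover (placeholder).
CURRENT_LIST = {"{11111111-1111-1111-1111-111111111111}"}


def kill_bitted_clsids(reg_text):
    """Return the upper-cased CLSIDs whose Compatibility Flags include the kill bit."""
    found, current = set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
        elif line.startswith("["):
            current = None  # some other key: ignore its values
        else:
            flag = FLAG_RE.match(line)
            if flag and current and int(flag.group(1), 16) & KILL_BIT:
                found.add(current)
    return found


def orphaned_entries(reg_text, current_list):
    """Kill-bitted CLSIDs in the registry that the current list no longer covers."""
    return sorted(kill_bitted_clsids(reg_text) - {c.upper() for c in current_list})


if __name__ == "__main__":
    print(orphaned_entries(SAMPLE_EXPORT, CURRENT_LIST))
```

The output is a list of candidates only: kill bits under this key are also set by other software, so each CLSID needs to be identified before it is removed.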

Greyfox
2008-11-09, 04:08
voltra,md usa spybot fan,

Refer to my post
http://forums.spybot.info/showthread.php?t=36039

I don't believe it is possible for undo to remove all past Spybot immunisations without using something akin to a wild card removal, and that would possibly remove entries from other software which would not be considered polite.

Certainly, doing an undo each time before reimmunising might reduce the number of old immunisation entries being orphaned, but as you can see from my post, even if one starts with none present, and immunises from a single issue, the undo from the same issue doesn't remove them all.

ky331
2008-11-09, 15:14
Voltra,

to try to pacify your mind as to what's happening here:

I don't believe that anyone --- short of outright paranoia --- undoes immunization before each weekly update. (and as just pointed out, even taking this extreme measure might not suffice in removing 100% of all entries)

So what happens when an entry is left over ("orphaned")? One recent example [a dispute between SpyBot and SpywareBlaster] was immunization offering protection from a website which had been discontinued by its owner. One of these programs (I don't recall the details) removed it, on the basis that the website was no longer "alive"; the other program retained it, saying blocking against a "dead" site couldn't hurt anything.

in the case of this particular update, which md...fan has identified as blocking zeropop.dll, the only reason to be concerned is if you are actually using [or at some future point, wish to use] its underlying program, which is apparently some form of "parental control" package to control/restrict use of internet explorer.

Granted, this might be deemed "rationalizing" what some will claim to be a defect --- ideally, a program should be able to remove all traces of anything it put there in the first place. But what I'm trying to say is that, unless you plan on using that particular parental control program [in which case, you might need to remove the immunization via editing your registry], there's really nothing to be concerned about here.

voltra
2008-11-09, 19:13
I'm not concerned about this particular update, more the fact that some point in the future it could affect me and then I might have to play around in the registry to fix it. The immunization feature is, in my opinion, the most important feature of Spybot (Malwarebytes' Anti-Malware is what I usually scan with), so I was surprised to find out it has a defect like that.