Passive Protection Part Failure?

[Traveller11]

Hi,

I am encountering a part failure when running Immunization as I get '4 Unprotected' in: Windows 'Global (Hosts) (C:\WINDOWS\System32\drivers\etc\hosts.)'

Can anyone tell me how to rectify this please, as re-running Immunization fails to protect these 4 'problems'
While I am at a loss to establish exactly what they are.

Thanks

 

[Zenobia]

Hi.
There were two others who also had 4 unprotected in the hosts file recently, so perhaps you are having the same or a similar issue:
https://forums.spybot.info/showthread.php?74701-Temporary-Immunization
I couldn't find what was causing it, so you could open a Support ticket to talk to Team Spybot if you would like:
https://www.safer-networking.org/support/ticket/technical/

 

[Traveller11]

Hi.
There were two others who also had 4 unprotected in the hosts file recently, so perhaps you are having the same or a similar issue:
https://forums.spybot.info/showthread.php?74701-Temporary-Immunization
I couldn't find what was causing it, so you could open a Support ticket to talk to Team Spybot if you would like:
https://www.safer-networking.org/support/ticket/technical/

Hello Zenobia,

Many thanks for your reply and the link to the other two SpyBot users.

While I too have Malware Bytes installed which i believe is running in the background, running a scan on it produces 'Nothing found'.

I also have Zone Alarm which I must say is much better behaved than AVG which I had and was very glad to see the back of as like Norton it was attempting to take control of my laptop!

The Zone Alarm is for both Virus protection and Firewall but again when a full scan is run like Malware I get the result of 'Nothing found'

I had a look at the file I mentioned in my original post, and there are 35 files of this type........All 'Backup'
'hosts.20160714-222619.backup 30/10/2015 BACKUP FILE 1KB

While I wrote the details of the first BACKUP file the remainder are around 448KB in size.

So I am wondering if they might be 'interfering' with the immunization process and should be 'Deleted'?

If you are unsure of the answer then I will raise a ticket as you suggest as the other 2 users have not posted any update, so I presume they still have the issue/problem.

Cheers

 

[Zenobia]

You're welcome.

By the way, could you let me know which version of Windows are you on, is it Windows 10?

The hosts.20160714-222619.backup files are all backup files created by Spybot when it immunizes your hosts file. No need to delete them, they won't interfere with immunization.

It is possible that another program with real-time protection might be removing the hosts file entries made by Spybot, but if that were happening you would likely be notified by the security program.

I see Malwarebytes has real-time protection with the premium version only:
https://www.malwarebytes.com/premium/
Do you have the premium or the free version? If you have the free version, that should rule out Malwarebytes.

I do see that Zone Alarm Antivirus and Firewall does have some kind of on-access scanning and/or also real-time protection?
http://download.zonealarm.com/bin/inclient/ZA_HelpCenter/adv_onaccess.html
http://download.zonealarm.com/bin/inclient/ZA_HelpCenter/av_spy_overview.html
Does that notify you if it finds anything?
If this page is up to date, I see there are logged Virus events. I'm not 100% sure if it shows anything found by on-access scanning or not, but you could look at the Virus Events and see if they correspond to times when you have been immunizing Spybot:
http://download.zonealarm.com/bin/inclient/ZA_HelpCenter/aspy_progress_scan.html

 

[Traveller11]

Hi Zenobia,

I am using Win10 64bit.

I will have a look at those points you made while I made this 'find' this morning but not sure if it is causing the 'problem'.

I tried running Immunization in Spybot without any updates and it came back telling me that I needed to 'Close' Firefox(SYSTEM)?

I opened up Task Manager and looked at all running 'Processes' and there was nothing there.

So I closed down Spybot and then opened up Firefox, which is taking a heck of a long time to open up!

I then ran CCleaner which told me Firefox needed to be closed down so I allowed CCleaner to close it and continue, except it struggled and found it was taking a long time to close down so CCleaner then forced it to close.

I then closed down CCleaner and opened Spybot and ran Immunization directly with no update and lo and behold the 'Close Firefox(System)' message came up again while the 4 'Unprotected' items remain in place. (File attached)

Seems weird but having I am not sure if the 4 'Unprotected' are related to Firefox.

Hope this throws some more light on the 'problem' or maybe it gets more 'confusing'!

Cheers

Oops......Forgot to mention that I have the free version of Malwarebytes, while Zone Alarm does notify me of anything. The logged 'Virus Events' are from when Zone Alarm AV 'found' a suspected virus which is a false positive as it is the program for the activation code for Microsoft Office 2010, so I chose to allow it, but the virus event remains in place, while this was never a 'problem' when using AVG and Spybot, but the activation program was also allowed to remain in place and be active when it was found by AVG.

 

[Zenobia]

Hi.

I am using Win10 64bit.

Okay, thanks. I guess this is not Operating System related somehow, because I have Windows 10 64bit also, and my hosts file immunization is complete. I see by your screenshot that you are being prompted to run as administrator when you run Immunization, so that is as it should be.

Spybot will prompt you to close Firefox to make sure immunization is successful because sometimes Firefox immunization will fail when Firefox is open while Spybot is immunizing it. That should not affect the hosts file immunization, though.
But just to be on the safe side, could you please try rebooting your computer, leave Firefox closed, then opening Spybot immunization once again, just to confirm that the "Open browsers detected! You should close "Firefox(System)" to make sure immunization is successful" is no longer there?

Okay, that should eliminate Malwarebytes removing hosts file entries with real-time protection since it is the free version, and since there is only one false positive with Zone Alarm Antivirus and Firewall, if it does log On-Access events, then that should eliminate On-Access scanning and/or any real-time protection that it has as the culprit, barring unforeseen circumstances in either case.

 

[Traveller11]

Hi Zenobia,

I will say now that my default browser is Chrome and not Firefox which I only use infrequently.

The laptop has been shut down for the last 6 hours and switching on I went into Chrome and the Forum to see if there was a reply and there was from you.

I then opened Spybot and went straight into Immunization and guess what?

Nope it didn't work as I got that same message 'You should close "Firefox (SYSTEM)" to make sure an immunization is successful'

Nice to know that the other programs should not affect the immunization process.

I am just wondering if I should try taking a backup of the URL's and security from Firefox and stick it on a memory stick, then remove the Firefox program including the folders that are sometimes left behind, then clean out the Registry, then shut the laptop down, reboot and open Spybot first and try the immunization.

Decided I will and will let you know the result...........soon!

 

[Traveller11]

Hi again Zenobia,

Well I now have a laptop that does not have 'Firefox' anywhere in it...............

BUT
Unbelievably I am still getting that same message when I open up Spybot & Immunization!
'You should close "Firefox (SYSTEM)" to make sure an immunization is successful'

I am now 'Up a creek without a paddle' as I don't know where to go next or what else to try.

It looks like that Technical Support Ticket is getting very close!

Look forward to your thoughts.......

Cheers

 

[Traveller11]

NEW UPDATE!

Hi once again Zenobia,

It looks like some elements of the Firefox Program remained as I just did a reinstall of the browser from a new download and when I opened it up I found all my Bookmarks and 'security' items still in place!

While I had 5 entries in the Registry it looks like some folders on the 'C' drive still had Firefox files in place, but interestingly a Windows Search did not identify them.

So I guess I need to do it again and look for the folders where the other bits are!

Watch this space!
Cheers

 

[Traveller11]

Hello Zenobia,

I don't know if the attached Log File from Spybot Search & Destroy can throw any light on this 'problem' but in reading it through there does not seem to be any 'errors' identified regarding the operation of Mozilla/Firefox?

Oops!.......

While I am supposed to be able to Upload 'txt' files in the Attachments I am getting a message on here via 'Manage Attachments' that the 'Immunization-Browsers.txt'
is Invalid for Upload!

I converted the file to a '.doc' file which is also supposed to be able to be Upload-able but that was also refused saying 'Invalid file'

I am beginning to think that the 'problem' is somewhere in Spybot.

Any ideas would be welcome as I am once again totally stumped!

Cheers

 

[Zenobia]

Wow, you've been busy, you uninstalled Firefox and everything, that is above and beyond the call of duty.

It looks like some elements of the Firefox Program remained as I just did a reinstall of the browser from a new download and when I opened it up I found all my Bookmarks and 'security' items still in place!

Firefox usually does leave behind the profile folder when it's uninstalled so that users don't lose their bookmarks, etc. I'm not 100% certain, but I don't think the profile folder being left behind would cause Spybot to detect it as an open browser, though.

Not to be distracted from the 4 unimmunized hosts file entries, but just to go over some things about Firefox I find a bit odd, and I've been unable to find anything about them online anywhere.

'You should close "Firefox (SYSTEM)" to make sure an immunization is successful'

I notice that says System. If I am remembering this right (and it's very possible I'm not, so don't let this alarm you.), when Spybot detects Firefox open browser before immunization, the name in brackets is the name of the account that it is being run on, while looking in Immunization itself shows the profile name instead. In that case, it would look like Spybot might be possibly running from an account named System. I don't imagine the Windows account you are logged into now is called System, is it? I also find it odd that when you went to shut down Firefox the first time, it wasn't available in Task manager, and I also find it odd that after you uninstalled Firefox Spybot still detected Firefox as an open browser. This could well be a technical problem with Firefox, I'm sure. And you have ran scans and they have come up clean, so that is good. And everything is running okay on your computer? You haven't noticed anything different happening lately?

 

[Traveller11]

Wow, you've been busy, you uninstalled Firefox and everything, that is above and beyond the call of duty.

Firefox usually does leave behind the profile folder when it's uninstalled so that users don't lose their bookmarks, etc. I'm not 100% certain, but I don't think the profile folder being left behind would cause Spybot to detect it as an open browser, though.

Not to be distracted from the 4 unimmunized hosts file entries, but just to go over some things about Firefox I find a bit odd, and I've been unable to find anything about them online anywhere.

I notice that says System. If I am remembering this right (and it's very possible I'm not, so don't let this alarm you.), when Spybot detects Firefox open browser before immunization, the name in brackets is the name of the account that it is being run on, while looking in Immunization itself shows the profile name instead. In that case, it would look like Spybot might be possibly running from an account named System. I don't imagine the Windows account you are logged into now is called System, is it? I also find it odd that when you went to shut down Firefox the first time, it wasn't available in Task manager, and I also find it odd that after you uninstalled Firefox Spybot still detected Firefox as an open browser. This could well be a technical problem with Firefox, I'm sure. And you have ran scans and they have come up clean, so that is good. And everything is running okay on your computer? You haven't noticed anything different happening lately?

Hi Zenobia,

The above and beyond the call of duty is from this end I just want to see if we can resolve this issue.

The account I am running from now using Chrome is not called 'System'. According to 'Task Manager' in Processes it is in a list under a heading called 'Apps'

'System' I found also in Task Manager which is under a heading 'Windows processes'

I reinstalled Firefox and left it open while I then opened and tried Spybot, Immunization.
The message I then got was, different!.........

'You should close "Firefox (***PC)" to make sure an immunization is successful'

The ***PC is the name of my laptop.

I am not sure if when you install Spybot S&D if the choice of location for the installation is automatic so it is installed in the 'Program Files(86)' or you can select another location?
So need to pick your brains on that one please?
Then I could uninstall Spybot S&D 2 download a new install file and if it allows me to choose another Folder like 'Programs' as opposed to Programs(86) then install to that folder and see what happens after updating and running Immunization?

Cheers

 

[Zenobia]

Hello, hope you're having a good afternoon.

I am not sure if when you install Spybot S&D if the choice of location for the installation is automatic so it is installed in the 'Program Files(86)' or you can select another location?
So need to pick your brains on that one please?
Then I could uninstall Spybot S&D 2 download a new install file and if it allows me to choose another Folder like 'Programs' as opposed to Programs(86) then install to that folder and see what happens after updating and running Immunization?

Yes, you can select another location to install Spybot, though the default location on a 64-bit Windows would be Program Files (x86). However, I don't recommend installing Spybot to the Program Files folder because 64-bit applications go there and 32-bit Programs go into Program Files (x86) You can see more about that here:
https://www.quora.com/What-is-the-difference-between-program-files-and-program-files-x86
Also, installing Spybot to another location is unlikely to fix any immunization issues, so while it's a good idea to try different things, in this case you ought to skip doing that.

'System' I found also in Task Manager which is under a heading 'Windows processes'

That's normal to see in task manager, and is unrelated to the 'You should close "Firefox (SYSTEM)" to make sure an immunization is successful' message.

The reason I found the "You should close "Firefox (SYSTEM)" to make sure an immunization is successful'" odd is because usually, as I recall, the name in brackets is usually the name of your account on Windows. So, if I saw that message when opening immunization, I would likely see "You should close "Firefox (Zenobia)" to make sure an immunization is successful'

'You should close "Firefox (***PC)" to make sure an immunization is successful'

The ***PC is the name of my laptop.

Firefox (***PC) would also be something that was normal to see, too.

Firefox running from a System account seems unusual, and I couldn't find any info on that online, so I wanted to ask you about it to see if you knew about it running from there, etc., as I was worried Firefox running from there might be a Firefox technical or perhaps malware related type of issue or problem. But perhaps where you now are seeing Firefox (***PC), then maybe the "Firefox (SYSTEM)" was just a bit of a glitch.

So, since we haven't uncovered any insight into the hosts file not having four of the hosts file entries from Spybot, then it would be best to contact Spybot support now.
https://www.safer-networking.org/support/ticket/technical/
Good luck with support. I hope the hosts file issue is resolved.

 

[Traveller11]

Hi Zenobia.

I am having to use my mobile to reply to your message as which uses Safari as the browser.
My laptop and Google Chrome are blocking access to the Forum telling me there is a Privacy issue with the website!
So I have sent a request to Tech Support and hopefully they can sort it out as it looks like a Certificate issue, as I can access other Secure Forums that use https!

Hope it's not long as I can't stand using the mobile for this!
Cheers

 

[Zenobia]

Hello.
Yes, when I saw your post I opened Chrome and came to these forums, and I got a "Your connection is not private" error, too. I don't get the error when I use Firefox or Edge, though. On Firefox I see "secure connection" when I click on Safer-Networking Ltd. in the upper left corner and then when clicking the arrow it says verified by: Startcom Ltd. I'm not sure why that is happening on Chrome. I'm not sure who to contact about that, so I'll send a message to the moderator and let her know.

 

[Traveller11]

Hello.
Yes, when I saw your post I opened Chrome and came to these forums, and I got a "Your connection is not private" error, too. I don't get the error when I use Firefox or Edge, though. On Firefox I see "secure connection" when I click on Safer-Networking Ltd. in the upper left corner and then when clicking the arrow it says verified by: Startcom Ltd. I'm not sure why that is happening on Chrome. I'm not sure who to contact about that, so I'll send a message to the moderator and let her know.

Hi Zenobia,

This was weird as this morning I could not get in with either Chrome or Firefox.
Now I can get into the Forum using Firefox, but Chrome still rejects any attempt which makes me think that Chrome is being 'nasty' as it has with other programs.

I have opened a support request to see if a solution can be provided to the Passive Protection 'problem' and will let you know the outcome when the guys get back to me.

Thanks.

 

[Zenobia]

Hi, Traveller11.

Yes, when I checked earlier, besides the Chrome error, when I used Edge to come to the Spybot Forums it took an unusual amount of time to connect to the forums, though Firefox was just normal. I messaged the moderator about the Chrome error, and she'll pass it along for us.

I have opened a support request to see if a solution can be provided to the Passive Protection 'problem' and will let you know the outcome when the guys get back to me.

Okay, thank you very much.

 

[Traveller11]

Hello Zenobia,

I got a reply to my 'Ticket' which is as follows.........

To ensure that Immunization is applied correctly, Please disable all other security programs that you run and close all browsers and any other programs during the work with Spybot - Search & Destroy.

You need to run the immunization with elevated privileges, otherwise all global immunizations will fail.

To Immunize your browser:

- Open Spybot "Start Center" by right clicking on the icon and choosing "Run as administrator".

- Go to "Immunization"

- Click "Check System" then click "Apply Immunization"

The main reasons why Immunization would fail are:

- A path is not detected.

- The object is blocked by something e.g a security program.

- The user does not have appropriate rights for Immunizing an object.

I followed it to the letter and at the end of running Immunization I got the same result '4 remain unprotected'!

The results have been sent back to Spybot.

Meanwhile I have got access to the Forum on Chrome after going back to a previous Back-up Image and re-installing it.
So I think the 'problem' with the access coming up 'Unsecure' was a corruption somewhere.

Feels a bit like 3 steps forward and 2 back at the moment!

Cheers

 

[Zenobia]

Good morning.

Meanwhile I have got access to the Forum on Chrome after going back to a previous Back-up Image and re-installing it.
So I think the 'problem' with the access coming up 'Unsecure' was a corruption somewhere.

I heard back from tashi, and that error is all fixed now.

After they reply the next time, if the hosts file is still not immunized, if you hadn't mentioned it already, you could tell them that you, and two others have 4 items that will not be immunized in the hosts file, and include links to those posts and the link to this post in the email you write back to them if you would like to:
https://forums.spybot.info/showthread.php?74701-Temporary-Immunization
https://forums.spybot.info/showthread.php?74784-Passive-Protection-Part-Failure&p=477003
Three people each having 4 items in hosts that won't stay immunized could just be a coincidence, or it could be some sort of common reason. I noticed Team Spybot is pretty good about attempting to reproduce issues like this whenever I read their posts on the forums, so it's possible they might do some testing on it or something like that. Though that's pure speculation on my part, of course.

 

[Traveller11]

Good morning.

I heard back from tashi, and that error is all fixed now.

After they reply the next time, if the hosts file is still not immunized, if you hadn't mentioned it already, you could tell them that you, and two others have 4 items that will not be immunized in the hosts file, and include links to those posts and the link to this post in the email you write back to them if you would like to:
https://forums.spybot.info/showthread.php?74701-Temporary-Immunization
https://forums.spybot.info/showthread.php?74784-Passive-Protection-Part-Failure&p=477003
Three people each having 4 items in hosts that won't stay immunized could just be a coincidence, or it could be some sort of common reason. I noticed Team Spybot is pretty good about attempting to reproduce issues like this whenever I read their posts on the forums, so it's possible they might do some testing on it or something like that. Though that's pure speculation on my part, of course.

Good afternoon!

I did wonder if the 'security compromise' was due to an 'Accounting Error' where the fee for the security certificate had been overlooked?
Hush my :lip::lip:

IMMUNIZATION.........!

I will pick up the other members having 'Trouble in't Mill' as they say across the Pennines which is a mountain range in the UK!
BUT I can make that even more as my good lady has got the exact same 'problem' on her laptop which was a Win 8.1 Free Upgrade to Win 10 and to be honest it is 'different' when it runs!
So now we have 4 while I bet there are others not in the Forum??

I also tried the answer that I got from SB Technical Support exactly as written which one again 'failed' and the 4 Musketeers are still 'operating'!
OK I know the film says 3 Musketeers but I remember hearing that there were originally 4!!: