AdwCleaner detects some elements of immunization as PUPs



IzNoGud78
2023-01-22, 18:10
I ran scans on several occasions with the AdwCleaner tool and each time it detected the following registry entries as PUPs



PUP.Optional.Legacy HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com


I believe there is a correlation between the detection of these items and the immunization tool, also because they are always detected following the application of immunization and if removed or quarantined via AdwCleaner, doing a subsequent scan with the immunization tool results in incomplete immunization.

I'm so sure of this that I decided to add the items to the list of AdwCleaner exclusions (also making a report as likely false positives on their forum), but I would be more comfortable if I had confirmation of this, thanks.

Zenobia
2023-01-23, 08:46
I see you received a reply there:
https://forums.malwarebytes.com/topic/294187-false-positive-detection-after-immunization-with-spybot-sd/
Spybot would add those entries to the registry shown in your logfile as part of immunization, but they would be given a dword value of 4 to place them in the Restricted Sites Zone, and not the Trusted Sites Zone.
https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries

You could contact Spybot support for further clarification, if you like. :)
https://www.safer-networking.org/support/#contactform
You might like to include a link to this topic to help with explanation.

PepiMK
2023-01-23, 10:52
Both are entries that are indeed blocked by the immunization, since around 2012.

It's like Zenobia said - it all depends on the value inside these registry keys. I have no idea why AdwCleaner does not check the content, since entries like these are a constant source of false positives.

You could simply run regedit (or RegAlyzer (https://www.safer-networking.org/products/regalyzer/)) to verify the actual value.

Not sure if this is documented inside RegAlyzer, will update the RegAlyzer database with useful information and post again :)
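The check Zenobia and PepiMK describe above (open each flagged zonemap key and look at the DWORD it holds) can be done for all three hives at once. The following PowerShell script is an added example, not part of this thread or of Spybot or AdwCleaner; it assumes the zone numbering from the Microsoft article linked above (0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites) and that immunization writes a scheme value such as `*` under each domain key, which is an assumption about the layout rather than something stated in the thread. It reports the zone each flagged domain is assigned to, and separately lists any entry that is not in zone 4, so a Restricted Sites entry (expected after immunization) can be told apart from a Trusted Sites entry (which would be worth investigating).

```powershell
# Added example: report the IE security zone assigned to zonemap domain entries.
# Zone numbers per the Microsoft security-zones article (assumed, not from the thread).
$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

# Hives listed in the AdwCleaner log: HKCU, HKU\.DEFAULT and HKU\S-1-5-18.
# HKU has no PSDrive by default, so provider-qualified Registry:: paths are used.
$roots = @(
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

# Domains flagged in the log; extend as needed.
$flagged = @('dospop.com', 'incredibar.com')

function Get-ZoneMapAssignment {
    param([string]$Root, [string]$Domain)
    $keyPath = "$Root\$Domain"
    if (-not (Test-Path -LiteralPath $keyPath)) {
        return [pscustomobject]@{ Hive = ($Root -replace '^Registry::', ''); Domain = $Domain
                                  Scheme = $null; Zone = $null; ZoneName = 'key not present' }
    }
    # Each value under the domain key is named after a URL scheme ('*', 'http', 'https')
    # and holds a DWORD zone number (assumed layout). Host-prefix subkeys such as 'www'
    # are not descended into here.
    $item = Get-Item -LiteralPath $keyPath
    foreach ($valueName in $item.GetValueNames()) {
        $zone = [int]$item.GetValue($valueName)
        $name = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "unknown ($zone)" }
        [pscustomobject]@{
            Hive     = $Root -replace '^Registry::', ''
            Domain   = $Domain
            Scheme   = if ($valueName -eq '') { '(Default)' } else { $valueName }
            Zone     = $zone
            ZoneName = $name
        }
    }
}

$results = foreach ($root in $roots) {
    foreach ($domain in $flagged) {
        Get-ZoneMapAssignment -Root $root -Domain $domain
    }
}

# Full listing of what each hive assigns to each flagged domain.
$results | Format-Table Hive, Domain, Scheme, Zone, ZoneName -AutoSize

# Entries that are present but NOT in the Restricted Sites zone deserve a closer look:
# an immunization entry is expected to carry 4, not 2 (Trusted Sites).
$results | Where-Object { $null -ne $_.Zone -and $_.Zone -ne 4 } |
    Format-Table Hive, Domain, Scheme, Zone, ZoneName -AutoSize
```

Reading HKU\S-1-5-18 and HKU\.DEFAULT requires an elevated PowerShell session; HKCU can be read as the current user. The script only reads the registry and changes nothing, so it is safe to run before deciding whether an AdwCleaner detection should be excluded.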

PepiMK
2023-01-24, 22:36
Not sure why exactly you wrote on the MalwareBytes forums that you haven't received a comment yet? :)

IzNoGud78
2023-01-25, 03:06
Not sure why exactly you wrote on the MalwareBytes forums that you haven't received a comment yet? :)

I apologize but I just saw now the reply on this forum. Anyway, I thank you all for the replies, at least I'm sure I did the right thing by adding the detections among the exclusion rules and reporting the false positive.