Spybot’s immunization function REMOVES items

Status
Not open for further replies.
S

Synetech

New member
It seems that when you apply Spybot’s immunization definitions, it will actually remove several items from the HOSTS file (and likely other locations as well).

I suspect that this is due to some sort false-positive white-list, but even then, it should only avoid adding those items to the list; it should not remove items that are already present because it may not have been the one to put them there in the first place. For example, google.com would ostensibly be a false positive in most cases, but if someone chooses to block it, then Spybot must not remove the entry (at least not automatically).

I tried to check the Spybot files to see if there is a list of URLs that Spybot lets through, but it uses a proprietary format so I could not find out, however here is a list of URLs that I have noticed Spybot allows:

  • -h-n7y15mc.firoli-sys.com
  • cloudfront.net
  • www.cloudfront.net
  • one2mail.com
  • www.one2mail.com
  • websearch.com
  • www.websearch.com
One or two of those have been mentioned in the forums as false-positives, a couple have not, and that first one looks outright suspicious, so it is questionable why Spybot would remove it.
 
I have 3 sites I keep blocked in my Hosts file,besides the ones added by Spybot.
Checking just now,I immunized 2 items Spybot showed as unprotected,removed immunization completely,and then readded immunization,and the three sites I keep in my hosts file remained.
I'm not sure why.About the only thing I can think of is that I keep the 3 sites outside of the sites enclosed in Spybot's comments.
So,if you think you may have added the sites you keep in there into the sites enclosed within Spybot's comments,when you readd the sites into hosts,try scrolling down hosts until you see:
# This list is Copyright 2000-2010 Safer-Networking Ltd.
# End of entries inserted by Spybot - Search & Destroy
Click to expand...
and then add your sites below that comment,to try to see if the sites you add on your own aren't removed next time. :)
 
It has nothing to do with the comments; in fact, I strip out comments, sort, and de-dupe the HOSTS file whenever a change is made.

The items you added were kept because they were not on Spybot’s false-positive/white-list. Try the ones I listed and you will see that they get removed.
 
Ok,gotcha.I didn't try adding them yet. :)
I never really thought about it before.But if they were listed as false positives in the forum,then it kind of makes sense if the sites would be removed by Spybot.
To use your example,somebody may well want google.com blocked in their hosts file,yes.
But if Spybot accidentally placed Google.com in everybody's hosts file and did not remove it,then that would leave hundreds,thousands,or millions(whatevs Spybot has for users) with no access to Google,and many might not even know how come,since not all people would understand what happened.That could be potentially disastrous,really,if it were a really well known site.
Or less well-known.....I start memyselfandI.com,and it starts becoming better known,when all of a sudden Spybot mistakenly puts it in the hosts file.Suddenly I've got folks on the internet not able to get there,then people are saying it's a malware site on the internet,or they just think it's gone under.
No offense,I wasn't even aware Spybot did that with the hosts file,but it is another opinion,and maybe something to think about. :)
 
Yes, handling false-positives is tricky, but like I said, Spybot may not have been the one to put them in there, so it should not be removing them. Another way to think about it is that google.com wouldn’t normally be redirected in the HOSTS file, so should Spybot take the liberty of finding and removing any references to it? No. A person may have added it to block Google (or a porn site or whatever) or to add a IP address directly to avoid risking DNS poisoning or something.

It’s not the immunization function’s place to (automatically) remove entries from the HOSTS file (or the P3P and Zone Domain registry entries or Firefox and Opera’s blocking files), it should only add items to them. Removing (potentially) false positives should only be done by the scanning/check-for-problems function. That way, users can select what they want to remove, and add them to a whitelist of entries to be ignored.
 
I added -h-n7y15mc.firoli-sys.com and cloudfront.net to hosts,and yes,upon removing and readding immunization to hosts those were removed.

I see your point if you placed the sites in hosts by yourself.But,in the case of false positives or if somebody had a site that was formerly listed,but they worked with the Spybot folks to have it de-listed,there has to be a functioning way for that site to be removed from the hosts file and other immunization after it was placed there by Spybot.We're going to have to agree to disagree. :)

Team Spybot isn't usually around much on the weekends.They might not see this if they don't happen to look in Monday,but there is a contact form here,if you would like to discuss this with them further:
http://www.safer-networking.org/contact/
 
I added -h-n7y15mc.firoli-sys.com and cloudfront.net to hosts,and yes,upon removing and readding immunization to hosts those were removed.
Click to expand...
Actually, you don’t have to remove anything. The problem is that if you have those entries in the HOSTS file and then simply applying/adding the immunization will strip them out.

Do not un-check the box, leave the HOSTS item checked and simply apply the immunization and it will still remove them. That doesn’t make sense. (See screenshot.)

But,in the case of false positives or if somebody had a site that was formerly listed,but they worked with the Spybot folks to have it de-listed,there has to be a functioning way for that site to be removed from the hosts file and other immunization after it was placed there by Spybot.
Click to expand...
There already is: the scanner. It is the scanner’s job to check for problems including false-positives and hijacks, not the immunization’s job. The scanner allows you to examine the list of potential problems and select which ones you want reverted and also add them to a white-list. The immunization function has no such functionality and will automatically, unilaterally, and always remove them whether you want it to or not.



attachment.php
 

Attachments

  • Immunization.png
    Immunization.png
    38.6 KB · Views: 31
If I were prone to paranoia, I would suspect that it is purposely letting those domains through for “some reason”. There is no reason for the immunization function to automatcally, and secretly remove a small handful of select domains from the HOSTS file when there is already a proper, better, more thorough, more controllable way to do exactly the same thing:

attachment.php
 

Attachments

  • HOSTS.PNG
    HOSTS.PNG
    41.8 KB · Views: 24
I have this problem too

I'm running Spybot 2.7.65.0 on Windows 7 Home SP1. Spybot's immunisation function removed all the entries I added to the hosts file, which were outside the Spybot block of entries. Is there any way to stop this happening?
 
No, I don't believe there is. You could ask about it on the contact form here:
https://www.safer-networking.org/support/#contactform

Spybot usually makes a backup of the hosts file after immunizing. You should see them in C:\Windows\System32\drivers\etc as .backup files. You might be able to recover the sites you had added to your hosts file that way.
 
Last edited:
Status
Not open for further replies.
Back
Top