
Thread: Possible false positive in 2007-05-09 Includes\Beta.sbi.

  1. #1
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    Possible false positive in 2007-05-09 Includes\Beta.sbi.

    I am running ZoneAlarm firewall and received the following detections using the 2007-05-09 Includes\Beta.sbi.

    __________________

    Checks.070509-0923.log

    Code:
    --- Report generated: 2007-05-09 09:23 ---
    
    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall!=dword:1
    
    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall!=dword:1
    
    
    --- Spybot - Search & Destroy version: 1.4  (build: 20050523) ---
    
    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2006-05-01 TeaTimer.exe (1.4.0.2)
    2006-01-16 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-04-18 advcheck.dll (1.5.1.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-01-02 Tools.dll (2.0.1.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-05-09 Includes\Beta.sbi (*)
    2005-02-16 Includes\Beta.uti
    2007-05-09 Includes\Cookies.sbi
    2006-12-08 Includes\Dialer.sbi
    2007-05-09 Includes\DialerC.sbi
    2007-04-04 Includes\Hijackers.sbi
    2007-05-09 Includes\HijackersC.sbi
    2006-10-27 Includes\Keyloggers.sbi
    2007-05-09 Includes\KeyloggersC.sbi
    2007-03-21 Includes\Malware.sbi
    2007-05-09 Includes\MalwareC.sbi
    2007-03-21 Includes\PUPS.sbi
    2007-05-09 Includes\PUPSC.sbi
    2007-05-09 Includes\Revision.sbi
    2006-12-08 Includes\Security.sbi
    2007-05-09 Includes\SecurityC.sbi
    2007-03-21 Includes\Spybots.sbi
    2007-05-09 Includes\SpybotsC.sbi
    2005-02-17 Includes\Tracks.uti
    2007-05-02 Includes\Trojans.sbi
    2007-05-09 Includes\TrojansC.sbi
    __________________

    Registry entries:

    Code:
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=dword:00000000
    Code:
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=dword:00000000

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  2. #2
    Senior Member
    Join Date
    Apr 2006
    Posts
    100


    I am running Comodo Firewall Pro and have the same issue.

    Greetz, Red.

  3. #3
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    Thanks, I will make a notification for our detectives.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Junior Member
    Join Date
    Jun 2006
    Location
    San Jose CA (Silicon Valley)
    Posts
    13


    I am running Zone Alarm Pro and have shut off Windows Firewall for that reason. I get the same notification with 2007-05-09 beta.sbi.

    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall!=dword:1

    Microsoft.WindowsSecurityCenter.FirewallDisabled: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall!=dword:1

  5. #5
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    hi,

    This is actually not a false positive; it shows that the Windows Firewall is not running. Usually it does not run if another personal firewall has been installed.

    Recently we encountered more malware able to disable the Windows Firewall; this, of course, poses a security risk for users without another personal firewall.
    So they should be notified about this.

    Do you guys have any thoughts on labeling this in a clearer way or do you think this may be ok this way?

    Maybe like this?
    Microsoft.WindowsSecurityCenter.WindowsFirewallDisabled
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  6. #6
    Member FAUST
    Join Date
    Jan 2007
    Posts
    53


    Perhaps check for 3rd party firewalls and only display this if there isn't one.
    What if love's intolerable pain never leaves us?
    Do we dash our bleeding hearts on the rocks of loneliness?
    And cry unto the lords above who turn away in haste?
    MY DYING BRIDE
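The check discussed in posts #1, #5 and #6, written out as an added example. This is not Spybot's own .sbi logic and not code from any poster: it parses a .reg export in the format shown in the first post (the two StandardProfile keys from that post are reused as constructed sample data), flags every ControlSet whose StandardProfile EnableFirewall is not 1, and then applies the gate FAUST proposes, warning only when no third-party firewall is registered. Assumptions beyond what the thread shows: an HKLM\SYSTEM\Select\Current value is included so the script can tell the live ControlSet from a stale one (the thread's log flags ControlSet001 and ControlSet003 alike, but only the selected set describes the running system); the third-party firewall list is passed in as plain (name, enabled) tuples, standing in for what Security Center reports; a key where EnableFirewall is absent is skipped, since the thread does not say how Spybot treats that case; DomainProfile is not examined.

```python
"""
Added example: re-implementation of the
'Microsoft.WindowsSecurityCenter.FirewallDisabled' check from the thread,
plus the third-party-firewall gate suggested in post #6.
Input is text in Windows .reg export format; nothing touches a live registry.
"""
import re

# Constructed sample: the two keys exported in post #1, plus a Select key
# (an assumption; the thread does not show it) so the live control set is known.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
PROFILE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3})\\Services\\SharedAccess\\"
    r"Parameters\\FirewallPolicy\\StandardProfile$", re.IGNORECASE)


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def current_control_set(keys):
    """Map HKLM\\SYSTEM\\Select\\Current (e.g. 1) to 'ControlSet001'; None if absent."""
    sel = keys.get(r"HKEY_LOCAL_MACHINE\SYSTEM\Select", {})
    if "Current" not in sel:
        return None
    return "ControlSet%03d" % sel["Current"]


def firewall_disabled_findings(keys):
    """
    One finding per ControlSet whose StandardProfile EnableFirewall is present
    and != 1, as (registry_path, 'live' | 'stale').  'stale' means the control
    set is not the one selected at boot, so its value says nothing about the
    running system (the thread's log does not make this distinction).
    """
    live = current_control_set(keys)
    findings = []
    for path, values in keys.items():
        m = PROFILE_RE.match(path)
        if not m or "EnableFirewall" not in values:
            continue
        if values["EnableFirewall"] != 1:
            is_live = live is None or m.group(1).lower() == live.lower()
            findings.append((path + "\\EnableFirewall!=dword:1",
                             "live" if is_live else "stale"))
    return sorted(findings)


def should_warn(keys, third_party_firewalls):
    """
    The gate from post #6: warn only when the Windows Firewall is off in the
    live control set AND no enabled third-party firewall is registered.
    third_party_firewalls: list of (displayName, enabled) tuples, a stand-in
    for what Security Center reports about installed firewall products.
    """
    live_off = any(state == "live" for _, state in firewall_disabled_findings(keys))
    covered = any(enabled for _, enabled in third_party_firewalls)
    return live_off and not covered


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for path, state in firewall_disabled_findings(reg):
        print("Microsoft.WindowsSecurityCenter.FirewallDisabled (%s): %s" % (state, path))
    print("warn with ZoneAlarm registered:", should_warn(reg, [("ZoneAlarm Firewall", True)]))
    print("warn with no third-party firewall:", should_warn(reg, []))
```

On the sample data the script reports ControlSet001 as live and ControlSet003 as stale, and only the live one feeds the warning decision; a registered but disabled third-party product does not count as coverage, which is the case the thread is worried about (malware switching firewalls off).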

  7. #7
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859


    Yodama:

    I suspected that was the intent of the detection, and that is why I titled the thread "Possible false positive in 2007-05-09 Includes\Beta.sbi".

    I foresee this detection raising more questions than the problems it could possibly solve.

    Quote Originally Posted by Yodama View Post
    Recently we encountered more malware able to disable the Windows Firewall, this of course poses a security risk for users without another personal firewall.
    So they should be notified about this.
    Correct me if wrong, but between the detections already in place and Windows Security Center itself, shouldn't a user be adequately warned that their Windows Firewall is disabled?

    I did not try to do a "Fix selected problems" on these detections and therefore do not know what happens if I did. However, if fixing these detections does actually enable the Windows Firewall, then the possibility of a conflict between the Windows Firewall and a user's personal firewall exists.

    The problem with just trying to name a detection to indicate that it should only be optionally fixed is that Spybot-S&D automatically checks all Malware detections for fixing and the Spybot-S&D help facility states:

    If the scan has found something, the list will show it. There are two basic kinds of results:
    • Red entries indicate spyware problems that should be fixed to avoid security and/or privacy problems. This is the only kind of problem that is preselected to be fixed.
    Regards,
    md usa spybot fan

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  8. #8
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    Thank you for your thoughts on this.

    I think we will remove this detection for now, and change it later so it will only be flagged if certain criteria are met, such as when the respective malware is installed.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  9. #9
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    211


    The alternative would be to put the info that is now in the info pane under the detection on the main scan page (not many users seem to realise that clicking on that big grey box on the side slides open the info pane).
