
Thread: 2007-06-06 TCP/IP Settings plugin

  1. #11
    PepiMK (Member of Team Spybot) - Join Date: Oct 2005 - Location: Planet Earth - Posts: 3,601

    If the malware replaces your "official" DNS settings with malicious entries, just removing those would leave you without any DNS servers at all - thus disconnected from the net (unless you know and want to type in IPs for all sites you want to visit).

    For Spybot, it is quite difficult to guess what your settings were; it could remember what they were during installation (which would make the removal ineffective if the malware was already in place when you installed Spybot), or it could look them up in one of those backup copies of settings (which also would just restore the same bad settings if you had the malware long enough for it to get backed up by Windows).

    Using benign settings inside our database might not result in DNS servers as fast as the ones from your provider might be, but they're safer than using machine backups that might have been compromised as well. Since the replacement only takes place when something bad was found, I think a better chance of having a clean DNS server is more important than having the original one but more danger of restoring a compromised setting.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  2. #12
    Junior Member - Join Date: Nov 2008 - Posts: 1

    Quote Originally Posted by magick:
    Shouldn't it just remove the malware and leave our settings alone?
    If it left the setting alone, you would still be pointed to the compromised DNS for lookups. Meaning, you could fall victim to phishing and/or re-infection.

    Quote Originally Posted by magick:
    Or does it set the DNS to a benign setting and then we have to change the settings back ourselves?
    Exactly. If DNS lookups were working with a compromised machine, then that machine must not be firewalled outbound to the internet - so using OpenDNS will work fine.

    Alternatively, SB could set the DNS setting to automatic detection (if the IP address is also done via DHCP). This is probably what most people would want, but the solution they implemented is the only one that won't suddenly "break the internet" for a handful of users.
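As an added illustration of the trade-off the two posts describe (this is not code from Spybot or from either poster), here is a small Python model of the cleanup decision: a naive "just remove the bad entries" step that can leave an adapter with no resolver at all, the replace-with-benign-servers approach the plugin takes, and the set-to-automatic alternative for adapters whose IP address already comes from DHCP. The known-bad addresses and the adapter records are constructed sample data; the benign replacement list uses the public OpenDNS resolver addresses.

```python
"""Model of a DNS-changer cleanup decision (added example, not Spybot's code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import List, Tuple

# Constructed sample data: addresses from the TEST-NET documentation ranges,
# standing in for a signature database of resolvers known to be malicious.
KNOWN_BAD = {"192.0.2.53", "198.51.100.53"}

# Public OpenDNS resolvers, used here as the "benign settings" replacement.
OPENDNS = ("208.67.222.222", "208.67.220.220")


@dataclass(frozen=True)
class Adapter:
    """Minimal view of one network adapter's DNS configuration (constructed)."""
    name: str
    dns_servers: List[str]   # empty list means "obtain automatically" (DHCP)
    ip_via_dhcp: bool


def find_bad(servers: List[str], known_bad=KNOWN_BAD) -> List[str]:
    """Return the configured resolvers that are known-bad or not valid IPs.

    A malformed entry is reported too: it is not a usable resolver and a
    cleanup tool should not silently keep it.
    """
    bad = []
    for s in servers:
        try:
            ip_address(s)
        except ValueError:
            bad.append(s)
            continue
        if s in known_bad:
            bad.append(s)
    return bad


def naive_remove(servers: List[str], known_bad=KNOWN_BAD) -> List[str]:
    """The approach the first post warns against: delete bad entries, keep the rest.

    If every configured resolver was planted by the malware, the result is an
    empty list, i.e. a machine with no DNS server at all.
    """
    bad = set(find_bad(servers, known_bad))
    return [s for s in servers if s not in bad]


def remediate(adapter: Adapter, known_bad=KNOWN_BAD, benign=OPENDNS,
              prefer_dhcp: bool = False) -> Tuple[Adapter, str]:
    """Decide what to do with one adapter; returns (new adapter, action).

    Actions:
      "unchanged"       - nothing bad was found, settings are left alone
      "automatic-dhcp"  - bad entries found, IP is from DHCP, so DNS is set
                          to automatic (the alternative the second post names)
      "replaced-benign" - bad entries found, replaced with the benign list
                          (the plugin's behaviour described in the thread)
    """
    bad = find_bad(adapter.dns_servers, known_bad)
    if not bad:
        # The replacement only happens when something bad was found.
        return adapter, "unchanged"
    if prefer_dhcp and adapter.ip_via_dhcp:
        return replace(adapter, dns_servers=[]), "automatic-dhcp"
    # Never leave the adapter with an empty resolver list: replace, don't strip.
    return replace(adapter, dns_servers=list(benign)), "replaced-benign"


def audit(adapters: List[Adapter], **kwargs) -> List[Tuple[str, str, List[str]]]:
    """Run remediate() over all adapters; returns (name, action, bad entries)."""
    report = []
    for a in adapters:
        _, action = remediate(a, **kwargs)
        report.append((a.name, action, find_bad(a.dns_servers)))
    return report


if __name__ == "__main__":
    # Constructed sample: one hijacked adapter, one clean adapter.
    hijacked = Adapter("Local Area Connection", ["192.0.2.53", "198.51.100.53"], True)
    clean = Adapter("Wireless Network Connection", ["10.0.0.1"], True)
    print("naive removal leaves:", naive_remove(hijacked.dns_servers))
    for name, action, bad in audit([hijacked, clean]):
        print(f"{name}: {action} (bad entries: {bad})")
```

The `remediate()` default reproduces the plugin's choice from the thread: a hijacked adapter gets the benign list, which keeps the machine online but means the user has to put their provider's servers back by hand afterwards. Passing `prefer_dhcp=True` models the alternative from the second post, and `naive_remove()` exists only to make the failure mode concrete.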
