
Thread: Microsoft.Windows.AppFirewallBypass

  1. #21
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    @jerome1951
    Yes, you are right, it is actually security information, actually information with advice.

    @greenhatch
    Please fix the entries and, if you are using the Windows Firewall, configure your Windows Firewall to ask you whether to block an application in future or not.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  2. #22
    Junior Member
    Join Date
    Oct 2005
    Posts
    13

    Default

    I have been following this thread and this is the alert that I am getting:

    Microsoft.Windows.IEFirewallBypass:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

    Microsoft.Windows.IEFirewallBypass:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

    It seems to me that we are receiving this alert because of the recent update, but I do not understand what it is saying. In spite of everything that has been posted here I wonder if someone could explain in simple language exactly what this alert means. Your help would be appreciated.

  3. #23
    Junior Member
    Join Date
    Jun 2006
    Location
    San Jose CA (Silicon Valley)
    Posts
    13

    Default not an infection

    It is not a new infection, it is a new detection that was in beta detections last week and is now under security. Perhaps it would be best described as a vulnerability if something is allowed to bypass the firewall. If it is Microsoft (migwiz.exe and iexplore.exe) it won't cause harm unless malicious code is substituted for the privileged executable, and Windows Firewall is your only firewall.

  4. #24
    Member
    Join Date
    Jan 2007
    Location
    UK
    Posts
    39

    Default

    Quote Originally Posted by Judesman View Post
    I wonder if someone could explain in simple language exactly what this alert means.
    This may be a case of the blind leading the blind, but here's my understanding of the situation:

    1. This is a new detection, only added to the Spybot database in the last update (see here, under 'Security': http://forums.spybot.info/showthread...6665#post96665). That's why we haven't seen these alerts before.

    2. The Windows firewall can be configured to 'authorize' certain programs to receive incoming requests from 'out there'. Usually there is no good reason why Internet Explorer should be one of these 'authorised' programs, and yet it apparently is, on many of our systems.

    3. If Windows firewall is your only firewall, then this setting is a security risk. Spybot is offering to fix it by removing the authorization. It seems that in this case the correct action is to allow Spybot to fix it.

    4. If your Windows firewall is disabled (because you're using another firewall instead) then it doesn't matter whether you let Spybot fix this or not, because you're not at risk.

    I hope this is correct. If there's a mistake somewhere, please correct it, someone.

  5. #25
    Junior Member
    Join Date
    Jun 2007
    Posts
    4

    Default Interesting findings

    I have 5 computers running spybot S&D 1.4 on xp

    2 have avg pro with firewall and xp pro sp2
    Both of these when doing the scan after the update did not show the vulnerability and in Windows Firewall they are NOT in the exceptions list.

    1 is running xp home sp2 and Zone Alarm Free and after the update and scan it did show the vulnerability and in Windows Firewall IE Explorer is checked.
    On that one I allowed the fix in Spybot and noticed when doing so the IE Explorer disappeared out of the exception list.

    I have one notebook computer, XP Pro SP2 running Windows Firewall only, and yes, IE Explorer is in and checked in the Windows Firewall exception list. I ran the scan in Spybot and it also came up with the vulnerability. Before I ran the scan I went into the firewall and unchecked IE Explorer to see what would happen, then ran the scan. As said, it still showed the vulnerability.

    I allowed Spybot to fix it. I checked to make sure I am still on the network and I am. I cannot find where you ask Windows Firewall to ask you for that specific file if I find I need to run any online scans, so please tell me where this is. Besides, IE Explorer is no longer in the list of exceptions, so now what?

    I have another XP Pro computer on the network but it is in use right now and I cannot run the scan on it as of yet. Before I do I would like to understand how to configure the Windows Firewall to ask again for IE and not authorize permanently.

    Also, if one is NOT on a network and only running Windows Firewall, am I safe to assume you can allow Spybot to fix it? And if on a network, am I also safe to assume this should not affect the network if I allow it to fix too? Correct?

    thanks
    Robin

  6. #26
    Junior Member
    Join Date
    Oct 2005
    Posts
    13

    Default

    Thank you all for your input.

    As I understand it, as I have NAV as a firewall I can ignore this alert. If I relied on Windows, and the exception box for IE is not checked then the alert would not appear. If the exception box is checked then the alert would appear and the fix in Spybot would remove the check.

    I hope that is right.

  7. #27
    Member
    Join Date
    Jan 2007
    Location
    UK
    Posts
    39

    Default

    Quote Originally Posted by robinb9 View Post
    I allowed Spybot to fix it. I checked to make sure I am still on the network and I am. I cannot find where you ask Windows Firewall to ask you for that specific file if I find I need to run any online scans, so please tell me where this is. Besides, IE Explorer is no longer in the list of exceptions, so now what?
    So as I understand it, Spybot will 'detect' this vulnerability if IE is a listed exception in the Windows firewall configuration - whether or not the Windows firewall is disabled, and regardless of whether IE is selected in the Windows firewall authorisation list.

    Which brings me to a question I asked earlier: If IE is in the Windows firewall configuration list, there are three options: tick the box; don't tick the box; or remove the entry altogether. The first two options don't affect the Spybot detection. It seems from what Robin says that the Spybot 'fix' effectively removes IE from the list. So I presume that an alternative to the Spybot fix is to manually remove IE from the list?

    But if we do - what happens (as Robin says) if we need to put it back in at some future time?

  8. #28
    Member
    Join Date
    Jan 2007
    Location
    UK
    Posts
    39

    Default

    Quote Originally Posted by Judesman View Post
    Thank you all for your input.

    As I understand it, as I have NAV as a firewall I can ignore this alert.
    Yes.

    If I relied on Windows, and the exception box for IE is not checked then the alert would not appear. If the exception box is checked then the alert would appear and the fix in Spybot would remove the check.
    Not quite. If IE is in the list, then the alert will appear whether the box is ticked or not (I can't see why, but that does seem to be the case). The only way to stop the alert is to either remove IE from the list completely yourself, or to let Spybot do it for you. But in your case this is merely an academic point. It simply doesn't matter.
    Last edited by Alan D; 2007-06-21 at 23:59.
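
The behaviour described in posts #27 and #28 (an entry in the list is flagged whether or not its box is ticked, and only removing it clears the alert), as an added example that is not part of the thread and is not Spybot's own logic. It assumes the XP SP2 value layout `path:scope:Enabled|Disabled:name`; the sample data and the helper names `audit` and `remove_watched` are constructed for illustration.

```python
import re
from typing import NamedTuple

# Each value under ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List
# holds data of the form  <program path>:<scope>:<Enabled|Disabled>:<display name>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

class Finding(NamedTuple):
    control_set: str
    path: str
    scope: str      # "*" means any remote address
    enabled: bool   # the tick box on the Exceptions tab

def exe_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def audit(control_sets, watched=("iexplore.exe",)):
    """Report every list entry for a watched executable, ticked or not."""
    findings = []
    for cs in sorted(control_sets):
        for data in control_sets[cs].values():
            m = ENTRY_RE.match(data)
            if m and exe_name(m["path"]) in watched:
                findings.append(Finding(cs, m["path"], m["scope"],
                                        m["state"].lower() == "enabled"))
    return findings

def remove_watched(control_sets, watched=("iexplore.exe",)):
    """Return a copy with the watched entries deleted, as posters saw the fix do."""
    return {cs: {k: v for k, v in vals.items() if exe_name(k) not in watched}
            for cs, vals in control_sets.items()}

# Constructed sample data, not taken from any poster's machine.
IE = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
SAMPLE = {
    "ControlSet001": {IE: IE + ":*:Enabled:Internet Explorer",
                      r"%windir%\system32\sessmgr.exe":
                          r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"},
    "ControlSet003": {IE: IE + ":*:Disabled:Internet Explorer"},
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f.control_set, "ticked" if f.enabled else "unticked", f.scope, f.path)
    print("after removal:", audit(remove_watched(SAMPLE)))
```

The unticked ControlSet003 entry is still reported, which matches what the posters saw after unchecking the box without deleting the entry.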

  9. #29
    Junior Member
    Join Date
    Oct 2005
    Posts
    13

    Default

    Thanks Alan D. Having read the other thread that is now running I still find this a little confusing.

  10. #30
    Member
    Join Date
    Jan 2007
    Location
    UK
    Posts
    39

    Default

    Quote Originally Posted by Judesman View Post
    Thanks Alan D. Having read the other thread that is now running I still find this a little confusing.
    I'm not surprised. Trying to pin this down is like trying to catch the soap in the bath. I'm beginning to suspect that Spybot has got us all chasing our tails!!
