
Thread: ++ Microsoft.Windows.AppFirewallBypass++ Microsoft.Windows.IEFirewallBypass

  1. #1
    Junior Member
    Join Date
    Jun 2007
    Posts
    2

    Question ++ Microsoft.Windows.AppFirewallBypass++ Microsoft.Windows.IEFirewallBypass

    The following came through after the most recent 6/20/07 update of Spybot S&D.

    Security
    ++ Microsoft.Windows.AppFirewallBypass++ Microsoft.Windows.IEFirewallBypass


    What is this and should I ignore it on future scans?

    Thank you.

  2. #2
    Junior Member t001z's Avatar
    Join Date
    Apr 2007
    Location
    Chicago, IL
    Posts
    20

    Default

    You have disabled your firewall (whether you did it or another application did it). If you have a third party firewall (such as Zone Alarm, Norton Internet Security, McAfee Firewall or one of the numerous free firewalls), then they may have disabled it and it is not as much of an issue as they are protecting you better than the Windows firewall anyway. Also, if you are in a work environment, your administrator may have disabled the firewall so that maintenance can be done on computers remotely, etc.

    If neither of the above 2 scenarios describe your situation, open your Security Center and see if the firewall is running, if not, start it. If you cannot start it, you need to find out why... There are many reasons why this may be, lots of them legitimate and some of them not-so-legitimate.
    Last edited by t001z; 2007-06-21 at 18:27. Reason: reworded to minimize confusion
    a very wise man once stated:
    "If you seek an answer, ask politely, if you know the answer, answer knowingly." -- Thanks Grandpa
    ----
    If you follow rules and etiquette people will be more helpful.


  3. #3
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    There may actually be an ongoing discussion about one of the two detections that you appear to be questioning. However, I cannot tell from the information you posted. Please post a log of the actual detections you are getting. To do that:
    • Run another scan.
    • When the scan completes, right click on the results list, select "Copy results to clipboard".
    • Then paste (Ctrl+V) those results to a new post in this thread.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Junior Member
    Join Date
    Jun 2007
    Posts
    2

    Default

    Thanks. I do have McAfee Firewall, so that is probably what is going on here. Thanks again.

    In any case though, here is the exact detection message I got:

    Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

    Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    Last edited by leday; 2007-06-21 at 18:48.

  5. #5
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Pgroot:

    There actually is an ongoing discussion concerning the "Microsoft.Windows.IEFirewallBypass" that you actually received (as well as the "Microsoft.Windows.AppFirewallBypass" that you indicated in your first post that you also received) in this thread:

    Those detections do not indicate that:

    Quote Originally Posted by t001z View Post
    You have disabled your firewall ..
    The detections indicate that, if you were using the Windows firewall instead of the McAfee Firewall, Windows Internet Explorer (iexplore.exe) would be authorized to receive unsolicited incoming traffic which would be a potential security problem.

    Since you are using the McAfee Firewall there is no current threat. However, the normal default setting of the Windows firewall does include authorizing Windows Internet Explorer to receive unsolicited incoming traffic. Since the detection indicates an abnormal setting for the Windows firewall that may have been introduced by malware at some point in time, I suggest that you fix the detections with Spybot so that if the same detections return in the future you may be able to trace the source in the change to the Windows firewall.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  6. #6
    Member
    Join Date
    Jan 2007
    Location
    UK
    Posts
    39

    Default

    Quote Originally Posted by md usa spybot fan View Post
    the normal default setting of the Windows firewall does include authorizing Windows Internet Explorer to receive unsolicited incoming traffic. Since the detection indicates an abnormal setting for the Windows firewall that may have been introduced by malware at some point in time, I suggest that you fix the detections with Spybot
    I thought I had this straight, but if you're right, then I'm baffled again.

    My understanding was that if IE is in the Windows firewall configuration list (whether authorised or not), then Spybot would give an alert and offer to remove it (which is in fact what happens if you apply the Spybot fix). In other words, my understanding was that Spybot is not responding to an 'abnormal setting', but to the mere presence of IE in the list when it actually doesn't need to be in it. In other words, the default setting would itself be enough to trigger the Spybot alert. (Indeed, as far as I can remember, IE has always been present in my Windows firewall authorisation list.)

    But in your second sentence you suggest that what is triggering Spybot is some kind of 'abnormal' setting, perhaps made by some unknown malware at some time. Are you sure that's right? If it is, then I'm back to square one, and don't understand what the heck is going on, after all.

  7. #7
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Alan D:

    Terribly sorry, my typo, thanks for catching it. My statement should read:

    However, the normal default setting of the Windows firewall does not include authorizing Windows Internet Explorer to receive unsolicited incoming traffic.

    Regards,
    md usa spybot fan

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  8. #8
    Member
    Join Date
    Jan 2007
    Location
    UK
    Posts
    39

    Default

    Quote Originally Posted by md usa spybot fan View Post
    However, the normal default setting of the Windows firewall does not include authorizing Windows Internet Explorer to receive unsolicited incoming traffic.
    Phew. Well, thanks for correcting that, md usa s.f., but now I'm even more baffled.

    When I look in my AVG firewall exception list, I find Internet Explorer listed as 'allowed' - as it has to be, in order to connect out without asking me every time. But also because the only option is to 'allow' regardless of direction, then I presume it's allowed also in the opposite, inward direction. So my AVG firewall is leaving me open to the very vulnerability that Spybot is trying to warn me against. In other words, to protect myself from this particular vulnerability, I need to remove IE from the Windows firewall exception list, enable Windows firewall, and get rid of the AVG firewall.

    That just doesn't make sense to me. If I go to Steve Gibson's Shield's up website, it finds no vulnerability to incoming probes.

    I thought I understood this, but I don't. I'm beginning to think that this new Spybot detection is creating more trouble than it's solving.

  9. #9
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Alan D:

    All communication is two way (request > response). Windows Internet Explorer must be able to accept inbound traffic, but it should only be in response to an outbound request. The two detections (Microsoft.Windows.AppFirewallBypass and Microsoft.Windows.IEFirewallBypass) that Spybot added are looking for Windows Firewall registry entries that allow programs to accept unsolicited incoming traffic. In other words, registry entries that could allow a program to respond to an incoming request.

    I'm sorry but I am not familiar with the AVG firewall. However, most firewalls only allow an inbound response to an outbound request. Is there also an indication within your AVG firewall if Internet Explorer is/isn't allowed to act as a Server in addition to the one "Allow" you cited? If there is, then that setting would allow Internet Explorer to respond to an inbound request (like the detections Spybot is picking up in the Windows Firewall).
    ____________________

    Last September Spybot added a Windows Firewall open port detection (Microsoft.Windows.Security.FirewallOpenPorts). That detection was designed to detect Windows Firewall registry entries that open communication ports. That detection as well as the two new detections are designed to alert people to the fact that there may be weaknesses in their implementation of the Windows Firewall or that malware has altered the default settings within the Windows Firewall.
    Last edited by md usa spybot fan; 2007-06-22 at 14:48.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
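
Added example, not part of the thread and not Spybot's detection logic: a Python audit of `AuthorizedApplications\List` value data that reports enabled exceptions of the kind the post above describes. The `path:scope:Enabled|Disabled:name` data layout, the `CLIENT_ONLY` baseline and the sample entries are assumptions constructed for illustration.

```python
import re

# Assumed value-data layout under ...\AuthorizedApplications\List:
#   <image path>:<scope>:<Enabled|Disabled>:<display name>
ENTRY = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):"
    r"(?P<state>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE,
)
# Assumed baseline: programs that should only receive replies to their own requests.
CLIENT_ONLY = {"iexplore.exe"}

def parse_entry(data):
    """Split one value's data into its four fields; None if malformed."""
    m = ENTRY.match(data.strip())
    if not m:
        return None
    return {"path": m["path"], "scope": m["scope"],
            "enabled": m["state"].lower() == "enabled", "name": m["name"]}

def audit(values):
    """Return (path, scope, reason) for each entry worth reviewing."""
    findings = []
    for data in values:
        entry = parse_entry(data)
        if entry is None:
            findings.append((data, "?", "unparseable entry"))
            continue
        if not entry["enabled"]:
            continue  # listed but switched off: nothing is admitted
        image = entry["path"].rsplit("\\", 1)[-1].lower()
        if image in CLIENT_ONLY:
            reason = "client-only program may accept unsolicited inbound"
        elif entry["scope"] == "*":
            reason = "exception open to any source address"
        else:
            continue  # enabled but scoped, e.g. LocalSubNet
        findings.append((entry["path"], entry["scope"], reason))
    return findings

# Constructed sample value data (not the poster's registry contents).
SAMPLE = [
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer",
    r"%ProgramFiles%\Example\updater.exe:*:Disabled:Example Updater",
    r"C:\Tools\syncsvc.exe:LocalSubNet:Enabled:Sync Service",
    r"C:\Tools\listener.exe:*:Enabled:Listener: test build",
]
if __name__ == "__main__":
    for path, scope, reason in audit(SAMPLE):
        print(f"{path} [{scope}]: {reason}")
```
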

  10. #10
    Member
    Join Date
    Jan 2007
    Location
    UK
    Posts
    39

    Default

    Quote Originally Posted by md usa spybot fan View Post
    Alan D:

    All communication is two way (request > response). Windows Internet Explorer must be able to accept inbound traffic, but it should only be in response to an outbound request. The two detections (Microsoft.Windows.AppFirewallBypass and Microsoft.Windows.IEFirewallBypass) that Spybot added are looking for Windows Firewall registry entries that allow programs to accept unsolicited incoming traffic. In other words, registry entries that could allow a program to respond to an incoming request.
    Ah... light is dawning slowly. Thanks for this. The issue is not about the direction of traffic, but about the direction of the request that initiates the traffic. And that means that what I was saying in my previous post is wrong, because I wasn't understanding a basic firewall principle.

    However, most firewalls only allow an inbound response to an outbound request. Is there also an indication within your AVG firewall if Internet Explorer is/isn't allowed to act as a Server in addition to the one "Allow" you cited?
    I can't find any information about that within the firewall options, and indeed the only options given for any program in the list are block/allow/ask. So I guess it's reasonable to assume that the AVG firewall will follow the general principle you mention, and only allow inbound responses to outbound requests.

    There's still the question of how it has come about that so many of us have IE entered in the Windows firewall authorisation list. You suggest that malware has done this at some point, but the people I've discussed this with on the Windows Defender newsgroup are very security-conscious folk, and it does seem odd that so many of us turn out to have IE in our lists. I can't help wondering if there isn't some perfectly innocent explanation that we haven't been able to pinpoint yet.

    Thanks for your patience in dealing with this. It's not a simple matter for us ordinary mortals to grapple with, as you can see from the confused and anguished posts it has generated.
