
Thread: A Problem with IE security

  1. #1
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    A Problem with IE security

    I've been constantly receiving the same notification through frequent scans with Spybot S&D. The details are below.

    Microsoft.Windows.Security.InternetExplorer
    Settings
    HKEY_USERS\S-1-5-21-1487884451-4009603759-282749768-1005\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplorerexe!=W=1
    Problem: Registry Change

    I've earlier adjusted the Security settings according to the following website.

    http://www.helpwithwindows.com/techf...surf-safe.html

  2. #2
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263


    Hello,

    I suggest you "Fix selected problems" on those detections unless you experienced an issue such as the one described in the following article and intentionally changed those registry entries from their default setting:

    * AutoShapes that were added to an HTML or an MHTML file in a Microsoft Office program do not appear when you open the file in Internet Explorer after you install Windows XP SP2
    http://support.microsoft.com/default...b;EN-US;883969

    The key "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" (standard value is 1 with SP2) determines the ability to perform certain actions for local websites, i.e. websites saved on hard disk.

    The value is set to 0 (zero) by some malicious applications in order to diminish the security settings for the zone "local computer". (see http://msdn.microsoft.com/security/p...llockdown.aspx for details).

    There are several threads on the subject:

    * Windows.Security.Internet Explorer
    http://forums.spybot.info/showthread.php?t=6560
    * Scan Result
    http://forums.spybot.info/showthread.php?t=6749

    If you want you can also tell Spybot-S&D to exclude those detections from further scans.

    You can exclude a product from the search as follows:
    First of all, proceed with a scan with Spybot - Search & Destroy. Now, mark the item you want to exclude from the search with a left-click.
    It is marked blue now. Then right-click this entry and select "exclude this product from further searches".

    It is also possible to exclude it before the search. Please run Spybot - Search & Destroy in "Advanced Mode" and go to "Settings" -> "Ignore products". There you can tick the checkbox in front of the product you want to exclude from the search.

    Best regards
    Sandra
    Team Spybot

  3. #3
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    Thanks for the suggestion, but...

    I've been constantly checking IE's Options > Advanced tab > Security every time I start it up, and I often notice that the box, "Allow active content to run in files on My Computer", is checked. Is there something that keeps checking that particular box? I've no idea, but I'll constantly check the TeaTimer for any changes allowed in the registry.

  4. #4
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    The problem is still unanswered...

    To all spybot staff, is this problem related to Microsoft Office 2003? I've read from the link that one of your staff members had provided (above) about another forum thread, but it never really fixed the problem. I would need advice on how I can prevent this change from occurring again and again.

    Just to note, TeaTimer did not detect any change with the registry I mentioned above in my laptop. The change had reportedly occurred in my laptop, but with the computer that has the same OS version, nothing had changed. I've also noted from the Microsoft webpage that it could have occurred in relation to Microsoft Office 2003.

    Hope to receive an answer from the Spybot team soon.

  5. #5
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859


    Quote: Originally Posted by darkdestiny
    I've been constantly checking IE's Options > Advanced tab > Security every time I start it up, and I often notice that the box, "Allow active content to run in files on My Computer", is checked. Is there something that keeps checking that particular box? I've no idea, but I'll constantly check the TeaTimer for any changes allowed in the registry.
    darkdestiny:

    Have you tried checking/unchecking multiple options as described here in post #16 and post #27 of the following thread?

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  6. #6
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    Yes, I've done that

    I've unchecked all the options as described in both replies, but after some time (like when I start up my computer again) the options are checked again.

    Does it have to do with another Advanced option checked? I suspect so, as my other computer did not face this problem at all. I'm going to attempt fixing the problem by setting the same settings as that of the second computer.

  7. #7
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    Haven't been receiving any replies...

    At least for a couple of days. Anyway, I've been looking at the problem for some time. I've noticed that one of the 3 boxes is ticked each time I start up the computer. Does it mean that, before TeaTimer can be activated, the change had already occurred? Is that why no change has been detected by TeaTimer from the time it started up?

    I hope the Spybot Team can look into this matter. I'll try to communicate with Microsoft to see how to rectify the problem.

  8. #8
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859


    darkdestiny:

    I do not believe that TeaTimer monitors changes to that registry key. When you manually change that setting are you getting TeaTimer registry change messages?

    ___________________________

    Since it is not apparent what is changing the registry, about the only thing that you can do is run some registry monitoring program to try to determine what is changing the registry.

    One such program is Regmon:

    Note: If you use Regmon as soon as the program starts it will immediately start collecting registry entries, so I suggest that you review the following before using Regmon:
    • Start Regmon.exe
      • Immediately hit Ctrl+E or click the Blue Magnifying Glass symbol (second button from the left) to stop the data collection.
      • In the pull down Edit menu select Clear Display (Ctrl+X).
      • In the pull down Options menu select Filter/Highlight (Ctrl+L).
      • Make the following changes in the Regmon Filter window (see Note #1 below):
        • In the Include box type "FEATURE_LOCALMACHINE_LOCKDOWN" (no quotes)
        • Uncheck everything at the bottom of the Regmon Filter except "Log Writes".
        • Click OK.
      • Hit Ctrl+E or click the Blue Magnifying Glass (second button from the left) to start the data collection.
      • Periodically check Regmon and see if you trapped what is changing the registry entry.


      Note #1: The options used in the Regmon Filter window may have to be modified somewhat. I believe that options that I outlined will work, but because I don't have the problem I am not 100% sure.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
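
Added example (not part of the original thread, and not Spybot or Sysinternals code): once a filtered capture like the one described in post #8 has been saved as text, a short script can list which process wrote to FEATURE_LOCALMACHINE_LOCKDOWN and whether it set the value to 0. The tab-separated column layout, the "SetValue" request name, the process names and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

KEY_NAME = "FEATURE_LOCALMACHINE_LOCKDOWN"
BASE = (r"HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl"
        "\\" + KEY_NAME)

# Constructed sample rows, not captured from a real machine. Assumed columns:
# sequence, time, process:pid, request, path, result, other (data written).
ROWS = [
    ("1", "0.10", "iexplore.exe:1480", "QueryValue", BASE + r"\iexplore.exe", "SUCCESS", "0x1"),
    ("2", "3.52", "example_tool.exe:2044", "SetValue", BASE + r"\iexplore.exe", "SUCCESS", "0x0"),
    ("3", "3.60", "example_tool.exe:2044", "SetValue", r"HKCU\Software\Example\Setting", "SUCCESS", "0x5"),
    ("4", "7.01", "other_tool.exe:3100", "SetValue", BASE + r"\iexplore.exe", "ACCESS DENIED", "0x0"),
    ("5", "9.87", "iexplore.exe:1480", "SetValue", BASE + r"\iexplore.exe", "SUCCESS", "0x1"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)


def lockdown_writes(log_text):
    """Return successful value writes under the lockdown key, in log order."""
    writes = []
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 7:
            continue  # truncated line
        _seq, when, proc, request, path, result, other = row[:7]
        if request != "SetValue" or result != "SUCCESS":
            continue  # reads, failed writes and header rows are ignored
        if KEY_NAME.lower() not in path.lower():
            continue  # registry paths are case-insensitive
        name, sep, pid = proc.rpartition(":")
        if not sep:
            name, pid = proc, ""
        try:
            value = int(other, 16)
        except ValueError:
            value = None  # data column was not a number
        writes.append({"time": when, "process": name, "pid": pid, "value": value})
    return writes


def weakening_processes(writes):
    """Processes that set the value to 0, the state post #2 describes as weakened."""
    return sorted({w["process"] for w in writes if w["value"] == 0})


if __name__ == "__main__":
    for w in lockdown_writes(SAMPLE_LOG):
        print(w["time"], w["process"], w["pid"], "->", w["value"])
    print("set to 0 by:", weakening_processes(lockdown_writes(SAMPLE_LOG)))
```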

  9. #9
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    So far none

    I'm going to try running the process as soon as I log into Windows, as I figured the change may have occurred then. It will take some time. Thanks for the suggestion.

  10. #10
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    So far none, again.

    I followed your instructions as you said, and restarted twice. However, the change had occurred before I could open RegMon.exe, and thus I couldn't see how the change was made.

    I do have suspicions, but I can't really pinpoint the real problem. The thing is, before I even installed any of my security programs or connected to the Internet (no direct connection whatsoever), no change was noticed at all. So it is likely that one of my security programs had caused the change, or when I let Microsoft Update install certain critical updates.

    I'll reply as soon as I get the results. Thanks for your help, Spybot Team!
