It appears that there may be a defect in the coding of the signature(s) for Microsoft.Windows_IEFirewallBypass. The problem was first reported by Barry in the following thread:
The following registry entry, where Internet Explorer is added to the Windows Firewall exception list but is disabled:
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
Results in the following detection:
Code:
--- Report generated: 2007-10-28 02:00 ---
Microsoft.Windows.IEFirewallBypass: [SBI $FFF24D3C] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
--- Spybot - Search & Destroy version: 1.5 (build: 20070924) ---
That detection is the same as if Internet Explorer is added to the Windows Firewall exception list and is enabled as follows:
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
Code:
--- Report generated: 2007-10-28 02:03 ---
Microsoft.Windows.IEFirewallBypass: [SBI $FFF24D3C] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
--- Spybot - Search & Destroy version: 1.5 (build: 20070924) ---
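Added example (not part of the original post, and not Spybot's signature logic): a check that reads the state field of an `AuthorizedApplications\List` value, so the disabled entry above is not reported while the enabled one is. The function names are hypothetical, and the sample input is the two `.reg` exports quoted in the post.

```python
import ntpath
import re

# The two exports quoted in the post (same value name, different state field).
REG_DISABLED = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
'''
REG_ENABLED = REG_DISABLED.replace(":Disabled:", ":Enabled:")

# "name"="data" line of a .reg export; backslashes and quotes are backslash-escaped.
REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Data layout as seen on the page: <path>:<scope>:<Enabled|Disabled>:<display name>.
# The path itself contains a colon (drive letter), so the state field is the anchor.
ENTRY = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$', re.I)

def reg_values(text):
    """Return {value name: data} for the string values in a .reg export."""
    out = {}
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            name, data = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
            out[name] = data
    return out

def parse_entry(data):
    """Split one AuthorizedApplications value; None if it does not fit the layout."""
    m = ENTRY.match(data)
    if not m:
        return None
    entry = m.groupdict()
    entry["enabled"] = entry.pop("state").lower() == "enabled"
    return entry

def active_exceptions(text, exe="iexplore.exe"):
    """Paths of entries for `exe` whose firewall exception is actually in effect."""
    hits = []
    for data in reg_values(text).values():
        e = parse_entry(data)
        if e and e["enabled"] and ntpath.basename(e["path"]).lower() == exe:
            hits.append(e["path"])
    return hits

if __name__ == "__main__":
    print("disabled entry ->", active_exceptions(REG_DISABLED))
    print("enabled entry  ->", active_exceptions(REG_ENABLED))
```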