Possible Microsoft.Windows.IEFirewallBypass False Positive

**md usa spybot fan** · 2007-10-28, 07:44

It appears that there may be a defect in the coding of the signature(s) for Microsoft.Windows_IEFirewallBypass. The problem was first reported by Barry in the following thread:

Tracking cookies are red
http://forums.spybot.info/showthread.php?t=19510

The following registry entry were Internet Explorer is added to the Windows Firewall exception list but is disabled:

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"

Results in the following detection:

Code:

--- Report generated: 2007-10-28 02:00 ---

Microsoft.Windows.IEFirewallBypass: [SBI $FFF24D3C] Settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE


--- Spybot - Search & Destroy version: 1.5  (build: 20070924) ---

That detection is the same as if Internet Explorer is added to the Windows Firewall exception list and is enabled as follows:

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

Code:

--- Report generated: 2007-10-28 02:03 ---

Microsoft.Windows.IEFirewallBypass: [SBI $FFF24D3C] Settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE


--- Spybot - Search & Destroy version: 1.5  (build: 20070924) ---

**tashi** · 2007-10-29, 04:49

Thank you md usa spybot fan, I made a note for the team.

**Yodama** · 2007-10-29, 13:34

thanks for reporting,

this will be taken out of detection with the next update scheduled for the middle of this week.

**JohnBurns** · 2007-11-07, 16:20

Thanks for posting this - I had the same problem on two home pc's. At least I am getting smart enough not to "fix" an item until I am SURE that it needs fixing. Appreciate the info.

**md usa spybot fan** · 2007-11-07, 16:29

JohnBurns:

I have not re-tested the false positive. Did the 2007-10-31 or 2007-11-07 update fix the problem?

Regards,
md usa spybot fan

**md usa spybot fan** · 2007-11-07, 18:12

Yodama:

Would you please check the Microsoft.Windows.IEFirewallBypass signatures again.

I retested the Microsoft.Windows.IEFirewallBypass detection as I had originally. It how appears that neither the Enabled nor the Disabled entries are detected.

In other words the false positive for the following registry entry (Disabled) has been corrected:

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"

However, it now appears that there is a false negative (no detection) for following registry entry (Enabled):

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

**JohnBurns** · 2007-11-08, 01:53

Originally Posted by md usa spybot fan

JohnBurns:

I have not re-tested the false positive. Did the 2007-10-31 or 2007-11-07 update fix the problem?

Regards,
md usa spybot fan

Sorry for delay in reply - in answer to your question - no, the 2007-11-07 still has the problem.

**Yodama** · 2007-11-08, 07:53

@md usa spybot fan

yes we currently deactivated the detection on this.
It will most likely be reactivated along the updates after the next main release.

@JohnBurns

could you post the date of the security.sbi on the computers still showing this issue?

you can find the date of the securityc.sbi and security.sbi after a scan in advanced mode - tools - view report - view report.

**JohnBurns** · 2007-11-08, 15:16

Originally Posted by Yodama

@md usa spybot fan

@JohnBurns

could you post the date of the security.sbi on the computers still showing this issue?

you can find the date of the securityc.sbi and security.sbi after a scan in advanced mode - tools - view report - view report.

Not sure exactly what you need. Here is what I can find:

Spybot - Search & Destroy 1.5.1.17
Latest Detection 11/7/2007

eSupport.FFBiosExt: [SBI $12D696B9] System file (File, nothing done)
C:\WINDOWS\SYSTEM32\drivers\TVICHW32.SYS

--- Spybot - Search & Destroy version: 1.5 (build: 20071005)

Hope this helps.

**md usa spybot fan** · 2007-11-08, 15:50

JohnBurns:

Originally Posted by JohnBurns

eSupport.FFBiosExt: [SBI $12D696B9] System file (File, nothing done)
C:\WINDOWS\SYSTEM32\drivers\TVICHW32.SYS

That detection looks more like the one in the following thread rather than the detection being discussed here in this thread:

Tvichw32.sys
http://forums.spybot.info/showthread.php?t=19916

Thread: Possible Microsoft.Windows.IEFirewallBypass False Positive

Thread Tools

Display

Possible Microsoft.Windows.IEFirewallBypass False Positive

Posting Permissions