Windows Firewall Again!
posted below is the log of last run of S&D. The last 4 times (days) have all been the same. Any idea why? Oh, and I checkd with MS (after looking thru their kb) and rec'd no answers their.
Besides the problem itself, I wonder what changed suddenly?
FPWD1
Helps if I actually add the log:
FPWD1
Windows Security Center.FirewallDisabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1
Windows Security Center.FirewallDisabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
--- Spybot - Search && Destroy version: 1.3 ---
2006-07-21 Includes\Cookies.sbi
2006-07-21 Includes\Dialer.sbi
2006-07-21 Includes\Hijackers.sbi
2006-07-21 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2006-07-21 Includes\Malware.sbi
2006-07-21 Includes\PUPS.sbi
2006-07-21 Includes\Revision.sbi
2006-07-21 Includes\Security.sbi
2006-07-21 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-07-21 Includes\Trojans.sbi
FPWD1:
This really has nothing to do with the actual detection you are getting, however:
You are running Spybot 1.3. You should consider upgrading to Spybot 1.4.
There are four (4) download sites for Spybot-S&D 1.4 here:
- Mirror Selection – The home of Spybot–S&D!
http://www.safer-networking.org/en/mirrors/index.html
Uninstall Spybot-S&D 1.3:Install Spybot-S&D 1.4:
- FAQ - Frequently Asked Questions
How to uninstall?
http://www.safer-networking.org/en/faq/27.html
- Execute spybotsd14.exe download above.
- Do not change the default installation path of:
- C:\Program Files\Spybot - Search & Destroy
- Make sure that you update Sptbot-S&D 1.4 before running a scan.
Note: If you upgrade and use TeaTimer be aware of the following:
There is currently a bug in TeaTimer 1.4. Portions of TeaTimer's popup dialog overlay the "Allow change" and "Deny change" buttons. On my system the very top edges of the "Allow change" button (on the left) and "Deny change" button (on the right) are showing and I am still able to select the options. I also can check "Remember this decision" since it is visible. If no portion of the "Allow change" and "Deny change" buttons are showing, you can answer TeaTimer's popup dialog (English language version) by pressing "A" on your keyboard for "Allow change" or "D" for "Deny change". Note: If you close the dialog without answering "Allow change" or "Deny change" the registry change is denied.
If you can't deal with the problem that way until it is fixed, you can:
- Apply one of the workarounds found in the following pinned (Sticky) thread that fixes the pop-up dialog so the buttons are visible:
Solution to fix the pop-ups in TeaTimer
http://forums.spybot.info/showthread.php?t=122
There are Three (3) fixes published in that thread. They are:
- The ResHacker fix published by ElPiedra here:
- The murdo patch published here:
- The patch originally by SyreneD that I published here:
Also republished by SyreneD himself here:
- Disable TeaTimer as follows:
- Go into Spybot > Mode > Advanced Mode > Tools > Resident.
- Uncheck the following:
- Resident "TeaTimer" (Protection of over-all system settings) Active.
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
FPWD1:
re: the following detections:
I have never seen queries concerning those particular detections before, so:Code:Windows Security Center.FirewallDisabled: Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1 Windows Security Center.FirewallDisabled: Settings (Registry change, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
- I assume that the detections are relatively new.
- I must defer any definitive answers to a "Member of Team Spybot".
However, as a matter of curiosity, I do have a couple of question if you don't mind answering them:
- Are you running Windows XP Pro?
- If so:
- Is this an independent implementation of Windows XP Pro?
--- or ---- Is this a system part of a network of systems, centrally controlled by an administrator?
- If not what OS are you running?
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
we also have started to get this. We also run 1.4 with the most recent updates. This machine is a XP pro on a network where updates are pushed down to us. Nothing in the past about this particular find.
before we started getting this one http://forums.spybot.info/showthread.php?t=356
However, as a matter of curiosity, I do have a couple of question if you don't mind answering them:
[list][*]Are you running Windows XP Pro?
md usa
Don't mind at all! No, I'm not not running Pro, just plain HE with SP2 and all currrent updates.
I also have been running "Windows One Care Live" but I've been runninng that for over a year now (mostly in beta format- as a lab rat for MS
FPWD1
md usa
Thanks, I'll get 1.4 and see if it changes anything although scoutt says he gets the same messages with 1.4
FPWD1
that is correct. I have update information as well. in our network, of ~1000 people, a hand full are getting it. I suspect more tomorrow as the updates don't get to the workstations until after the scan every morning. Thus tomorrow everybody will have fridays update so it will happen to all of them. I got it early cause I worked on sunday. We disable the windows firewall through policy and spybot "fixed"/saw as a security threat? Having spybot see it and fix it made the windows security center popup in the systray saying we have a security issues with the firewall being off. our policy takes that popup away also but spybot brought it back.
I can understand why spybot sees this, but in a network environment is there a way to push out a fix to each workstation to exclude this setting? I know we can't edit/change files and it doesn't appear to be a registery setting.
for a individual user it is safe to do this but in a network environment it should be a admin setting or something. it should be left up to the network admin, not each user.
Ok, upgraded to 1.4 and as was the general consensus, no change. Same message. I also understand why Spybot sees this, but why wasn't it seen all along? Just the last 5-6 times? Wierd, very wierd.
FPWD1
Posting Permissions
Reply With Quote