Results 1 to 6 of 6

Thread: The Meaning of the Immunization Entries

  1. #1
    Senior Member
    Join Date
    May 2010
    Posts
    114

    Lightbulb The Meaning of the Immunization Entries

    I haven't found them documented well, but I think I figured all of them out...

    Firefox and derivatives (like SeaMonkey and old Flock and Netscape)
    everything: cookperm.txt (before Fx was released), hostperm.1 (before Fx3/Gecko 1.9), or permissions.sqlite

    Internet Explorer
    Cookies: cookie policy, as visible in the "Privacy" tab of Internet Options
    Plugins: ActiveX Killbits, the best part of the program
    everything else: Restricted Sites list, may make IE launch more slowly (but only Domains and Secure Domains are made redundant by the HOSTS file immunization)

    Opera
    Cookies: cookies4.dat (only detected if Opera6.ini is in same directory)
    Content: urlfilter.ini (same as above), the third-best part of the program
    Plugins: plugin-ignore.ini (same as above, except that %ProgramFiles%\Opera\defaults\plugin-ignore.ini is also scanned)

    Global
    HOSTS: the HOSTS file, usually %WinDir%\System32\etc\drivers\hosts (%WinDir%\hosts in ME or earlier), the second-best part of the program

    It appears as if the immunizations for Cookies are the same across the browsers and all other immunizations for Firefox have the same lists as each other and as the HOSTS file and IE Domains and Secure Domains; then again the Restricted Sites list does allow wildcards while the HOSTS file does not, so maybe they aren't totally redundant.


    I think a future version of Spybot could also immunize the adblock.ini file used by SRWare Iron in a similar manner to Opera's urlfilter.ini; unfortunately adblock.ini does not allow wildcards, so some entries would need to be tweaked, and no other derivative of Chromium offers any similar interface for external immunization...
    Last edited by lewisje; 2011-01-25 at 07:35. Reason: Firefox's cookies.sqlite and Chrome's "Cookies" file just hold cookies, not cookie permissions.

  2. #2
    Senior Member
    Join Date
    May 2009
    Posts
    236

    Default

    PepiMK has said that SpyBot Search & Destroy will handle immunizations using browser plug-ins. See this post in Immunization Settings for Firefox Lost Every Time Browser Opened

    Also, Opera 11 does not generate an Opera6.ini file in a new clean install. If it's in an Opera 11 install it is a left over from updating from an earlier version of Opera. SpyBot Search & Destroy does find plugin-ignore.ini in %ProgramFiles%\Opera\defaults\ and immunizes it. See Recent update.

  3. #3
    Junior Member
    Join Date
    Jul 2010
    Posts
    27

    Default

    Great job! It looks spot on. I didn't realize that it updated ActiveX Kill Bits. I periodically load the AKB updates from Microsoft as they release them.

    @Gopher John:
    opera6.ini is a holdover from the Opera 9.xx days. It's used as a workaround for successful immunization with Opera 10.xx (and 11.xx I presume). Read my previously referenced thread thoroughly for a more detailed discussion:

    http://forums.spybot.info/showthread.php?t=58535
    Last edited by Eagle2a; 2011-01-26 at 23:00.

  4. #4
    Junior Member
    Join Date
    Jul 2010
    Posts
    27

    Default

    @lewisje, et al.

    I found that 3 cookies items couldn't be immunized with the latest (delayed) definitions released today even after repeated attempts. Did anyone else have the same experience? This is the first time I can recall this happening.

  5. #5
    Senior Member
    Join Date
    May 2010
    Posts
    114

    Lightbulb

    Now let's be more specific about the IE Immunizations...
    The unlabeled user refers to the HKEY_CURRENT_USER (HKCU) logical Registry hive.
    Local Machine (Global) refers to the HKEY_LOCAL_MACHINE (HKLM) hive.

    The two hives above are all that Spybot will refer to unless started with the "--allhives" command-line switch; below are the other hives, all of which are under HKEY_USERS (HKU)

    Default User (from which the hives for new users are copied): HKU\.Default
    Local System (service account used by the OS): HKU\S-1-5-18
    NT Authority/Local Service: HKU\S-1-5-19
    NT Authority/Network Service: HKU\S-1-5-20

    All relevant information is found under software, which for HKLM and HKU\.Default is in all caps as SOFTWARE and for all other logical hives is Software; information about the 32-bit compatibility layer on 64-bit Windows is found under HKLM\SOFTWARE\Wow6432Node

    Using the above as a guide to the proper prefix (calling it PFX, so for example the current user's hive would have PFX equal to HKCU\Software while the Default User hive would have PFX equal to HKU\.Default\SOFTWARE), the various immunizations can be found below...

    Plugins (HKLM only): PFX\Microsoft\Internet Explorer\ActiveX Compatibility
    Under here, there will be many keys named with the GUIDs of ActiveX controls, with values below them named "Compatibility Flags"; the ones with values equal to 0x00000400 in hexadecimal are for disabled controls, and you should see at least 860 of them after immunization, or many many more if you also use SpywareBlaster (recommended): http://support.microsoft.com/kb/240797

    Cookies: PFX\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
    Under the History key, there will be keys for many domains if you've Immunized properly; the unnamed value should be set equal to 0x00000005 to indicate that cookies are not permitted from that domain.

    IPs: PFX\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
    There will be numerous keys for named ranges, and within them you should see which IP-address ranges have been added to the Restricted Sites zone for all protocols (like http and https), as indicated by a value with name "*" and value 0x00000004 in hexadecimal.

    Domains: PFX\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
    There should be well over 14000 keys for various domains, ideally with information about subdomains listed under the base domains, if both are in the immunization list; all should be added to the Restricted Sites zone.

    Secure Domains: PFX\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
    This is related to the Enhanced Security Configuration, which is mostly for Web servers that may need to communicate with external websites.


    The preceding information is most useful for people like me who wish to use various sources of data to extend the Spybot-initiated immunization process, or even to easily clean out the relevant parts of the Registry, as with the following two scripts (right-click and choose Install) to clear out the zones (Trusted, Restricted, and otherwise, on all accounts that exist for sure in NT-based Windows, so use with caution)...
    For 32-bit Windows: https://jansal.googlecode.com/svn/tr...DelDomains.inf
    For 64-bit Windows: https://jansal.googlecode.com/svn/tr...lDomains64.inf
    These themselves were expanded from MVPs, the creators of a famously huge and false-positive-ridden HOSTS file: http://winhelp2002.mvps.org/restricted.htm

  6. #6
    Junior Member
    Join Date
    Jul 2010
    Posts
    27

    Default

    Just wanted to thank you for the excellent technical info.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •