
Thread: The Meaning of the Immunization Entries

  1. #1
    Senior Member
    Join Date
    May 2010
    Posts
    114

    The Meaning of the Immunization Entries

    I haven't found them documented well, but I think I figured all of them out...

    Firefox and derivatives (like SeaMonkey and old Flock and Netscape)
    everything: cookperm.txt (before Fx was released), hostperm.1 (before Fx3/Gecko 1.9), or permissions.sqlite

    Internet Explorer
    Cookies: cookie policy, as visible in the "Privacy" tab of Internet Options
    Plugins: ActiveX Killbits, the best part of the program
    everything else: Restricted Sites list, may make IE launch more slowly (but only Domains and Secure Domains are made redundant by the HOSTS file immunization)

    Opera
    Cookies: cookies4.dat (only detected if Opera6.ini is in same directory)
    Content: urlfilter.ini (same as above), the third-best part of the program
    Plugins: plugin-ignore.ini (same as above, except that %ProgramFiles%\Opera\defaults\plugin-ignore.ini is also scanned)

    Global
    HOSTS: the HOSTS file, usually %WinDir%\System32\etc\drivers\hosts (%WinDir%\hosts in ME or earlier), the second-best part of the program

    It appears as if the immunizations for Cookies are the same across the browsers and all other immunizations for Firefox have the same lists as each other and as the HOSTS file and IE Domains and Secure Domains; then again the Restricted Sites list does allow wildcards while the HOSTS file does not, so maybe they aren't totally redundant.


    I think a future version of Spybot could also immunize the adblock.ini file used by SRWare Iron in a similar manner to Opera's urlfilter.ini; unfortunately adblock.ini does not allow wildcards, so some entries would need to be tweaked, and no other derivative of Chromium offers any similar interface for external immunization...
    Last edited by lewisje; 2011-01-25 at 06:35. Reason: Firefox's cookies.sqlite and Chrome's "Cookies" file just hold cookies, not cookie permissions.

  2. #2
    Senior Member
    Join Date
    May 2009
    Posts
    236


    PepiMK has said that SpyBot Search & Destroy will handle immunizations using browser plug-ins. See this post in "Immunization Settings for Firefox Lost Every Time Browser Opened".

    Also, Opera 11 does not generate an Opera6.ini file in a new clean install. If it's in an Opera 11 install, it is a leftover from updating from an earlier version of Opera. SpyBot Search & Destroy does find plugin-ignore.ini in %ProgramFiles%\Opera\defaults\ and immunizes it. See Recent update.

  3. #3
    Junior Member
    Join Date
    Jul 2010
    Posts
    27


    Great job! It looks spot on. I didn't realize that it updated ActiveX Kill Bits. I periodically load the AKB updates from Microsoft as they release them.

    @Gopher John:
    opera6.ini is a holdover from the Opera 9.xx days. It's used as a workaround for successful immunization with Opera 10.xx (and 11.xx I presume). Read my previously referenced thread thoroughly for a more detailed discussion:

    http://forums.spybot.info/showthread.php?t=58535
    Last edited by Eagle2a; 2011-01-26 at 22:00.

  4. #4
    Junior Member
    Join Date
    Jul 2010
    Posts
    27


    @lewisje, et al.

    I found that 3 cookie items couldn't be immunized with the latest (delayed) definitions released today even after repeated attempts. Did anyone else have the same experience? This is the first time I can recall this happening.

  5. #5
    Senior Member
    Join Date
    May 2010
    Posts
    114


    Now let's be more specific about the IE Immunizations...
    The unlabeled user refers to the HKEY_CURRENT_USER (HKCU) logical Registry hive.
    Local Machine (Global) refers to the HKEY_LOCAL_MACHINE (HKLM) hive.

    The two hives above are all that Spybot will refer to unless started with the "--allhives" command-line switch; below are the other hives, all of which are under HKEY_USERS (HKU)

    Default User (from which the hives for new users are copied): HKU\.Default
    Local System (service account used by the OS): HKU\S-1-5-18
    NT Authority/Local Service: HKU\S-1-5-19
    NT Authority/Network Service: HKU\S-1-5-20

    All relevant information is found under software, which for HKLM and HKU\.Default is in all caps as SOFTWARE and for all other logical hives is Software; information about the 32-bit compatibility layer on 64-bit Windows is found under HKLM\SOFTWARE\Wow6432Node

    Using the above as a guide to the proper prefix (calling it PFX, so for example the current user's hive would have PFX equal to HKCU\Software while the Default User hive would have PFX equal to HKU\.Default\SOFTWARE), the various immunizations can be found below...

    Plugins (HKLM only): PFX\Microsoft\Internet Explorer\ActiveX Compatibility
    Under here, there will be many keys named with the GUIDs of ActiveX controls, with values below them named "Compatibility Flags"; the ones with values equal to 0x00000400 in hexadecimal are for disabled controls, and you should see at least 860 of them after immunization, or many many more if you also use SpywareBlaster (recommended): http://support.microsoft.com/kb/240797

    Cookies: PFX\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
    Under the History key, there will be keys for many domains if you've Immunized properly; the unnamed value should be set equal to 0x00000005 to indicate that cookies are not permitted from that domain.

    IPs: PFX\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
    There will be numerous keys for named ranges, and within them you should see which IP-address ranges have been added to the Restricted Sites zone for all protocols (like http and https), as indicated by a value with name "*" and value 0x00000004 in hexadecimal.

    Domains: PFX\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
    There should be well over 14000 keys for various domains, ideally with information about subdomains listed under the base domains, if both are in the immunization list; all should be added to the Restricted Sites zone.

    Secure Domains: PFX\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
    This is related to the Enhanced Security Configuration, which is mostly for Web servers that may need to communicate with external websites.


    The preceding information is most useful for people like me who wish to use various sources of data to extend the Spybot-initiated immunization process, or even to easily clean out the relevant parts of the Registry, as with the following two scripts (right-click and choose Install) to clear out the zones (Trusted, Restricted, and otherwise, on all accounts that exist for sure in NT-based Windows, so use with caution)...
    For 32-bit Windows: https://jansal.googlecode.com/svn/tr...DelDomains.inf
    For 64-bit Windows: https://jansal.googlecode.com/svn/tr...lDomains64.inf
    These themselves were expanded from MVPs, the creators of a famously huge and false-positive-ridden HOSTS file: http://winhelp2002.mvps.org/restricted.htm
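
The registry layout described in post #5 can be checked offline from a `reg export` of the relevant keys. The following is an added example, not part of the original post and not Spybot's own code: `parse_reg`, `audit` and the sample export (GUIDs, domains, IP) are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re
from collections import Counter

# Constructed sample in .reg export format; every GUID, domain and IP is a placeholder.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\tracker.example]
@=dword:00000005
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
"*"=dword:00000004
":Range"="192.0.2.10"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads.example]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads.example\cdn]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"*"=dword:00000002
"""

def parse_reg(text):
    """Return {key_path: {lowercased_value_name: int}}, keeping dword values only."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None:
            m = re.match(r'(@|"(.*)")=dword:([0-9a-fA-F]{8})$', line)
            if m:  # "@" stands for the key's unnamed (default) value
                cur[(m.group(2) or "@").lower()] = int(m.group(3), 16)
    return keys

def audit(text):
    """Count entries matching the values post #5 gives for each immunization."""
    counts = Counter()
    for path, vals in parse_reg(text).items():
        p = path.lower()  # SOFTWARE vs Software differs between hives
        if "\\internet explorer\\activex compatibility\\" in p:
            counts["killbits"] += bool(vals.get("compatibility flags", 0) & 0x400)
        elif "\\internet settings\\p3p\\history\\" in p:
            counts["cookie_blocks"] += vals.get("@") == 5
        elif "\\internet settings\\zonemap\\ranges\\" in p:
            counts["restricted_ranges"] += vals.get("*") == 4
        elif "\\internet settings\\zonemap\\domains\\" in p:
            counts["restricted_domains"] += vals.get("*") == 4
    return counts
```

The kill-bit check tests the 0x400 bit rather than exact equality, so controls that carry additional compatibility flags are still counted. Files written by `reg export` are UTF-16, so decode them before calling `audit`.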

  6. #6
    Junior Member
    Join Date
    Jul 2010
    Posts
    27


    Just wanted to thank you for the excellent technical info.
