Thread: Spybot’s immunization function REMOVES items

  1. #1
    Junior Member Synetech's Avatar
    Join Date
    Jun 2008
    Location
    my home
    Posts
    27

    Spybot’s immunization function REMOVES items

    It seems that when you apply Spybot’s immunization definitions, it will actually remove several items from the HOSTS file (and likely other locations as well).

    I suspect that this is due to some sort of false-positive white-list, but even then, it should only avoid adding those items to the list; it should not remove items that are already present because it may not have been the one to put them there in the first place. For example, google.com would ostensibly be a false positive in most cases, but if someone chooses to block it, then Spybot must not remove the entry (at least not automatically).

    I tried to check the Spybot files to see if there is a list of URLs that Spybot lets through, but it uses a proprietary format so I could not find out; however, here is a list of URLs that I have noticed Spybot allows:

    • -h-n7y15mc.firoli-sys.com
    • cloudfront.net
    • www.cloudfront.net
    • one2mail.com
    • www.one2mail.com
    • websearch.com
    • www.websearch.com

    One or two of those have been mentioned in the forums as false-positives, a couple have not, and that first one looks outright suspicious, so it is questionable why Spybot would remove it.

  2. #2
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,483

    I have 3 sites I keep blocked in my Hosts file, besides the ones added by Spybot.
    Checking just now, I immunized 2 items Spybot showed as unprotected, removed immunization completely, and then readded immunization, and the three sites I keep in my hosts file remained.
    I'm not sure why. About the only thing I can think of is that I keep the 3 sites outside of the sites enclosed in Spybot's comments.
    So, if you think you may have added the sites you keep in there into the sites enclosed within Spybot's comments, when you readd the sites into hosts, try scrolling down hosts until you see:
    # This list is Copyright 2000-2010 Safer-Networking Ltd.
    # End of entries inserted by Spybot - Search & Destroy
    and then add your sites below that comment, to try to see if the sites you add on your own aren't removed next time.

  3. #3
    Junior Member Synetech's Avatar
    Join Date
    Jun 2008
    Location
    my home
    Posts
    27

    It has nothing to do with the comments; in fact, I strip out comments, sort, and de-dupe the HOSTS file whenever a change is made.

    The items you added were kept because they were not on Spybot’s false-positive/white-list. Try the ones I listed and you will see that they get removed.

  4. #4
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,483

    Ok, gotcha. I didn't try adding them yet.
    I never really thought about it before. But if they were listed as false positives in the forum, then it kind of makes sense if the sites would be removed by Spybot.
    To use your example, somebody may well want google.com blocked in their hosts file, yes.
    But if Spybot accidentally placed Google.com in everybody's hosts file and did not remove it, then that would leave hundreds, thousands, or millions (whatevs Spybot has for users) with no access to Google, and many might not even know how come, since not all people would understand what happened. That could be potentially disastrous, really, if it were a really well known site.
    Or less well-known... I start memyselfandI.com, and it starts becoming better known, when all of a sudden Spybot mistakenly puts it in the hosts file. Suddenly I've got folks on the internet not able to get there, then people are saying it's a malware site on the internet, or they just think it's gone under.
    No offense, I wasn't even aware Spybot did that with the hosts file, but it is another opinion, and maybe something to think about.

  5. #5
    Junior Member Synetech's Avatar
    Join Date
    Jun 2008
    Location
    my home
    Posts
    27

    Yes, handling false-positives is tricky, but like I said, Spybot may not have been the one to put them in there, so it should not be removing them. Another way to think about it is that google.com wouldn’t normally be redirected in the HOSTS file, so should Spybot take the liberty of finding and removing any references to it? No. A person may have added it to block Google (or a porn site or whatever) or to add an IP address directly to avoid risking DNS poisoning or something.

    It’s not the immunization function’s place to (automatically) remove entries from the HOSTS file (or the P3P and Zone Domain registry entries or Firefox and Opera’s blocking files); it should only add items to them. Removing (potentially) false positives should only be done by the scanning/check-for-problems function. That way, users can select what they want to remove, and add them to a whitelist of entries to be ignored.

  6. #6
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,483

    I added -h-n7y15mc.firoli-sys.com and cloudfront.net to hosts, and yes, upon removing and readding immunization to hosts those were removed.

    I see your point if you placed the sites in hosts by yourself. But, in the case of false positives or if somebody had a site that was formerly listed, but they worked with the Spybot folks to have it de-listed, there has to be a functioning way for that site to be removed from the hosts file and other immunization after it was placed there by Spybot. We're going to have to agree to disagree.

    Team Spybot isn't usually around much on the weekends. They might not see this if they don't happen to look in Monday, but there is a contact form here, if you would like to discuss this with them further:
    http://www.safer-networking.org/contact/
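
A way to confirm the removals reported in this thread without reading Spybot's proprietary definition files is to snapshot the HOSTS file before and after applying immunization and diff the parsed entries. This is an added example, not part of any post and not Spybot code; the two sample file contents and the `.example` hostnames are constructed, and `parse_hosts` and `diff_hosts` are hypothetical helper names.

```python
# Constructed sample: HOSTS content saved before applying immunization.
BEFORE = """\
127.0.0.1   localhost
127.0.0.1   -h-n7y15mc.firoli-sys.com
127.0.0.1   cloudfront.net www.cloudfront.net   # added by hand
0.0.0.0     Blocked-By-User.example
"""

# Constructed sample: HOSTS content after applying immunization.
AFTER = """\
127.0.0.1   localhost
127.0.0.1   immunized-one.example
127.0.0.1   immunized-two.example
# End of entries inserted by Spybot - Search & Destroy
0.0.0.0     blocked-by-user.example
"""


def parse_hosts(text):
    """Map each hostname (lowercased) to the set of addresses it is pinned to."""
    entries = {}
    for line in text.lstrip("\ufeff").splitlines():
        # Drop trailing comments, then split on any run of spaces or tabs.
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        address, names = fields[0], fields[1:]
        for name in names:  # one line may carry several hostnames
            entries.setdefault(name.lower().rstrip("."), set()).add(address)
    return entries


def diff_hosts(before_text, after_text):
    """Report hostnames removed, added, or re-pointed between two snapshots."""
    before, after = parse_hosts(before_text), parse_hosts(after_text)
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "changed": sorted(n for n in set(before) & set(after)
                          if before[n] != after[n]),
    }


if __name__ == "__main__":
    for kind, names in diff_hosts(BEFORE, AFTER).items():
        print(kind, names)
```

Comparing parsed entries rather than raw lines keeps the result stable when the file is re-sorted, de-duplicated or stripped of comments between snapshots.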

  7. #7
    Junior Member Synetech's Avatar
    Join Date
    Jun 2008
    Location
    my home
    Posts
    27

    Quote Originally Posted by Zenobia
    I added -h-n7y15mc.firoli-sys.com and cloudfront.net to hosts, and yes, upon removing and readding immunization to hosts those were removed.
    Actually, you don’t have to remove anything. The problem is that if you have those entries in the HOSTS file, then simply applying/adding the immunization will strip them out.

    Do not un-check the box, leave the HOSTS item checked and simply apply the immunization and it will still remove them. That doesn’t make sense. (See screenshot.)

    Quote Originally Posted by Zenobia
    But, in the case of false positives or if somebody had a site that was formerly listed, but they worked with the Spybot folks to have it de-listed, there has to be a functioning way for that site to be removed from the hosts file and other immunization after it was placed there by Spybot.
    There already is: the scanner. It is the scanner’s job to check for problems including false-positives and hijacks, not the immunization’s job. The scanner allows you to examine the list of potential problems and select which ones you want reverted and also add them to a white-list. The immunization function has no such functionality and will automatically, unilaterally, and always remove them whether you want it to or not.


  8. #8
    Translator Team bbnetwork's Avatar
    Join Date
    Feb 2012
    Location
    Germany- Saxony
    Posts
    595

    Is the hostfile protected against changes?



    Evil tongues hurt three times: the one who speaks, the one spoken about, and the one who listens.

    Peace

  9. #9
    Junior Member Synetech's Avatar
    Join Date
    Jun 2008
    Location
    my home
    Posts
    27

    Quote Originally Posted by bbnetwork
    Is the hostfile protected against changes?
    Do you mean read-only? Yes, but that doesn’t matter; I don’t want to prevent Spybot from adding new items, I just want it to not automatically remove anything.

  10. #10
    Junior Member Synetech's Avatar
    Join Date
    Jun 2008
    Location
    my home
    Posts
    27

    If I were prone to paranoia, I would suspect that it is purposely letting those domains through for “some reason”. There is no reason for the immunization function to automatically and secretly remove a small handful of select domains from the HOSTS file when there is already a proper, better, more thorough, more controllable way to do exactly the same thing:
