Fixed: Detection rules for Delf.Spool.cn and/or the file ntdoss04.sys

md usa spybot fan

Spybot Advisor Team [Retired]
Team Spybot:

There appears to be a strange coincidence between posts by two different users related to a file "ntdoss04.sys" during Spybot scans:
  1. The first series of posts by Lancer in this thread indicate they are receiving:

    Error message = "There were problems in the include file C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi"

    My Include errors.log:

    C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
    C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
    It appears that Lancer is running Spybot 1.4 (although that was not clearly stated). The thread is: The dialogue concerning the problem is in these posts:
  2. The second series of posts are by bentelk in this thread:
    The indication in that thread is that COMODO Firewall is indicating that Spybot is attempting to create a file C:\Windows\ntdoss04.sys (which is the same file as reported by Lancer in their "Include errors.log").
I am unable to recreate either problem and am asking that you check out the rule set for the detection of "Delf.Spool.cn" or rule sets related to the file ntdoss04.sys to make sure that it is written properly and not causing the problems reported above.
 
The problem appears in 1.4 because the only rule related to ntdoss04.sys uses one of the anti-rootkit things; in this case one that exists in the main application, not a plugin.

The exact surroundings look complicated; I will have to wait for the person who wrote these rules for complete details, but it looks like a) Spybot-S&D does not want to write this file, but move it (which is the first method applied when not being able to delete a file), and b) the conditions under which this file was attempted to be moved might have to be checked again (just checking if a file exists before moving it would be useless when fighting rootkits, which might block the detection of whether a file exists, but often do not block other operations, like for example moving).
 
PepiMK:

Thanks for the feedback. That helps me understand the two problems that were reported as well as my observation when I removed the anti-rootkit plugins and successfully scanned with the Delf.Spool.cn rule set.
 
hello,

these are the 2 issues:

A) Spybot S&D 1.4
  • Spybot S&D 1.4 will always show/log the error since it does not recognize the command.
  • Other detections are not compromised by this; users should update to Spybot S&D 1.5.2 if possible.

B) Syntax Error
  • A syntax error caused Spybot S&D 1.5.2 to always try to access the ntdoss04.sys file; parameters were ignored.
  • this error will be fixed with the next update
  • here is a part of a filemon log on what Spybot S&D does
    Code:
    2234	08:10:55	SpybotSD.exe:1924	OPEN	E:\WINDOWS\system32\ntdoss04.sys	SUCCESS	Options: Open  Access: All	
    2235	08:10:55	SpybotSD.exe:1924	QUERY INFORMATION	E:\WINDOWS\system32\ntdoss04.sys	SUCCESS	FileAttributeTagInformation	
    2236	08:10:55	SpybotSD.exe:1924	QUERY INFORMATION	E:\WINDOWS\system32\ntdoss04.sys	SUCCESS	Attributes: A	
    2238	08:10:55	SpybotSD.exe:1924	CLOSE	E:\WINDOWS\system32\ntdoss04.sys	SUCCESS
    these are the only operations Spybot S&D 1.5.2 does for ntdoss04.sys if the file is not present. With the fixed rule these operations will only occur if the file is present and some other parameters are met.
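As an added illustration, not code from this thread or from Spybot, the following Python helper parses Filemon-style log lines in the tab-separated layout shown above and reports which operations each process performed on a named file, flagging anything beyond open / query / close. This is the check a defender runs to confirm that a scanner only inspected a file rather than creating or writing it. The log lines embedded in the script are constructed for the example; the second process name, its PID and the extra WRITE entry are assumptions, not observations from the thread.

```python
"""Summarise Filemon-style log lines for one file of interest.

Added example, not Spybot / Safer Networking code: groups the operations
each process performed on a given file and separates read-only inspection
(OPEN, QUERY INFORMATION, CLOSE, READ) from anything that could change the
file (WRITE, SET INFORMATION, CREATE, DELETE, ...).
"""
from collections import defaultdict

# Operations that only inspect a file; every other operation is reported
# as a potential modification.
READ_ONLY_OPS = {"OPEN", "QUERY INFORMATION", "CLOSE", "READ", "DIRECTORY"}

# Constructed sample log in Filemon's tab-separated layout:
# seq, time, process:pid, operation, path, result, details.
# The other.exe WRITE line is invented to show how a modifying access is flagged.
SAMPLE_LOG = (
    "2234\t08:10:55\tSpybotSD.exe:1924\tOPEN\tE:\\WINDOWS\\system32\\ntdoss04.sys"
    "\tSUCCESS\tOptions: Open  Access: All\n"
    "2235\t08:10:55\tSpybotSD.exe:1924\tQUERY INFORMATION\tE:\\WINDOWS\\system32\\ntdoss04.sys"
    "\tSUCCESS\tFileAttributeTagInformation\n"
    "2236\t08:10:55\tSpybotSD.exe:1924\tQUERY INFORMATION\tE:\\WINDOWS\\system32\\ntdoss04.sys"
    "\tSUCCESS\tAttributes: A\n"
    "2237\t08:10:55\tSpybotSD.exe:1924\tREAD\tE:\\WINDOWS\\system32\\drivers\\etc\\hosts"
    "\tSUCCESS\tOffset: 0 Length: 4096\n"
    "2238\t08:10:55\tSpybotSD.exe:1924\tCLOSE\tE:\\WINDOWS\\system32\\ntdoss04.sys"
    "\tSUCCESS\t\n"
    "2239\t08:10:56\tother.exe:4711\tWRITE\tE:\\WINDOWS\\system32\\ntdoss04.sys"
    "\tSUCCESS\tOffset: 0 Length: 512\n"
)


def parse_filemon_line(line):
    """Split one tab-separated Filemon line into a dict; None if malformed."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 6:
        return None
    seq, time, process, op, path, result = fields[:6]
    details = fields[6] if len(fields) > 6 else ""
    return {
        "seq": int(seq),
        "time": time,
        "process": process,
        "op": op,
        "path": path,
        "result": result,
        "details": details,
    }


def summarize_file_access(log_text, filename):
    """Return {process: {"ops": [...], "modifying": [...]}} for every entry
    whose path ends with filename (case-insensitive, matched on the last
    path component so a different file with the same suffix is not counted).
    "modifying" lists (seq, op, details) for operations outside READ_ONLY_OPS.
    """
    target = "\\" + filename.lower()
    summary = defaultdict(lambda: {"ops": [], "modifying": []})
    for line in log_text.splitlines():
        rec = parse_filemon_line(line)
        if rec is None or not rec["path"].lower().endswith(target):
            continue
        entry = summary[rec["process"]]
        entry["ops"].append(rec["op"])
        if rec["op"] not in READ_ONLY_OPS:
            entry["modifying"].append((rec["seq"], rec["op"], rec["details"]))
    return dict(summary)


def inspection_only(summary, process):
    """True if the given process touched the file without any modifying op."""
    entry = summary.get(process)
    return entry is not None and not entry["modifying"]


if __name__ == "__main__":
    result = summarize_file_access(SAMPLE_LOG, "ntdoss04.sys")
    for proc, entry in result.items():
        verdict = "inspection only" if inspection_only(result, proc) else "MODIFIED"
        print(f"{proc}: {', '.join(entry['ops'])} -> {verdict}")
        for seq, op, details in entry["modifying"]:
            print(f"    #{seq} {op} {details}")
```

Run as-is it reports SpybotSD.exe:1924 as inspection only and flags the constructed other.exe WRITE. Note that the OPEN line requests "Access: All", so the handle could have been used to write; it is the absence of WRITE, SET INFORMATION or CREATE entries between OPEN and CLOSE that shows the file was only examined, which is why the summary keys on the operations actually performed rather than on the access requested at open time.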
 
Yodama:

Thanks for looking into the problems encountered, clarifying what was occurring in each case and correcting the Syntax Error in the detection rules.

Regards,
md usa spybot fan
 