Microsoft.Windows.AppFirewallBypass

pgroot

Microsoft.Windows.AppFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\usmt\migwiz.exe

Microsoft.Windows.AppFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\usmt\migwiz.exe

The registry entries are both:
C:\WINDOWS\system32\usmt\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard

So not only is this a known Microsoft application, it is disabled.
I'm not sure why it is disabled. But this detection appears to be a false positive in 2007-06-13 Includes\Beta.sbi (*)
 
Yes, I got the same thing you did, but I let SBS&D go ahead and remove it with no ill effects that I could tell.

I figured that if it was off anyway, there wasn't any need for it to be there, period. Pete
 
hi,

normally you do not want your windows migration to be accessing incoming communication through the firewall unless you really do a migration.

So this should only be allowed if there is need to and disabled otherwise, since there are trojan horses which override the original file and act as servers under the unsuspicious name of the migwiz.exe.
 
so which is it?

Excuse my slowness, but does this mean we should remove the two entries ticked by the Search & Destroy, or is it a false positive to be corrected in the next update?
 
This is not considered a false positive, though fixing it may be inconvenient if you migrate your Windows over the network very often ;)
If you let Spybot fix this, the Windows Firewall will ask if you want to block migwiz.exe or not; usually it is no when you want to migrate over the network.

So the impact on the workflow is relatively small if you let Spybot fix this, while it gives you more security against a fake migwiz.exe that receives commands through the opened Windows Firewall.
 
How about these two?


Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Program Files\Internet Explorer\IEXPLORE.EXE

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Program Files\Internet Explorer\IEXPLORE.EXE
 
slowness

I am in the same boat. Could you please tell me how I should handle these two detections; I'm obviously not a tech so please explain in relatively easy terms. I do not know what migrations are, have McAfee firewall and XP SP2.
Thank you
 
@ky331

The Internet Explorer does not need to get authorized for the Windows Firewall for internet surfing. The Windows Firewall only works one way: it does not block requests made from the host computer, it can only block access from outside.
There may be some special purpose where it may be required to have the Internet Explorer authorized for the Windows Firewall, which would basically make the Internet Explorer accept incoming transmissions like a server would.


@nowellp
Windows migration is used to transfer files, folders and settings from one computer to another. This is not bound to hardware and is usually used when the computer hardware is upgraded/exchanged.
 
Yodama:

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Program Files\Internet Explorer\IEXPLORE.EXE

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Program Files\Internet Explorer\IEXPLORE.EXE

Sorry to be a bit dense, but if these two entries appear as detected items, do we (a) tick to delete or (b) are they false positives to be countered by a Spybot later update?

(a) or (b) please?
 
Yodama:

Like ky331 and greenhatch, I don't know what to do with these 2 Microsoft.Windows.IEFirewallBypass registry detections. Spybot offers me no option to ignore or exclude them in future searches, so I do nothing.

I suspect they are related to the fact that I have disabled Windows firewall, and am using a third-party firewall (in my case, Comodo).
 
It is not a false positive unless you want your Internet Explorer to accept incoming requests. The normal use for the IE is to send requests, not to accept them, meaning that it is acting as a client, not a server.
In some cases however it may be required for the IE to accept incoming requests, for instance if you make an online scan. But the IE should only be able to accept requests for such special purposes; after that you should unauthorize the IE for the Windows Firewall, so that you are aware if a website tries to make requests to your browser.
If you scan online often you may want to set
Microsoft.Windows.IEFirewallBypass
to the ignored products list. You can also configure the Windows Firewall to ask again and not authorize permanently.
 
I'm getting this alert too (but only after today's update), but even after reading the above posts I don't understand what it means, nor what to do about it.

1. I don't use the Windows firewall. It's switched off. I use the AVG firewall.
2. Internet Explorer is not selected as an exception in Windows Firewall.

Could someone please explain clearly why we are getting this alert (even when Windows firewall is off, and IE is NOT a selected exception) and explain precisely what action we should take about this alert?
 
Yodama:
Sorry I don't know if it's a matter of English or how I'm expressing myself. Please indicate your recommendation: (a) or (b) please. I just surf the net, I don't do anything special or clever.
 
@Alan D

Spybot looks for what has been entered into the list of authorised applications, it does not matter if the entry is disabled or enabled, even if the Windows Firewall is deactivated.

Fixing this will remove the IE from the list of authorized applications for the Windows Firewall only, it will have no effect on the AVG Firewall.

And it will have no effect on the normal internet browsing with the IE.
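
The registry value quoted earlier in the thread (`path:*:Disabled:name`) and the point above that an entry is reported whether it is enabled or disabled, shown as an added Python example that is not part of the original posts and is not Spybot's code. The field names, the `WATCHED` set and the second and third sample values are assumptions constructed for illustration.

```python
import ntpath
import re
from typing import NamedTuple

# Executables this thread discusses; an assumption, not Spybot's rule set.
WATCHED = {"migwiz.exe", "iexplore.exe"}
_STATUS = re.compile(r":(Enabled|Disabled):", re.IGNORECASE)

class AuthorizedApp(NamedTuple):
    path: str
    scope: str
    enabled: bool
    name: str

def parse_entry(value):
    """Split 'path:scope:Enabled|Disabled:name' (layout inferred from the thread's sample)."""
    m = _STATUS.search(value)
    if m is None:
        raise ValueError(f"no Enabled/Disabled field in {value!r}")
    # The path contains a drive-letter colon, so take the scope from the right.
    path, sep, scope = value[:m.start()].rpartition(":")
    if not sep or not path:
        raise ValueError(f"no path/scope pair in {value!r}")
    # Everything after the status field is the display name, colons included.
    return AuthorizedApp(path, scope, m.group(1).lower() == "enabled", value[m.end():])

def audit(values):
    """Report watched executables in the list, whether enabled or disabled."""
    findings = []
    for value in values:
        try:
            app = parse_entry(value)
        except ValueError:
            findings.append((value, "unparseable"))
            continue
        if ntpath.basename(app.path).lower() in WATCHED:
            findings.append((app.path, "enabled" if app.enabled else "disabled"))
    return findings

SAMPLE = [
    # Value quoted in the thread:
    r"C:\WINDOWS\system32\usmt\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard",
    # Constructed values for illustration:
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer",
    r"C:\Program Files\Example\tool.exe:LocalSubnet:Enabled:Example: tool",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```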
 
About IEFirewallBypass

Hello, I am just new on this forum and, more, I am French, so sorry for my poor English...
As others, I have this detection since yesterday's update:
Microsoft.Windows.IEFirewallBypass: Réglages (Valeur du registre, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

Microsoft.Windows.IEFirewallBypass: Réglages (Valeur du registre, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

I read the different posts and have understood the problem, I think.
But my question is:
1. Is it necessary to fix it? A security necessity? (I use McAfee firewall)
2. Or just exclude it of next scans by right-click?
Thank you and regards.
 
Hello jerome1951,

If you have a personal firewall like the McAfee or AVG firewall running, there is no necessity in terms of security to have Spybot fix this. Your personal firewall already watches over incoming and outgoing connections, and there is no need to use the Windows Firewall and another personal firewall.

This is only of concern if only the Windows Firewall is being used.
 
Thanks Yodama, I'm starting to understand a bit more now what's going on.

1. Are we getting this alert (which has never appeared before) ...
(a) because something has changed in our computers? or
(b) because this is a new detection only recently added to Spybot's database?

2. If I were to delete the Internet Explorer exception entry in the Windows firewall configuration, rather than merely untick it as at present, would that do basically the same job as letting Spybot fix the 'issue'?
 
Thank you Yodama for your quick answer.
So, according to you, can I exclude the detection of next scans by right-click to recover serenity and a clean scan?
It seems to be more an INFORMATION than an INFECTION, am I right? More or less the same thing that "Windows Security Center"?
Regards.
 