Microsoft.Windows.AppFirewallBypass
- Thread starter pgroot
- Start date
I have been following this thread and this is the alert that I am getting:
Microsoft.Windows.IEFirewallBypass:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
Microsoft.Windows.IEFirewallBypass:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
It seems to me that we are receiving this alert because of the recent update, but I do not understand what it is saying. In spite of everything that has been posted here I wonder if someone could explain in simple language exactly what this alert means. Your help would be appreciated.
Microsoft.Windows.IEFirewallBypass:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
Microsoft.Windows.IEFirewallBypass:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
It seems to me that we are receiving this alert because of the recent update, but I do not understand what it is saying. In spite of everything that has been posted here I wonder if someone could explain in simple language exactly what this alert means. Your help would be appreciated.
not an infection
It is not a new infection, it is a new detection that was in beta detections last week and is now under security. Perhaps it would be best described as a vulnerability if something is allowed to bypass the firewall. If it is Microsoft (migwiz.exe and iexplore.exe) it won't cause harm unless malicious code is substituted for the privileged executable, and Windows Firewall is your only firewall.
It is not a new infection, it is a new detection that was in beta detections last week and is now under security. Perhaps it would be best described as a vulnerability if something is allowed to bypass the firewall. If it is Microsoft (migwiz.exe and iexplore.exe) it won't cause harm unless malicious code is substituted for the privileged executable, and Windows Firewall is your only firewall.
This may be a case of the blind leading the blind, but here's my understanding of the situation:
1. This is a new detection, only added to the Spybot database in the last update (see here, under 'Security': http://forums.spybot.info/showthread.php?p=96665#post96665). That's why we haven't seen these alerts before.
2. The Windows firewall can be configured to 'authorize' certain programs to receive incoming requests from 'out there'. Usually there is no good reason why Internet Explorer should be one of these 'authorised' programs, and yet it apparently is, on many of our systems.
3. If Windows firewall is your only firewall, then this setting is a security risk. Spybot is offering to fix it by removing the authorization. It seems that in this case the correct action is to allow Spybot to fix it.
4. If your Windows firewall is disabled (because you're using another firewall instead) then it doesn't matter whether you let Spybot fix this or not, because you're not at risk.
I hope this is correct. If there's a mistake somewhere, please correct it, someone.
Interesting findings
I have 5 computers running spybot S&D 1.4 on xp
2 have avg pro with firewall and xp pro sp2
Both of these when doing the scan after the update did not show the vulnerability and in Windows Firewall they are NOT in the exceptions list.
1 is running xp home sp2 and Zone Alarm Free and after the update and scan it did show the vulnerability and in Windows Firewall IE Explorer is checked.
On that one I allowed the fix in Spybot and noticed when doing so the IE Explorer disappeared out of the exception list.
I have one notebook computer, xp pro sp2 running Windows Firewall only and yes IE explorer is in and checked in Windows Firewall exception list. I ran the scan in spybot and it also came up with the vulnerability. Before i ran the scan I went into the firewall and unchecked IE Explorer to see what would happen- then ran the scan. As said it still showed the vulnerability.
I allowed spybot to fix it. I checked to make sure i am still on the network and I am. I cannot find where you ask Windows Firewall to ask you for that specific file if i find I need to run any online scans so please tell me where this is besides IE Explorer is no longer in the list of exceptions so now what?
I have another xp pro computer on the network but it is in use right now and i cannot run the scan on it as of yet. Before i do I would like to understand how to configure the Windows Firewall to ask again for IE and not authorize permanently.
Also if one is NOT on a network and only running Windows Firewall I am safely to assume you can allow spybot to fix? and if on a network I am also safely to assume this should not effect the network if I allow it to fix too? correct?
thanks
Robin
I have 5 computers running spybot S&D 1.4 on xp
2 have avg pro with firewall and xp pro sp2
Both of these when doing the scan after the update did not show the vulnerability and in Windows Firewall they are NOT in the exceptions list.
1 is running xp home sp2 and Zone Alarm Free and after the update and scan it did show the vulnerability and in Windows Firewall IE Explorer is checked.
On that one I allowed the fix in Spybot and noticed when doing so the IE Explorer disappeared out of the exception list.
I have one notebook computer, xp pro sp2 running Windows Firewall only and yes IE explorer is in and checked in Windows Firewall exception list. I ran the scan in spybot and it also came up with the vulnerability. Before i ran the scan I went into the firewall and unchecked IE Explorer to see what would happen- then ran the scan. As said it still showed the vulnerability.
I allowed spybot to fix it. I checked to make sure i am still on the network and I am. I cannot find where you ask Windows Firewall to ask you for that specific file if i find I need to run any online scans so please tell me where this is besides IE Explorer is no longer in the list of exceptions so now what?
I have another xp pro computer on the network but it is in use right now and i cannot run the scan on it as of yet. Before i do I would like to understand how to configure the Windows Firewall to ask again for IE and not authorize permanently.
Also if one is NOT on a network and only running Windows Firewall I am safely to assume you can allow spybot to fix? and if on a network I am also safely to assume this should not effect the network if I allow it to fix too? correct?
thanks
Robin
Thank you all for your input.
As I understand it, as I have NAV as a firewall I can ignore this alert. If I relied on Windows, and the exception box for IE is not checked then the alert would not appear. If the exception box is checked then the alert would appear and the fix in Spybot would remove the check.
I hope that is right.
As I understand it, as I have NAV as a firewall I can ignore this alert. If I relied on Windows, and the exception box for IE is not checked then the alert would not appear. If the exception box is checked then the alert would appear and the fix in Spybot would remove the check.
I hope that is right.
So as I understand it, Spybot will 'detect' this vulnerability if IE is a listed exception in the Windows firewall configuration - whether or not the Windows firewall is disabled, and regardless of whether IE is selected in the Windows firewall authorisation list.
Which brings me to a question I asked earlier: If IE is in the Windows firewall configuration list, there are three options: tick the box; don't tick the box; or remove the entry altogether. The first two options don't affect the Spybot detection. It seems from what Robin says that the Spybot 'fix' effectively removes IE from the list. So I presume that an alternative to the Spybot fix is to manually remove IE from the list?
But if we do - what happens (as Robin says) if we need to put it back in at some future time?
Yes.
Not quite. If IE is in the list, then the alert will appear whether the box is ticked or not (I can't see why, but that does seem to be the case). The only way to stop the alert is to either remove IE from the list completely yourself, or to let Spybot do it for you. But in your case this is merely an academic point. It simply doesn't matter.
Last edited:
I'm not surprised. Trying to pin this down is like trying to catch the soap in the bath. I'm beginning to suspect that Spybot has got us all chasing our tails!!
Windows Firewall
Robin,
My first recommendation to you is to stop using Windows Firewall on the one notebook computer as it is pretty much garbage and not worth much in the way of protection. The AVG Pro and Zone Alarm are both good firewalls. I would put Zone Alarm on the notebook and stick with it, then let Spybot S & D fix the issue, then you don't have to worry about it. If you have a computer that is not on a network, but does access the internet, you still want to fix it if it is your only firewall. It will not effect how your network operates. The only thing this fixes is stopping inbound requests that you DID NOT initiate. Let Spybot fix it, then let your other firewall protect you. You're much better off that way. Hope this helps, if not, post again and I'll try to explain a bit better.
Tony
Robin,
My first recommendation to you is to stop using Windows Firewall on the one notebook computer as it is pretty much garbage and not worth much in the way of protection. The AVG Pro and Zone Alarm are both good firewalls. I would put Zone Alarm on the notebook and stick with it, then let Spybot S & D fix the issue, then you don't have to worry about it. If you have a computer that is not on a network, but does access the internet, you still want to fix it if it is your only firewall. It will not effect how your network operates. The only thing this fixes is stopping inbound requests that you DID NOT initiate. Let Spybot fix it, then let your other firewall protect you. You're much better off that way. Hope this helps, if not, post again and I'll try to explain a bit better.
Tony
owlscreech
New member
Got the same two IE Firewall Bypass detections -- no clear yes or no answer from the mods yet as to what to do about it. I use AVG security suite, not Windows Firewall, so went ahead and let the trusted Spybot fix what it found.
Spybot user since ~2001, thanx for this great security product and maintenance work. (yes, i donated
)
---
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
Spybot user since ~2001, thanx for this great security product and maintenance work. (yes, i donated
)---
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
Hi,
I am not at all saavy about any of this.
I just did a SBS&D and it gave me the following result:
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
Help! What does this mean? I told SBS&D to fix it, since I assume that the program is suggesting to me that there is a problem that could compromise the security of my computer.
Can someone explain to me if I did the right thing, and what this means?
Thank you so much for your patience and assistance.
I am not at all saavy about any of this.
I just did a SBS&D and it gave me the following result:
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
Help! What does this mean? I told SBS&D to fix it, since I assume that the program is suggesting to me that there is a problem that could compromise the security of my computer.
Can someone explain to me if I did the right thing, and what this means?
Thank you so much for your patience and assistance.
hi,
these :
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
are only of concern if you use the Windows firewall, all other firewalls are not affected by this.
Normally the Internet Explorer does not need to be authorized for the Windows firewall. It is only required for special purposes, like online virus scanners. If you just surf normally, you should let Spybot fix this, since it can be a security issue with malicious/hacked websites.
these :
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
are only of concern if you use the Windows firewall, all other firewalls are not affected by this.
Normally the Internet Explorer does not need to be authorized for the Windows firewall. It is only required for special purposes, like online virus scanners. If you just surf normally, you should let Spybot fix this, since it can be a security issue with malicious/hacked websites.
One of the things that has baffled many of us who have been alerted to this by Spybot is that we don't have any idea how IE came to be included in our Windows firewall exceptions list (we don't believe malware has been responsible). I wonder if here you might have given us an answer? Certainly in the past I have used several online scanners at a time when I was only using the Windows firewall - is this a possible explanation as to how this exception got into the list? If the online scanner requested access, and the Windows firewall asked for permission and we gave it, and if we then forgot that incident afterwards (very likely), the result would be the mysterious entry that we now see. Does this make sense?
hello,
yes this makes sense and is the most likely explanation. I hope you have not been too confused by this. The description will also be updated with the next update.
whitneymuse
New member
I'm very appreciative for all of these comments and the responsible way they are presented; I certainly was convicted to allow Spygot S&D to fix the problem and the internet is still alive and well; I haven't done a reboot yet, so I suppose that's the proof of the pudding so to speak; I have so many partitions and multiboot MBRs so I'll just have to remember to do this download again on the other MBR partitions; one thing I do with regularity and that is to get internet streaming radio from WABC in NYC...I'm on the west coast, that is.
We shall see.
whitneymuse
New member
Re-scanned and at least the problem is (((gone))))
So, I'm hoping that problem is cured and it was something relatively new and recent and is now, gone...I have a couple other bootable partitions that I'll try on another day and come back to this one.
So, I'm hoping that problem is cured and it was something relatively new and recent and is now, gone...I have a couple other bootable partitions that I'll try on another day and come back to this one.