Microsoft Windows IE Firewall Bypass

northstar

Two recent scans revealed Microsoft Windows IE Firewall bypass
hkey_local_machine\system\controlset002\service\shared\access\p

I really would appreciate knowing what this scan result means and how it should be handled. Thank you for your assistance!
 
That doesn't look like the whole thing. Was it this?
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Program Files\Internet Explorer\IEXPLORE.EXE

If so, please see here:
http://forums.spybot.info/showthread.php?t=14824
Microsoft.Windows.IEFirewallBypass begins to be addressed around post 6 and then post 8, and beyond.
 
Firewall Bypass Message Continued

My scan only gave me the info which I reported. I read the responses; however, it was not clear to me what Spybot suggests as a result. If this is a common problem, what is the resolution? Or if it is a false positive, can we just say to delete the result? I have Windows firewall turned on, if that makes a difference.

I just ran the scan again and it didn't come up in the results. However, if it comes back, please advise what was previously concluded about what the entry means and what measure to take. Thank you.
 
Hmmm... to be truthful, I was only half paying attention to the threads about Microsoft.Windows.IEFirewallBypass, so I didn't really get the full gist of it myself. From what I'm reading, I wouldn't say it's a false positive, more of a security alert.
So, here are a couple simple explanations:
Yodama
http://forums.spybot.info/showpost.php?p=100359&postcount=35

hi,

these:
Microsoft.Windows.IEFirewallBypass: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

Microsoft.Windows.IEFirewallBypass: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE

are only of concern if you use the Windows firewall, all other firewalls are not affected by this.

Normally the Internet Explorer does not need to be authorized for the Windows firewall. It is only required for special purposes, like online virus scanners. If you just surf normally, you should let Spybot fix this, since it can be a security issue with malicious/hacked websites.

And md usa spybot fan (better to read the whole thread through):
http://forums.spybot.info/showthread.php?t=15170

The detections indicate that, if you were using the Windows firewall instead of the McAfee Firewall, Windows Internet Explorer (iexplore.exe) would be authorized to receive unsolicited incoming traffic which would be a potential security problem.

Since you are using the McAfee Firewall there is no current threat. However, the normal default setting of the Windows firewall does not include authorizing Windows Internet Explorer to receive unsolicited incoming traffic. Since the detection indicates an abnormal setting for the Windows firewall that may have been introduced by malware at some point in time, I suggest that you fix the detections with Spybot so that if the same detections return in the future you may be able to trace the source in the change to the Windows firewall.

Alan D....
http://forums.spybot.info/showpost.php?p=97038&postcount=24
This may be a case of the blind leading the blind, but here's my understanding of the situation:

1. This is a new detection, only added to the Spybot database in the last update (see here, under 'Security': http://forums.spybot.info/showthread...6665#post96665). That's why we haven't seen these alerts before.

2. The Windows firewall can be configured to 'authorize' certain programs to receive incoming requests from 'out there'. Usually there is no good reason why Internet Explorer should be one of these 'authorised' programs, and yet it apparently is, on many of our systems.

3. If Windows firewall is your only firewall, then this setting is a security risk. Spybot is offering to fix it by removing the authorization. It seems that in this case the correct action is to allow Spybot to fix it.

4. If your Windows firewall is disabled (because you're using another firewall instead) then it doesn't matter whether you let Spybot fix this or not, because you're not at risk.

I hope this is correct. If there's a mistake somewhere, please correct it, someone

Also, if you highlight Microsoft.Windows.IEFirewallBypass after it's found by a Spybot scan and then click the grey button to the right, there should be info about it there, to help you to decide whether to fix it or ignore it.

Here is how you can show on the forum what Spybot is finding, if you have a question about it:
Produce a short log (showing items flagged)
  1. Open SpyBot.
  2. Check for problems.
  3. When finished, right click and choose copy results (not the full report) to clipboard and post that into topic.

Hope that helps. If not, let me know, and I'll have another go at it. :)
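
The detection discussed above comes down to one value under the `AuthorizedApplications\List` key. As an added example (not part of any post in this thread and not Spybot's own code), the Python below parses such values and reports enabled Internet Explorer authorizations, so a disabled leftover entry is not flagged. The `path:scope:Enabled|Disabled:name` value layout, the function names and the sample values are assumptions made for the example.

```python
import re

# Key path as quoted in the thread; the ControlSet number varies (001, 002, 003).
LIST_KEY = (r"SYSTEM\{cs}\Services\SharedAccess\Parameters\FirewallPolicy"
            r"\StandardProfile\AuthorizedApplications\List")

# Assumed value-data layout: <exe path>:<scope>:<Enabled|Disabled>:<display name>
# The exe path contains a drive colon, so the path is matched lazily and the
# Enabled/Disabled field anchors the split.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$",
    re.IGNORECASE)

def parse_entry(data):
    """Split one AuthorizedApplications value into fields; None if malformed."""
    m = ENTRY_RE.match(data)
    if m is None:
        return None
    entry = m.groupdict()
    entry["enabled"] = entry.pop("state").lower() == "enabled"
    return entry

def ie_exceptions(values):
    """Return the enabled entries that authorize iexplore.exe."""
    hits = []
    for data in values:
        entry = parse_entry(data)
        if entry is None or not entry["enabled"]:
            continue  # malformed, or present but switched off
        if entry["path"].lower().endswith(r"\iexplore.exe"):
            hits.append(entry)
    return hits

def read_live(control_set="CurrentControlSet"):
    """Read the value data from the local registry (Windows only)."""
    import winreg
    path = LIST_KEY.format(cs=control_set)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return [str(winreg.EnumValue(key, i)[1]) for i in range(count)]

# Constructed sample values, not taken from any real system.
SAMPLE = [
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer",
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Disabled:Internet Explorer",
    r"C:\Tools\example.exe:LocalSubNet:Enabled:Example tool",
]

if __name__ == "__main__":
    for hit in ie_exceptions(SAMPLE):
        print("IE authorized, scope", hit["scope"], "-", hit["path"])
```

On a Windows machine, `ie_exceptions(read_live())` runs the same check against the live key instead of the sample.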
 
Just to add to this excellent roundup of information: the real concern for me (and others) was how it had come about in the first place - in other words, how had Internet Explorer found its way into the Windows firewall exception list? Had malware been responsible at some point? Yodama solved this by pointing out that an online AV scanner may require such access to Internet Explorer. So if you've ever used an online scanner at a time when you were using the Windows firewall, that may well be how it got there. It doesn't automatically imply that your system's been compromised.
 
I ran another scan and again it was clean. Because it is intermittent, I'm not sure if I understand from the posts what to do if I receive this same message again. What are the recommended action(s)? Is the system at any risk? I have run Kaspersky online AV scans recently and Windows firewall is on. Thank you for all the help.
 