Possible Microsoft.Windows.IEFirewallBypass False Positive

md usa spybot fan

Spybot Advisor Team [Retired]
It appears that there may be a defect in the coding of the signature(s) for Microsoft.Windows_IEFirewallBypass. The problem was first reported by Barry in the following thread:
The following registry entry, where Internet Explorer is added to the Windows Firewall exception list but is disabled:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
Results in the following detection:

Code:
--- Report generated: 2007-10-28 02:00 ---

Microsoft.Windows.IEFirewallBypass: [SBI $FFF24D3C] Settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE


--- Spybot - Search & Destroy version: 1.5  (build: 20070924) ---
That detection is the same as if Internet Explorer is added to the Windows Firewall exception list and is enabled as follows:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"


Code:
--- Report generated: 2007-10-28 02:03 ---

Microsoft.Windows.IEFirewallBypass: [SBI $FFF24D3C] Settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE


--- Spybot - Search & Destroy version: 1.5  (build: 20070924) ---
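
The distinction drawn in the post above, as an added example that is not from the thread or from Spybot: a check that matches only on the value name reports both entries, while one that parses the value data reports only the Enabled exception. The function names and the split of the value data into path, scope, status and display name are assumptions read off the entries shown above; how Spybot's signature actually matches is not shown on this page.

```python
import ntpath
import re

KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
       r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# The thread's value line; {} takes the status so both variants can be built.
ENTRY = (r'"C:\\Program Files\\Internet Explorer\\iexplore.exe"='
         r'"C:\\Program Files\\Internet Explorer\\iexplore.exe:*:{}:Internet Explorer"')

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumed data layout, read off the thread's entries: path:scope:status:display name
DATA_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<status>Enabled|Disabled):(?P<name>.*)$", re.I)


def sample_reg(status):
    """Rebuild the thread's .reg export with status 'Enabled' or 'Disabled'."""
    return "Windows Registry Editor Version 5.00\n\n[%s]\n%s\n" % (KEY, ENTRY.format(status))


def list_entries(reg_text):
    """Yield (value name, value data) found under an AuthorizedApplications\\List key."""
    in_list = False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            in_list = line.rstrip("]").lower().endswith(r"\authorizedapplications\list")
        elif in_list and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes; undo that.
            yield tuple(re.sub(r"\\(.)", r"\1", g) for g in m.groups())


def name_only_hits(reg_text, exe="iexplore.exe"):
    """Match on the value name alone: a Disabled exception is reported too."""
    return [n for n, _ in list_entries(reg_text) if ntpath.basename(n).lower() == exe]


def enabled_hits(reg_text, exe="iexplore.exe"):
    """Report only exceptions whose data marks them Enabled."""
    hits = []
    for _, data in list_entries(reg_text):
        m = DATA_RE.match(data)
        if m and m["status"].lower() == "enabled" \
                and ntpath.basename(m["path"]).lower() == exe:
            hits.append((m["path"], m["scope"], m["name"]))
    return hits


if __name__ == "__main__":
    for status in ("Disabled", "Enabled"):
        reg = sample_reg(status)
        print(status, "name-only:", name_only_hits(reg), "status-aware:", enabled_hits(reg))
```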
 
thanks for reporting,

this will be taken out of detection with the next update scheduled for the middle of this week.
 
Thanks for posting this - I had the same problem on two home PCs. At least I am getting smart enough not to "fix" an item until I am SURE that it needs fixing. Appreciate the info.
 
JohnBurns:

I have not re-tested the false positive. Did the 2007-10-31 or 2007-11-07 update fix the problem?

Regards,
md usa spybot fan
 
Yodama:

Would you please check the Microsoft.Windows.IEFirewallBypass signatures again.

I retested the Microsoft.Windows.IEFirewallBypass detection as I had originally. It now appears that neither the Enabled nor the Disabled entries are detected.

In other words the false positive for the following registry entry (Disabled) has been corrected:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
However, it now appears that there is a false negative (no detection) for the following registry entry (Enabled):

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
 
@md usa spybot fan

yes we currently deactivated the detection on this.
It will most likely be reactivated along the updates after the next main release.

@JohnBurns

could you post the date of the security.sbi on the computers still showing this issue?

you can find the date of the securityc.sbi and security.sbi after a scan in advanced mode - tools - view report - view report.
 
Not sure exactly what you need. Here is what I can find:

Spybot - Search & Destroy 1.5.1.17
Latest Detection 11/7/2007

eSupport.FFBiosExt: [SBI $12D696B9] System file (File, nothing done)
C:\WINDOWS\SYSTEM32\drivers\TVICHW32.SYS


--- Spybot - Search & Destroy version: 1.5 (build: 20071005)

Hope this helps.
 