Re: Spybot and BHO
Vanguard
Date: 03/27/05
- Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: MS05-002 on 9x and ME"
- Previous message: Rick T: "Re: MS05-002 on 9x and ME"
- In reply to: JD: "Re: Spybot and BHO"
- Next in thread: JD: "Re: Spybot and BHO"
- Reply: JD: "Re: Spybot and BHO"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 26 Mar 2005 23:32:13 -0600
"JD" <Erehwon@Example.com> wrote in message
news:%23BcnpfmMFHA.3960@TK2MSFTNGP12.phx.gbl...
> So do I correctly infer that the "immunize feature" is protection
> against malware, so that a system scan should never find any?
> Is it your view that enabling this feature is a good idea, or is it
> ever problematic? If the latter, how does one disable it--short of
> uninstalling and reinstalling Spybot?
> <Vanguard> wrote in message news:YvSdnZqJjPa7c9jfRVn-rg@comcast.com...
>> "JD" <Erehwon@Example.com> wrote in message
>> news:%23GlGiPlMFHA.3228@TK2MSFTNGP12.phx.gbl...
>>>I just installed Spybot S+D, and I notice that a BHO called "Bad
>>>download blocker" was installed in IE.
>>> I don't see anything about this in Help, and I'm curious as to what
>>> this add-on does.
>>> Is it a "real time" protection of some sort? Will it prevent the
>>> downloading of malware?
>>> Additionally, I wonder if someone can enlighten me regarding another
>>> BHO. This one is called Research, and it shows no name under
>>> Publisher and none under File name.
>>>
>>
>>
>> You enabled the Immunize feature in Spybot, so you told Spybot to
>> install its BHO.
>>
>> Use BHO Demon to list the BHOs that are installed. They also have a
>> database of known BHOs and maybe yours is one of them, so it will
>> show some vendor info for the BHO in its display listing the BHOs.
Catching changes is not the same as scanning files. Changes are
current. That won't detect an existing infection. Spybot's Immunize
feature does not block against spyware infiltrating into your system.
It adds sites to the Restricted Zone to neuter them when visited with
your browser. It also adds cookies to the Block list so that those that
Spybot deemed "bad" don't get put onto your hard drive - but there
are better methods of managing cookies than using someone else's
blacklist. The Immunize feature also adds registry entries known as
kill-bits to block the execution of "bad" ActiveX controls, but
SpywareBlaster is better for that. However, unlike what Spybot and
SpywareBlaster claim, the use of kill-bit registry entries does NOT
prevent the installation of these "bad" AX controls but only them
getting registered and being used (and does not prevent them from
actually existing on your drive). Adding domains to the cookie block
list, adding domains to the Restricted Sites list, and adding registry
kill-bit entries to thwart the execution of AX controls are all static
functions and don't require Spybot's BHO.
According to Spybot's own help about its Immunize feature, "This is a
second layer of protection for IE. While the Permanent Immunity blocks
installers by their ActiveX ID, this one blocks anything that should
come through by different aspects. You can view a log of blocked
installers in the Tools / Resident section." By different aspects? Oh
yeah, that's informative. The option reads, "Enable permanent blocking
of bad addresses in Internet Explorer". Of the times that I have seen
its Immunize BHO alert, it was for a cookie from a site on its "bad"
list. It doesn't look like the BHO exercises any of the spyware
signatures against an AX control download but instead just looks at the
domain from which it originates (and probably claims it is a bad AX
control if it came from a bad domain which means AX controls from other
sites are allowed despite being bad or good). Personally I don't care
just about the "bad" domains proliferating their BHOs but also want to
monitor BHOs coming from non-bad domains. Configure the Internet
security zone to always prompt when a site wants to download an AX
control. Use BHO Demon to list the BHOs and use its database of known
good and bad BHOs to let you identify the ones that are installed.
Actually scan for malware.
Spybot has its TeaTimer utility which acts as an IDS (intrusion
detection system) but it isn't that effective. Use Prevx instead (the
Home version is free) but knowing what the alerts mean requires
initiative and is not something for newbies.
--
____________________________________________________________
Post your replies to the newsgroup. Share with others.
E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
____________________________________________________________
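
The post's two checks (list the installed BHOs, and see whether a kill-bit exists for a control) can be done read-only from the registry. This is an added example, not part of the original post and not code from Spybot or BHO Demon. It assumes the standard Internet Explorer locations (the `Browser Helper Objects` key, `Classes\CLSID`, and `ActiveX Compatibility` with the `Compatibility Flags` value `0x400`) and covers machine-wide registrations only.

```powershell
# Added example: enumerate machine-wide IE Browser Helper Objects (BHOs),
# resolve each CLSID to its DLL and signer, and report whether a kill-bit is set.
# Read-only: nothing is written to the registry.
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE instantiating the control
$views   = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')   # 64-bit and 32-bit views

function Get-DefaultValue([string]$Path) {
    # Returns the (Default) value of a registry key, or nothing if the key is missing.
    if (Test-Path -LiteralPath $Path) { (Get-Item -LiteralPath $Path).GetValue('') }
}

$report = foreach ($view in $views) {
    $bhoRoot = "$view\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    if (-not (Test-Path -LiteralPath $bhoRoot)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid = $key.PSChildName
        $name  = Get-DefaultValue "$view\Classes\CLSID\$clsid"
        $dll   = Get-DefaultValue "$view\Classes\CLSID\$clsid\InprocServer32"

        # A BHO whose CLSID resolves to no file shows up with no publisher and no file name.
        $signer = 'file not found'
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.SignerCertificate) {
                "$($sig.Status): $($sig.SignerCertificate.Subject)"
            } else { 'unsigned' }
        }

        # The kill-bit lives under the control's own CLSID in ActiveX Compatibility.
        $compat = "$view\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
        $flags  = 0
        if (Test-Path -LiteralPath $compat) {
            $flags = [int]((Get-Item -LiteralPath $compat).GetValue('Compatibility Flags', 0))
        }

        [pscustomobject]@{
            CLSID   = $clsid
            Name    = $name
            File    = $dll
            Signer  = $signer
            KillBit = [bool]($flags -band $KillBit)
        }
    }
}
$report | Format-List
```

An entry that lists a `File` while `KillBit` is `True` is the situation the post describes: the control is still on disk, only its use in IE is blocked.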