BleepingComputer.com: Microsoft Anti-spyware Beta 1

Brief Comments at Langa.com got me thinking, maybe a preview would be good for our members.
Microsoft Anti-spyware Beta 1
Part I
"getting started"

Seems like it might be helpful to show screenshots of the newly released product.
Numbers link to pictures of the screens.
Sequentially.

1. Download and install this & it will appear as a 15.72MB program in Add/Remove programs.

2. Welcome screen introduces four key points which include:
A. Automatic Updates. B. Real-time Protection. C. SpyNet Community D. Scan

3. For testing purposes, I chose not to automatically update.

4. Real-time Protection is introduced as a Team of Security Agents working over 50 Security Checkpoints
while using your computer(s).

5. Here you are offered an opportunity to be involved in "the world's first anti-spyware network".
Automatically alert the community .

6. The final step in initial configuration.
All configurations can be changed later using either tools or the bold icons.

7. The Scan screen. Default setting is Quick Scan.
Two minutes estimated completion time.

8. The Scan screen. Optional Full system scan.
28 minutes estimated on my PC to completion.

At this point you are ready to scan & fix problems.
I thought I'd pause and check into the additional features more.
Starting with the files on the upper left.
Just curious.

9. Dropdown menu offers two choices. Check for updates is shown.

10. Choose to update, and this sorta thing will likely happen the first time.
It connects to www.giantcompany.com now.

Help menu on the toolbar might come in handy.
Overviews of what can be done are explained.
It turns out to be fairly comprehensive.
Informative in such a way that sheds light on the entire subject of Internet Security in fact.

11a. Select topics include:

• How do you get spyware?
  
• How does anti-spyware work?
  
• Maintaining protection from spyware.
  
• What to do when spyware is discovered.
  
• Is all spyware hazardous?

11b. and continue with:

• Understanding what is running on your computer.
  
• Running Tracks Eraser for privacy.
  
• Keeping spyware definitions current.
  
• Microsoft Anti-spyware features: Security Agents-->Application Agents.

11c. A good list of vulnerabilities needing attention continues:

• Microsoft Anti-spyware featurs: Security Agents-->Internet Agents
  
• Microsoft Anti-spyware featurs: Security Agents-->System Agents

11d. Further explanations are available...

• The use of Advanced Tools include a dozen specific problem resolvers.
  
• System Explorers are used to target more specific malfunctions.
  
• Terminology & Definitions involving spyware issues.
  
• The basic Help Appendix.

11e. Ending with the EULA & Privacy Statements.

12. Click About Microsoft Anti-spywre Beta 1 and learn they do not offer technical support.

• What they do offer is a outline of sensitive areas found within windows.
  
• Much like HijackThis!, only specific enumeration is offered in this highly granular program.

Microsoft Anti-spyware is available free to windows OS users

BTW, Brief Comments at Langa.com are available to anyone who wants to recieve an email from a subscriber.
That'd be me.
phawgg"at"gmail.com.
PM me or let me know your address if you're interested in what was said.

You can subscribe yourself, also.
Visit his well-respected site for details.

This post has been edited by phawgg: 15 January 2005 - 10:06 PM

More screenshots of the newly released product.

Microsoft Anti-spyware Beta 1
Part II
"settings"

The file and help toolbar buttons have been clicked & briefly examined.
There is more to see & learn.

The toolbar also contains options and tools, and three big icons.
Open the program (after having used it a few times) and you'll see this screen.
1. Options dropdown menu is highlighted.
Settings = Options since it is your only choice.

2. Settings include:

• Startup options. Good programs will allow you to control these yourself.
  
• Real-time Protection
  
• Script-Blocking options

On the left are additional big icons.

• AutoUpdater.
  
• Real-time Protection.
  
• Alerts.
  
• SpyNet Anti-spyware Community.
  
• Spyware Scan.
  
• General.

3. AutoUpdater. Two types are involved here:

• New spyware definitions, or signatures.
  
• Software updates.

Included also on this page:

• Option stating "new spyware definitions can be applied without interupting you." or
  
• you will be aleted to manually update.
  
• Choice regarding notification of software updates is available.

4. Real-time Protection. Several options exist:

• Startup at reboot (or not)
  
• Real-time protection enabled or disabled.
  
• Script-blocking involving .vbs or .reg files set either on alert or prevent running.

5. Alerts. Three basic types of alerts.

• Alerted to the preventation of action. Enable or Disable.
  
• Alerted to changes that occur when known non-malware acts. Enable or Disable.
  
• Alerted to Ignored Threat not being prevented. Enable or Disable.

6. SpyNet Anti-spyware Community. More or less an error reporting feature.

7. Scan Settings. Two.

• Display Results of scan. Enable or Disable.
  
• A place to copy/paste threats to ignore in future scans.
  
• False positives & tolerable positives, perhaps belong here.

8. General Settings. Three final settings:

• Select mode: Knowledgeable User or Novice User
  
• Include technical Information in selection details? Yes or No
  
• Hide Microsoft Anti-spyware tray icon (if applicable)? Yes or No.

That about does it for the settings.
They are accessible from other clicks.
A wide variety of uses can be arranged to suit user preferences with this program.

This post has been edited by phawgg: 15 January 2005 - 10:07 PM

Microsoft Anti-spyware Beta 1
Part III
"tools"

1. Dropdown menu tools has five options:

• Summary
  
• Spyware Scan
  
• Real-time Protection
  
• Advanced Tools
  
• Suspected Spyware Report...

1. Summary shows six areas are identified as requiring attention:

• Date of Last Scan
  
• Results of Last Scan
  
• Scan Schedule.
  
• Status of Real-time Coverage.
  
• Date of Last Definitions Downloaded
  
• Status of AutoUpdater.

Additional links to other screens of course are included.
I think all screens can be accessed from the toolbar.

2. Spyware Scan yields a flyout menu with four additional options:

• 2a. Run a scan now (Quick)
  
• 2b. Run a scan (Full)
  
• 2c. Manage Spyware Quarantine.
  
• 2d. Manage Spyware Scan Schedule.
  
• 2e. View Spyware Scan History.

3. Real-time Protection will allow you to choose from five subjects:

• Internet Agent
  
• System Agent
  
• Application Agent
  
• View All Blocked Events
  
• View Security Agent Events

This is where things get real interesting, IMO.
The 50+ areas of involvement, that malware can foul up in the operating system, are brought into the light.
Logically and with adequate definitions, for the most part.

This post has been edited by phawgg: 15 January 2005 - 11:35 PM

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

Basically the real-time protection, or resident protection is against spyware/malware.
Resident protection also is a feature of several other applications, or programs.

• Anti-virus programs use resident protection against viruses.
  
• They reside in your PC and monitor specific functions of it.
  
• Blocks things.
  
• Firewalls provide resident protection.
  
• They block files or "traffic" coming in & going out while connected online.
  
• Host file programs offer a form of resident protection.
  
• They block individual website access.
  
• ActiveX & some Java downloads are blocked by SpywareBlaster/SpywareGuard.
  
• SpywareGuard does this running as a resident program.
  
• Dynamic Library Link (.dll) changes are identified by Spybot S&D's Tea Timer.
  
• It is a resident protection program, allowing a user to accept or deny the changes,
  
• whether they be good, bad or unknown to the user.

A wide variety of Internet Security programs are no different.
Variations on the theme, so to speak,
and essentially effective to varying degrees of success.
The updating of signatures & definitions of the specific
problems they intend to combat largely influence the effectiveness.

Microsoft's purchase and re-introduction of this product reflects
an effort to illuminate the concepts involved of what seems to be a complex issue.

If for no other reason, the help menus and the documentation of
options available create a good opportunity to learn some hows & whys of security software.
Presently it is available at no charge.
I recommend downloading it.

Once again,
Real-time Protection will allow you to choose from five subjects:

• Internet Agent.
  
• System Agent.
  
• Application Agent.
  
• View All Blocked Events.
  
• View Security Agent Events.

I think each should be examined exactly as they are presented in the sequential screens.
Each offers malware authors an opportunity to foul up our PC's.

1. Internet Agent. Nine checkpoints are listed & defined in the "detail" column. 1a

• Dialup Connection.
  
• Monitors for unauthorized dialup activity on your computer modem(s).
  
  
  
• Helps to prevent dialer spyware from running.
  
• Dialer spyware is software that dials a phone number over your computer's modem.
  
• Most dialer programs connect to toll numbers without your knowledge
  or permission and incur phone charges on your phone bill.
  
  
  
• WiFi Connection.
  
• The WiFi Connection Agent monitors access from other users on your wireless network.
  
  
  
• When a new user enters your WiFi network, the agent notifies you.
  
  
  
• Internet Safe Sites.
  
• The Internet Safe Sites agent monitors to prevent unauthorized Web sites
  from being added to your list of Internet safe sites.
  
  
  
• Safe sites are Web sites that you trust not to damage your computer.
  
• When you visit a safe site, IE uses a lower security setting and allows scripts,
  including potentially dangerous ones, to run on your computer.
  
  
  
  
• Winsock Layered Service Providers.
  
• Monitors additions and modifications to Windows Winsock layered service providers.
  
  
  
• Layered service providers are sometimes manipulated by spyware applications known as Winsock redirectors.
  
• Layered service providers are a way to connect a piece of software to the Winsock implementation on your computer.
  
  
  
• Because the layered service providers are connected together, when Winsock is used,
  the data is transported through each layered service provider in the chain.
  
  
• Spyware can use layered service providers to view all traffic transported over your Internet connection.
  
• You should use extreme caution when deleting these objects,
  because if it is removed without properly fixing the gap in the chain, you can lose Internet access.
  
  
  
• Windows Messenger Service.
  
• Monitors the Windows Messenger service.
  
  
  
• Messenger service protection helps prevent Windows Messenger service spam on your computer.
  
• The Windows Messenger service, also known as net send,
  can be exploited to spread unsolicited commercial e-mail.
  
  
  
• There is no update to prevent receiving such spam, although most firewall software prevents it.
  
• Disabling the Windows Messenger Service will also prevent such spam.
  
• The Windows Messenger Service,
  not to be confused with the Microsoft MSN Messenger chat client,
  is enabled by default on Windows 2000 and Windows XP operating systems.
  
  
  
• Unauthorized users of your computer can use the Windows Messenger Service
  to cause a pop-up window to appear on your computer.
  
• Every Windows XP and Windows 2000 computer has a service running
  in the background called the Messenger service.
  
• This is a part of the operating system that is used by network administrators
  to send messages to users on a company network.
  
• The Messenger service allows the net send function to communicate across networks.
  
  
  
• Alerters are another function that can use the Messenger service to communicate across networks.
  
• If you have ever received a message from the uninterruptible power supply—
  that it has passed a self-test,
  or went to battery for a moment due to a spike in the power supply—
  then you have received an alerter message.
  
  
  
  
• Spam Zombie Protection.
  
• Prevents spyware from sending spam from your computer.
  
• It prevents your computer from becoming a source of spam.
  
  
  
• Spammers take advantage os security exploits and spyware to
  install spam "zombies" on personal computers with the intention
  of sending out spam emails from that computer without your knowledge.

1b each of these targeted areas can be activated or made inactive dependent on the user's preference.

• Internet Proxy Server.
  
• Monitors unauthorized changes or additions to your Internet Explorer proxy server.
  
  
  
• A proxy server is a server between your Internet Explorer Web browser and a network server.
  
• It intercepts all requests to the network server to check whether the proxy server can fulfill the requests.
  
• If not, the proxy server forwards the request to the network server.
  
• Proxy servers have two main purposes: improve performance and filter requests.
  
  
  
• Name Server Protection.
  
• There is a file on your computer that Internet Explorer uses when you reset options to the Windows default.
  The file c:\windows\inf\iereset.inf contains the default settings for your computer.
  
  
  
• When you reset a setting, Windows reads the file and changes the setting to whatever is in the file.
  
• If spyware changes the information in the file, your computer is re-infected each time you attempt to reset
  the settings.
  
• A copy of the original file needs to be installed
  or the default settings must be manually reentered.
  
• Computer manufacturers or system administrators can change
  the default Internet settings according to corporate requirements.
  
  
  
  
• TCPIP Parameters.
  
• Monitors spyware threats that can modify
  various TCP/IP parameters used by Windows to send and receive network data.
  
  
  
• TCP/IP configuration parameters are registry parameters
  that are used to configure the protocol driver (Tcpip.sys)
  and implements the standard TCP/IP network protocols.
  
  
  
• Some spyware threats such as CoolWebSearch can modify
  these parameters and take advantage of your computer.
  
  
  
• There may be unusual circumstances in customer installations
  where changes to certain default values are appropriate.
  
• To handle these cases, optional registry parameters can be created
  to modify the default behavior of some parts of the protocol drivers.
  
• The Windows TCP/IP implementation is largely self-tuning.
  
  
  
• Adjusting registry parameters without careful study may reduce your computer's performance.

This post has been edited by phawgg: 16 January 2005 - 06:03 PM

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

2. System Agent.

1 of 25 checkpoints are listed & defined in the "detail" column.
one of twenty-five, seems to teach the concept fairly well
(Not all of these are available at this time, it seems)

• Windows Hosts File
  
  
  
• Monitors changes to your system hosts file.
  
• If a new entry is made, or an older entry is modified or deleted,
  
• an alert prompts you to confirm the change.
  
  
  
• The host file is used to perform domain-name-to-IP-address translation,
  
• also known as host file redirection, for Web sites.
  
  
  
• Assume the following entry is in the hosts file: 192.168.0.12 www.microsoft.com.
  
• If you enter www.microsoft.com in the Internet Explorer address bar,
  
• Windows uses the hosts file to resolve the entry to IP address 192.168.0.12
  
• and the browser is directed to that address.
  
  
  
• However, the Web site may not be the one you expected;
  
• some spyware applications attempt to change your hosts file
  
• to redirect your browser to a different Web site.
  
  
  
• If spyware adds an entry like 192.168.0.12 www.woodgrovebank.com to the hosts file
  
• (and 192.168.0.12 is not the correct IP address for Woodgrove Bank),
  
• when you type www.woodgrovebank.com in the address bar
  
• you would be redirected to 192.168.0.12 and not to www.woodgrovebank.com.
  
  
  
• Some redirectors use this technique to redirect browsers from popular sites to their own sites.
  
  
  
• It's possible to redirect all popular search engines to a Web site of your choice.
  
  
  
• This kind of attack can be difficult to fix, and repair often requires special software
  
• or detailed instructions from a technical support person.
  
  
  
• Another attacker might change auto.search.msn.com to redirect the browser to his Web site.
  
  
• Then, whenever you enter an incorrect URL, your browser is redirected to auto.search.msn.com.
  
  
• The name is then resolved to a different IP address.
  
  
  
• Resetting browser settings does not repair this issue because this sets your search page
  
• back to auto.search.msn.com, and leaves the hosts file unaltered.

This post has been edited by phawgg: 16 January 2005 - 05:50 PM

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

2. System Agents.

Numbers 2-6 of 25 checkpoints
listed & defined in the "detail" columns of the system agents screen.
(Not all of these are available at this time, it seems)

• Windows Services
  
  
• Prevents unauthorizes programs from adding themselves to Windows Services.
  
  
• A Windows service is a process or processes that add functionality by providing support to other programs.
  
• These services can run in the background without any user interaction and load a boot intialization, prior to logon.
  
  
  
• Context Menu Handler
  
  
• Monitors unauthorized changes to Windows Context menus.
  
  
• A context menu handler is a shell extension handler that adds commands to an existing context menu.
  
• They are associated with a particular file class.
  
• They're called on any time a context menu is displayed for a member of that class.
  
  
• While you can add items to a file class context menu with the registry,
  
• those items are the same for all members of the class.
  
  
• By implementing and registering a handler, you can dynamically add items to an object's context menu,
  
• customized for the particular object.
  
  
  
• Shell Execute Hook
  
  
• Monitors changes to the system Shell Execute Hooks.
  
  
• A shell execute hook is a program that is loaded into the Windows shell, Explorer.exe.
  
  
• Any shell execute hook program will receive all execute commands that are run on the computer.
  
  
• This type of integrated program can either accept or reject a command to start a particular program.
  
  
  
• Shell Open Commands
  
  
• Monitors changes to the system shell open commands.
  
  
• Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the registry.
  
• Any command imbedded here will open when any .exe file is executed.
  
• If keys don't have the "\"%1\" %*" value as shown, and are changed to something like
  
• "\"somefilename.exe %1\" %*" they willautomatically run the specified file.
  
  
  
• As part of their routine, many worms and Trojans make changes to the registry.
  
• Some change one or more of the shell\open\command keys.
  
• If these keys are changed, the worm or Trojan will run each time that you run certain files.
  
  
• For example, if the \exefile\shell\open\command key is changed,
  
• the threat will run each time that you run any exe file.
  
• This may also stop you from running the Registry Editor to try to fix this.
  
  
  
• Windows System.ini File
  
  
• Monitors additions and modifications to the Windows
  system.ini file.
  
  
• The C:\windows\system.ini file is an initialization file
  
• used by the OS to initialize system settings.
  
• Including the fonts, keyboard, language and various other settings.
  
  
• The shell = statement in the system.ini is used to designate
  
• which program will act as the shell for the operating system.
  
  
• The Shell is the program that would load your desktop,
  
• handle window management, and allow you to interact with the system.
  
  
• Any program listed after the shell statement will be loaded when Windows starts, and act as the default shell.
  
  
• It is also possible to list other programs that will run as Windows loads in the same Shell = line,
  
• For example Shell=explorer.exe spyware.exe.
  
• This line will make both programs start when Windows loads.

This post has been edited by phawgg: 16 January 2005 - 05:49 PM

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

3. System Agents.

Numbers 7-12 of 25 checkpoints
listed & defined in the "detail" columns of the system agents screen.
(Not all of these are available at this time, it seems)

• Windows Directory Trojans
  
  
• Monitors spyware threats that can load a particular file when Windows starts.
  
  
  
• A common technique that spyware, viruses, keyloggers, and others use to hide the damage
  
• being done is to drop files that use the same name as a legitimate OS file.
  
• Trojans using names such as spoolsv.exe or csrss.exe have been found.
  
  
  
• Windows Extensions
  
  
• Monitors unauthorized changes to the system's list of Windows extensions.
  
  
  
• Windows Win.ini File
  
  
• monitors additions and modifications to the Windows Win.ini file.
  
  
  
• The Windows initialization file is located at C:\windows\win.ini.
  
• Win.ini is used to load various settings each time Windows starts.
  
  
• The communications drivers, wallpaper, screen saver, languages, and fonts,
  
• are loaded each time win.ini is initialized.
  
• If this file becomes corrupt, Windows will either not load, or will have several errors as it loads.
  
  
• Any programs listed after run= or load= in win.ini will load when Windows starts.
  
  
• This run= statement was used with older versions of Windows and is included for backward compatibility.
  
• Most programs today do not use this setting, and if you do not use older programs these entries should not exist.
  
• The load= statement was used to load drivers for hardware but is no longer used.
  
  
  
• Control.ini Policy
  
  
• Monitors for changes to the controls in Control Panel.
  
  
  
• It's possible to disable controls in Control Panel by adding an entry to the C:\windows\control.ini file.
  
• In Control.ini, you can specify which control panels can be viewed.
  
• If inetcpl.cpl=no, your settings may have been changed by software or by your system administrator.
  
  
  
• Ini File Mapping
  
  
• Monitors applications that install in an .ini file mapping location.
  
  
  
• Win2000, WinXP, and other more recent Microsoft OS versions, don't generally use the system.ini and win.ini files.
  
• For backward compatibility, they use a function called IniFileMapping.
  
  
• IniFileMapping puts all the contents of an .ini file in the registry with keys for each line in the .ini file.
  
• When you run a program that normally reads settings from an .ini file, Windows first checks the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping for an .ini mapping.
  
• If found, Windows reads the settings from the registry instead of the .ini file
  
  
  
• Shared TaskScheduler
  
  
• Monitors unauthorized programs that can add themselves as start values when
  Windows loads.
  
  
  
• The files listed in Shared TaskScheduler run automatically when you start Windows.
  
• Windows executes instructions in the Windows Task Scheduler,
  
• or any other scheduler that supplements or replaces the Task Scheduler.
  
• The Task Scheduler is part of all Windows versions except the first version of Windows 95,
  
• but is included in Windows 95 if the Microsoft Plus Pack was installed

This post has been edited by phawgg: 16 January 2005 - 05:46 PM

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

4. System Agents.

Numbers 13-17 of 25 checkpoints listed & defined in the "detail" columns of the system agents screen.
(Not all of these are available at this time, it seems)

• Approved Shell Extensions
  
  
• Monitors unauthorized changes to Windows shell extensions.
  
  
  
• Shell extensions enable developers to add functionality to the existing Windows shell.
  
  
  
• Examples of shell extensions are context menus
  
• (menus that change based on what object has focus when you right-click),
  
  
  
• property sheet handlers
  
• (tabbed pages that appear when the Properties menu item is selected from an object’s context menu),
  
  
  
• icon overlays
  
• (the arrow on top of an icon that points to a shortcut or the hand that appears on shared folders),
  
  
  
• or folder customizations.
  
  
  
  
• Shell Service Object Delay Load
  
  
• Monitors unauthorized programs that add themselves as start values when Windows loads.
  
  
  
• Files listed in ShellServiceObjectDelayLoad are loaded automatically by Explorer.exe at startup.
  
• Because Explorer.exe is the shell for your PC, it always starts loading the files under this key.
  
• These files are loaded early in the startup process, before any human intervention occurs.
  
  
  
• The ShellServiceObjectDelayLoad registry is
  
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad,
  
• and it contains values in a way similar to the Run key.
  
• The difference is that instead of pointing to the file itself, it points to the CLSID InProcServer,
  
• which contains the information about the particular .dll file that is being used.
  
  
  
• User Shell Folders
  
  
• monitors unauthorized changes to the system's User Shell Folder settings.
  
  
  
• Shell folders indicate the default location for many types of settings and data.
  
• These folders are usually common system folders such as My Documents, My Pictures, Program Files,
  
• and other standard Windows folders.
  
  
  
• The default user shell folders location is in %USERPROFILE% which is C:\Documents and Settings\user.
  
  
• Some common shell folders include:
  
  
• CD Burning
  
  
• Desktop
  
  
• Document Templates
  
  
• Favorites
  
  
• Installation Path Windows Installer default install folder location
  
  
• My Documents
  
  
• My Music
  
  
• My Pictures
  
  
• Programs
  
  
• SendTo
  
  
• Shared Documents
  
  
• Shared Music
  
  
• Shared Pictures
  
  
• Start Menu
  
  
• Startup
  
  
• Common Admin Tools
  
  
• Common AppData
  
  
• Common Desktop
  
  
• Common Favorites
  
  
• Common Programs
  
  
• Common Start Menu
  
  
• Common Startup
  
  
• Common Templates
  
  
  
• Winlogon Shell
  
  
• Monitors unauthorized changes to your Winlogon Shell setting.
  
  
  
• The Winlogon Shell is automatically loaded when you log on to Windows.
  
• The shell is the main user interface (UI) that you use to manage Windows.
  
  
  
• In most cases, this is Windows Explorer (Explorer.exe).
  
• However, the Windows shell can be changed to point to another program.
  
• If this is the case, that program will start every time you log on.
  
  
  
• Winlogon Userinit
  
  
• Monitors unauthorized changes to your Winlogon Userinit setting.
  
  
  
• The Winlogon Userinit setting specifies the programs that Winlogon runs when you log on.
  
• By default, Winlogon runs Userinit.exe, which runs logon scripts,
  
• reestablishes network connections,
  
• and starts Explorer.exe, the Windows user interface.
  
  
  
• You can change the value of this entry when you add or remove programs.
  
  
  
• For example, to have a program run before the Windows Explorer user interface starts,
  
• substitute the name of that program for Userinit.exe in the value of this entry,
  
• then include instructions in that program to start Userinit.exe.
  
• You might also substitute Explorer.exe for Userinit.exe if working offline and are not using logon
  scripts.
  
  
  
• Note: The entry remains in the registry to support programs designed for Windows NT 4.0 or earlier.

This post has been edited by phawgg: 16 January 2005 - 07:02 PM

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

5. System Agents.

Numbers 18-22 of 25 checkpoints listed & defined in the "detail" columns of the system agents screen.
(Not all of these are available at this time, it seems)

• AppInit DLL
  
• Monitors unauthorized changes or additions to the AppInit_DLL files registry value.
  
  
  
• The AppInit_DLL files registry value contains a list of .dll files that are loaded when user32.dll is loaded.
  
  
  
• Because most Windows executables use user32.dll,
  
• any .dll file that is listed in the AppInit_DLL files registry key is also loaded.
  
• This makes it difficult to remove the .dll file because it is loaded with multiple processes,
  
• some of which cannot be stopped without causing operating system instability.
  
• User32.dll is also used by processes that are automatically started when you log on.
  
• This means the files loaded in the AppInit_DLL files value are loaded early in the Windows startup routine,
  
• allowing the spyware to hide itself or protect itself before you have access to the system.
  
  
  
  
• The AppInit_DLL files are loaded with LoadLibrary during the DLL_PROCESS_ATTACH of User32.dll.
  
• As a result, executables that don't link with User32.dll do not load the AppInit_DLL files.
  
• Very few executables do not link with User32.dll.
  
• Because of their early loading, only API functions exported from Kernel32.dll are safe to use within the initialization of the AppInit DLL files.
  
  
  
  
• The AppInit_DLL files value is type REG_SZ.
  
• This value should specify a NULL- terminated string of .dll files,
  
• which is delimited by spaces or commas.
  
• Because spaces are used as delimiters, no long file names should be used.
  
• The system does not recognize semicolons as delimiters for these .dlls.
  
  
  
  
• Only the first 32 characters of the AppInit_DLL files value are picked up by the system.
  
• Because of this 32-character limit, all the AppInit_DLL files should be located within the system32 directory.
  
• This eliminates the need to include a path, thus allowing multiple .dll files to be specified.
  
  
  
• Normally, only the Administrators group and the LocalSystem account have write access to the key containing the AppInit_DLL files value.
  
  
  
  
• Explorer Trojan
  
• Monitors known explorer Trojans.
  
  
  
• Windows loads the file explorer.exe, typically located in the Windows directory, at startup.
  
• However, if the file C:\explorer.exe exists, it is executed instead of the Windows explorer.exe.
  
• If C:\explorer.exe is corrupt, you can effectively be locked out of your computer.
  
  
  
• If C:\explorer.exe is a Trojan, it is executed.
  
• Unlike other autostart methods, there is no need for any file or registry changes—the Trojan just has to be named
  
• C:\explorer.exe to be disruptive.
  
  
  
  
• Windows Password Protection
  
• Monitors unauthorized changes to your Windows auto-logon preferences.
  
  
  
• In Windows XP Professional you can automate the logon process by storing your password
  
• and other pertinent information in the registry.
  
• Using this feature, other users can start your computer and use your account to log on automatically.
  
  
  
  
• Enabling auto-logon can make it more convenient to use WinXP Pro, but this feature is a security risk.
  
• Setting for auto-logon means anyone who can physically access to computer can access all of the computer's content,
  
• including access to any networks it is connected to.
  
  
  
• Another risk is that enabling auto-logon causes the password to be stored in the registry in plain text.
  
• The registry key that stores this value is remotely readable by the Authenticated Users Group.
  
• As a result, this setting is appropriate only when the computer is physically secured,
  
• and unauthorized users are prevented from remotely accessing the registry.
  
  
  
  
• Windows Update Service
  
• Monitors modifications to your Windows Update access settings.
  
  
  
• Newer versions of Windows OS include an Automatic Updates feature,
  which can automatically download the latest security and application updates
  from Microsoft while your computer is on and connected to the Internet.
  
• Windows Update access restriction prevents computers from connecting to the Windows Update Web site.
  
• This restriction would prevent the computer from receiving the latest Windows updates from Microsoft.
  
  
  
  
• Windows Protocols
  
• Monitors redirector (hijacker) threats from overriding standard protocol drivers.
  
  
  
• One spyware technique is to take control of the Windows protocol filters and handlers
  used to send and receive information.
  
  
  
• IE uses two mechanisms to register new URL protocol handlers.
  
• The first method is to register a URL protocol and its associated application --
  
• All attempts to navigate to a URL using that protocol launch the application.
  
• For example, registering applications to handle mailto or news URLs.
  
  
  
• The second method uses the Asynchronous Pluggable Protocols API,
  which enables you to define new protocols by mapping the protocol scheme to a class.

This post has been edited by phawgg: 16 January 2005 - 07:03 PM

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

6. System Agents.

Numbers 23-25 of 25 checkpoints listed & defined in the "detail" columns of the system agents screen.

• Windows Restrict Anonymous
  
• Monitors modifications to your Windows Restrict Anonymous settings.
  
  
  
• Windows has a feature where anonymous users can list domain user names and enumerate share names.
  
• Users who want enhanced security can restrict this functionality.
  
• Windows provides a mechanism for administrators to restrict the ability for anonymous logon users,
  also known as NULL session connections, to list account names and enumerate share names.
  
• Listing account names from domain controllers is required by the Windows NT ACL editor, for example,
  to obtain the list of users and groups to select who a user wants to grant access rights.
  
• Listing account names is also used by Windows NT Explorer to select from lists of users and groups to grant access to a share.
  
  
  
  
• Windows NT networks based on a single Windows NT domain
  can always authenticate connections to list domain account information.
  
• Windows NT networks that use multiple domains may require anonymous user logon to list account information.
  
  
  
• A brief example shows how anonymous connections are used.
  
• Consider two Windows NT domains, an account domain and a resource domain.
  
• The resource domain has a one-way trust relationship with the account domain.
  
• That is, the resource domain "trusts" the account domain, but the account domain does not trust the resource domain.
  
• Users from the account domain can authenticate and access resources in the resource domain based on the one-way trust.
  
• Suppose an administrator in the resource domain wants to grant access to a file to a user from the account domain.
  
• They will want to obtain the list of users and groups from the account domain to select a user/group to grant access rights.
  
• Since the account domain does not trust the resource domain,
  the administrator request to obtain the list of users and groups from the resource domain cannot be authenticated.
  
• The connection is made using a NULL session to obtain the list of account domain users.
  
  
  
• Windows Logon Policies
  
• Monitors unauthorized additions and modifications to Windows logon policies.
  
  
  
• The Windows logon utility manages user logon and logoff actions.
  
• The utility prompts you for the password when you log on and enables you to log off or shut down.
  
  
  
• Windows logon is designed around an interactive logon model that consists of three components:
  
• the Winlogon executable,
  
• a graphical user interface, GUI
  
• an authentication dynamic-link library, DLL, referred to as the GINA,
  and any number of network providers.
  
  
  
• WOW Boot Shell
  
• monitors spyware threats that can load a particular file when Windows starts.
  
  
  
• WOW\Boot\Shell is a Windows registry entry
  that allows a particular program to be shelled (loaded) when Windows starts.

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

7. Application Agents.

Numbers 1-4 of 25 checkpoints listed & defined in the "detail" columns of the application agents screen.

• Process Execution
  
• Monitors unknown processes and alerts you if one is attempting to run on your computer.
  
  
  
• If known spyware is trying to run, the agent attempts to prevent the process from starting
  and warns you that you have spyware installed.
  
• You are provided with the option to remove the spyware before it can run.
  
• This feature helps to prevent known spyware installers from installing spyware on your computer.
  
  
  
• An executed process is a program or application that is currently running on your computer.
  
• You can see a list of most running processes in Task Manager.
  
  
  
  
• Running Process
  
• Monitors unknown processes attempting to execute on your computer.
  
  
  
• If a known spyware processes is attempting to execute, the process is blocked from starting.
  
• You are warned spyware is installed, and given the option to remove the spyware before it can run.
  
  
  
• A running process is a program or application that is currently running on your computer.
  
• You can see a list of most running processes in Task Manager.
  
  
  
  
• Startup Files
  
• Monitors additions and modifications to your list of startup programs.
  
  
  
• If a new startup program is added to your user or all users startup folder, the agent alerts you.
  
• If the program added is known to be safe, the agent will allow it.
  
• If it is known to be spyware, it is blocked. You are warned.
  
  
  
• Startup files are shortcut links to files or actual files.
  
• They are located in your startup folder (C:\\documents and settings\USERNAME\start menu\programs\startup)
  
• Also in the global Startup folder (C:\documents and settings\All Users\start menu\programs\startup).
  
  
  
• Applications that are listed in the startup folders are loaded automatically when Windows starts.
  
• For example, if you put a Microsoft Word document in the Start Up folder, Word will run
  and automatically open that document.
  
• If you put a WAV file there, your audio software will play the music.
  
• if you put a Web-page Favorites there, IE (or your choice of a browser) will run and open that Web page.
  
• These examples could just as easily be shortcuts to a WAV file or a Word document, and so on.
  
  
  
• Any files or shortcut files placed in the All Users Startup Folder are used for programs
  
• that should be auto started for all users who will log on to this computer.
  
• This folder applies to all Windows NT, 2000, XP and 2003 versions. Possible folder paths are:
  
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  
• C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
  
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  
  
  
  
• Any files or shortcut files placed in the User Profile Startup Folder will be executed
  for the user who logs on that corresponds to this folder.
  
• C:\windows\start menu\programs\startup
  
• C:\Documents and Settings\LoginName\Start Menu\Programs\Startup
  
  
  
  
  
• Startup Registry Files
  
• Monitors additions and modifications to the list of startup programs in your system registry.
  
  
  
• If a new startup program is added to any startup registry location, you are notified.
  
  
  
• If the program being added is known to be safe, it's allowed.
  
• If it is known to be spyware, it will be blocked and you are warned of the fact.
  
  
  
  
• Startup registry keys are a number of registry entries in the Windows registry
  that store paths to applications on your computer.
  
• Applications listed in any registry keys are loaded automatically when Windows starts.
  
• These keys generally apply to Windows 95, 98, ME, NT, 2000, XP, and 2003.
  
• The startup registry keys are as follows:

Registry Local Machine Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Any application path placed in this location will start when any user logs into Windows.
These are the most common startup locations for programs to install auto start from.
By default these keys are not executed in Safe mode.
If you prefix the value of these keys with an asterisk, *, is will run in Safe Mode.



Registry Current User Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Any application path placed in this location will start when the current user for this key logs into Windows.
These are the most common startup locations for programs to install auto start from.
By default these keys are not executed in Safe mode.
If you prefix the value of these keys with an asterisk, *, is will run in Safe Mode.



Registry Local Machine RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Any application path placed in this location will start when any user logs into Windows.
These keys are designed to be used primarily by Setup programs.
Entries in these keys are started once and then are deleted from the key.
If there a exclamation point preceding the value of the key, the entry will not be deleted
until after the program completes, otherwise it will be deleted before the program runs.
This is important, because if the exclamation point is not used,
and the program referenced in this key fails to complete,
it will not run again as it will have already been deleted.
All entries in this key are started synchronously in an undefined order.
Due to this, all programs in this key must be finished before any entries in
HKEY_LOCAL_MACHINE\...\Run,
HKEY_CURRENT_USER\...\Run,
HKEY_CURRENT_USER\...\RunOnce,
and Startup Folders can be loaded.



Registry Current User RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Any application path placed in this location will start when the current user for this key logs into Windows.
These keys are designed to be used primarily by Setup programs.
Entries in these keys are started once and then are deleted from the key.
If there a exclamation point preceding the value of the key, the entry will not be deleted
until after the program completes, otherwise it will be deleted before the program runs.
This is important, because if the exclamation point is not used,
and the program referenced in this key fails to complete,
it will not run again as it will have already been deleted.
All entries in this key are started synchronously in an undefined order.
Due to this, all programs in this key must be finished before any entries in
HKEY_LOCAL_MACHINE\...\Run,
HKEY_CURRENT_USER\...\Run,
HKEY_CURRENT_USER\...\RunOnce,
and Startup Folders can be loaded.


Registry Local Machine RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx



Registry Current User RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx



Registry Local Machine RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce



Registry Local Machine RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

This key is designed to start services as well for all users.
These entries can also continue running even after you log on, but must be completed before the
HKEY_LOCAL_MACHINE\...\RunServices registry can start loading its programs.


Registry Current User RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

This key is designed to start services as well for the current user.
These entries can also continue running even after you log on, but must be completed before the
HKEY_CURRENT_USER\...\RunServices registry can start loading its programs.


Registry Local Machine Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This key is designed to start services as well for all users.
These keys is generally used to load programs as part of a policy set in place on the computer or user.


Registry Current User Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
This key is designed to start services as well for the current user.
These keys is generally used to load programs as part of a policy set in place on the computer or user.


Load Key
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
This key is not commonly used, but can be used to auto start programs

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

7. Application Agents.

Numbers 5-6 of 25 checkpoints listed & defined in the "detail" columns of the application agents screen.

• ActiveX Installation
  
• monitors ActiveX applications that are downloaded through Internet Explorer.
  
  
  
• If the ActiveX program is known to be safe, it is allowed to run.
  
• If it is known to be spyware, it is automatically blocked.
  
  
  
• ActiveX applications are programs downloaded from Web sites.
  
• They are stored in C:\windows\Downloaded Program Files.
  
• They are also referenced in the registry by their class ID (CLSID).
  
• There are many legitimate ActiveX applications that IE regularly uses.
  
  
  
• The service called active scripting is one method by which spyware can be installed.
  
• Active scripts are programs written in script languages such as JavaScript, or Microsoft VBScript, or ActiveX.
  
• While you can disable active scripting, legitimate sites use active scripting as part of their normal operating procedures.
  
• Sites like Windows Update, Web mail browsers, and high volume content sites such as news web sites use active scripting.
  
  
  
  
• Internet Explorer has a feature called Trusted Sites where you can disable active scripting for most Web sites.
  
• Enable it for the sites that you routinely visit.
  
  
  
  
• A signed Active X control has a digital ID, or certificate, issued by an authority, such as VeriSign, Inc,
  that verifies that it is safe and secure.
  
• A signed control can be traced to the software publisher or developer
  who created it and can be trusted and downloaded onto your computer.
  
• Other software that can be signed are macros, device drivers, firmware images, virus updates, and configuration files.
  
  
  
• An unsigned Active X control may be unsafe and unsecured.
  
• An unsigned control does not have a digital ID issued by a certificate authority.
  
• An unsigned control usually means it cannot be traced to the software publisher
  
• or developer who created it.
  
• If the control is used within a Web page that you trust then it may not be as risky to use.
  
  
  
  
• Active content refers to content on a Web page that is dynamic—
  
• animated .gif files, streaming audio and video—or interactive—surveys or polls.
  
• ActiveX controls and JavaScript are often used to create content to draw readers' interest and increase viewership.
  
  
  
  
• Browser Helper Object (BHO) Protection
  
• Monitors additions to your Internet Explorer BHOs.
  
  
  
• If the BHO being installed is known to be safe, it's allowed.
  
• If it is known to be spyware, it's blocked and you are notified of the fact.
  
  
  
• A browser helper object (BHO) is an application that extends IE and acts as a plug-in.
  
• Spyware and browser redirectors often use BHOs to display ads or monitor your activities across the Internet.
  
• BHOs are also used by legitimate applications such as the toolbars offered by some common search sites.
  
  
  
  
• Applications that install BHOs are popular because they enable developers to control IE
  through its native object model and provide useful functionality.
  
• Some legitimate applications use BHOs to monitor page navigation and show related page links.
  
• Others use them to monitor and control file downloading.
  
  
  
  
• It's likely you have BHOs installed on your computer that you don’t know about.
  
• There are good uses for BHOs, but you might not know that they are installed and
  
• they can be used for gathering information about your browsing habits.
  
  
  
  
• Spyware and BHOs can unintentionally cause problems, too.
  
• Problems ranging from incompatibility issues to corrupting important system functions.

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

8. Application Agents.

Numbers 7-11 of 25 checkpoints listed & defined in the "detail" columns of the application agents screen.

• Internet Explorer Explorer Bar
  
• Monitors modifications made to your list of Internet Explorer Explorer Bar applications.
  
  
• An Explorer bar is a pane like the Favorites, History, or Search panes in Internet Explorer or Windows Explorer.
  
• An Explorer bar (band) is a panel like the Favorites, History or Search panels you see in IE or Windows Explorer.
  
  
  
• Internet Explorer Extensions
  
• Monitors modifications made to your list of Internet Explorer extension applications.
  
  
  
• IE extensions control icons on the main IE toolbar or items in the IE Tools menu, those not part of the default installation.
  
• IE Extensions control toolbar buttons on the main IE toolbar or items in the IE 'Tools' menu not part of the default installation.
  
• When you click on one of these, the button can launch an associated application, a script, or load an IE Bar.
  
  
  
  
• Internet Explorer Extensions
  
• Monitors modifications made to Internet Explorer toolbar applications.
  
  
  
• IE Toolbars are the toolbars underneath your navigation bar and menu in IE.
  
  
  
• Internet Explorer URLs
  
• Monitors changes to Internet Explorer URLs to help prevent browser redirecting.
  
  
  
• When your Web browser is redirected (hijacked), attempts to view some Web sites,
  such as common search engines or popular Web directory sites,
  are automatically redirected to a alternative Web site without your knowledge or consent.
  
• A browser redirector can also disallow access to certain Web pages, for example an antivirus site.
  
• These programs can also disable antivirus and anti-spyware software.
  
  
  
• Some Internet Explorer URLs that are monitored and protected by this agent include:
  
• Internet Explorer Start Page
  
• Internet Explorer Search Page
  
• Internet Explorer Default_Page_URL
  
• Internet Explorer Local Page
  
• Internet Explorer Search Bar
  
• Internet Explorer Default_Search_URL
  
• Internet Explorer CustomizeSearch
  
• Internet Explorer SearchAssistant
  
• Internet Explorer SearchUrl Local page
  
• Internet Explorer SearchUrl Blank page
  
• Internet Explorer SearchUrl Desktop navigation failure
  
• Internet Explorer SearchUrl Navigation canceled
  
• Internet Explorer SearchUrl Navigation failure
  
• Internet Explorer SearchUrl Offline information
  
• Internet Explorer SearchUrl PostNotCached
  
• Internet Explorer SearchUrl mozilla
  
  
  
  
• It is possible for a browser redirector to change the default prefix appended to a URL if one is not included.
  
• For example, if you type woodgrovebank.com you would expect the browser to automatically add http://www.
  
• This part is called the URL prefix, and the www. is not fixed to http://.
  
• The prefix values are stored in the registry at
  HLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix HLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefix.
  
  
  
  
• If you change the default prefix from http:// to http://www.woodgrovebank.com/search?q=
  the browser automatically goes to woodgrovebank.com, even if you don't type http://.
  
• Then, if you type microsoft.com in the browser address bar, instead of http://www.microsoft.com,
  the browser goes to woodgrovebank.com and carries out a search for microsoft.com.
  
• This behavior occurs because the updated prefix changed the address to http://www.woodgrovebank.com/search?q=security.com.
  
• Browser redirectors can use this method to redirect browsers from one search engine to another search engine.
  
  
  
• Some IE prefixes that are monitored and protected include:
  
• DefaultPrefix
  
• ftp
  
• gopher
  
• home
  
• mosaic
  
• www
  
  
  
  
• Internet Explorer Security Settings
  
• Monitors changes to Internet Explorer settings that could compromise security settings...
  
• The result would be a remote Web site exploiting your computer by allowing ActiveX controls to be installed.
  
  
  
• Browser security preference settings help prevent unwanted viewing
  
• or theft of confidential, personal information.
  
• Web browsers issue an alert (notification) if any of the following actions happen or are about to happen:
  
  
• A change between secure and insecure transmission modes.
  
  
  
• A visit to a site with an invalid site certificate.
  
• The browser notifies you if the site's SSL certificate is invalid or has expired.
  
• An invalid certificate deactivates SSL.
  
  
  
• A transmission is sent over an open or unsecured connection.
  
  
  
• A form submittal is redirected.
  
• The browser warns you if information being submitted on a Web-based form is being sent
  
• to a Web site other then the one you are currently viewing.
  
  
  
• the Microsoft Anti-Spyware System Inoculation Wizard automatically modifies these settings.
  
  
  
• IE offers advanced security options.
  
• To access these options, on the Tools menu, click Internet Options, and then click the Advanced tab.
  
• The Advanced tab contains a Security section.
  
• Included are several configuration options pertaining to encrypted communications.
  
• Although the default settings may be acceptable,
  
• for maximum security you must select the following four checkboxes:
  
  
• Check for publisher's certificate revocation
  
• Check for server certificate revocation (requires restart)
  
• Do not save encrypted pages to disk
  
• Empty Temporary Internet Files folder when browser is closed

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

9. Application Agents.

Numbers 12-16 of 25 checkpoints listed & defined in the "detail" columns of the application agents screen.

• Internet Explorer Third-Party Cookies
  
• Monitors unauthorized cookies that are added as acceptable third-party cookies.
  
  
  
• Cookies are files that Web sites download to your computer so that you are recognized on return visits.
  
• Many cookies are useful—for example, those that allow sites to automatically log you in to private member areas.
  
  
  
• Others cookies gather information without your knowledge and monitor your Web activities.
  
• Third-party cookies are downloaded by sites other than the one you are visiting.
  
  
• (First-party cookies are those for the site you’re actually visiting.)
  
  
  
• Platform for Privacy Preferences (P3P) was developed by the World Wide Web Consortium (W3C).
  
• P3P enables Web sites to communicate their privacy practices—how personal user information is handled—
  
• in a standard format that can be retrieved automatically and interpreted by browsers or other user agents.
  
  
  
• In IE, Microsoft implemented P3P to address Internet security and privacy risks.
  
• It enables Microsoft to track Web site practices and provides additional security settings related to cookies.
  
• By default IE blocks all third-party cookies that do not comply with the P3P standard.
  
  
  
  
• Internet Explorer Plugins
  
• Monitors unauthorized installation of Internet Explorer plugins.
  
  
  
• IE plugins are software that add functionality to the browser.
  
• They are loaded when Internet Explorer starts.
  
  
  
• An IE plugin can be installed and loaded as part of your Web browser.
  
• A plugin is automatically recognized by your browser, and its functionality is integrated
  
• into the main HTML file that is being presented, for example, to play sound or video.
  
• Plugin examples include Adobe Acrobat and RealNetwork multimedia player.
  
  
  
  
• Internet Explorer Security Zones
  
• Monitors unauthorized changes to your Internet Explorer security zones.
  
  
  
• IE provides precautionary options to help you have a secure browsing experience.
  
• Preserving the your computer security when you browse the Web is a balancing act.
  
  
  
• The more your browser is open to software downloads and other content,
  
• the greater the exposure to risk.
  
• However, the more restrictive your settings, the less usable—and useful—the Web becomes.
  
  
  
  
• The security features in Internet Explorer aim for a balance.
  
• When you first install IE, it categorizes all Web sites into a single zone
  
• —the Internet zone—and sets a medium security level on this zone.
  
• This helps you browse securely, but should prompt you before downloading potentially unsafe content.
  
  
  
  
• Three other zones are offered—Local Intranet, Trusted, and Restricted—
  
• You can assign Web sites and security settings to them as you like.
  
• You can add sites you trust to the Trusted Sites zone.
  
  
  
  
• Zones enable you to set different levels of security for various types of Web content.
  
• For example, a low security setting allows your browser to run all types of active content.
  
• A low setting is most appropriate for sites you fully trust, like your company intranet.
  
• The reverse is true for a high security setting.
  
• At this setting, the highest restrictions prevent your browser from running active content and downloading codes.
  
  
  
  
• To see the Web sites added to your Trusted and Restricted sites:
  
• on the Internet Explorer Tools menu, click Internet Options.
  
• Click the Security tab, and then click either Trusted sites or Restricted sites.
  
• Click Sites to see the list. When you’re finished, click Cancel twice. The list includes:
  
• Internet Zone
  
• This zone contains all Web sites that you haven't placed in the other zones.
  
• Possible values: High/Medium/Medium-low/Low
  
• Default value: Medium
  
  
  
• Local Intranet Zone
  
• This zone contains all Web sites on your company's intranet.
  
• These sites usually reside within your company's firewall.
  
• Possible values: High/Medium/Medium-low/Low
  
• Default value: Medium-Low
  
  
  
• Trusted Sites Zone
  
• This zone contains all Web sites that you trust not to damage your computer or data,
  
• Perhaps the sites of trusted business partners.
  
• Sites assigned to this zone are allowed to perform numerous operations.
  
• Possible values: High/Medium/Medium-low/Low
  
• Default value: Low
  
  
  
• Restricted Sites Zone
  
• This zone contains all Web sites that could potentially damage your computer or data.
  
• Sites assigned to this zone can perform only minimal, very safe operations.
  
• Generally speaking, this zone is for sites you do not trust.
  
• Possible values: High/Medium/Medium-low/Low
  
• Default value: High
  
  
  
  
• Internet Explorer ShellBrowser
  
• Monitors changes or additions to the Internet Explorer shell.
  
  
  
• IE ShellBrowser contains information and settings about an instance of IE.
  
• If these settings are modified or a new ShellBrowser is added, this ShellBrowser
  
• can take control of IE and add toolbars, menus, and buttons.
  
  
  
  
• Internet Explorer Trusted Sites
  
• Monitors unauthorized sites that can be added to your Trusted Sites list.
  
  
  
• Add a site to this zone only if you trust that it will not cause harm to your computer.
  
  
  
• Active scripting is one mechanism by which spyware can be installed on your computer.
  
• Active scripts are programs written in, for example, JavaScript, or Microsoft's VBScript and ActiveX.
  
• You can disable active scripting; however, there are legitimate sites for which you want active scripting enabled.
  
• Windows Update Service, online Web mail browser, and sites with high volumes of content (for example, news web sites) use active scripting.
  
  
  
  
• Because Internet Explorer has Trusted Site protection, you can disable active scripting in general,
  
• but enable it for sites that you routinely visit, such as your Web mail browser or online commerce sites.

This post has been edited by phawgg: 17 January 2005 - 12:20 AM

Microsoft Anti-spyware Beta 1
Part III
"tools" cont.

10. Application Agents.

Numbers 17-22 of 25 checkpoints listed & defined in the "detail" columns of the application agents screen.

• Internet Explorer WebBrowser
  
• Monitors changes or additions to Internet Explorer's Web browser.
  
  
  
• The Internet Explorer WebBrowser contains information and settings about an instance of Internet Explorer.
  
• If these settings are modified or a new WebBrowser is added, this WebBrowser can take control of Internet Explorer,
  
• and add toolbars, menus, and buttons.
  
  
  
  
• URL Search Hooks
  
• Monitors unauthorized changes to the Internet Explorer URL search hooks.
  
  
  
• A URL search hook is used when you type an address in the address bar of the browser,
  
• but do not include a protocol such as http:// or ftp:// in the address.
  
• When you enter such an address, the browser will attempt to figure out the correct protocol on its own,
  
• If it fails to do so, it will use the UrlSearchHook to find the location you entered.
  
  
  
• URL SearchHook is a COM object,
  
• used by the browser to translate the address of an unknown URL protocol.
  
  
  
• When attempting to browse to a URL address that does not contain a protocol,
  
• the browser will first attempt to determine the correct protocol from the address.
  
  
  
• If this is not successful, the browser will create URL Search Hook objects and call each object's
  
• Translate method until the address is translated or all of the hooks have been queried.
  
  
  
  
• Internet Explorer Menu Extensions
  
• Monitors changing to your Internet Explorer menu extensions.
  
  
  
• IE menu extensions are options found in the context menu of IE.
  
• These options display on the shortcut menu when you right-click on the Web page you are viewing in the browser.
  
  
  
  
• Disable Regedit Policy
  
• Monitors spyware that attempt to disable Registry Editor functionality.
  
  
  
• It helps prevent spyware from running Registry Editor and changing entries in the registry.
  
• Many administrators on corporate networks disable Registry Editor as a security measure.
  
  
  
• Registry Editor is a system application that is used to change settings in the system registry.
  
• This application contains information about how your computer runs and what software is installed.
  
• Changing the registry improperly can result in system malfunctions.
  
  
  
  
• Internet Explorer Reset Web Settings
  
• Monitors changes to your Internet Explorer reset Web settings.
  
  
  
• IE uses the IEReset.inf file to reset your Internet options to the default settings.
  
• IEReset.inf is stored in C:\windows\inf\.
  
  
  
• If spyware changes the information in the file, your computer will be re-infected each time you attempt
  
• to reset your settings until a copy of the original file is installed or the default settings are manually reentered.
  
• Computer manufacturers or system administrators can change the default Internet settings according to corporate requirements.
  
  
  
  
• Internet Explorer Restrictions
  
• Monitors Internet Explorer restrictions.
  
  
  
• IE restrictions are a security measure that prevent you from changing the options or home page in IE.
  
• Restrictions are activated by changing registry settings.
  
• These options should only appear if your administrator has authorized them.