jerryh

WinXP Security Center

Malwarebytes incorrectly identifies the following:

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

The DWORD was intentionally set to (1) by the user, and its identification as an infection is misleading and falsely alarms the user.

Not a false positive. If you set this yourself or security software on your computer did, then set MBAM to ignore it and it won't show up again.

> Not a false positive. If you set this yourself or security software on your computer did, then set MBAM to ignore it and it won't show up again.

The same thing came up on my MalwareBytes scan. I did not set it myself but it is possible that my security software did. Would this be put there by security software that protects your Home page from hijack?? Thanks

It would typically be set by some antivirus programs (like McAfee and Norton) that install their own security center.

Many malware set these policies nowadays. Examples here of recent malware doing this (see below):

http://www.threatexpert.com/report.aspx?md...843f6feb747a125

http://www.threatexpert.com/report.aspx?md...7fe1f46a14f30f5

http://www.threatexpert.com/report.aspx?md...b958a90126afb57

Also, the default Windows setting is to notify the user if Antivirus, Firewall or Automatic updates are disabled, so that's why I think it's important that MBAM restores this to the default (secure) setting again.

Other scanners restore this as well. On top of that, I think it's a bad idea that other Security software changes these values. They should use the FirewallOverride and AntivirusOverride instead, and not disable notifications.

In case you have set these policies yourself and don't want to get notified when your Antivirus / Firewall or Automatic updates are disabled, then just set it to ignore in MBAM.

After all, I still think it is important that scanners restore settings to default (secure) instead of ignoring it.

Right you are miekiemoes, perhaps I should've been more clear in my response, I was just trying to answer this question in particular

> I did not set it myself but it is possible that my security software did. Would this be put there by security software that protects your Home page from hijack??

not to say that it's only changed by legitimate software. In fact, I commented in another thread that Spybot Search & Destroy has detected these settings for quite a while now in its scan.

Had the same detection this morning Antivirus and Firewall Disable notify, set it back to (0)

but only on XP, NOT on Vista(on the laptop) same settings and both with McAfee Antivirus

But why isn't it quarantined and why not detected on Vista ?

> NOT on Vista(on the laptop) same settings - But why isn't it quarantined and why not detected on Vista ?

This is about a registry value. This value is restored (dword back to 0) instead of deleted.

If you didn't get this on your Vista, then it's because that value didn't exist there.

> It would typically be set by some antivirus programs (like McAfee and Norton) that install their own security center.

Thanks for answering Exile 360. I do have Norton Security 2009 so that is most probably it... All my other scans come out clean except MalwareBytes. Thanks,

I know this thread is a bit dated, but I have a question about this topic that I haven't seen discussed in any of my research relating to this problem. MBAM detected a similar situation on my system;

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0)

I run McAfee Total Protection, and as I've come to understand, this was probably caused after one of the program's latest updates. However, this entire situation began when I returned to my system to find several warnings about McAfee's security features being disabled. Namely; real-time scanning, spam and potentially unwanted program scanning, script scanning, and buffer overflow protection. I also got a Windows message that mcshield.exe encountered an 'unknown error' and had to shut down. I tried to re-enable the security features but McAfee Security Center was unable to comply because of several 'errors'. Another interesting detail is that the McAfee icon in the taskbar became corrupted. A full system scan came up negative. I ran McAfee Virtual Technician but it was unable to restore the disabled security features. A view of the recent events log revealed the time that real-time scanning was disabled. I analyzed each security protocol one-by-one and was eventually able to re-enable the security features through different sub-menus. After roughly 24HRS the problem occurred again.

I ran MBAM and it detected the 2 registry items listed above. My question is therefore, is it typical that this situation can disable the features of your anti-virus software, or could I possibly have another more insidious problem? I haven't come across any other user reporting this behavior. If anybody has any information for me concerning this it would be greatly appreciated. Thanks for your time.

(I run Windows XP Pro SP3)

Hi,

No, it shouldn't act like that. It's actually funny that McAfee goes AWOL while you actually restore the default recommended Security Settings.

Anyway, I guess it's rather a glitch in McAfee itself instead.

Interesting. I guess I'll go bark at the McAfee techs and see what happens. Thanks again for your time and input.

> I haven't come across any other user reporting this behavior

I believe my computer is doing the exact same thing (except I run Symantec instead of McAfee).

Please help me fix it!

GodSpeed, your issue is totally different - you already explained your issue in your other thread. This has nothing to do with mbam. :angry:

> GodSpeed, your issue is totally different - you already explained your issue in your other thread. This has nothing to do with mbam. :)

Let me first agree that my problem :) has nothing to do with MBAM.

But otherwise, whatever this issue is, I am experiencing the same symptoms -- I get a weird notification that Symantec is disabled (which it isn't), MBAM tells me my Security Center is disabled when I run a scan (same result as poster, above), at one point my Symantec icon was corrupted and I couldn't do a Live Update or run a Scan and from time to time I get a warning that my Windows Firewall is shut off.

Something is wrong.

I feel like I'm jacking this thread now though....sorry.

*ps. I'm still having trouble with the main Administrator account getting deleted from the Welcome screen upon restart (and tried numerous restarts). :angry: I might need to call Microsoft. Is that even possible? :(

> I get a weird notification that Symantec is disabled (which it isn't), MBAM tells me my Security Center is disabled when I run a scan (same result as poster, above), at one point my Symantec icon was corrupted and I couldn't do a Live Update or run a Scan and from time to time I get a warning that my Windows Firewall is shut off.

This really has nothing to do with that policy in the registry though after fixing it in mbam. Mbam doesn't delete anything here, it just RESTORES the default security setting to default. It changes the dword value 1 back to the dword value 0 which is the default setting.

I guess it's still unclear for many what this policy exactly does...

If the policy is enabled, as it should be, then you will get a notification from Windows Security Center that your Antivirus, Firewall or Automatic updates are disabled.

This is the default setting in the registry.

Some security suites just disable that setting, because they will control it instead.

I really don't see why an Antivirus would react to this like that and disable itself / crash etc. after you restore that policy to default again - it doesn't make sense.

Restoring the default security setting again won't do anything related with the Security suites installed and won't break anything at all - I actually can't see how it could break it. The security suites will just disable that policy again and take over the Security Center.

> *ps. I'm still having trouble with the main Administrator account getting deleted from the Welcome screen upon restart (and tried numerous restarts).

So it's only from the Welcome screen? This one is by default not present on the XP welcome screen at all, only in Windows safe mode.

Let me quote:

> The original ("Hidden") Administrator account was the first one set up when XP is installed. The moment a User account is set up the Administrator account vanishes from the Welcome screen and you cannot logon to the Administrator account unless you use the Ctrl+Alt+Delete (for XP Pro) or Safe Mode (for Home). Now if you did not create a second user this Administrator account cannot go into hiding and becomes your normal user. (For safety reasons, it's best to NOT use the main administrator account as the only account. If nothing else, create a second account with admin privileges, although many prefer using a third account with limited user privileges as the main working account. It's your choice. With a single "Hidden" Administrator account, if something goes wrong, you don't have a backup account from which you can fix things.)

I guess that's where the confusion is. No accounts were deleted. There aren't even corrupted user accounts. You just didn't explain it properly in the other thread :angry:

Also, see here: http://www.microsoft.com/windowsxp/using/s...tips/knox1.mspx and here: http://www.pctools.com/guides/registry/detail/1165/

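The restore-instead-of-delete behaviour and the "value didn't exist on Vista" case described in the posts above, as an added example that is not part of the thread and not Malwarebytes' own code: a Python sketch that reads a registry export in .reg text form, classifies the three notification values, and builds `reg add` commands that set suppressed ones back to 0. The sample export, its `ExampleSubkey` and `SomeOtherValue` names, and the function names are constructed for illustration.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
# Value names and the default data (0) come from the MBAM detections in the thread.
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")
DEFAULT = 0
# Constructed sample, not from a real machine; ExampleSubkey/SomeOtherValue are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"SomeOtherValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ExampleSubkey]
"UpdatesDisableNotify"=dword:00000001
'''

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_dwords(export_text, key=KEY):
    """Return {lowercased value name: data} for DWORDs directly under `key`."""
    found, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        value = DWORD.match(line)
        if section:
            current = section.group(1).lower()
        elif value and current == key.lower():
            found[value.group(1).lower()] = int(value.group(2), 16)
    return found

def audit(export_text):
    """Map each notification value to 'absent', 'default' or 'suppressed'."""
    values = parse_dwords(export_text)
    report = {}
    for name in NOTIFY_VALUES:
        data = values.get(name.lower())
        # absent: nothing to flag; 0: alerts are shown; anything else: alerts are off
        report[name] = "absent" if data is None else "default" if data == DEFAULT else "suppressed"
    return report

def restore_commands(report):
    """Build reg.exe commands that set suppressed values back to 0 (no deletion)."""
    hive_key = KEY.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
    return [f'reg add "{hive_key}" /v {name} /t REG_DWORD /d {DEFAULT} /f'
            for name, state in report.items() if state == "suppressed"]
```

Registry export files are normally UTF-16 encoded, so decode the file before passing its text to `audit`.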
> [regarding Admin account delete] So it's only from the Welcome screen? This one is by default not present on the XP welcome screen at all, only in Windows safe mode.
>
> Let me quote:
>
> > The original ("Hidden") Administrator account was the first one set up when XP is installed. The moment a User account is set up the Administrator account vanishes from the Welcome screen and you cannot logon to the Administrator account unless you use the Ctrl+Alt+Delete (for XP Pro) or Safe Mode (for Home). Now if you did not create a second user this Administrator account cannot go into hiding and becomes your normal user. (For safety reasons, it's best to NOT use the main administrator account as the only account. If nothing else, create a second account with admin privileges, although many prefer using a third account with limited user privileges as the main working account. It's your choice. With a single "Hidden" Administrator account, if something goes wrong, you don't have a backup account from which you can fix things.)
>
> I guess that's where the confusion is. No accounts were deleted. There aren't even corrupted user accounts. You just didn't explain it properly in the other thread :)
>
> Also, see here: http://www.microsoft.com/windowsxp/using/s...tips/knox1.mspx and here: http://www.pctools.com/guides/registry/detail/1165/

OH MY GOD. I feel like I'm getting computers 101 here. :angry: That quote explains EVERYTHING that's been going 'wrong' (so I thought) with the user accounts.

I'll create both my wife and I our own accounts and let the original Administrator account 'disappear' like it should. My only trouble with that is, she's been using the account as her own forever now and everything is set up the way she wants it. I actually tried the user profile transfer action you posted in a link in the other thread and it transferred her files (took a long time), but it didn't transfer any of her settings and wanted to go through the whole install wizard thing with Outlook so I scrapped that plan because I thought it didn't work to my expectations.
