Version 7.2.2.0 detecting many Restricted Sites from Spywareblaster

[catscomputer]

Hi. Version 7.2.2.0 detected 42 items on one of my laptops last night. Interestingly, I saw the exact same detections in a post on Wilders here: hxxps://www.wilderssecurity.com/threads/adwcleaner-updates-and-discussion-thread.345634/page-19#post-2769246 

I then scanned a second Win 10 laptop with AdwCleaner version 7.2.1 and it came back clean. So I immediately downloaded, installed and ran version 7.2.2.0 on the second machine, and lo and behold - the exact same 42 detections came up on that computer too.

I then checked the registry of a third computer (not yet scanned with AdwCleaner) and all of those same keys were present on that computer too, along with a lot of other seedy looking keys referencing adult material, so I wondered if these were part of some kind of blocklist that was supposed to be there and actually protecting my computers.

I then checked SpywareBlaster on all three computers, and protection was only partially enabled under the "Restricted Sites" on the two computers I had scanned with version 7.2.2.0 and allowed the programme to clean. There were exactly 42 unprotected sites on both those computers -  the same number of detections in AdwCleaner. 7.2.2.0. On the third computer that had not been scanned  - SpywareBlaster showed all protection as fully enabled.

To confirm my suspicions I ran 7.2.2.0 on the 2 machines with partially enabled protection and they came up clean, but as soon as I enabled all protection in SpywareBlaster on the "Restricted Sites" field, and then re-ran AdwCleaner version 7.2.2.0, those same 42 detections appeared again.  So it would seem that AdwCleaner is detecting stuff from SpywareBlaster's blocklists.

Here is the log file from computer number 1. Computer 2 is identical except it's running Win 10 Home not Pro. Thanks.

AdwCleaner[S02].txt

Edited July 18, 2018 by catscomputer

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the AdwCleaner Help forum.

Someone will reply shortly, but in the meantime here are a few resources which may help resolve your issue:

• AdwCleaner user guide
• A malicious element isn't being detected? Submit the sample here!
• Need help with another Malwarebytes product or malware removal?
  • Click here for home support
  • Click here for business support
  • Click here for malware removal help

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[exile360]

Confirmed, I found the same (as well as many of those added by Spybot S&D via its Immunize function/feature which uses the registry restricted sites, the IE ActiveX Killbit implemented by MS as well as the HOSTS file for blocking/restricting access to malicious web content).  An exclusion rule/whitelist should be created to not detect such sites when contained in the restricted zone (zone 4) for the Zonemap\Domains registry keys (HKLM/HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap\Domains sub-keys) when the value data is set to 4 which denotes the Restricted Zone as documented on the following Microsoft sites:

https://support.microsoft.com/en-us/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users
https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)

If more detailed info is required such as scan logs etc. please let me know and I will provide them, however be aware that these restricted sites databases are constantly changing so whitelisting specific entries is most likely not a viable long-term solution and instead logic should be developed which can tell the difference between a site being included in the Trusted Zone and the Restricted Zone.

The following table is taken directly from Microsoft's own documentation on the various security zones and their equivalent value data for the Zonemap\Domans registry keys:

Quote

   Value    Setting
   ------------------------------
   0        My Computer
   1        Local Intranet Zone
   2        Trusted sites Zone
   3        Internet Zone
   4        Restricted Sites Zone

Edited July 18, 2018 by exile360

[catscomputer]

Thanks for the reply exile. That all Iooks very complicated in the links you posted. 

I'm not quite sure what I'm to do to prevent this from happening again. I feel like this is something Malwarebytes should address and create whitelists for rather than us users, surely?

I don't want to have to constantly create exclusions, or be in a position where I'm having to decide if something is a  legitimate detection or part of something like SpywareBlaster. 

Edited July 19, 2018 by catscomputer
correcting a typo or two

[exile360]

I've dealt with issues like this in the past where the blocks created by Spywareblaster and Spybot were flagged as threats.  It's usually because some malware a long, long time ago would deliberately add malicious sites to the trusted sites list in the registry (Zone 2) and rather than looking at the actual value data (the number that assigns the zone for that particular site), they would flag any entry for malicious sites contained in their databases because additional logic beyond the scope of basic binary detection (1=malicious site data exists in the registry under the Zonemap\Domains registry key=detect as threat, 2=malicious site data does not exist in the registry=detect nothing) and it would require implementing conditional detection capabilities (if 1 & if value data is not 4 then detect as a threat, if 1 & value data is 4 then do not detect as a threat).  It sounds more complicated than it actually is, but for the Developers they will understand what I'm saying and should act upon it accordingly.

As for you and I, for now the best thing to do would be to simply check one or two of the detected entries in the registry and if you see the value data set as 4, that means it is safe and was added by Spywareblaster or Spybot because 4 means it is in what Microsoft refers to as the "Restricted Zone" where websites in that zone are the opposite of the "Trusted Zone" so they are not allowed to run scripts on their webpages, are not allowed to execute any ActiveX controls (Flash Player etc.) and many other security restrictions that essentially block them from being able to do harm (pretty much everything short of completely blocking access to those sites, where if that were the goal, they'd add the sites to the HOSTS file as Spybot does for some websites via one aspect of its Immunize function).  So if you check the entries detected by ADWCleaner and find that it is as I described (image below) then you should just right-click on it and select Add to Exclusion List (a new feature added in ADWCleaner 7.2.2).  I did and here is what my exclusions list now looks like (I added the entire categories to my exclusions list, not each individual detection one by one as I knew they all came from the same FP/source as my system is clean):

Once this false positive is corrected, or until these particular defs are pulled from ADWCleaner's database awaiting new engine capabilities to allow them to properly whitelist such entries, I would advise you do the same as I did as the probability that an actual threat would add entries to to Zonemap\Domains registry keys is extremely unlikely, especially since modern malware/adware etc. is far more focused on targeting more popular, modern browsers like Firefox and especially Chrome now that they are used more prominently than Internet Explorer, and since these settings have no impact on those browsers, it is unlikely that the bad guys would bother using them to try and add their sites to the Trusted Sites list in IE (which is why ADWCleaner is detecting them, because it just looks for entries for those sites, assuming they are there with a value data of 2 which would place them in the Trusted Sites list for IE).

Edited July 19, 2018 by exile360

[catscomputer]

1 hour ago, exile360 said:

It sounds more complicated than it actually is, but for the Developers they will understand what I'm saying and should act upon it accordingly.

 

Well I'm glad about that!! It's a bit over my head lol. Though I do get the gist. :)

I hope Malwarebytes will either correct these FPs, or, build in a function to whitelist such entries.

Until then I shall do as you've suggested and check the registry and make sure any detected entries are showing a 4 as per the picture. If they are I will add them to exclusions. I can definitely manage that. 

Thanks for the advice exile, the pictures you've included to go with the explanation are really helpful. :)

[Mumio]

Ugh, after seeing this thread, I went back and looked and sure enough.....it's detecting Spywareblaster host file blocks, right down to the shady-sounding adult stuff. I do hope this is resolved quickly. And I also think from now on that I am gonna wait on new versions until issues are worked out before I download. I feel like most new versions are coming with problems and I don't have time to deal with that.

Edited July 19, 2018 by Mumio

[exile360]

47 minutes ago, Mumio said:

Ugh, after seeing this thread, I went back and looked and sure enough.....it's detecting Spywareblaster host file blocks, right down to the shady-sounding adult stuff. I do hope this is resolved quickly. And I also think from now on that I am gonna wait on new versions until issues are worked out before I download. I feel like most new versions are coming with problems and I don't have time to deal with that.

Actually, unlike Spybot Search & Destroy, Spywareblaster doesn't use the Windows HOSTS file at all to block malicious sites.  It just uses the restricted sites list for Internet Explorer (located under the various HK**\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap\Domains keys in the registry) as well as the ActiveX Killbit as implemented by Microsoft since XP.  It also performs immunization for Firefox, though how it accomplishes that I am not certain, though I suspect it is by a similar means as what is used for Internet Explorer's restricted sites, though likely through some kind of text based config file.

As for this FP, it's actually not that big of a deal and is something I've seen several other scanners in the past FP on, so ADWCleaner is far from the first (in fact, the first time I saw this it was being detected by eTrust/CA PestPatrol back in the day long before Malwarebytes or ADWCleaner ever existed).  I'm sure they'll either have the issue corrected promptly or will temporarily back out the defs causing the detections until the issue can be resolved by implementing more robust, conditional detection for these kinds of registry entries as I suggested they do above.  Either way I will be submitting the details of this issue to the team in my report this Friday so they will hear about it.

[jboursier]

Hello,

Thanks for the feedback.

We're working on it. At the same time, you can use the right-click -> Add to exclusion feature that just appeared with 7.2.2.

[Mumio]

13 hours ago, exile360 said:

Actually, unlike Spybot Search & Destroy, Spywareblaster doesn't use the Windows HOSTS file at all to block malicious sites.  It just uses the restricted sites list for Internet Explorer (located under the various HK**\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap\Domains keys in the registry) as well as the ActiveX Killbit as implemented by Microsoft since XP.  It also performs immunization for Firefox, though how it accomplishes that I am not certain, though I suspect it is by a similar means as what is used for Internet Explorer's restricted sites, though likely through some kind of text based config file.

As for this FP, it's actually not that big of a deal and is something I've seen several other scanners in the past FP on, so ADWCleaner is far from the first (in fact, the first time I saw this it was being detected by eTrust/CA PestPatrol back in the day long before Malwarebytes or ADWCleaner ever existed).  I'm sure they'll either have the issue corrected promptly or will temporarily back out the defs causing the detections until the issue can be resolved by implementing more robust, conditional detection for these kinds of registry entries as I suggested they do above.  Either way I will be submitting the details of this issue to the team in my report this Friday so they will hear about it.

Thanks for the nitty-gritty details on it :)  I'll wait for it to be corrected, but like I said...not gonna jump on new downloads anymore. Life is too busy.

[exile360]

You're welcome

I'm honestly not sure if it was the new release that caused these FPs or just a signature/database update as the old versions of ADWCleaner certainly should have been fully capable of detecting these kinds of entries before now as they're just simple registry keys.

[exile360]

Hey guys,

I just wanted to post to let you know in case you were not aware that this issue has now been addressed in the most recent release version 7.2.3.  Info and download available here.

[mbyuser]

hi guys n girls.

long time no see as to speak.

wonered if it was intentionl that the tool was picking up so much from spyblaster,obviously not.

the latest build is still picking up spyblaster.  the last build was also calling some adaware as well as pups as is this version/build.

deactivate spyblaster and nothing comes up otherwise i get this;

AdwCleaner[S21].txt

[exile360]

Yep, confirmed.  I just scanned my own system and it's still detecting the ZoneMap/Domains entries entered by Spybot Search & Destroy and Spywareblaster.  I guess it wasn't fixed after all  

@fr33tux Attached are registry exports of the registry entries in question along with a copy of my scan log from ADWCleaner 7.2.3 showing the detections.

Please let me know if anything else is required to resolve this.

Thanks

Domains.zip

AdwCleaner[S12].txt

[MichaW]

..the same here, the problems with Spywareblaster still exist with vers. 7.2.3

[MichaW]

Problems with Spywareblaster are gone with vers. 7.2.3.1

[exile360]

I'm still seeing some of these detections though most of them have been fixed.  Please see attached.

AdwCleaner[S13].txt

[jboursier]

Hello,

@exile360 Can you get me an export of those keys?

Thanks,

[exile360]

Sure, here you go.

exports.zip

[Alan123]

I just checked mine,  Spybot search and destroy is still giving me some issues, bit spyware blaster seems to be working completely.

 

I also have one heuristing listing BING that can not be corrected