Regarding Custom Blocking

Hello everyone. I did have a question regarding the custom blocking of spyware CLSIDs in the registry.

Do we also block the Interface, and Typelib registry keys as well? Or do I only need to block strictly CLSIDs?

For example this spwyare below... I bolded them, so you can see what I am referring to. I've been adding them along with CLSIDs too, but wanted to make sure it was neccessary.

WebPI Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA438A1-2530-11D2-9D84-00C04F7FB7C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA438A4-2530-11D2-9D84-00C04F7FB7C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7EDC300-766F-11CF-A64F-0020AF37425D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6FBA474B-43AC-11CE-9A0E00AA0062BB4C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E7EDC301-766F-11CF-A64F-0020AF37425D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E7EDC302-766F-11CF-A64F-0020AF37425D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6FBA474BC-43AC-11CE-9A0E00AA0062BB4C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6FBA474D-43AC-11CE-9A0E00AA0062BB4C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E7EDC303-766F-11CF-A64F-0020AF37425D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Typelib\{6FBA474E-43AC-11CE-9A0E00AA0062BB4C}

Thank you!

 

SpywareBlaster blocks ActiveX by adding Registry like the one below:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
Compatibility Flags=dword:00000400

That entry blocks the download and execution ActiveX processes. Internet Explorer ActiveX applications are stored in the following Registry location:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units]

Since WebPI does not add entries to that location it does not appear that WebPI uses an ActiveX process. Therefore it does not appear that using Custom Blocking would have any affect on WebPI.

******************

To answer you question in general, CLSIDs.

 

Thank you. That would make it much easier and save me a lot of work then. Just to make sure I understand, I'll post another example below where I see that and it's in bold. So that also means that I can leave all the other CSLIDS alone? Just clarifying.

Spyware.WALogger Creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68ACC1A8-CFFC-4163-8767-026232DB2697}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93AAC05D-B974-4770-A9EE-92EFE7A59A85}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{521B4D64-B9D2-4C2F-8460-0EEA6FBFD0F5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BA6AF311-61FA-468B-BB20-303BFA6B6C6B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1E97CB5-5E3A-456C-B3EE-71DB7D986CB1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F51CF22E-E6B3-498F-A9A5-80E80E9E06BD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{06FFEF32-4765-4123-8C34-2DFE4FB38976}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8FB10DD5-CC4F-4D5C-B8E9-E45BE911DE2A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UNIPro.uUNIPro
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WALI.cWALIRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Activity Logging Interface_is1
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\WALI

 

What dword is in the following regitry entry?

Code:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}]

If the is dword:00000400 then it is being blocked. If not then there may be a problem.

If you are getting those Registry entries from a write up of what WALogger modifies in the Registry, it may indicate that WALogger is resetting any blocking of the ActiveX that was put in place by anti-malware products before or as it installs.

****************

See the following for the meaning of "dword:00000400" in the following Registry entry:

Code:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]

See:

• Microsoft Knowledge Base Article - 240797
  How to Stop an ActiveX Control from Running in Internet Explorer
  http://support.microsoft.com/default.aspx?kbid=240797

 

Thanks for all of that, but now it's way over my head.

The CLSIDs I posted was copied from Symantec Security Risks website, not my machine. It was just an example.

WALogger is already blocked on my PC. What I had asked and wanted to know was the CLSID that I bolded was the only one that needed to be blocked, just to make sure. I was just clarfying and verifying to make sure I was on the right track.

 

I do not feel you are "on the right track" and hopefully I will not add to your confusion

The Custom blocking feature of Spywareblaster is only useful in blocking ActiveX objects(Downloaded Program Files) as they relate to Internet Explorer.

Yes....there is an ActiveX object that is part of the Wali keylogger payload but that is only one of the many items contained in that keyloggers payload. Sure....you can place that entry in Spywareblasters Custom blocking list but all that does is prevent Wali from installing that portion of it's payload as it relates to the logging of your Internet Explorer activity.

 

Well now, I'm more confused. I asked if I was on the right track because of the first answer I received. So, according to the CLSIDs, I originally posted, what all do I block then. How would I block an entire program from installing in the first place? In layman's terms. I'm still fairly new at this.

 

In regards to keyloggers....that is not a function of Spywareblaster and if you are searching for ways to deal with malware similar to your keylogger examples....I suggest we consider moving this whole thread to a more appropriate section or take a look at our other Forum listings and decide which area you are interested in....Anti-malware, Anti-Trojan, Anti-virus....etc.

Bottom line....it is not a function of Spywareblaster to accomplish what you are wanting. It strictly helps protect Internet Explorer with ActiveX, Cookie and Restricted Sites protection and also MOzilla\Firefox cookie protection.