I just cleaned and immunized my PC using Spybot. Went online again, ran a
check, and found Doubleclick cookies present. Does immunization just
prevent these cookies from doing their nasty deed, or is it supposed to
prevent them from being written again to the hard drive? Sorry if this is a
dumb question - I'm a newbie here ...)
George
Spybot will remove existing cookies. To prevent them from re-infecting, use
Spyware Blaster http://www.javacoolsoftware.com/spywareblaster.html
Ken Russell
"George Weischadle" <gweischadle@earthlink.net> wrote in message
news:6l4hb.3710$dn6.1847@newsread4.news.pas.earthl ink.net...
| I just cleaned and immunized my PC using Spybot. Went online again, ran a
| check, and found Doubleclick cookies present. Does immunization just
| prevent these cookies from doing their nasty deed, or is it supposed to
| prevent them from being written again to the hard drive? Sorry if this is
a
| dumb question - I'm a newbie here ...
|
| George
|
|
Vanguard answers it better than I did.
Ken Russell
Spybot's Immunize works like SpywareBlaster. Registry entries get added
which act as kill bits to known spyware ActiveX controls. Because of
these registry entries, any AX control that uses that class ID will not
be allowed to run. That does NOT prevent them from existing in your
system or from them getting installed. It only prevents them from
running. Immunization doesn'te prevent you from getting infected. It
just prevents the effects of that infection. It is passive protection.
So they may pollute your system but are not runnable. That doesn't mean
you have the disease. Immunization prevents the problem later so you
don't have to keep running a spyware scanner every day. You getting
immunized doesn't eliminate the other people that are infected in the
same room with you. It just eliminates you getting the infection. You
getting immunized after getting infected is too late and doesn't do any
good, but spyware immunization will abate the effects of a current
infection (by not allowing that AX control to load but may not prevent
it from running if it was already running when it then got immunized).
Immunization is a passive trap: when the infection arrives, it doesn't
get stopped from arriving but it stops it from effecting its nasty
payload. When you get immunized, it is when you are healthy and to
prevent you from getting sick later. You get occasional updates and
rerun the Immunize just like when you get booster shots; immunization
wears off over time (because of new or variant spyware).
Spybot has a BHO (browser helper object) under Immunize that you can
install in IE to help prevent the download of this crap but I don't know
if the BHO's detection is against the spyware signatures or against the
class IDs for bad AX controls, so I also have SpywareGuard running.
Although Spybot's Immunize recommends getting SpywareBlaster, so far
SpyBot's Immunize has a longer list of class IDs with which to provide
immunization; on my last check, SpyBot's Immunize had 9 more AX controls
than SpywareBlaster's. However, SpywareBlaster also includes blocking
of cookies from known spyware domains; it adds those domains to the
Always Block blacklist in IE for cookies. So I use both Spybot Immunize
and SpywareBlaster.
If you run SpyBot's or Ad-Aware's spyware scan and find nothing or
delete any that get found, that has no effect on how Immunize works.
You are adding registry entries to kill any bad AX controls that might
appear later. Note that the message is "All known bad products are
blocked". They weren't detected. They were BLOCKED. When you define a
firewall rule to block something, that doesn't mean that something has
to current exists. Unless you are under attack at the time you define
the firewall rule, the rule is to prevent that attack later *if* it
occurs.
SpywareBlaster adds a list of domain in IE under Tools -> Internet
Options -> Privacy where you click Edit to see which are listed as
Always Allow and Always Block. SpywareBlaster adds domains with the
Always Block attribute.
Note that Doubleclick has several domains. If you want to deny any
connects Doubleclick, you can define rules in your firewall to block
connections to them. You could try blocking on a URL rule with
".doubleclick." and hope that it only blocks connections to domains with
that in the domain portion of the URL, but it would also block something
like "http://somewhere.com/somepath/my.doubleclick.jpg". So I block on
(and showing some other common polluters):
atdmt.com
doubleclick.com
doubleclick.net
doubleclick.us
doubleclick.org
fastclick.biz
fastclick.com
fastclick.net
hitbox.com
websidestory.com
x10.com
I add these under the Parental Control section in Norton Internet
Security. If you have another firewall and you are using these in a URL
block then prefix them with a period and postfix a trailing slash, like
".doubleclick.com/", just to help ensure you specify a domain and not
some path under it. If your firewall allows you to specify regular
expressions then maybe something like "*.doubleclick.*/" or
"//*.doubleclick.*/" would be usable (you might have to escape the slash
character and have to use "////*.doubleclick.*//").
I actually wanted to use the URL blocking in my router so other hosts on
my intranet wouldn't end up connecting to those sites. Alas my router
doesn't allow many entries in its URL block list nor do they allow
wildcarding. Once the domain or URL blocking is enabled in the
firewall, a good check is to visit http://www.cheaptickets.com/ which
makes extensive use of Doubleclick. The links might still display on
the page (unless you have ad blocking also enabled) but when you click
on them you get a "page not found" or a default page from your firewall
noting the block.
Using a firewall to block connects to Doubleclick will not prevent a web
site from writing cookies that can be used by Doubleclick. My
understanding is that scripts are used to write and read cookies, so if
scripting is disabled then a new cookie cannot be written and an old
cookie cannot be read. But so many legitimate web sites use scripts
that you usually find that you want to leave it enabled. So blocking
the cookie using Always Block in IE is another way to keep clean.
However, using the cookie Always Block only works for the user that is
logged on at the time this list is updated, so other users logging onto
the same host won't be protected unless they also run SpywareBlaster
(and include the cookie immunizations). The cookie allow/block list
gets saved in the registry under
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet
Settings\P3P\History"; blocked domains have a value of 5 while allowed
domains gets a value of 1. Since this is a user registry hive, each
user has a different instance of this registry key so each user must run
SpywareBlaster to add the blocked cookie domains.
I use PopUp Cop to eliminate popup windows (rather than disabling
javascript). It has has "dynamic" cookie management. You can use
products like Cookie Wall and others to manage cookies but you end up
periodically having to check and do the deletes yourself, or you end up
having to leave a constantly running background program to monitor
cookies and delete any not on a whitelist. PopUp Cop's cookie
management also uses a whitelist; domains you list will not have their
cookies deleted while all others get purged. It effectively forces all
non-whitelisted cookies to be per-session cookies. Even per-session
cookies sometimes don't get deleted when you exit IE, but PopUp Cop will
make sure they get deleted. Since PopUp Cop is only active when IE is
loaded, and since that's the only time you need cookie management, it
works when it is appropriate rather than leaving some program always
running in the background. You can also choose to ignore cookies from
domains in the Trusted security zone; if the sites are trusted then
presumably you trust their cookies. However, I still leave IE
configured to accept 1st party cookies, BLOCK 3rd party cookies, and
allow per-sesion cookies. A legit domain shouldn't have to use 3rd
party cookies. Another option is to not delete cookies in IE's Always
Allow list. So not only can you specify which domains in PopUp Cop to
keep their cookies but you don't end up obviating IE's own Always Allow
list. Domains can be wildcarded in PopUp Cop's cookie manager so you
can use something like "*.domain.tld" and not have to worry if the
cookie is for the domain or for a subdomain. Rather than disable some
functionality of a site that needs cookies during that session, they can
write and read their cookie but it won't be there after I exit the last
instance of IE.
--
__________________________________________________
Post replies to newsgroup. E-mail not accepted.
__________________________________________________
"Ken Russell" <rusty@theseams.com.au> wrote in message
news:3f84d777$0$14559$afc38c87@news.optusnet.com.a u...
> Spybot will remove existing cookies. To prevent them from
re-infecting, use
> Spyware Blaster http://www.javacoolsoftware.com/spywareblaster.html
>
> Ken Russell
>
> "George Weischadle" <gweischadle@earthlink.net> wrote in message
> news:6l4hb.3710$dn6.1847@newsread4.news.pas.earthl ink.net...
> | I just cleaned and immunized my PC using Spybot. Went online again,
ran a
> | check, and found Doubleclick cookies present. Does immunization
just
> | prevent these cookies from doing their nasty deed, or is it supposed
to
> | prevent them from being written again to the hard drive? Sorry if
this is
> a
> | dumb question - I'm a newbie here ...
> |
> | George
> |
> |
>
>
Vanguard wrote:
> SpywareBlaster adds a list of domain in IE under Tools -> Internet
> Options -> Privacy where you click Edit to see which are listed as
> Always Allow and Always Block. SpywareBlaster adds domains with the
> Always Block attribute.
I always wondered how they got there. Thanks.
I use IE-SPYAD, WinPatrol Free and CookieCop2 V2.2.
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD updated usually
weekly.
http://www.winpatrol.com
CookieCop2 is a PCMagazine utility but is subscription based now.
I guess Cookie management could have its own topic so thanks for this good
explanation.
> Note that Doubleclick has several domains. If you want to deny any
> connects Doubleclick, you can define rules in your firewall to block
> connections to them. You could try blocking on a URL rule with
> ".doubleclick." and hope that it only blocks connections to domains
> with that in the domain portion of the URL, but it would also block
> something like "http://somewhere.com/somepath/my.doubleclick.jpg".
> So I block on (and showing some other common polluters):
>
> atdmt.com
> doubleclick.com
> doubleclick.net
> doubleclick.us
> doubleclick.org
> fastclick.biz
> fastclick.com
> fastclick.net
> hitbox.com
> websidestory.com
> x10.com
>
> I add these under the Parental Control section in Norton Internet
> Security. If you have another firewall and you are using these in a
> URL block then prefix them with a period and postfix a trailing
> slash, like ".doubleclick.com/", just to help ensure you specify a
> domain and not some path under it. If your firewall allows you to
> specify regular expressions then maybe something like
> "*.doubleclick.*/" or "//*.doubleclick.*/" would be usable (you might
> have to escape the slash character and have to use
> "////*.doubleclick.*//").
>
> I actually wanted to use the URL blocking in my router so other hosts
> on my intranet wouldn't end up connecting to those sites. Alas my
> router doesn't allow many entries in its URL block list nor do they
> allow wildcarding. Once the domain or URL blocking is enabled in the
> firewall, a good check is to visit http://www.cheaptickets.com/ which
> makes extensive use of Doubleclick. The links might still display on
> the page (unless you have ad blocking also enabled) but when you click
> on them you get a "page not found" or a default page from your
> firewall noting the block.
>
> Using a firewall to block connects to Doubleclick will not prevent a
> web site from writing cookies that can be used by Doubleclick. My
> understanding is that scripts are used to write and read cookies, so
> if scripting is disabled then a new cookie cannot be written and an
> old cookie cannot be read. But so many legitimate web sites use
> scripts that you usually find that you want to leave it enabled. So
> blocking the cookie using Always Block in IE is another way to keep
> clean. However, using the cookie Always Block only works for the user
> that is logged on at the time this list is updated, so other users
> logging onto the same host won't be protected unless they also run
> SpywareBlaster (and include the cookie immunizations). The cookie
> allow/block list gets saved in the registry under
> HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Internet
> Settings\P3P\History"; blocked domains have a value of 5 while allowed
> domains gets a value of 1. Since this is a user registry hive, each
> user has a different instance of this registry key so each user must
> run SpywareBlaster to add the blocked cookie domains.
>
> I use PopUp Cop to eliminate popup windows (rather than disabling
> javascript). It has has "dynamic" cookie management. You can use
> products like Cookie Wall and others to manage cookies but you end up
> periodically having to check and do the deletes yourself, or you end
> up having to leave a constantly running background program to monitor
> cookies and delete any not on a whitelist. PopUp Cop's cookie
> management also uses a whitelist; domains you list will not have their
> cookies deleted while all others get purged. It effectively forces
> all non-whitelisted cookies to be per-session cookies. Even
> per-session cookies sometimes don't get deleted when you exit IE, but
> PopUp Cop will make sure they get deleted. Since PopUp Cop is only
> active when IE is loaded, and since that's the only time you need
> cookie management, it works when it is appropriate rather than
> leaving some program always running in the background. You can also
> choose to ignore cookies from domains in the Trusted security zone;
> if the sites are trusted then presumably you trust their cookies.
> However, I still leave IE configured to accept 1st party cookies,
> BLOCK 3rd party cookies, and allow per-sesion cookies. A legit
> domain shouldn't have to use 3rd party cookies. Another option is to
> not delete cookies in IE's Always Allow list. So not only can you
> specify which domains in PopUp Cop to keep their cookies but you
> don't end up obviating IE's own Always Allow list. Domains can be
> wildcarded in PopUp Cop's cookie manager so you can use something
> like "*.domain.tld" and not have to worry if the cookie is for the
> domain or for a subdomain. Rather than disable some functionality of
> a site that needs cookies during that session, they can write and
> read their cookie but it won't be there after I exit the last
> instance of IE.
>
> "Ken Russell" <rusty@theseams.com.au> wrote in message
> news:3f84d777$0$14559$afc38c87@news.optusnet.com.a u...
>> Spybot will remove existing cookies. To prevent them from
>> re-infecting, use Spyware Blaster
>> http://www.javacoolsoftware.com/spywareblaster.html
>>
>> Ken Russell
>>
>> "George Weischadle" <gweischadle@earthlink.net> wrote in message
>> news:6l4hb.3710$dn6.1847@newsread4.news.pas.earthl ink.net...
>>> I just cleaned and immunized my PC using Spybot. Went online
>>> again, ran a check, and found Doubleclick cookies present. Does
>>> immunization just prevent these cookies from doing their nasty
>>> deed, or is it supposed to prevent them from being written again to
>>> the hard drive? Sorry if this is a dumb question - I'm a newbie
>>> here ...
>>>
>>> George
On Thu, 09 Oct 2003 16:18:07 GMT, "YK" <YKnot@home.invalid> wrote:
>Vanguard wrote:
>> SpywareBlaster adds a list of domain in IE under Tools -> Internet
>> Options -> Privacy where you click Edit to see which are listed as
>> Always Allow and Always Block. SpywareBlaster adds domains with the
>> Always Block attribute.
>
>I always wondered how they got there. Thanks.
>
>I use IE-SPYAD, WinPatrol Free and CookieCop2 V2.2.
>http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD updated usually
>weekly.
>http://www.winpatrol.com
>CookieCop2 is a PCMagazine utility but is subscription based now.
>
Analogx CookieWall (
http://www.analogx.com/contents/download/network.htm ) is free. Other
products like it too.
I use AdAware, Spybot, and HijackThis regularly. I also check my
browsers for vulnerabilities:
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/index.php
https://testzone.secunia.com/browser_checker/
Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
On 9 Oct 2003 11:59:05 -0500, in <alt.privacy.spyware>, Chuck
<cacrollthespam@yahoo.com> wrote:
>
[snip]
> Analogx CookieWall (
> http://www.[REDACTED].htm ) is free.
[snip]
It's also written and distributed by a sociopathic loon who *deliberately*
plants open-proxy trojans on unsuspecting users' systems.
<http://groups.google.com/groups?q=AnalogX+group:news.admin.net-abuse.email&hl=en&lr=&ie=UTF-8&sa=G&scoring=d>
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this E-Mail address is expressly prohibited
under USC Title 47, Section 227. Violators are subject to charge of up to
$1,500 per incident or treble actual costs, whichever is greater.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
On Thu, 9 Oct 2003 13:35:19 +1000, in <alt.privacy.spyware>, "Ken Russell"
<rusty@theseams.com.au> wrote:
>
> Spybot will remove existing cookies. To prevent them from re-infecting,
> use Spyware Blaster http://www.javacoolsoftware.com/spywareblaster.html
>
[snip]
No, don't.
First, get rid of MSIE, replacing with with a decent browser (Mozilla,
K-Meleon, some older versions of Opera, etc.).
Second, use either the built-in functions of said decent browser, or a
proper "cookie manager" utility like CookiePal or CookieCop, to control the
future download/use of cookies.
--
Jay T. Blocksom
--------------------------------
Appropriate Technology, Inc.
usenet01[at]appropriate-tech.net
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, Historical Review of Pennsylvania, 1759.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: E-Mail address in "From:" line is INVALID! Remove +SPAMBLOCK to mail.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Unsolicited advertising sent to this E-Mail address is expressly prohibited
under USC Title 47, Section 227. Violators are subject to charge of up to
$1,500 per incident or treble actual costs, whichever is greater.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
Reply With Quote