May 2006 Archives

As I blogged in an earlier entry, SpyOnThis detected 13 different threats in a clean VM, all of which are false positives. Most of them were cookies.

Let us dig into each key that SpyOnThis flagged as spyware and see why it is a false positive.

Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\
TRUSTEDPUBLISHER\CTLS
RiskLevel: 4

ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\
TRUSTEDPUBLISHER\CRLS
RiskLevel: 4

Claria object found!!!
Object: Claria
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_USERS:.default\software\microsoft\systemcertificates\trustedpublisher\crls
RiskLevel: 3

Look at the original keys in the registry that were flagged as spyware:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs]

Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs]

Note: none of these keys had any values associated with them when they were detected as spyware.

In order to make a full analysis we need to know some basic terms:

CA - Certification Authority

An entity entrusted to issue certificates that assert that the recipient individual, computer,
or organization requesting the certificate fulfills the conditions of an established policy.

CRL - Certificate Revocation List
A document maintained and published by a certification authority (CA) that lists certificates
issued by the CA that are no longer valid.

CTL - Certificate Trust List
A predefined list of items that have been signed by a trusted entity. A CTL can be anything,
such as a list of hashes of certificates, or a list of file names. All the items in the list are
authenticated (approved) by the signing entity.

The keys I mentioned are default keys that the Windows operating system uses to handle
trusted publisher certificates when IE makes a secure (SSL) connection. SSL creates a secure
connection between a client and a server, over which any amount of data can be sent securely.

A CA releases CRLs regularly so that users and enterprises know which certificates are no longer valid.
This registry key is modified when we import CRLs from a CA.

None of the above keys is related to either Claria or ClearSearch,
so classifying these keys as spyware is erroneous.
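The triage the post walks through by hand (is the flagged key a standard Windows certificate-store location, and does it hold any values?) can be scripted. The following is an added example, not code from the post or from SpyOnThis: it parses report blocks in the layout shown above and a regedit export of the same keys, and marks an empty key inside a SystemCertificates store as a likely false positive. The sample report and .reg text are constructed (the "ExampleAdware" key is a made-up control case), the store-path pattern covers the Software\Microsoft and Software\Policies\Microsoft certificate store trees, and the verdict labels are my own.

```python
import re

# Constructed sample scan report in the block layout shown on the page; the first two findings are
# the page's own keys, "ExampleAdware" is a made-up control case that is not a certificate store.
SCAN_REPORT = r"""ClearSearch object found!!!
Object: ClearSearch
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
RiskLevel: 4

Claria object found!!!
Object: Claria
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_USERS:.default\software\microsoft\systemcertificates\trustedpublisher\crls
RiskLevel: 3

ExampleAdware object found!!!
Object: ExampleAdware
Class: REGKEY
Type: SPYWARE
FoundIn: HKEY_CURRENT_USER:Software\ExampleAdware
RiskLevel: 4
"""

# Constructed .reg export of the same three keys: the certificate-store keys are empty, the adware key is not.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs]
[HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs]
[HKEY_CURRENT_USER\Software\ExampleAdware]
"InstallDir"="C:\\Program Files\\ExampleAdware"
"Updater"=dword:00000001
"""

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}
# Windows keeps each physical certificate store under SystemCertificates\<store>\{Certificates,CRLs,CTLs},
# both in the Software\Microsoft tree and in the group-policy Software\Policies\Microsoft tree.
CERT_STORE_RE = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE|USERS\\[^\\]+)\\SOFTWARE\\(POLICIES\\)?"
    r"MICROSOFT\\SYSTEMCERTIFICATES\\[^\\]+(\\(CERTIFICATES|CRLS|CTLS))?$")


def normalize_key(path: str) -> str:
    # Accept 'HIVE:sub\key' (scan report) or 'HIVE\sub\key' (.reg export); return upper-case 'HIVE\SUB\KEY'.
    m = re.match(r"([A-Za-z_]+)[:\\](.*)", path.strip())
    if not m:
        raise ValueError(f"unrecognised registry path: {path!r}")
    hive = HIVE_ALIASES.get(m.group(1).upper(), m.group(1).upper())
    return hive + "\\" + m.group(2).strip("\\").upper()


def is_certificate_store_key(key: str) -> bool:
    return CERT_STORE_RE.match(key) is not None


def parse_scan_report(text: str) -> list:
    # Blocks are separated by blank lines; each block is a set of 'Field: value' lines.
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"(Object|Class|Type|FoundIn|RiskLevel):\s*(.*)", line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "FoundIn" in fields:
            findings.append(fields)
    return findings


def parse_reg_export(text: str) -> dict:
    # Map each exported key to the names of its values ('(Default)' for the @ value).
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\[-?(.+)\]\s*$", line)
        if m:
            current = normalize_key(m.group(1))
            keys[current] = []
        elif current is not None and re.match(r'^(@|"[^"]*")=', line):
            name = line.split("=", 1)[0]
            keys[current].append("(Default)" if name == "@" else name.strip('"'))
    return keys


def triage(report: str, reg_export: str) -> list:
    # An empty key inside a Windows certificate store is the false-positive pattern the post describes.
    exported = parse_reg_export(reg_export)
    results = []
    for f in parse_scan_report(report):
        key = normalize_key(f["FoundIn"])
        count = len(exported[key]) if key in exported else None
        if not is_certificate_store_key(key):
            verdict = "needs analysis"
        elif count is None:
            verdict = "certificate store key, not in export"
        else:
            verdict = "likely false positive" if count == 0 else "certificate store key with values, inspect contents"
        results.append({"object": f.get("Object"), "key": key, "value_count": count, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(SCAN_REPORT, REG_EXPORT):
        print(f"{str(r['object']):<14} values={r['value_count']!s:<5} {r['verdict']}: {r['key']}")
```

On a live host the .reg input can be produced with `reg export <key> out.reg` for each flagged key. A certificate-store key that does hold values is not automatically clean or dirty: imported CRLs and CTLs are exactly what the store is for, so its contents deserve a look rather than a verdict from the path alone.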

Let us check the other keys in detail as well.
