Need Clarification on Reg Values Detected

Hi,

After updating Malwarebytes to the database version of 1985 these two items were flagged.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures (Disabled.checkEXESignatures) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures (SecurityRisk.RunInvalidSignatures) -> No action taken.

They have never been flagged before (I had last updated and scanned just a few days ago) and my settings have not changed. I have "Check for signature on downloaded programs" checked and do not have "Allow software to run or install even if signature is invalid" checked in Internet Options, which I believe are the settings these two entries refer to. When looking at the registry it shows that the value of CheckExeSignatures is set to yes and the value of RunInvalidSignatures is set to 0.

Can anyone tell me if these items really should have been flagged or if it is just a glitch in the newest database?

Thank you very much for whatever help you can give me in figuring this one out.

Link to post
Share on other sites

I saw when I checked it on Malwarebytes site using one of the options when I right clicked on the entries in Malwarebytes that it was first detected today on something like 1700 computers. Since it was showing as first detected today it made me think that maybe it was a glitch in the current database.

Btw, I have no signs of infection and Malwarebytes did not detect anything other than these two entries.

Link to post
Share on other sites

  • Staff

Please ignore this for now. This will be fixed in the next update. It's a check of whether signature verification of downloaded programs is disabled or not. Also see here: http://www.liutilities.com/products/regist...y/tweaks/11387/

The next update will have an extra check if disabled and will only flag it if that's the case.

Update will be asap (within 2 hours)

In case you fixed it, don't worry. To set it to default again, download this regfix:

Unzip and double-click in order to merge it into the registry.

Then ignore it in the next scan till this is fixed.

Link to post
Share on other sites

Thank you very much, I appreciate the reply and info.

Just to clarify, does that mean that if I want to have the signature checked and do not want to run or install programs that do not have a valid signature that my settings are correct?

Thank you for your help

Link to post
Share on other sites

  • Staff

> Just to clarify, does that mean that if I want to have the signature checked and do not want to run or install programs that do not have a valid signature that my settings are correct?

Yes, I'm pretty sure it's set correctly in your case. As I said, in the above case, Mbam checks the presence of those keys + values, but there appears to be an error here with reading the values. This will be fixed in the next update.

Link to post
Share on other sites

miekiemoes,

I likewise thank you for your prompt response here.

Observation: I believe the liutilities page you linked to has part of its explanation backwards: their directions, under Description, assert:

"Now, right-click and modify string value checkexesignatures, in the right panel, to yes which can disable signature verification".

in fact, lower down, under Registry Entries, it (correctly) states:

Enabled Value: Yes

Disabled Value: No

Link to post
Share on other sites

Thank you so very much miekiemoes.

I really appreciate your help with this matter and the very timely manner in which you provided it.

I also appreciate you providing the file to change the registry back but since I had figured it was probably a glitch, I did not have Malwarebytes change this setting.

Thank you again, you put my mind at ease and I really appreciate that. :)

Link to post
Share on other sites

  • Staff

Yes, let me explain the confusion..

The default security setting for "CheckExeSignatures" should be yes, which means that it checks the signature verification of downloaded programs. Mbam is only supposed to flag it when it's set to "no".

The same goes for the "RunInvalidSignatures" value. The default (secure) value data should be dword:00000000

mbam is only supposed to flag it when it's set to dword:00000001

But as I said, it's a temporary problem in mbam and will be fixed asap. :)

Link to post
Share on other sites
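
Added example (not part of the thread and not Malwarebytes' code): the rule explained in the post above, run over two constructed .reg-style exports. The `value_aware=False` mode is an assumed, simplified model of the faulty behaviour (flagging because the values exist), and `parse_reg` and `scan` are hypothetical helper names.

```python
import re

# Key path and detection names are taken from the scan log quoted in this thread.
KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download"

# Constructed samples: the original poster's settings, then the weakened ones.
SECURE_EXPORT = f'''Windows Registry Editor Version 5.00

[{KEY}]
"CheckExeSignatures"="yes"
"RunInvalidSignatures"=dword:00000000
'''
WEAK_EXPORT = f'''Windows Registry Editor Version 5.00

[{KEY}]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
'''

def parse_reg(text):
    """Return {KEY_PATH_UPPER: {value_name_lower: data}} from .reg-style text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = re.match(r'"([^"]+)"=(.+)$', line)
        if m is None or current is None:
            continue
        name, data = m.group(1).lower(), m.group(2)  # value names are case-insensitive
        if data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            current[name] = data[1:-1]
    return keys

def scan(text, value_aware=True):
    """List detections; value_aware=False flags on mere presence (assumed faulty model)."""
    values = parse_reg(text).get(KEY.upper(), {})
    check, run = values.get("checkexesignatures"), values.get("runinvalidsignatures")
    hits = []
    if check is not None and (not value_aware or str(check).lower() == "no"):
        hits.append("Disabled.checkEXESignatures")
    if run is not None and (not value_aware or run == 1):
        hits.append("SecurityRisk.RunInvalidSignatures")
    return hits

if __name__ == "__main__":
    print(scan(SECURE_EXPORT, value_aware=False), scan(SECURE_EXPORT), scan(WEAK_EXPORT))
```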

ky331,

Thank you for pointing out the part of that article about the registry entries that are found further down on that page. Until I read your post, I had not noticed that that part showed different info than the description did and the description is what made me be really confused.

Now I am no longer confused about that so thanks to your clearing that up and miekiemoes clearing up the other stuff, I guess I can probably forget all this and go to bed. After all, it is 6 am here so I should probably get some sleep, lol.

Thank you both for clearing all this up for me so quickly :)

Link to post
Share on other sites

Forgive the "butt in" here. I'm new to this program (2 days) and I too encountered this situation this morning. I allowed the program to quarantine these two keys and would appreciate if you could clarify something for me.

It's my understanding that I can highlight these two keys and click restore to put them back into the registry. I'm assuming that this regfix zip is only if I'd gone ahead and actually deleted these keys?

Thanks in advance for any advice.....

> In case you fixed it, don't worry. To set it to default again, download this regfix:
>
> Unzip and double-click in order to merge it into the registry.
>
> Then ignore it in the next scan till this is fixed.

Link to post
Share on other sites

  • Staff
> Forgive the "butt in" here. I'm new to this program (2 days) and I too encountered this situation this morning. I allowed the program to quarantine these two keys and would appreciate if you could clarify something for me.
>
> It's my understanding that I can highlight these two keys and click restore to put them back into the registry. I'm assuming that this regfix zip is only if I'd gone ahead and actually deleted these keys?

As far as I know, it should be fixed by now - so update mbam :)

Above regfix is for the default Security Settings :)

Link to post
Share on other sites

Ah, thank you so much, miekiemoes, I've wondered very much about those 2 entries:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures (Disabled.checkEXESignatures) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures (SecurityRisk.RunInvalidSignatures) -> No action taken.

very much, too - I try to do everything so that my system stays clean and so on.^^ But for God's sake, the two entries are only F/Ps... phew.

I just wanted to start another thread, but thought it's better I search first, if someone else encountered the same problem, like it has been with other F/Ps I've had, too. What luck that my thoughts were right. :)

I've just downloaded 1986 - there should be the fix included, I guess.

Maybe it's because IE was updated by Microsoft yesterday?

Thx for your great work and greetings from East Germany!

Link to post
Share on other sites
