Blocking spyware via the ActiveX kill bit

Changing IE to help you block spyware can limit your Internet browsing. Using the registry can be as effective and more transparent.

Administrators trying to come up with a proactive way to block spyware from infesting workstations often have to make difficult choices. Restricting the functionality of IE to prevent spyware from taking root can be cumbersome. Third-party programs require installation and maintenance to be useful. Switching to another browser doesn't always resolve the problem, either, as there are now breeds of spyware that operate through Netscape/Mozilla...

as well.

Most spyware installs through an ActiveX plug-in when a browser window is opened. Disabling ActiveX controls entirely can cripple IE to the point where many legitimate sites don't work at all, and using the Trusted and Restricted Sites feature in IE isn't always helpful either. One way to stop spyware from installing itself is to attack it in the Registry, by preemptively blocking specific ActiveX controls from being installed.

The way this is done is via a little-known function of ActiveX controls called the "kill bit," as described in Microsoft Knowledge Base article 240797. The "kill bit" is a flag in the Class Identifier, or CLSID, for the ActiveX control. The CLSID for any given ActiveX component is found in the Registry, under HKEY_CLASSES_ROOTCLSID, but Internet Explorer maintains a separate list of compatible ActiveX controls in HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility.

To disable a particular control, add the CLSID for that control as a new subkey under ActiveX Compatibility, and under that subkey add a DWORD value named Compatibility Flags. Set this value to 400 hex, or 1024 decimal. For instance, if you wanted to create a .REG file that blocked the CLSID {00000000-5eb9-11d5-9d45-009027c14662}, it would look like this:

REGEDIT4

[HKEY_LOCAL_MACHINESoftwareMicrosoftInternet ExplorerActiveX Compatibility{00000000-5eb9-11d5-9d45-009027c14662}]
"Compatibility Flags"=dword:00000400

Because CLSIDs are meant to be globally unique, once a control is blocked in this fashion it is blocked permanently (unless it is withdrawn and reissued with a new CLSID).

The site Spywareguide.com has a regularly-updated .REG file that contains over 300 ActiveX controls known to be spyware. The .REG file does not interfere with any other functions of IE or the system and can interoperate with other spyware-blocking products. An administrator can roll out this .REG file in an automated fashion via SMS, or even add it to freshly-imaged systems as part of a post-installation configuration.


Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!


This was first published in June 2004

Dig deeper on Network intrusion detection and prevention and malware removal

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close