CodeStoreDB
| This SBI command is outdated and will probably not be supported in Spybot-S&D 2.0. As of yet, it is unclear whether an automated conversion path exists. Automated conversion paths may also be less sufficient than a manual upgrade. We recommend that you take a look at RegyKey for a possible alternative command. |
If the download of the spyware was done using ActiveX, information may be saved in the Code Store Database. This command identifies those database entries by the used URL.
Usage
CodeStoreDB:[part of url],<advanced build parameters>
Examples
CodeStoreDB:"download.spyware.com"
This search would identify the following entry in the Code Store Database:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{44332211-00AA-BBCC-DDEE-FF5566778899}\DownloadInformation]
"CODEBASE"="http://download.spyware.com/archive.cab"
Description
If malware sites use random GUIDs to describe ActiveX components, this command would help you identify them using the URL they were downloaded from by specifying a substring of the URL.
Using the RegyKey SBI Command along with the proper advanced registry parameters would do the same, but also allow you to use Algo-Prefixes to have more control on how to identify the URL. This way is recommended to avoid ambiguous detections (most popular example would be that gator.com would also identify newsgator.com, a false positive that happened some years ago).
