Difference between revisions of "CodeStoreDB"

From SpybotWiki
Edit summary of the previous revision: (New page: {{Outdated SBI|RegyKey}} If the download of the spyware was done using ActiveX, information may be saved in the Code Store Database. This command identifies those database entries by the u...)

Changes in this revision compared with the previous one (unchanged context that the diff view repeated in both columns is omitted):

Line 3, ==Usage==: the syntax line was changed.
  Old: CodeStoreDB:[part of url],<advanced build parameters>
  New: CodeStoreDB:<part of url>[,advanced build parameters]

Line 14, ===Description===: added after the first paragraph:
* The first and only parameter specifies a substring of the URL. After 1.5.2, [[AlgoPrefix|Algo-Prefixes will be supported here as well]]. {{AlgoPrefix}}

Added after the [[RegyKey]] paragraph:
Take special care when the installer includes newer version of system files, as some badly written DPFs do, since these files would get flagged as well.

New section added before ==See also==:
===Scan Results===
* DPF registry entries that were identified.
* The associated files mentioned in the registry key (under the ''\Contains\Files\'' subkey).

==See also==: added
* [[AlgoPrefix]]

Line 25/34, categories: added
[[Category:SBI Commands supporting AlgoPrefix]]
Revision as of 10:23, 18 February 2008

This SBI command is outdated and will probably not be supported in Spybot-S&D 2.0. As yet it is unclear whether an automated conversion path exists, and an automated conversion may also be less complete than a manual upgrade. We recommend that you take a look at RegyKey for a possible alternative command.

If the spyware was downloaded via ActiveX, information about it may be saved in the Code Store Database. This command identifies those database entries by the URL that was used for the download.

Usage

CodeStoreDB:<part of url>[,advanced build parameters]

Examples

CodeStoreDB:"download.spyware.com"

This search would identify the following entry in the Code Store Database:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{44332211-00AA-BBCC-DDEE-FF5566778899}\DownloadInformation]
"CODEBASE"="http://download.spyware.com/archive.cab"

Description

If malware sites use random GUIDs to describe their ActiveX components, this command helps you identify those components by the URL they were downloaded from: you specify a substring of that URL.

Using the RegyKey SBI Command along with the proper advanced registry parameters would do the same, but also allows you to use Algo-Prefixes for more control over how the URL is identified. That way is recommended to avoid ambiguous detections (the best-known example is that gator.com would also match newsgator.com, a false positive that happened some years ago).

Take special care when the installer includes newer versions of system files, as some badly written DPFs do, since these files would get flagged as well.

Scan Results

  • DPF registry entries that were identified.
  • The associated files mentioned in the registry key (under the \Contains\Files\ subkey).
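Added example, not code from SpybotWiki or Spybot-S&D: a Python model of how a CodeStoreDB:<part of url> substring match walks the Distribution Units, collects the files from each Contains\Files subkey, and why "gator.com" also hits newsgator.com; beside it a host-anchored match standing in for the finer control the text says RegyKey with Algo-Prefixes gives. The registry contents, GUIDs, hostnames and file paths are constructed, and the host-anchored check is an assumption, not Spybot's implementation.

```python
# Added example, not Spybot-S&D or SpybotWiki code. The "registry" below is a
# constructed in-memory model of ...\Code Store Database\Distribution Units:
# each GUID carries its DownloadInformation\CODEBASE value and the files listed
# under its Contains\Files subkey. GUIDs, hosts and paths are made up.
from urllib.parse import urlsplit

CODE_STORE_DB = {
    "{44332211-00AA-BBCC-DDEE-FF5566778899}": {
        "CODEBASE": "http://download.spyware.com/archive.cab",
        "Files": [r"C:\Windows\Downloaded Program Files\archive.inf",
                  r"C:\Windows\System32\msvcrt.dll"],  # system file a bad DPF shipped
    },
    "{0A1B2C3D-1111-2222-3333-444455556666}": {
        "CODEBASE": "http://cdn.newsgator.com/reader.cab",
        "Files": [r"C:\Windows\Downloaded Program Files\reader.ocx"],
    },
    "{9F8E7D6C-AAAA-BBBB-CCCC-DDDDEEEEFFFF}": {
        "CODEBASE": "http://ads.gator.com/gain.cab",
        "Files": [r"C:\Windows\Downloaded Program Files\gain.ocx"],
    },
}


def codestoredb_substring(part_of_url, db=CODE_STORE_DB):
    """CodeStoreDB:<part of url> as the page describes it: report every
    Distribution Unit whose CODEBASE contains the substring, together with
    the files under Contains\\Files (which the scan flags as well)."""
    needle = part_of_url.lower()
    return {guid: list(unit["Files"])
            for guid, unit in db.items()
            if needle in unit["CODEBASE"].lower()}


def codestoredb_host_anchored(domain, db=CODE_STORE_DB):
    """Assumed stand-in for the finer control RegyKey plus Algo-Prefixes give:
    match the CODEBASE host exactly or as a subdomain, so that "gator.com"
    no longer matches "newsgator.com". Not Spybot's implementation."""
    domain = domain.lower()
    hits = {}
    for guid, unit in db.items():
        host = (urlsplit(unit["CODEBASE"]).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            hits[guid] = list(unit["Files"])
    return hits
```

With this data, codestoredb_substring("gator.com") returns two units (the ambiguous case from the text), while codestoredb_host_anchored("gator.com") returns only the ads.gator.com unit.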

See also

  • Advanced build parameters
  • Advanced registry parameters
  • AlgoPrefix

Similar commands