CodeStoreDB

From SpybotWiki
Revision as of 15:09, 16 February 2008 by CCRDude (talk | contribs) (New page: {{Outdated SBI|RegyKey}} If the download of the spyware was done using ActiveX, information may be saved in the Code Store Database. This command identifies those database entries by the u...)
This SBI command is outdated and will probably not be supported in Spybot-S&D 2.0. As yet, it is unclear whether an automated conversion path exists, and an automated conversion may also be less thorough than a manual upgrade. We recommend that you take a look at RegyKey for a possible alternative command.

If the spyware was downloaded using ActiveX, information about the download may be saved in the Code Store Database. This command identifies those database entries by the URL that was used for the download.

Usage

CodeStoreDB:[part of url],<advanced build parameters>

Examples

CodeStoreDB:"download.spyware.com"

This search would identify the following entry in the Code Store Database:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{44332211-00AA-BBCC-DDEE-FF5566778899}\DownloadInformation]
"CODEBASE"="http://download.spyware.com/archive.cab"

Description

Malware sites may use random GUIDs to name their ActiveX components, so the GUID keys themselves cannot be matched reliably. This command lets you identify such components by the URL they were downloaded from instead, by specifying a substring of that URL.

Using the RegyKey SBI command with the appropriate advanced registry parameters achieves the same result, and additionally lets you use Algo-Prefixes for finer control over how the URL is matched. The RegyKey approach is recommended to avoid ambiguous detections; the best-known example is that a plain substring match for gator.com also matches newsgator.com, a false positive that actually occurred some years ago.
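As an added illustration, not part of the original page or of Spybot's own code: the script below parses a constructed registry export of Code Store Database Distribution Units (the GUIDs and hosts are made up) and compares the plain substring match that CodeStoreDB performs against a host-anchored match. The host check is an assumption standing in for the finer control the page attributes to RegyKey with Algo-Prefixes, whose exact semantics are not described on this page; it shows how the gator.com / newsgator.com ambiguity arises and how a stricter match avoids it.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a fragment of a .reg export listing three distribution
# units. GUIDs and host names are invented for this example.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{44332211-00AA-BBCC-DDEE-FF5566778899}\DownloadInformation]
"CODEBASE"="http://download.spyware.com/archive.cab"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11111111-2222-3333-4444-555555555555}\DownloadInformation]
"CODEBASE"="http://static.gator.com/setup.cab"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{66666666-7777-8888-9999-000000000000}\DownloadInformation]
"CODEBASE"="http://www.newsgator.com/reader.cab"
'''

# Key header of a DownloadInformation subkey; group 1 is the unit's GUID.
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Code Store Database'
    r'\\Distribution Units\\(\{[0-9A-Fa-f-]+\})\\DownloadInformation\]$')
# The CODEBASE value line; group 1 is the download URL.
CODEBASE_RE = re.compile(r'^"CODEBASE"="([^"]*)"$')


def parse_download_info(reg_text):
    """Return {guid: codebase_url} for every DownloadInformation key found."""
    units, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CODEBASE_RE.match(line)
        if m and current:
            units[current] = m.group(1)
    return units


def match_substring(units, fragment):
    """Mimic CodeStoreDB:"fragment": any CODEBASE containing the text hits."""
    return sorted(g for g, url in units.items() if fragment in url)


def match_host(units, domain):
    """Stricter check (assumed): the URL host must be domain or a subdomain."""
    hits = []
    for g, url in units.items():
        host = (urlparse(url).hostname or '').lower()
        if host == domain or host.endswith('.' + domain):
            hits.append(g)
    return sorted(hits)
```

With the sample above, the substring match for gator.com returns both the gator.com and the newsgator.com units, while the host-anchored match returns only the gator.com one.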

See also

Similar commands