Prevent malware from being installed - Part 2 [Example of "Kill-Bit"]


[Continued from Part 1......]

Having set the "Kill-Bit" already, let's test its effectiveness. How does it protect against spyware ActiveX controls?

I have created the following subkey under the "ActiveX Compatibility" key and set the "Kill-Bit" on it: {319A68DB-06D0-46DA-9F93-A810D5A70836}

--
{319A68DB-06D0-46DA-9F93-A810D5A70836} is ZipclixToolbar http://www.pestpatrol.com/pestinfo%5Cz%5Czipclixtoolbar.asp
--
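The registry change described above, as an added PowerShell example that is not part of the original post. It assumes the documented layout of the "ActiveX Compatibility" key (a per-CLSID subkey holding a DWORD named "Compatibility Flags", in which bit 0x400 is the kill-bit) and uses the ZipclixToolbar CLSID from the post; the function names Set-KillBit and Test-KillBit are mine.

```powershell
# Added example (not from the original post): set and verify the Internet Explorer
# kill-bit for one CLSID. Assumed key layout:
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   DWORD "Compatibility Flags", bit 0x400 = kill-bit
$KillBitFlag = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the flag in so that any other compatibility bits already set are preserved
    $new = $current -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

# Usage (elevated prompt): CLSID of ZipclixToolbar, taken from the post
$clsid = '{319A68DB-06D0-46DA-9F93-A810D5A70836}'
Set-KillBit -Clsid $clsid
"Kill-bit set for {0}: {1}" -f $clsid, (Test-KillBit -Clsid $clsid)
```

Test-KillBit is the check worth keeping around: it reports whether the bit is actually present rather than whether the subkey merely exists. On 64-bit Windows the 32-bit browser reads the same key under HKLM\SOFTWARE\Wow6432Node, so a complete deployment sets both locations.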

Picture 1: shows the "Kill-Bit" setting in the Windows Registry
Picture 2: shows that the ActiveX component failed, resulting in a log file called "?CodeDownloadErrorLog!Name={319A68DB-06D0-46DA-9F93-A810D5A70836}"




After a few minutes of browsing, you might notice the failed ActiveX control [same CLSID]. [This assumes that you have visited some rogue site which spreads the malware.]

Internet Explorer silently generates the ?CodeDownload log when an ActiveX component download fails. You can view this log by opening an instance of Internet Explorer and dragging the HTML file [seen in the picture] into the browser window. The ActiveX component failure log is then displayed.

By default, Internet Explorer does not generate a code download log for successful ActiveX installations. You need to tweak the registry to generate success logs as well; see "Force Creation of an Internet Code Download Log", the Microsoft Knowledge Base article listed at the end of this post. A failure log looks like this:

*** Code Download Log entry (14 Jan 2004 @ 14:48:28) ***
Code Download Error: (hr = 8007007e) The specified module could not be found.

Operation failed. Detailed Information:
CodeBase: view-source:about:blank
CLSID: {319A68DB-06D0-46DA-9F93-A810D5A70836}
Extension: 
Type: 

LOG: Reporting Code Download Completion: (hr:8007007e (FAILED), CLASSID: 319a68db..., szCODE:(view-source:about:blank), 
MainType:(null), MainExt:(null))
--- Detailed Error Log Follows ---
LOG: Download OnStopBinding called (hrStatus = 0 / hrResponseHdr = 0).
LOG: URL Download Complete: hrStatus:0, hrOSB:8007007e, hrResponseHdr:0, URL:(view-source:about:blank)
LOG: Reporting Code Download Completion: (hr:8007007e (FAILED), CLASSID: 319a68db..., szCODE:(view-source:about:blank), 
MainType:(null), MainExt:(null))


If your aim is just to block malware, you don't need to read these logs. They are helpful for Internet Explorer programmers and for those who wish to deploy ActiveX controls. For the latter, these links should be helpful.
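For a defender the logs are still useful as evidence of which blocked controls a site tried to load. The following is an added PowerShell example, not from the original post, that pulls the timestamp, CLSID and HRESULT out of a code download log and reports whether that CLSID is kill-bitted. The sample log text is constructed from the format shown above; the function name Get-CodeDownloadFailure and the assumption that a saved log may carry HTML tags around the same lines are mine.

```powershell
# Added example (not from the original post): parse an IE code download failure
# log and check the failed CLSID against the kill-bit registry key.
# Sample log is constructed from the format shown in the post.
$SampleLog = @'
*** Code Download Log entry (14 Jan 2004 @ 14:48:28) ***
Code Download Error: (hr = 8007007e) The specified module could not be found.

Operation failed. Detailed Information:
CodeBase: view-source:about:blank
CLSID: {319A68DB-06D0-46DA-9F93-A810D5A70836}
Extension: 
Type: 
'@

function Get-CodeDownloadFailure {
    param([Parameter(Mandatory)][string]$LogText)
    # IE saves the log as HTML; strip tags so the patterns match either form (assumption)
    $plain = $LogText -replace '<[^>]+>', ''
    $when  = [regex]::Match($plain, '\*\*\* Code Download Log entry \((.+?)\) \*\*\*')
    $hr    = [regex]::Match($plain, 'Code Download Error: \(hr = ([0-9A-Fa-f]{8})\)')
    $clsid = [regex]::Match($plain, 'CLSID: (\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})')
    if (-not $clsid.Success) { return $null }   # not a failure log we understand

    $id = $clsid.Groups[1].Value.ToUpper()
    # Kill-bit = bit 0x400 of "Compatibility Flags" under the ActiveX Compatibility key
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$id"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killBitted = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)

    [pscustomobject]@{
        Time       = if ($when.Success) { $when.Groups[1].Value } else { $null }
        Clsid      = $id
        HResult    = if ($hr.Success) { $hr.Groups[1].Value.ToLower() } else { $null }
        KillBitted = $killBitted
    }
}

# Usage: parse the constructed sample; for real logs pass (Get-Content $file -Raw)
Get-CodeDownloadFailure -LogText $SampleLog | Format-List
```

Run over every "?CodeDownloadErrorLog!Name=*" file in the browser cache, the output is a short list of blocked CLSIDs with the time of each attempt, which is the detection record that Picture 2 shows for a single control. A failed entry whose KillBitted value is False points at a genuinely broken control rather than a blocked one.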

HOWTO: Find More Information About Why Code Download Failed:
http://support.microsoft.com/?kbid=252937

HOWTO: Force Creation of an Internet Code Download Log:
http://support.microsoft.com/?kbid=271451

HOWTO: Troubleshoot Java Applet and Component Download Problems:
http://support.microsoft.com/?kbid=241111

Support WebCast: How does Internet Component Download work:
http://support.microsoft.com/?kbid=325307

INFO: Internet Component Download Online Troubleshooter Is Available:
http://support.microsoft.com/?kbid=271594

Microsoft Support WebCast - How Does Internet Component Download Work?
http://support.microsoft.com/default.aspx?scid=%2fservicedesks%2fwebcasts%2fen%2fwc042500%2fwct042500.asp