Windows Defender Beta 2 and Browser Helper Object (BHO)

Paul Baker

Windows Antispyware Beta enumerated configured Browser Helper Objects (BHO)
as part of the Software Explorer feature.

Windows Defender Beta 2 has a System Explorer feature which seems to be
similar, but it does not enumerate BHOs. Why did Microsoft apparently remove
the ability to enumerate BHOs? A BHO is an important potential point of
entry for malware.

Paul
 
Guest

Hello Paul,
If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHO's that you don't recognize.

I hope this post is helpful.
Let us know how it works out.
Еиçеl
 
Paul Baker

Engel,

Thanks. Yes, I know how to manage BHO's on my own. My point is, why did they
remove an essential feature?

Paul
 
Bill Sanderson

Because BHO management is already offered in the browser, and is, presumably
stronger than ever in IE7. Why should Microsoft produce multiple tools at
the same time for this purpose? The tracks eraser, similarly, is in IE7.

--
 
Paul Baker

Yes, that explanation makes sense.

However, even given this, I feel it would be a good idea to keep it in
Windows Defender. This is an extremely common way that people are attacked.
Users concerned enough with security to look in System Explorer but unaware
of the BHO management feature in Internet Explorer will miss the boat and
potentially continue to be exposed to malware they are unaware of.

Competitors' tools like HijackThis are all-encompassing so that there is a
one-stop place to view all the common places that code has been injected
onto your system.

I would argue that one feature of a good security system is fail-safes and
that can mean more than one way of doing things or protecting against the
same type of thing.

To me, removing this feature makes Windows just a little less secure, and I
don't think that's what Microsoft really wants.

Paul
 
Bill Sanderson MVP

I can't disagree with your arguments.

I've often wondered how the budget for a project like this is set--one which
directly produces no revenue, and has some substantial costs associated with
it--and becomes a supported part of Windows--with direct support costs for
Microsoft and every OEM which supports Windows.

I think it is likely that battles were fought over every feature change.
--
 
Paul Baker [MVP, Windows - Networking]

I asked this same question in a Windows Defender MVP chat and someone from
Microsoft (I forget who) explained that it was discussed at length with the
Internet Explorer team and it was felt that they could manage BHOs better.
That makes sense.

Perhaps a basic listing of BHOs with a link to the more advanced Internet
Explorer configuration would be in order though. Microsoft acknowledged
this.

Paul
 
Guest

I think another important fact we often forget when these Software Explorer
questions come up is that Defender itself still provides protection from such
attacks, both by scanning for malicious BHO and other downloads and within
Real-time protection to provide notification.

From Windows Defender Help file:
Internet Explorer Add-ons - Monitors programs that automatically run when
you start Internet Explorer. Spyware and other potentially unwanted software
can masquerade as web browser add-ons and run without your knowledge.

Internet Explorer Configurations (settings) - Monitors browser security
settings, which are your first line of defense against harmful content on the
Internet. Spyware and other potentially unwanted software can try to change
these settings without your knowledge.

Internet Explorer Downloads - Monitors files and programs that are designed
to work with Internet Explorer, such as ActiveX controls and software
installation programs. These files can be downloaded, installed, or run by
the browser itself. Spyware and other potentially unwanted software can be
included with these files and installed without your knowledge.

The difference is simply the 'management' of IE add-ins, which as you've
already agreed makes more sense in IE itself, especially since it is somewhat
version sensitive (IE 6 vs. IE 7) which could lead to problems as the browser
evolves.

Bitman
 
Paul Baker [MVP, Windows - Networking]

Yes, that is a good point. However, the same can be said about listing
running processes, yet those are listed. I feel that allowing the user to
take an active role by taking an overview of attack surfaces only adds
security.

Paul

Bitman said:
I think another important fact we often forget when these Software Explorer
questions come up is that Defender itself still provides protection from such
attacks, both by scanning for malicious BHO and other downloads and within
Real-time protection to provide notification.
[snip]
 
Guest

I understand and agree to some extent, however, these startup items are not
'browser specific' and don't have the potential to anger those who prefer
other browsers. Supporting tools for the IE add-ons directly implies a
requirement to provide this for all browsers, which isn't a good precedent to
set.

The fundamental problem is that 'Tools' are a never ending bucket and the
primary focus of Defender development must be the core protection it provides
on all platforms currently supported. I'm sure if the improvements provided
in IE 7 don't perform as expected, the Anti-Malware Team will be asked to
revisit the question.

Bitman

Paul Baker said:
Yes, that is a good point. However, the same can be said about listing
running processes, yet those are listed. I feel that allowing the user to
take an active role by taking an overview of attack surfaces only adds
security.

Paul

Bitman said:
I think another important fact we often forget when these Software Explorer
questions come up is that Defender itself still provides protection from such
attacks, both by scanning for malicious BHO and other downloads and within
Real-time protection to provide notification.
[snip]
 
Paul Baker [MVP, Windows - Networking]

Bitman,

I do see your point, and would agree with it except that I believe it is
founded partially on inaccurate information.

Browser Helper Objects (BHOs) are loaded by Windows Explorer too, if the
shell32.dll version is 4.71 or higher, regardless of browser choice. This is
because Windows Explorer is integrated with Internet Explorer. Therefore,
they are core to all Windows users.

Paul

Bitman said:
I understand and agree to some extent, however, these startup items are not
'browser specific' and don't have the potential to anger those who prefer
other browsers. Supporting tools for the IE add-ons directly implies a
requirement to provide this for all browsers, which isn't a good precedent to
set.

The fundamental problem is that 'Tools' are a never ending bucket and the
primary focus of Defender development must be the core protection it provides
on all platforms currently supported. I'm sure if the improvements provided
in IE 7 don't perform as expected, the Anti-Malware Team will be asked to
revisit the question.

Bitman

Paul Baker said:
Yes, that is a good point. However, the same can be said about listing
running processes, yet those are listed. I feel that allowing the user to
take an active role by taking an overview of attack surfaces only adds
security.

Paul

Bitman said:
I think another important fact we often forget when these Software Explorer
questions come up is that Defender itself still provides protection from such
attacks, both by scanning for malicious BHO and other downloads and within
Real-time protection to provide notification.
[snip]
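
An added example, not written by any poster in this thread and not Microsoft's code: a read-only PowerShell listing of the BHOs registered on a machine, roughly the overview the thread asks Windows Defender to keep. It assumes the standard machine-wide BHO registration key and a 64-bit PowerShell session; the function name `Get-BrowserHelperObject` and the `NeedsReview` column are hypothetical names chosen for this example.

```powershell
# Added example: enumerate registered BHOs and the DLL each one loads.
# Read-only; run from 64-bit PowerShell so both registry views are visible.
function Get-BrowserHelperObject {
    # Native and 32-bit-on-64-bit views: BHO list key -> matching CLSID hive.
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
    )
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid = $entry.PSChildName          # subkey name is the COM class ID
            $name = $null; $dll = $null; $sig = 'NotChecked'

            # Default value of the CLSID key is the friendly class name.
            $classKey = Get-Item -LiteralPath "$($view.Clsid)\$clsid" -ErrorAction SilentlyContinue
            if ($classKey) { $name = $classKey.GetValue('') }

            # Default value of InprocServer32 is the DLL loaded into the host process.
            $serverKey = Get-Item -LiteralPath "$($view.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($serverKey) { $dll = $serverKey.GetValue('') }

            $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
            if ($onDisk) { $sig = (Get-AuthenticodeSignature -LiteralPath $dll).Status }

            [pscustomobject]@{
                CLSID = $clsid; Name = $name; Dll = $dll; DllOnDisk = $onDisk; Signature = $sig
                # Review anything unresolved, missing on disk, or not validly signed.
                NeedsReview = (-not $onDisk) -or ("$sig" -ne 'Valid')
            }
        }
    }
}

Get-BrowserHelperObject | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Per-user COM registrations under HKCU are not consulted here, so a CLSID that resolves only there shows up with an empty `Dll` and is flagged for review.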
 
