False positive: Trend Antispyware Online Scan
Edit: 9 April '06, 11.03am (+0800) - the false positive has been fixed, and the updated definitions pushed out to Trend Micro Anti-Spyware, SpySubtract, and Trend Micro's online spyware scanner.
Here we go again :o(
Charles has queried another false positive affecting Trend's online scanner.
I've been able to reproduce the false positive on my test system:
The key in question, being:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\
is where Internet Explorer stores cookie restrictions. By clicking on Tools, then Internet Options, then Privacy, then the Sites button you can control whether Internet Explorer will 'always allow' or always block' cookies from particular sites
(0x00000005 = Always Block; 0x00000001 = Always Allow).
Spywareblaster has an option to block "ad/tracking cookies". This protection is achieved by adding "always block" entries to the registry key mentioned above. Trend Micro's online spyware scan is detecting some of these registry entries, and falsely flagging them as "AdClicker" adware.
In reality, Spywareblaster adds whole slew of entries to the P3P\History\ key; thankfully TrendMicro's online antispyware scan only detects 6 of them.
Trend will be alerted to the false positive as soon as I've finished this entry, and I'm sure it will be fixed very soon. In the meantime, you can safely ignore the alert and allow the keys to remain.
Ideally, the scanner should check the registry key in question, but only flag known adware sites entries IF the sites are set to "always allow".
Side note: Spywareblaster would not install for me until I logged in to my XP machine as Administrator. Not a good move. The PC in question is part of a network; my standard user account is a standard SBS 'domain user' account. It is a concern that Spywareblaster would only install under my separate administrator account.