See previous post about the new version 1.6 of Spybot SD and its issues. I've updated my Bart plugin (tested with XP SP2 code base, Bart Builder 3.1.3) to address these, and offer it here, along with .REG for control in Windows.
To use the plugin, do this:
- Navigate into your Bart Builder plugin folder
- Create new folder called SpybotSD and enter it
- Copy this post's plugin files to this location
- Create a subfolder Files within this location and enter it
- Copy the installed Spybot 1.6 subtree contents into here
The plugin is written with these assumptions and dependencies:
- Standard Bart PE Builder with nu2menu as shell
- Cmdow utility in Bart included Bin folder (not essential)
- Paraglider's RunScanner plugin in plugin\RunScanner
Cmdow
Cmdow hides windows for processors, and I use it to hide the .CMD launcher; it's purely cosmetic, so if missing, the plugin will still work. Because Cmdow can be dropped on systems and used maliciously, many scanners will detect it as a "potentially unwanted program", and fair enough!
RunScanner
RunScanner allows registry-aware tools to run relative to an inactive set of hives, rather than those of the booted OS. Spybot has native awareness of this situation, so theoretically doesn't need RunScanner, but I find I get better detections if I use it anyway. If RunScanner isn't present, you'd have to revise the .INF and .XML for it else it won't work.
SpybotSD.inf
This determines how Spybot 1.6 is integrated into the Bart CDR at build time.
; spybotsd.inf
; PE Builder v3 plug-in INF file for Spybot - Search & Destroy by Safer Networking Ltd.
; Created by Patrick M. Kolla, Jochen Tösmann and modified by cquirke for Spybot 1.6[Version]
Signature= "$Windows NT$"[PEBuilder]
Name="Spybot - Search & Destroy"
Enable=1
Help="spybotsd.htm"[WinntDirectories]
a="Programs\SpybotSD",2
b="Programs\SpybotSD\Dummies",2
c="Programs\SpybotSD\Excludes",2
d="Programs\SpybotSD\Help",2
e="Programs\SpybotSD\Includes",2
f="Programs\SpybotSD\Languages",2
g="Programs\SpybotSD\Plugins",2h="Programs\SpybotSD\HelpHTML",2
i="Programs\SpybotSD\HelpHTML\css",2
j="Programs\SpybotSD\HelpHTML\html",2
k="Programs\SpybotSD\HelpHTML\images",2[SourceDisksFiles]
*.cmd=a,,1files\blindman.exe=a,,1
files\SDMain.exe=a,,1
files\SDUpdate.exe=a,,1
files\SDWinSec.exe=a,,1
files\SpybotSD.exe=a,,1
files\TeaTimer.exe=a,,4
files\Update.exe=a,,4
files\advcheck.dll=a,,1
files\aports.dll=a,,1
files\DelZip179.dll=a,,1
files\SDHelper.dll=a,,4
files\Tools.dll=a,,4
files\messages.zres=a,,1
files\Tools.dll=a,,1
files\sqlite3.dll=a,,4files\Dummies\*.*=b,,1
files\Excludes\*.*=c,,4
files\Help\*.*=d,,4
files\Includes\*.*=e,,1
files\Languages\*.*=f,,4
files\Plugins\*.*=g,,1files\HelpHTML\*.*=g,,4
files\HelpHTML\css\*.*=h,,4
files\HelpHTML\html\*.*=i,,4
files\HelpHTML\images\*.*=j,,4[Software.AddReg]
0x4, "Safer Networking Limited\Tweaks", "DisableTempFolderCleaning", 0x1
0x1, "Paraglider\RunScanner\SpybotSD.exe", "HKLM", "Software\Safer Networking Limited\Tweaks"[Append]
nu2menu.xml, spybotsd_nu2menu.xml
Ensure that when you copy and paste these files, that they are free of HTML tags and formatting junk, and that long lines (e.g. the two lines in the last section) are not broken. The above differs from Safer Networking's plugin for 1.5, in that:
- It includes new code file sqlite3.dll
- It suppresses automatic temp file clearance
- It persists the above setting through RunScanner
The last is useful, so you don't have to use non-zero /t parameters in an attempt to delay registry redirection until Spybot has checked for the "disable temp clearance" setting.
SpybotSD_nu2menu.xml
This integrates Spybot 1.6 into the Bart menu system, and is referenced from the .INF during build time.
<!-- Nu2Menu entry for SpybotSD -->
<NU2MENU>
<MENU ID="Programs">
<MITEM TYPE="ITEM" DISABLED="@Not(@FileExists(@GetProgramDir()\..\SpybotSD\SpybotSD.exe))" CMD="RUN" FUNC="@GetProgramDir()\..\SpybotSD\SpybotSD.exe">Spybot 1.5.2</MITEM>
</MENU>
</NU2MENU>
You may change this to strip references to RunScanner, relocate it to a different menu flyout etc. or if you're fed up with disordered menus, you may simply leave out this file (; comment it out in the .INF) and add your reference directly to plugin\nu2menu\nu2menu.xml - once again, watch out for long lines; there is in fact only one line between the MENU ID and /MENU tags.
SpybotSD.cmd
This launches Spybot 1.6 from the nu2menu entry at runtime.
@Echo Off
SetLocal
Set Debug=
Set Prog=SpybotSD.exe
Set Launch=%~dp0..\RunScanner\RunScanner.exe
Set Opt=/t 0If Not Defined Debug (
Cmdow @ /HID
%~dp0..\..\Bin\Cmdow @ /HID
) Else (
Title Debug
Echo.
Echo ProgDir %~dp0
Echo Prog %Prog%
Echo Launch %Launch%
Echo Opt %Opt%
Echo.
Pause
Title %~dp0%Prog%
)If Exist "%~dp0Files\%Prog%" Set ProgDir=%~dp0Files\
If Exist "%~dp0%Prog%" Set ProgDir=%~dp0
If Defined ProgDir (
If "%SystemDrive%"=="%~d0" (
Start %Launch% %Opt% %ProgDir%%Prog%
) Else (
Start %ProgDir%%Prog%
)
) Else (
Title Error - target executable not found!
Echo "%Prog%" not found in %~dp0 or %~dp0Files\ - abort!
Pause
EndLocal
Exit /b 1
)If Defined Debug (
Echo.
Echo Done!
Echo.
Pause
)EndLocal
Exit /b 0
You can edit this to strip out the "debug" part (define the Debug variable to enable it), as well as references to Cmdow and RunScanner. By changing the variables, you can use this for other "easy" tool plugins (e.g. HiJackThis).
The logic goes as follows; if boot drive is same as where we are, then we're Bart-booted and need to apply RunScanner redirection, else we're not, and can run the tool directly. This logic will also not use RunScanner if run from a WinPE 2.0 boot disk, which is OK with me as I don't know how safe RunScanner is for Vista hives.
An extra bit of logic is applied to deriving the path to the tool, so that the .CMD will work when run from the pre-build subtree. This is also why the .XML uses relative "GetProgramDir()\..\" paths, rather than the more commonly used "GetProgramDrive()\Programs\" paths that break in the pre-build or pre-iso environments.
Windows .REG
You can also control some of Spybot's potentially unwanted behaviours via .REG in Windows, similar to the Software.AddReg section in the .INF above:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Safer Networking Limited\Tweaks]
"DisableTempFolderCleaning"=dword:00000001[HKEY_LOCAL_MACHINE\SOFTWARE\Paraglider\RunScanner\SpybotSD.exe]
"HKLM"="Software\\Safer Networking Limited\\Tweaks"
The second part of the above will pre-load appropriate settings for a Bart session using RunScanner, in case the RunScanner's parameters cause it to read its settings from the hard drive's hives.
Some settings can be changed interactively, e.g. disabling the intrusive Tea Timer feature, while others have to be excluded at the time of installation. One of the latter, is the right-click context menu action to scan using Spybot, which annoyed these folks who offer this fix:
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\*\Shell\sdfiles]
[-HKEY_CLASSES_ROOT\Folder\shell\sdfiles]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\Shell\sdfiles]
The * association is applied to all things, hence all things can be right-clicked and scanned. There's an Undo .REG in the same post in that thread.
