Malware CLSIDs (toolbars, hijackers, dialers, etc.) are an Internet
Explorer issue - unless you are using Mozilla's Active-X plugin.

These filters compare encountered IDs with a blocklist and block the
code on match.

The list is already quite big, and new malware CLSIDs will keep coming.
So there are two changes because of that:

Updating the list is "half-automated". :)
There is a filter included for Tony Klein's BHO Collection:

http://www.sysinfo.org/bholist.txt

It removes the duplicate CLSIDs and compares the "X" (certified malware)
and "O" (open to debate) entries with the blocklist. Missed items
are printed in the proper list format, so you just need to
navigate to the above link and copy/paste. Hits/matches/missed stats are
printed at the bottom, too.

The list is rarely scanned now, since the filters fail beforehand for the
Flash CLSID. This hardly has any influence on the filter speed (yet),
but it gives you the option to save some memory and Proxomitron
startup time by adding "NoHash" somewhere in the top comment.


The list is current as of today and contains 873 entries (56 KB).

The zip contains two merge files, a MergeMe.cfg for all other configs
and a MergeMe_s.cfg for those who are using my set (a few things
aren't needed or are different). Mona's Count v2 list is included as
well and is needed if you want to see the stats.


Installation:

Copy "Count.txt" and "ClassIDs.txt" to the "lists" subdirectory.
Merge the appropriate merge file with your config.


All other configs:
Copy the dummy-script "empty" to the "html" subdirectory.

My set:
In the web filter window, under "Anti-Exploit", look for:
JS Kill: Specific ClassIDs     3.12.08 [s] (d.1)
<script>... Block: Specific ClassIDs     3.12.08 [s] (d.1)
Move the new versions to the same position, then remove the old ones.
Move "Compare ClassIDs List & Malware BHO List" to the
"Site-Specific" section.


sidki
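
The BHO-list comparison described above (drop duplicates, check the "X" and "O" entries against the blocklist, print what is missing plus stats), as an added Python example that is not part of the original post or the Proxomitron filter itself. The line layouts, the "#" comment marker, the "L" status and all sample CLSIDs are assumptions constructed for illustration.

```python
import re

# Assumption: a CLSID is a GUID, with or without braces, anywhere on the line.
CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
# Assumption: each BHO-list entry starts with a one-letter status, optionally quoted.
STATUS_RE = re.compile(r"^\W*([A-Za-z])\W")

# Constructed sample data, not taken from the real lists.
SAMPLE_BLOCKLIST = """\
# constructed blocklist; '#' as comment marker is an assumption
11111111-AAAA-4BBB-8CCC-000000000001
{22222222-aaaa-4bbb-8ccc-000000000002}
"""
SAMPLE_BHO = """\
X {11111111-AAAA-4BBB-8CCC-000000000001} ExampleBar bar.dll
X {11111111-aaaa-4bbb-8ccc-000000000001} ExampleBar bar2.dll
O {22222222-AAAA-4BBB-8CCC-000000000002} DebatableHelper helper.dll
L {33333333-AAAA-4BBB-8CCC-000000000003} OtherStatus tool.dll
X {44444444-AAAA-4BBB-8CCC-000000000004} ExampleDialer dial.dll
"""

def load_blocklist(text):
    """Collect the CLSIDs of a blocklist, upper-cased so matching ignores case."""
    ids = set()
    for line in text.splitlines():
        m = CLSID_RE.search(line.split("#", 1)[0])
        if m:
            ids.add(m.group(0).upper())
    return ids

def compare(bho_text, blocklist, wanted=("X", "O")):
    """Return (missed CLSIDs in first-seen order, stats) for the wanted statuses."""
    seen, missed = set(), []
    stats = {"entries": 0, "dupes": 0, "hits": 0, "missed": 0}
    for line in bho_text.splitlines():
        status, clsid = STATUS_RE.match(line), CLSID_RE.search(line)
        if not status or not clsid or status.group(1).upper() not in wanted:
            continue
        stats["entries"] += 1
        cid = clsid.group(0).upper()
        if cid in seen:
            stats["dupes"] += 1
            continue
        seen.add(cid)
        if cid in blocklist:
            stats["hits"] += 1
        else:
            stats["missed"] += 1
            missed.append(cid)
    return missed, stats

if __name__ == "__main__":
    missed, stats = compare(SAMPLE_BHO, load_blocklist(SAMPLE_BLOCKLIST))
    print("\n".join(missed))
    print(stats)
```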
