CounterSpy and Defense+

Windows XP Prof
Comodo 3.0.14.276

Each time CounterSpy is loaded Defense+ detects a file. The file is sbapifs.sys.
Pending files says that this file is in C:\windows\system32\drivers but it does not show. I’ve already enabled hidden files and folders and it’s not there. This file is loaded by SBCSSvc.exe. I have SBCSSvc.exe as a trusted application.

Now, I wanted to submit this file but I can’t because I don’t have it.

I suspect that Defense+ is interfering with CounterSpy.

What should I do? How can CounterSpy load this file?

I have the same problem with a-squared.

Please help (:SAD)

Hi geko - your .sys file may be created on demand and deleted after use. I saw a bunch of files that were temp files that I could never actually get a look at whenever my system ran - and they were randomly named and were .dll’s and .exe’s. Turns out that my video card uses the .net framework files which pulls tricks like that. One problem that you will be having with the setup you describe is that even trusted files do not have rights to launch other programs unless you try it in Training Mode. You will always get an Ask pop-up until you either try setting Defense+ to Training Mode for a bit or edit the Access Rights of the program that uses sbapifs.sys. For Training Mode, click Defense+>Advanced>Defense+ Settings> and move the slider to Training Mode and then click Apply. Then run SBCSSvc.exe. You should get a small “Learning…” balloon, and if that works, then it should now have the necessary permissions. Change the Defense+ Mode back to where it was and all should be well.

I’ve explained myself not very well, sorry.

I don’t have pop-ups. The only thing that happens is CounterSpy loads sbapifs.sys for its active protection. Yes, it might be a temp file. Maybe CounterSpy doesn’t need it that much… Don’t know how it works (I only see it’s used when activating realtime protection).

The thing is, it gets on My Pending Files every time it activates. Shouldn’t this file be on Comodo’s Database, so this doesn’t happen? If it’s a safety file this shouldn’t happen, right?

Please, an explanation.

If you see sbapifs.sys on the Pending list, and it shows up on the Purge list (click the Purge button and a list of the files on the Pending Files list that are no longer on the HD is offered and you have the choice to remove them from the Pending list), then I would assume that it is a file that is created on the fly and vanishes when not in use. You could try to locate it in the directory you mentioned while SBCSSvc.exe is running, but I expect that it will be locked while in use. You may be able to copy it? In any event, it is quite difficult for Comodo users to submit such files, and therefore it is not easy to add to the Safe files database. You could try this: Start SBCSSvc.exe and then open Comodo’s interface. Click Defense+>Common Tasks>My Own Safe Files. On that screen, click Add and select Browse Files and navigate to the folder C:\Windows\System32\Drivers and locate sbapifs.sys and select it and click the right arrow to put the file on the Selected files window. Click Apply and (Apply again?) and Close the Safe files window.

Yes, I’m starting to think a rootkit is involved. I don’t know much about how rootkits work.

I uninstalled Comodo and CounterSpy. Installed CounterSpy without Comodo. sbapifs.sys is not in the folder again.

And a blank line has been added to msconfig (see the image):


http://img265.imageshack.us/img265/3770/dibujoyd2.png

What does this blank line mean?
What can I do now?

Hi Geko,

I came across this post pertaining to the same thing you’re discussing:
https://forums.comodo.com/general_security_questions_and_comments_not_product_related/sbapifssys-t10687.0.html

sbapifs.sys: Sbapifs.sys is related to SBAPIFS Active Protection Driver. Manufacturer: Sunbelt Software http://www.sunbelt-software.com/

I don’t know what CounterSpy is and have never used it, so I can’t say with any certainty if that file is 100% safe or not, but it should be if it’s located here → C:\Windows\System32\driver

The file must be getting deleted and a new sbapifs.sys created each time. Don’t worry about that. I have two files like that: one is a .dll by MS for UPnP for Shareaza that keeps doing that, so each reboot it ends up in my pending files and I have to put it in my safe file list. The reason for that one would be because I don’t use UPnP and have UPnP fully disabled on my system.

The other file is an everest.sys file. It ends up in my document settings temp folder and I always delete stuff there, so each time a new everest.sys file is created for the software I’ve got called Everest Ultimate Edition, it ends up in my pending file list and I have to re-add it to my safe file list.

Hope that helps to let you know that’s normal and isn’t anything to worry about if it’s a safe file and not a malicious file or part of malicious software.

regards

Ron

P.S. One more thing: I did a little bit of googling about that file of yours. It’s normal for it not to show itself in the C:\Windows\System32\driver folder; it must just be how CounterSpy uses that file.

Just one more thing: even if the file is in Comodo’s whitelist of safe files, it will keep on re-appearing in your pending list to be re-added to your safe file list. That .dll UPnP file I have is recognised as safe when I do a lookup, so it’s in Comodo’s whitelist, but because it keeps automatically being deleted and recreated it still ends up in the pending list on each reboot.

Just so you know. It would be interesting to have a way for Comodo to just automatically re-add these files, especially when it recognises them as safe files from its whitelist database.

I think we’ll have to wait for them to make that happen :wink:

If you want to try and find the file though, then just load up that DOS box and from the root directory C:\ type dir /a /s /p sbapifs.sys. If that file is currently on your hard drive then it will list from DOS. Well, it should do anyway; no harm trying it and seeing :wink:

Oh well… Thanks Ron_75.

The blank line that I talked about before is a bug that CounterSpy has on some Windows. The solution to that is deleting the key in regedit.

If you need to know if that file (sbapifs.sys) is part of Sunbelt CounterSpy,
you can ask here: http://beta.sunbelt-software.com/index.php?sid=12a43d4fcc628bc6bd89db28f0dfc6ca

It’s their beta testing forum; it’s where I beta tested for CounterSpy.
Sorry I can’t help more, but I don’t have CounterSpy installed right now.

:slight_smile:

No prob :slight_smile: You’re welcome.

Some entries for startup executables or hidden background launch processes are hidden processes. It’s why some entries for launch processes of some vendors’ software exec files are hidden, due to being termed running-in-background processes; same for some startup entries. So it’s better to see if you can somehow find out how to check that blank entry instead of just deleting it first, just to make sure what entry it is for.

I know I have 1 or 2 blank entries for a couple of startup processes too, but they are all safe and part of some software that just hides showing what file it is and only shows the registry key it belongs to.

P.S. Just read you said that blank line is a bug; I guess no harm in deleting it then. Probably best to just untick it and reboot and see if you have no probs with CounterSpy; then you know it’s safe to delete that blank line.

It’s OK. I’ve known it’s a bug from the CounterSpy Forum. The Tech Support says it’s safe to delete it.