Author Topic: Firewall wants me to "block" explorer.exe  (Read 7699 times)

NorrinRadd
Firewall wants me to "block" explorer.exe
« on: June 07, 2009, 05:41:38 AM »
First the "regular" firewall, and then "Memory Firewall" told me I should "block" explorer.exe.  It tells me there is behavior typical of a "hacker attack," and that I should "close" the program.

How the hell do I run Windows if I have to close explorer.exe?

OS:  WinXP Pro with all service packs.

Toggie

« Reply #1 on: June 07, 2009, 06:27:46 AM »
Hi NorrinRadd, welcome to the forum.

A couple of things. First, which version of CIS are you using and which additional security products are you running?

Second, it's not unusual to block explorer.exe from accessing the Internet; in most circumstances it's not necessary.

Unless you are using Windows 7 federated search options, or have some other specific requirement, blocking access to the internet for explorer.exe will not prevent it functioning correctly.


NorrinRadd
« Reply #2 on: June 08, 2009, 12:58:16 AM »
Quote
Hi NorrinRadd, welcome to the forum.

Thanks.


Quote
A couple of things. First, which version of CIS are you using and which additional security products are you running?

Duh... Lessee...

CIS 3.9.95478.509

Comodo Memory Firewall 2.0.4.20

Comodo BOClean 4.27

Comodo Verification Engine Plug-In 2.7.0.17

Comodo Safe Surf 1.0.0.7

PC Tools Threat Fire 4.1.0.25

Microsoft Windows Defender


Quote
Second, it's not unusual to block explorer.exe from accessing the Internet; in most circumstances it's not necessary.

The thing that really took me aback was the suggestion (from the two different Comodo products) that I should "shut down" explorer.exe.


Quote
Unless you are using Windows 7 federated search options, or have some other specific requirement, blocking access to the internet for explorer.exe will not prevent it functioning correctly.

Well, I'm still using XP (with latest Service Packs), and never even heard of that Windows 7 feature, so...

Toggie

« Reply #3 on: June 08, 2009, 01:17:22 AM »
Quote
Duh... Lessee...

CIS 3.9.95478.509

Comodo Memory Firewall 2.0.4.20

Comodo BOClean 4.27

Comodo Verification Engine Plug-In 2.7.0.17

Comodo Safe Surf 1.0.0.7

PC Tools Threat Fire 4.1.0.25

Microsoft Windows Defender

Interesting collection :)

One thing to note, Comodo Memory Firewall and Comodo BOClean are now incorporated into CIS, so running separate instances of these alongside CIS may well be causing conflicts.

Quote
The thing that really took me aback was the suggestion (from the two different Comodo products) that I should "shut down" explorer.exe.

It is interesting, I would have liked to have seen the message, did you by chance keep a copy of the log?

NorrinRadd
« Reply #4 on: June 09, 2009, 12:04:00 AM »
Quote
...
It is interesting, I would have liked to have seen the message, did you by chance keep a copy of the log?

Only in the form of the brief summary visible in the Comodo Memory Firewall log viewer:


Application Path:  C:\windows\explorer.exe

Action Taken:  Attack was allowed as per user's choice

Attack Type:  Buffer overflow

Attack address:  0x0007F400

Memory Type:  stack

Date & Time: 07-June-09 6:42:24 AM

J2897
« Reply #5 on: June 09, 2009, 03:01:21 AM »
I have seen explorer.exe asking for internet access before on some systems. Does anyone know what may cause this? Seems odd.  ???

Toggie

« Reply #6 on: June 09, 2009, 04:43:50 AM »
There are perfectly legitimate reasons for explorer.exe wanting to access the internet; there are, however, also exploits that can make use of this process.

Please understand that explorer.exe is actually a lot more than that simple file manager you interface with. Explorer.exe, for all intents and purposes, is the Windows shell. It contains the code for a number of the widgets on your desktop.

Also, consider some of the purposes to which this application may be put. Accessing FTP sites, Network shares, WEBDAV and many more.

The situation regarding exploits and explorer.exe is more complicated. One simple check you can do, however, is to check the path to the executable and also check the file's details. The file itself should be in your %system%\windows folder. Typically this will be:

 C:\Windows\explorer.exe 

If it's anywhere else I would be very suspect.

The buffer overflow problem, once again, may or may not be a security issue. Clearly, the first thing to do is make sure your system is fully patched and check for any nasties.

Another cause of buffer overflow has been attributed to corrupt codecs. If you have installed a codec pack, such as K-lite, it may be worthwhile uninstalling it and seeing if the problem goes away.

J2897
« Reply #7 on: June 09, 2009, 06:24:45 AM »
Thanks Toggie, that made sense.

Quote
Another cause of buffer overflow has been attributed to corrupt codecs. If you have installed a codec pack, such as K-lite, it may be worthwhile uninstalling it and seeing if the problem goes away.

... Another reason to love 'VLC Player'.  ;D

Do you know if explorer.exe is run with any Command Line Parameters by Default, and is there any way of checking these to make sure they haven't been changed?

Thanks again.

Matty_R
« Reply #8 on: June 09, 2009, 08:15:34 AM »
NorrinRadd,

You can uninstall Comodo Memory Firewall, Comodo BOClean and Comodo Safesurf; these (as Toggie said) are now integrated into CIS as of version 3.9.

Matt
A couple of computers :P

EricJH
« Reply #9 on: June 09, 2009, 08:15:12 PM »
Also do notice that buffer overflows are a common error in programs; these errors are the basis of many exploits.

On the other hand you just may have found a bug in explorer.exe...(:NRD)

Toggie

« Reply #10 on: June 09, 2009, 09:11:17 PM »
Quote
Do you know if explorer.exe is run with any Command Line Parameters by Default, and is there any way of checking these to make sure they haven't been changed?

The aspects of explorer we are referring to in this thread, primarily the shell, as far as I know, don't use accessible switches.

Certainly the file management GUI can be controlled via switches:

Quote
Explorer [/n] [/e] [(,)/root,<object>] [/select,<object>]

/n                Opens a new single-pane window for the default
                  selection. This is usually the root of the drive Windows
                  is installed on. If the window is already open, a
                  duplicate opens.

/e                Opens Windows Explorer in its default view.

/root,<object>    Opens a window view of the specified object.

/select,<object>  Opens a window view with the specified folder, file or
                  application selected.

But I don't think they will be much help here.
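
The two checks discussed in Replies #6 and #10 (where explorer.exe is running from, and which switches it was started with) can be scripted. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later, and the function name, the SysWOW64 entry and the constructed sample object are assumptions made for the illustration.

```powershell
# Added example: audit explorer.exe processes (location, signature, switches).
# The switch list is the one quoted in this thread; an unlisted switch is a
# prompt to look closer, not a verdict, as newer Windows passes other arguments.
$knownSwitches = '/n', '/e', '/root', '/select'
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'explorer.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\explorer.exe')  # assumption: 32-bit copy on 64-bit Windows
)

function Test-ExplorerInstance {   # hypothetical helper name
    param([Parameter(Mandatory = $true)] $Process)

    $path = $Process.ExecutablePath
    $findings = @()

    if (-not $path) {
        $findings += 'path not readable (try an elevated prompt)'
    } elseif ($expectedPaths -notcontains $path) {
        $findings += "unexpected location: $path"
    } else {
        # File details: Authenticode status and the version resource.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $findings += "signature status: $($sig.Status)" }
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        if ($company -ne 'Microsoft Corporation') { $findings += "company field: $company" }
    }

    # Drop the executable name, then collect tokens that start with / or -.
    $rest = ([string]$Process.CommandLine) -replace '^\s*("[^"]+"|\S+)\s*', ''
    foreach ($m in [regex]::Matches($rest, '(?<![^\s,])[/-]([A-Za-z]+)')) {
        $name = '/' + $m.Groups[1].Value.ToLower()
        if ($knownSwitches -notcontains $name) { $findings += "unlisted switch: $($m.Value)" }
    }

    [pscustomobject]@{
        ProcessId   = $Process.ProcessId
        Path        = $path
        CommandLine = $Process.CommandLine
        Findings    = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

# Live processes on this machine.
Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    ForEach-Object { Test-ExplorerInstance -Process $_ }

# Constructed sample (not a real process): a copy in a temp folder with an odd switch.
Test-ExplorerInstance -Process ([pscustomobject]@{
    ProcessId = 0; ExecutablePath = 'C:\Temp\explorer.exe'; CommandLine = 'C:\Temp\explorer.exe /x' })
```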

 

J2897
« Reply #11 on: June 10, 2009, 03:25:50 AM »
Quote
Certainly the file management GUI can be controlled via switches:

But I don't think they will be much help here.

Nope, probably not... Settles my mind a bit though. I thought there may be Parameters which could automatically FTP on explorer.exe startup, or enable some kind of Remote Shell. I'm glad to see there are only a few boring Parameters. :)


Quote
/e                Opens Windows Explorer in its default view.


For anyone who uses 'MakeMeAdmin' on Windows XP, the above Parameter will also be useful...

Code:
set _Prog_="explorer.exe -e"
Code: (MakeMeAdminExplorer.cmd)
rem MakeMeAdmin variant that starts Explorer instead of a command prompt
setlocal
set _Admin_=%COMPUTERNAME%\Administrator
set _Group_=Administrators
set _Prog_="explorer.exe -e"
set _User_=%USERDOMAIN%\%USERNAME%

if "%1"=="" (
    rem First pass: re-run this script as the local Administrator and pass the current user
    runas /u:%_Admin_% "%~s0 %_User_%"
    if ERRORLEVEL 1 echo. && pause
) else (
    rem Second pass as Administrator: add the user to the group for the new logon session
    echo Adding user %* to group %_Group_%...
    net localgroup %_Group_% "%*" /ADD
    if ERRORLEVEL 1 echo. && pause
    echo.
    echo Starting program in new logon session...
    runas /u:"%*" %_Prog_%
    if ERRORLEVEL 1 echo. && pause
    echo.
    rem Remove the membership again so later logons stay limited
    echo Removing user %* from group %_Group_%...
    net localgroup %_Group_% "%*" /DELETE
    if ERRORLEVEL 1 echo. && pause
)
endlocal


Two birds with one stone, thanks!  ;D

MetalShaun
« Reply #12 on: June 19, 2009, 08:21:40 AM »
I also get buffer overflow alerts when installing some games. Like AOE 3.

Dch48
« Reply #13 on: June 19, 2009, 04:15:14 PM »
I got one when I uninstalled the Futuremark system info software installed from the Peacekeeper browser benchmark site. It said explorer.exe would be isolated unless I chose to skip the alert. I skipped it and then scanned explorer.exe with CAV, MBAM, and SAS. Nothing was found so I guess it was a false alarm.

BTW, the Peacekeeper benchmark is unfairly biased against IE because it uses the canvas format for the complex graphics test and IE does not support canvas at this time and it scores zero on those tests.
Avatar FX6327X Desktop
AMD FX-6300 6 core CPU
Sapphire R9-270X GPU
Windows 8.1 64 bit, IE11 & Outlook 2007
Comodo Internet Security 7.0 full package, MBAM on Demand

 
