Author Topic: Is there a way to permanently block intrusions using explorer.exe as Parent?

Offline P--L

  • Newbie
  • *
  • Posts: 11
Hello everyone.
I have used ZoneAlarm Pro for 2 years, until the recent 6.5.737 version.
ZoneAlarm Pro DID NOT pass even the first test, allowing Internet Explorer to open
without waiting for my reply to the request it posed to me.
The day before yesterday I switched to COMODO, which did pass all 3 tests.

However, I discovered that a special rule had to be created to pass the test without
preventing my Firefox or IE from functioning.
The rule is: BLOCK Iexplore.exe operated by explorer.exe as Parent.
If you do not create this rule, even passively through denying the proper pop-up request,
then COMODO will fail the first test too.

It became clear to me when COMODO explained in one of its pop-ups, that explorer.exe is frequently used as an invisible mediator for many other (legitimate and malware) applications
to reach the Internet. This makes explorer.exe a target for abuse, so beware before
allowing it to act as Parent!

In fact, before this rule was created the failure of COMODO was not expressed only by
opening IE browser, but, strangely enough, also by neutralizing COMODO,
moving the security slider from CUSTOM position to ALLOW ALL position.
I wonder if that kind of thing happened to any of you too?



« Last Edit: December 17, 2006, 05:25:12 PM by P--L »

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11441
  • Linux is free only if your time is worthless.;-)
"Explorer.exe" is your windows xp shell - it's basically the driving force behind the desktop. If you do not allow an app to be launched with explorer.exe as its parent, you're going to have an extremely secure system, 'cause it won't be able to access anything.  ;)

Ewen :-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you can't conform, don't use the forum.

Offline P--L

  • Newbie
  • *
  • Posts: 11
"Explorer.exe" is your windows xp shell - it's basically the driving force behind the desktop. If you do not allow an app to be launched with explorer.exe as its parent, you're going to have an extremely secure system, 'cause it won't be able to access anything.  ;)

Ewen :-)


To let Iexplore.exe be launched by explorer.exe means
to let COMODO fail the first leaking test for sure. I've tried it many times.
What good will it do to discard this test,
which led me to abandon ZoneAlarm in the first place?
What are you suggesting then?

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11441
  • Linux is free only if your time is worthless.;-)
Quote

I have used ZoneAlarm Pro for 2 years, until the recent 6.5.737 version.
ZoneAlarm Pro DID NOT pass even the first test, allowing Internet Explorer to open
without waiting for my reply to the request it posed to me.
The day before yesterday I switched to COMODO, which did pass all 3 tests.

However, I discovered that a special rule had to be created to pass the test without
preventing my Firefox or IE from functioning.
The rule is: BLOCK Iexplore.exe operated by explorer.exe as Parent.
If you do not create this rule, even passively through denying the proper pop-up request,
then COMODO will fail the first test too.


Ok then, what is this "first test" you refer to? Please give me the URL and I'll test it here and pass on my findings. I'm not doubting you, just want to clarify that we're on the same page.

Ewen :-)

Offline P--L

  • Newbie
  • *
  • Posts: 11
Ok then, what is this "first test" you refer to? Please give me the URL and I'll test it here and pass on my findings. I'm not doubting you, just want to clarify that we're on the same page.

Ewen :-)


I'm talking about the triple (3 button) test "CPILSuite" downloadable from COMODO site:
http://www.personalfirewall.comodo.com/onlinetest.html
After pushing the first button (Test 1) at COMODO's request pop-up,
if you allow explorer.exe as parent for Iexplore.exe, IE browser will open
with the info typed, announcing failure.
« Last Edit: December 16, 2006, 10:34:15 AM by P--L »

Offline P--L

  • Newbie
  • *
  • Posts: 11
My problem is that there is no automated process to block these threats forever.
If you apply the DENY rules for good, you will not be able to surf the Internet,
since most of the connections go through explorer.exe as Parent Path.
The problem is that most sophisticated code/dll injections involve this file,
and for now, there is no way to make distinctive rules against exploiting it,
without messing up all your Internet connections.
All we can do now is to block these attacks but only once,
and then, most likely, reboot the system to get rid of the malicious injections.

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11441
  • Linux is free only if your time is worthless.;-)
I'm talking about the triple (3 button) test "CPILSuite" downloadable from COMODO site:
http://www.personalfirewall.comodo.com/onlinetest.html
After pushing the first button (Test 1) at COMODO's request pop-up,
if you allow explorer.exe as parent for Iexplore.exe, IE browser will open
with the info typed, announcing failure.

G'day,

I've downloaded the CPILSuite and run the first test - the one you say leaks.

All I got was a firewall alert telling me that IE was trying to send data (the data it was trying to send was the data I typed into CPIL). I clicked BLOCK (without clicking "REMEMBER") and the data was not sent. Naturally, if I had clicked ALLOW, the data would have been sent.

Not being funny, but do you fully understand the concept behind leak testers?

When you run a leak test, it will typically ask you to enter some data that it will attempt to transmit to a remote site, where you can view the data you typed in locally, thereby proving that the firewall has allowed the data to leak. After you have typed in the text, a good firewall will display an alert about IE attempting to transmit data. At this point, the firewall still has not leaked, as it is waiting for you to tell it whether to leak or not.

If you click ALLOW, of course it's going to leak, because you explicitly told it to. If you click BLOCK, it won't, but the firewall has actually stopped IE dead in its tracks (because it is the communicating medium, not the leak test), not the leaktest. At this point you should reboot to run the next leak test (it's a good idea to reboot between each attempted leak test).

The KEY factor is to not click REMEMBER!!!!! The firewall alert is about IE, not the leaktest and if you click REMEMBER and BLOCK, you have just successfully blocked IE until you remove the application monitor rule.

There cannot be an automated response to this type of threat, as this type of threat keeps changing. How many leaktests were there two years ago? Maybe one or two. How many are there now? Around twenty. The nature of the threat changes and, as good as Comodo is, their crystal ball can't foresee what the bad guys will come up with next.

Quote
The problem is that most sophisticated code/dll injections involve this file, and for now, there is no way to make distinctive rules against exploiting it, without messing up all your Internet connections.
All we can do now is to block these attacks but only once, and then, most likely, reboot the system to get rid of the malicious injections.

What you say is exactly correct - what you've described IS all we can do. I would rather KNOW about each and every threat that managed to get inside my PC and be able to block it, than place blind trust (sorry Melih) in any security app. If the price of security is a handful of clicks and a little bit of awareness, then I for one am happy to pay that price.

Hope this helps,
Ewen :-)

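The point Ewen makes about REMEMBER can be seen in a toy model of a per-application monitor whose rules are keyed on (application, parent), as the thread describes. This is an added example, not Comodo's code: the leak-test-driven IE and a user-launched IE produce identical (iexplore.exe, explorer.exe) events, so a remembered BLOCK on the first also blocks the second, while a one-shot BLOCK leaves the next launch to be prompted again.

```python
"""Toy model of a parent-aware application monitor (added example, hypothetical).

Rules are keyed on (application, parent process). A decision taken with
REMEMBER becomes a stored rule; one without it applies to a single event only.
"""
from dataclasses import dataclass, field

PROMPT = "prompt"


@dataclass(frozen=True)
class Event:
    app: str      # process trying to send data, e.g. "iexplore.exe"
    parent: str   # its parent process, e.g. "explorer.exe"

    def key(self) -> tuple[str, str]:
        return self.app.lower(), self.parent.lower()


@dataclass
class AppMonitor:
    rules: dict = field(default_factory=dict)  # (app, parent) -> "allow" | "block"

    def decide(self, ev: Event) -> str:
        """Return the stored verdict, or PROMPT when no rule matches."""
        return self.rules.get(ev.key(), PROMPT)

    def answer(self, ev: Event, verdict: str, remember: bool) -> str:
        """The user answers an alert; REMEMBER turns it into a persistent rule."""
        if remember:
            self.rules[ev.key()] = verdict
        return verdict


def leaktest_then_browse(remember: bool) -> tuple[str, str]:
    """Block IE during the leak test, then see what a normal IE launch gets.

    Both events look identical to the monitor: iexplore.exe with explorer.exe
    as parent. Only the user's context differs, and the rule cannot see that.
    """
    fw = AppMonitor()
    leak = Event("iexplore.exe", "explorer.exe")   # constructed: CPIL-driven IE
    legit = Event("iexplore.exe", "explorer.exe")  # constructed: user opens IE
    first = fw.decide(leak)
    if first == PROMPT:
        first = fw.answer(leak, "block", remember)
    return first, fw.decide(legit)


if __name__ == "__main__":
    print("one-shot BLOCK  :", leaktest_then_browse(remember=False))  # ('block', 'prompt')
    print("remembered BLOCK:", leaktest_then_browse(remember=True))   # ('block', 'block')
```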

Offline P--L

  • Newbie
  • *
  • Posts: 11
...
What you say is exactly correct - what you've described IS all we can do. I would rather KNOW about each and every threat that managed to get inside my PC and be able to block it, than place blind trust (sorry Melih) in any security app. If the price of security is a handful of clicks and a little bit of awareness, then I for one am happy to pay that price.

Hope this helps,
Ewen :-)


I appreciate your detailed explanation, thank you!
The problem is that COMODO's pop-up message about explorer.exe trying to connect
does not specify which file is the origin of this initiative,
so in real mode, if I receive this kind of message I would not know if I should accept
or deny the attempted connection.
I wish the pop-up message would be informative enough to make it easy for me
to make a decision, since, as you say, there is no automated process to make the same decision always.
What do you say?

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11441
  • Linux is free only if your time is worthless.;-)
I appreciate your detailed explanation, thank you!
The problem is that COMODO's pop-up message about explorer.exe trying to connect
does not specify which file is the origin of this initiative,
so in real mode, if I receive this kind of message I would not know if I should accept
or deny the attempted connection.
I wish the pop-up message would be informative enough to make it easy for me
to make a decision, since, as you say, there is no automated process to make the same decision always.
What do you say?

Assume you're just sitting there staring at your PC and some piece of malware tries to send data using IE. All of a sudden there's a firewall alert and you weren't doing anything. There's your first indicator that something's not quite right.

If you were using IE at the time, CPF would detect a new source (even if it doesn't display it) for the transmission of data and pop up another alert. Since you were already using IE and you got another alert, this means something is different and you should look further.

Sometimes you just have to do a bit of reading between the lines. It'd be nice if there was an automated method but nothing beats awareness.

Trust no-one, Scully!

Ewen :-)

Offline P--L

  • Newbie
  • *
  • Posts: 11
Assume you're just sitting there staring at your PC and some piece of malware tries to send data using IE. All of a sudden there's a firewall alert and you weren't doing anything. There's your first indicator that something's not quite right.

If you were using IE at the time, CPF would detect a new source (even if it doesn't display it) for the transmission of data and pop up another alert. Since you were already using IE and you got another alert, this means something is different and you should look further.

Sometimes you just have to do a bit of reading between the lines. It'd be nice if there was an automated method but nothing beats awareness.

Trust no-one, Scully!

Ewen :-)


I understand now, and hope that in the future there will be some automatic mechanism
to diagnose and block only the unwanted Internet connections.
Thank you very much for your efforts.
