Author Topic: Why is explorer.exe trying to connect to an external ip?  (Read 27724 times)

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Why is explorer.exe trying to connect to an external ip?
« Reply #15 on: February 05, 2012, 08:50:26 PM »
Quote
I already had Autoruns (see below more info about it). I didn't see anything suspicious listed here...
Thanks for Process Monitor. I see here that 'explorer.exe' is a busy guy... Added a filter to display only explorer and it has about 17.000 entries - OMG! Is this normal?

Unfortunately, yes. Don't forget explorer.exe is also the Windows shell.

Quote
Before I rebooted my system, I had it turned on for about 8 hours with Wireshark running. At startup svchost did his number in checking those crl files and after a while made a windows update check too. Then nothing.. for about 30-40 minutes nothing suspicious. I ran some random programs, no weird connections. Then I made a list of all the apps I downloaded and all the apps that were preinstalled. Tried some random preinstalled apps and nothing strange. Tried some downloaded apps and only two were bothering explorer.exe.. The two are Process Explorer and Autoruns. Whenever I started one of these two apps, the firewall was alerting me about explorer.exe making a connection. Looking at wireshark.. all it did was to check those crl stuff. So I assume there is nothing wrong with this, right?

Sounds fine to me, although I can't seem to get autoruns or PE to invoke explorer. If your connections were doing something else, I'd be more concerned, as it is, I don't believe there's cause for concern.

Quote
Now.. after I rebooted my system to check those UDP connections on port 53, I tried Autoruns again and this time it didn't bother explorer. Tried PE also, and some connections appeared.. I think it was checking something with VeriSign. That was all. Maybe Win7 on x64 needs more checking to do... This is my first x64 OS, I don't see big differences but I'm no expert.

As far as I'm aware all Sysinternals applications are signed by Microsoft, not Verisign, so whatever check you're seeing isn't for AR or PE.


“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Why is explorer.exe trying to connect to an external ip?
« Reply #16 on: February 05, 2012, 10:56:50 PM »
Just had a thought, do you have 'Verify Code Signatures' in Autoruns and 'Verify Image Signatures' in PE enabled?

Offline alex29

  • Newbie
  • *
  • Posts: 13
Re: Why is explorer.exe trying to connect to an external ip?
« Reply #17 on: February 06, 2012, 04:37:21 PM »
Quote
Just had a thought, do you have 'Verify Code Signatures' in Autoruns and 'Verify Image Signatures' in PE enabled?

Thanks for the tip!

'Verify Image Signatures' was enabled in PE, but 'Verify Code Signatures' was disabled in Autoruns.

I disabled 'Verify Image Signatures' in PE and the connection on port 80 was gone for this app. After I enabled this option, the connection appeared again, same port, same IP.

Tried the same thing with Autoruns - I enabled the 'Verify Code Signatures' option and, not surprisingly, a new connection for Autoruns appeared on the same IP and same port. I disabled the option back as it was and the connection was gone.

However... explorer.exe appears when I start one of them, whether those options are on or off; but (according to Wireshark) there were fewer connections after I disabled that option in PE so this probably answers the 'many connections' question.

I'm still keeping my eye on Process Monitor - watching to see if there is something fishy going on... So far, all seems to be OK.

All connections were made on the same IP addresses as before. All connections are checking those crl files.


Thanks

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Why is explorer.exe trying to connect to an external ip?
« Reply #18 on: February 06, 2012, 11:53:52 PM »
You could try going to:

Control Panel/Internet Options/Advanced/Security

Then play around with the three options:

Check for Publishers...
Check for server...
Check for Signatures...

They're all enabled by default, but you could selectively disable them and see if there's an impact on explorer's behaviour.

Offline alex29

  • Newbie
  • *
  • Posts: 13
Re: Why is explorer.exe trying to connect to an external ip?
« Reply #19 on: February 07, 2012, 05:00:25 PM »
Quote
You could try going to:

Control Panel/Internet Options/Advanced/Security

Then play around with the three options:

Check for Publishers...
Check for server...
Check for Signatures...

They're all enabled by default, but you could selectively disable them and see if there's an impact on explorer's behaviour.

That's it!!! It seems that disabling 'Publisher's Certificate Revocation' solves this thread's mystery - Windows Explorer (explorer.exe) doesn't attempt to connect to an IP anymore.

Thank you Radaghast for your guidance with my enigma!

I hope this thread will help others if they come across this problem.
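Added example, not part of any post in this thread: a small triage script that sorts HTTP requests exported from a capture into CRL downloads, OCSP queries, issuer-certificate fetches and everything else, so the "it was only checking those crl files" conclusion can be confirmed from the capture itself. The CSV column layout, host names and addresses below are constructed for illustration.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: one HTTP request per row, as exported from a capture.
# Column layout is an assumption; hosts and IPs are documentation values.
SAMPLE_CSV = """dst,method,host,uri,content_type
198.51.100.7,GET,crl.example-ca.test,/pca3.crl,
198.51.100.7,GET,crl.example-ca.test,/CSC3-2010.CRL?v=2,
198.51.100.9,POST,ocsp.example-ca.test,/,application/ocsp-request
198.51.100.7,GET,aia.example-ca.test,/issuer.cer,
203.0.113.10,POST,203.0.113.10,/upload,application/x-www-form-urlencoded
203.0.113.10,GET,203.0.113.10,/notacrl.crl.exe,
"""

# File types served from a certificate's "CA Issuers" location.
CERT_SUFFIXES = (".cer", ".crt", ".p7c")


def classify(method, uri, content_type):
    """Label one request by its shape. This checks form only: the destination
    should still match the distribution point named in the certificate."""
    path = urlsplit(uri).path.lower()          # drop query string, ignore case
    method = method.upper()
    ctype = content_type.split(";")[0].strip().lower()
    if method == "GET" and path.endswith(".crl"):
        return "crl"
    if method == "POST" and ctype == "application/ocsp-request":
        return "ocsp"
    if method == "GET" and path.endswith(CERT_SUFFIXES):
        return "issuer-cert"
    return "other"


def triage(csv_text):
    """Return (counts per label, list of requests that are not revocation traffic)."""
    counts = Counter()
    unexplained = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row["method"], row["uri"], row["content_type"] or "")
        counts[kind] += 1
        if kind == "other":
            unexplained.append((row["dst"], row["method"], row["uri"]))
    return counts, unexplained


if __name__ == "__main__":
    counts, unexplained = triage(SAMPLE_CSV)
    print(dict(counts))
    for dst, method, uri in unexplained:
        print("review:", dst, method, uri)
```

Rows labelled "other" are the ones worth a closer look; if that list is empty, the outbound traffic matches what a signature verification is expected to generate.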

Offline ligh7

  • Newbie
  • *
  • Posts: 2
Re: Why is explorer.exe trying to connect to an external ip?
« Reply #20 on: April 21, 2012, 05:47:12 PM »
I checked this out years ago; explorer.exe connects to the internet because it was looking for relevant search results help from internet sources. It's like a thing from the Windows 95 days when they thought that if it connected to the internet it could find more info on whatever you were doing to help out the user. It's a lot like when Windows Help and Support connects to the internet to find any newer help info that may be useful.

That explorer thing I even got on Windows 7, trying to connect to the internet again, ugh. From there I just blocked the outgoing connection and incoming.

comodo DHCP trick set source port = 68.

 
