Comodo Firewall blocking explorer.exe

Uh, I was trying to uninstall Warhammer Mark of Chaos. And then all of a sudden Comodo Firewall told me explorer.exe was trying to execute a shellcode.

Is this even related to me uninstalling the game or should I let Comodo block it?

Sorry if this is a stupid question. I’m tired, and now I’m nervous over this right now. :-\

Yours is not a ‘stupid’.

It is a ???; MS Explorer is :cry:

How long have you been running w/CIS? What version of CIS? Have you been doing the on-line gaming thing prior to CIS?

I got 84 things that I allow MS Explorer to run: 3 interprocess memory access; 1 Win event hooks; 5 process termination; 6 Win messages; 7 protected COM interface; 12 protected registry entries; 9 protected files/folders.

Dang! It’s been a long time since I’ve even thought of this! :-[

I’m using the free version of Comodo Firewall along with Avast and SAS. I’ve had it for about two months now. I online gamed once prior to using Comodo Firewall and that was over a year ago, and it wasn’t with Mark of Chaos.

What? ???

I think what Wxman means is if it is the real Windows Explorer program and not another program pretending to be Windows Explorer.

When it is the real Windows Explorer, then basically the BO detection found a bug. Only if malware is present to abuse this buffer overflow may you get infected. Check your system with various scanners to see if it is clean.

The BO alert in itself does not mean you are infected. It points to a vulnerability. When you know your system is clean you can choose to allow the program to continue.

In case you decide to terminate Explorer out of precaution, then most of the time it will restart itself. When it does not restart, simply call Task Manager and start a new task with the name explorer.exe.
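One way to carry out the "is it the real Windows Explorer" check described above, as an added example written here (not from the thread and not Comodo's own tooling). It assumes Windows PowerShell 4 or later and checks each running explorer.exe for its location, Authenticode signature, parent process and SHA-256 hash, so the alert can be judged against a known-good binary before allowing it:

```powershell
# Added example: verify that the explorer.exe Comodo is alerting on is the
# genuine shell at %windir%\explorer.exe and not a look-alike elsewhere.
function Test-ExplorerProcess {
    $expected = Join-Path $env:windir 'explorer.exe'
    $results  = @()

    # Every process named explorer.exe, wherever it was launched from
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'"

    foreach ($p in $procs) {
        $path = $p.ExecutablePath

        # 1. Location: the real shell lives directly in %windir%
        $pathOk = ($path -ieq $expected)

        # 2. Signature: the genuine binary carries a Microsoft signature.
        #    Catalog-signed OS files may report NotSigned on older systems;
        #    in that case rely on the hash comparison below instead.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

        # 3. Parent: normally winlogon/userinit; anything unusual deserves a look
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        # 4. Hash: compare against a known-good copy or a multi-scanner lookup
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

        $results += [pscustomobject]@{
            PID        = $p.ProcessId
            Path       = $path
            PathOk     = $pathOk
            SigStatus  = $sig.Status
            Signer     = $signer
            ParentPid  = $p.ParentProcessId
            ParentName = $parentName
            SHA256     = $hash
        }
    }
    return $results
}

# Usage: list each explorer.exe and flag any that is not where it should be
Test-ExplorerProcess | Format-List
Test-ExplorerProcess | Where-Object { -not $_.PathOk -or $_.SigStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning "Suspicious explorer.exe: PID $($_.PID) at $($_.Path)" }
```

A single explorer.exe with PathOk true and a Microsoft signer is the expected picture; a second copy in a temp or game folder is the case the earlier reply warns about.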

Dang, I forgot I even replied to this. What was intimated with the emoticons is that the question wasn’t a ‘stupid’, but a ‘perplexing’. MS in general will make one ‘cry’ based on what it does. ;D

Who can know its ways, who can plumb its depths?

As far as buffer overflow, I never considered that. I guess it depends on what Comodo specifically alerted on. I was leaning towards shell32.dll.

One has to understand that IExplorer and Explorer are joined at the hip for normal Windows functionality. You’d be surprised when Comodo alerts w/pop-ups implicating either (or both) of those when doing normal stuff in Windows. I’ve found the following custom config facilitates both Windows Explorer browsing and general Windows functionality (that’ll pretty much nip most ‘normal’ alerts in the bud):

Execute:

%PROGRAMFILES%\Common Files\Adobe\ARM\1.0\AdobeARM.exe
%PROGRAMFILES%\Common Files\Java\Java Update\jusched.exe
%PROGRAMFILES%\Common Files\Microsoft Shared\DW\DWTRIG20.EXE
%PROGRAMFILES%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
%PROGRAMFILES%\Comodo\COMODO Internet Security\cfp.exe
%PROGRAMFILES%\Internet Explorer\iexplore.exe
%PROGRAMFILES%\SpeedFan\speedfan.exe
%PROGRAMFILES%\Windows Defender\MSASCui.exe
%windir%\explorer.exe
%windir%\hh.exe
%windir%\regedit.exe
%windir%\PCHealth\HelpCtr\Binaries\msconfig.exe
%SYSROOT32%\calc.exe
%SYSROOT32%\cmd.exe
%SYSROOT32%\drwtsn32.exe
%SYSROOT32%\dumprep.exe
%SYSROOT32%\ie4uinit.exe
%SYSROOT32%\ieudinit.exe
%SYSROOT32%\javaw.exe
%SYSROOT32%\kxmixer.exe
%SYSROOT32%\mmc.exe
%SYSROOT32%\msiexec.exe
%SYSROOT32%\mspaint.exe
%SYSROOT32%\notepad.exe
%SYSROOT32%\ntbackup.exe
%SYSROOT32%\ntvdm.exe
%SYSROOT32%\oobechk.exe
%SYSROOT32%\reg.exe
%SYSROOT32%\regedt32.exe
%SYSROOT32%\rundll32.exe
%SYSROOT32%\TweakUI.exe
%SYSROOT32%\nwiz.exe
%SYSROOT32%\wupdmgr.exe
%SYSROOT32%\Macromed\Flash\FlashUtil10?.exe
E:\Adobe\Reader\AcroRd32.exe
E:\BOINC\boincmgr.exe
E:\BOINC\boinctray.exe
E:\FCU\FCU.exe
E:\FTP_Voyager\FTPVoyager.exe
E:\IrfanView\i_view32.exe
E:\Open Office\OpenOffice.org 3\program\scalc.exe
E:\Open Office\OpenOffice.org 3\program\sdraw.exe
E:\Open Office\OpenOffice.org 3\program\swriter.exe
E:\PCI_Latency\LtcyCfg.exe
E:\Power Bible\BibleCD.exe
E:\RivaTuner\RivaTuner.exe
E:\RivaTuner\Tools\D3DOverrider\D3DOverrider.exe
E:\ud_1_72\UDefrag.exe
E:\Visual Studio\Common7\IDE\devenv.exe
E:\VLC\vlc.exe
E:\WinRar\WinRAR.exe
E:\Civ_III\Civilization3.exe
E:\Civ_III\Conquests\Civ3Conquests.exe
C:\Descent3\Descent 3.exe
C:\f1_2002\f1_2002.exe
C:\F4UT\F4-BMS.exe
E:\MoO3\Moo3.exe
E:\Sub Command\subcommand.exe
E:\WinSPMBT\winSPMBT.exe
E:\WinSPMBT\GameOptions.exe
E:\Spybot\SpybotSD.exe
E:\COMODO System-Cleaner\CSC.exe
E:\CCleaner\CCleaner.exe
E:\NSW2003\Norton Ghost\Ghostexp.exe
E:\Registry Toolkit\regtkt.exe
H:\SC_Development\scx\custom\sfx\Z_SFX_Agg.exe
H:\SC_Development\scx\custom\sfx\SCSoundEdit.exe
H:\SC_Development\dw\LWAMI_308\Mods\LwAmi_Mod\Database\DWEdit.exe
E:\Sub Command\Audio\Sfx\SCSoundEdit.exe
E:\Sub Command\Database\SCEdit.exe
E:\Sub Command\Database_bak\SCEdit.exe
D:\Bootvis\BootVis.exe
D:\BootVis\Bootvis_Sleep.exe
%PROGRAMFILES%\Windows NT\Accessories\wordpad.exe
%PROGRAMFILES%\Windows Installer Clean Up\msicuu.exe
%PROGRAMFILES%\FavOrg\FavOrg.exe
E:\UD_v3\UltimateDefrag\Udefrag.exe
E:\UD_v3\UltimateDefrag\uninstall.exe

Interprocess memory access:

%PROGRAMFILES%\Internet Explorer\IEXPLORE.EXE
%windir%\explorer.exe
E:\Adobe\Reader\AcroRd32.exe

WinEvent Hooks:

%SYSROOT32%\SHELL32.dll

Process termination:

%PROGRAMFILES%\Internet Explorer\IEXPLORE.EXE
E:\IrfanView\i_view32.exe
E:\WinSPMBT\GameOptions.exe
E:\Open Office\OpenOffice.org 3\program\soffice.bin
E:\Adobe\Reader\AcroRd32.exe

Windows Messages:

%PROGRAMFILES%\COMODO\COMODO Internet Security\cfp.exe
%PROGRAMFILES%\Internet Explorer\IEXPLORE.EXE
%windir%\system32\csrss.exe
E:\BOINC\boincmgr.exe
E:\IrfanView\i_view32.exe
E:\Open Office\OpenOffice.org 3\program\soffice.bin

Protected COM interfaces:

%PROGRAMFILES%\Internet Explorer\IEXPLORE.EXE
%SYSROOT32%\svchost.exe
LocalSecurityAuthority.Shutdown
E:\Adobe\Reader\AcroRd32Info.exe
E:\BOINC\boincmgr.exe
E:\Visual Studio\Common7\IDE\devenv.exe
{9BA05972-F6A8-11CF-A442-00A0C90A8F39} - if exists in host’s protected COM interface group ‘miscellaneous classes’

Protected registry keys:

*\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.???*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders*Start Menu
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders*Startup
*\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components*
HKLM\SYSTEM\ControlSet???\Services*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2*\Shell*\command*
HKUS*\Control Panel\Desktop\SCRNSAVE.EXE
\Software\Microsoft\Windows\CurrentVersion\Run
\SOFTWARE\Classes\CLSID
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced*
HKLM\SOFTWARE\Classes\Applications\scalc.exe\shell
HKLM\SOFTWARE\Classes\Applications\swriter.exe\shell\

Protected files/folders:

\Device\Afd\Endpoint
?:\RECYCLER*
any additional encountered during browsing with Windows Explorer for common maintenance, e.g.,

%windir%\SoftwareDistribution\Download*
%windir%$NtUninstallKB*$
%windir%\Installer*
%windir%*.log

The foregoing security policy will mitigate 95 out of 100 alerts for Explorer encountered during common normal Windows operation. 99% of the remaining alerts will be benign, i.e., cautionary - allow but don’t remember - and should be considered to be the ‘canary in the coal mine’. The details of each of these alerts require zealous evaluation - in context - on a case by case basis to discern if the canary is being strangled. One must temper granting Explorer too wide a latitude with granting permissions to alleviate pop-up alerts and one’s tolerance to click on pop-ups to make 'em go away (but allow).

Again I waited forever to reply to this.

It seems to bug me a lot when running certain uninstallers. I tried uninstalling one program and it just screamed at me repeatedly because it used MS-DOS or something.

Then again I’m having trouble with Defense+ now (refer to my other thread) so I don’t know what the heck is wrong with this thing. :-\