Dang, I forgot I even replied to this. What was intimated with the emoticons is that the question wasn’t a ‘stupid’, but a ‘perplexing’. MS in general will make one ‘cry’ based on what it does. ;D
Who can know its ways, who can plumb its depths?
As far as buffer overflow, I never considered that. I guess it depends on what Comodo specifically alerted on. I was leaning towards shell32.dll.
One has to understand that IExplorer and Explorer are joined at the hip for normal Windows functionality. You’d be surprised when Comodo alerts w/pop-ups implicating either (or both) of those when doing normal stuff in Windows. I’ve found the following custom config facilitates both Windows Explorer browsing and general Windows functionality (that’ll pretty much nip most ‘normal’ alerts in the bud):
Execute:
%PROGRAMFILES%\Common Files\Adobe\ARM\1.0\AdobeARM.exe
%PROGRAMFILES%\Common Files\Java\Java Update\jusched.exe
%PROGRAMFILES%\Common Files\Microsoft Shared\DW\DWTRIG20.EXE
%PROGRAMFILES%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
%PROGRAMFILES%\Comodo\COMODO Internet Security\cfp.exe
%PROGRAMFILES%\Internet Explorer\iexplore.exe
%PROGRAMFILES%\SpeedFan\speedfan.exe
%PROGRAMFILES%\Windows Defender\MSASCui.exe
%windir%\explorer.exe
%windir%\hh.exe
%windir%\regedit.exe
%windir%\PCHealth\HelpCtr\Binaries\msconfig.exe
%SYSROOT32%\calc.exe
%SYSROOT32%\cmd.exe
%SYSROOT32%\drwtsn32.exe
%SYSROOT32%\dumprep.exe
%SYSROOT32%\ie4uinit.exe
%SYSROOT32%\ieudinit.exe
%SYSROOT32%\javaw.exe
%SYSROOT32%\kxmixer.exe
%SYSROOT32%\mmc.exe
%SYSROOT32%\msiexec.exe
%SYSROOT32%\mspaint.exe
%SYSROOT32%\notepad.exe
%SYSROOT32%\ntbackup.exe
%SYSROOT32%\ntvdm.exe
%SYSROOT32%\oobechk.exe
%SYSROOT32%\reg.exe
%SYSROOT32%\regedt32.exe
%SYSROOT32%\rundll32.exe
%SYSROOT32%\TweakUI.exe
%SYSROOT32%\nwiz.exe
%SYSROOT32%\wupdmgr.exe
%SYSROOT32%\Macromed\Flash\FlashUtil10?.exe
E:\Adobe\Reader\AcroRd32.exe
E:\BOINC\boincmgr.exe
E:\BOINC\boinctray.exe
E:\FCU\FCU.exe
E:\FTP_Voyager\FTPVoyager.exe
E:\IrfanView\i_view32.exe
E:\Open Office\OpenOffice.org 3\program\scalc.exe
E:\Open Office\OpenOffice.org 3\program\sdraw.exe
E:\Open Office\OpenOffice.org 3\program\swriter.exe
E:\PCI_Latency\LtcyCfg.exe
E:\Power Bible\BibleCD.exe
E:\RivaTuner\RivaTuner.exe
E:\RivaTuner\Tools\D3DOverrider\D3DOverrider.exe
E:\ud_1_72\UDefrag.exe
E:\Visual Studio\Common7\IDE\devenv.exe
E:\VLC\vlc.exe
E:\WinRar\WinRAR.exe
E:\Civ_III\Civilization3.exe
E:\Civ_III\Conquests\Civ3Conquests.exe
C:\Descent3\Descent 3.exe
C:\f1_2002\f1_2002.exe
C:\F4UT\F4-BMS.exe
E:\MoO3\Moo3.exe
E:\Sub Command\subcommand.exe
E:\WinSPMBT\winSPMBT.exe
E:\WinSPMBT\GameOptions.exe
E:\Spybot\SpybotSD.exe
E:\COMODO System-Cleaner\CSC.exe
E:\CCleaner\CCleaner.exe
E:\NSW2003\Norton Ghost\Ghostexp.exe
E:\Registry Toolkit\regtkt.exe
H:\SC_Development\scx\custom\sfx\Z_SFX_Agg.exe
H:\SC_Development\scx\custom\sfx\SCSoundEdit.exe
H:\SC_Development\dw\LWAMI_308\Mods\LwAmi_Mod\Database\DWEdit.exe
E:\Sub Command\Audio\Sfx\SCSoundEdit.exe
E:\Sub Command\Database\SCEdit.exe
E:\Sub Command\Database_bak\SCEdit.exe
D:\Bootvis\BootVis.exe
D:\BootVis\Bootvis_Sleep.exe
%PROGRAMFILES%\Windows NT\Accessories\wordpad.exe
%PROGRAMFILES%\Windows Installer Clean Up\msicuu.exe
%PROGRAMFILES%\FavOrg\FavOrg.exe
E:\UD_v3\UltimateDefrag\Udefrag.exe
E:\UD_v3\UltimateDefrag\uninstall.exe
Interprocess memory access:
%PROGRAMFILES%\Internet Explorer\IEXPLORE.EXE
%windir%\explorer.exe
E:\Adobe\Reader\AcroRd32.exe
WinEvent Hooks:
%SYSROOT32%\SHELL32.dll
Process termination:
%PROGRAMFILES%\Internet Explorer\IEXPLORE.EXE
E:\IrfanView\i_view32.exe
E:\WinSPMBT\GameOptions.exe
E:\Open Office\OpenOffice.org 3\program\soffice.bin
E:\Adobe\Reader\AcroRd32.exe
Windows Messages:
%PROGRAMFILES%\COMODO\COMODO Internet Security\cfp.exe
%PROGRAMFILES%\Internet Explorer\IEXPLORE.EXE
%windir%\system32\csrss.exe
E:\BOINC\boincmgr.exe
E:\IrfanView\i_view32.exe
E:\Open Office\OpenOffice.org 3\program\soffice.bin
Protected COM interfaces:
%PROGRAMFILES%\Internet Explorer\IEXPLORE.EXE
%SYSROOT32%\svchost.exe
LocalSecurityAuthority.Shutdown
E:\Adobe\Reader\AcroRd32Info.exe
E:\BOINC\boincmgr.exe
E:\Visual Studio\Common7\IDE\devenv.exe
{9BA05972-F6A8-11CF-A442-00A0C90A8F39} - if it exists in the host’s protected COM interface group ‘miscellaneous classes’
Protected registry keys:
*\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.???*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders*Start Menu
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders*Startup
*\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components*
HKLM\SYSTEM\ControlSet???\Services*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2*\Shell*\command*
HKUS*\Control Panel\Desktop\SCRNSAVE.EXE
\Software\Microsoft\Windows\CurrentVersion\Run
\SOFTWARE\Classes\CLSID
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced*
HKLM\SOFTWARE\Classes\Applications\scalc.exe\shell
HKLM\SOFTWARE\Classes\Applications\swriter.exe\shell\
Protected files/folders:
\Device\Afd\Endpoint
?:\RECYCLER*
any additional ones encountered during browsing with Windows Explorer for common maintenance, e.g.,
%windir%\SoftwareDistribution\Download*
%windir%$NtUninstallKB*$
%windir%\Installer*
%windir%*.log
The foregoing security policy will mitigate 95 out of 100 alerts for Explorer encountered during common normal Windows operation. 99% of the remaining alerts will be benign, i.e., cautionary - allow but don’t remember - and should be considered to be the ‘canary in the coal mine’. The details of each of these alerts require zealous evaluation - in context - on a case by case basis to discern if the canary is being strangled. One must temper granting Explorer too wide of latitude with granting permissions to alleviate pop-up alerts and one’s tolerance to click on pop-ups to make 'em go away (but allow).
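As an added example (not the poster's own code and not anything shipped by Comodo), here is a small Python matcher that tells you which of the posted policy's wildcard entries a given executable path, registry key or file path would fall under, which is handy when deciding whether a new alert is already covered or is the "canary" the post warns about. It assumes Comodo's `*` matches any run of characters including backslashes and `?` matches exactly one character, and the `%windir%`/`%SYSROOT32%`/`%PROGRAMFILES%` expansions are constructed values for a 32-bit host.

```python
import re
from typing import Dict, List

# Constructed excerpt of the policy posted above (section -> patterns, as written).
POLICY: Dict[str, List[str]] = {
    "Execute": [
        r"%windir%\explorer.exe",
        r"%SYSROOT32%\rundll32.exe",
        r"%SYSROOT32%\Macromed\Flash\FlashUtil10?.exe",
    ],
    "Protected registry keys": [
        r"*\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.???*",
        r"HKLM\SYSTEM\ControlSet???\Services*",
        r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2*\Shell*\command*",
        r"HKUS*\Control Panel\Desktop\SCRNSAVE.EXE",
    ],
    "Protected files/folders": [
        r"?:\RECYCLER*",
        r"%windir%\SoftwareDistribution\Download*",
        r"%windir%*.log",
    ],
}

# Assumed expansions of the Comodo placeholders (constructed, 32-bit XP-era layout).
ENV: Dict[str, str] = {
    "%windir%": r"C:\WINDOWS",
    "%SYSROOT32%": r"C:\WINDOWS\system32",
    "%PROGRAMFILES%": r"C:\Program Files",
}


def expand(pattern: str, env: Dict[str, str] = ENV) -> str:
    """Replace the %VAR% placeholders with their assumed concrete paths."""
    for var, val in env.items():
        pattern = pattern.replace(var, val)
    return pattern


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a Comodo-style wildcard: '*' = any run (incl. '\\'), '?' = one char.
    Windows paths and registry keys are case-insensitive, so the regex is too."""
    parts = []
    for ch in expand(pattern):
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matching_rules(target: str, section: str, policy=POLICY) -> List[str]:
    """Return every pattern in the given section that covers `target`."""
    return [p for p in policy[section] if pattern_to_regex(p).match(target)]
```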