Concerned about an Explorer shellcode injection

I received the following message after installing an application I thought was clean:

“… Defense+ temporarily blocked explorer.exe. It tried to execute shellcode as a result of a possible buffer overflow attack.” I chose terminate rather than skip, so can I assume that I was protected from being infected? I reran the application install to see if I could reproduce it, and sure enough it did - but while I was copying the message, the Defense+ alert box disappeared. Did it default to terminating explorer and again protect me? Last question: I take it that what’s being terminated is whatever process is attempting to execute, not explorer.exe itself (in days of old, if it terminated, you would see Windows close any open Explorer windows, etc.)?

I’m running Vista Home Premium, CIS v3.12.111745, AVG AV free, and Malwarebytes MBAM with protection turned on. I scanned with MBAM and AVG and didn’t find anything. I also ran Vundofix, whose scan came back clean. Finally I ran HijackThis and checked with the auto analyzer, which didn’t mark anything as potentially bad (except marking Vista Sidebar.exe and the gopher prefix, which I believe are false positives).

Should I be concerned, figuring CIS blocked the execution and the scans are coming up clean? Call me crazy (but I have everything backed up), but I ran the application that was installed to see if anything was picked up by MBAM, AVG, or Comodo, but nothing was. I did realize afterwards that in Comodo’s case the application is set to “treat as installer or updater”, which, what, lets things through?

So again, should I feel comfortable with the scans I’ve done, do more with other scan engines or tools, or what? If I go to a restore point immediately before I installed this application, can I know that anything “bad” that might not have been detected has been reverted back to before?

Please let me know if I need to provide any additional info, clarify, or what - I feel comfortable with this but at the same time I’m not the expert! Thanks in advance!!

The Shellcode injection protection looks for buffer overflow (BO) errors. BO is the most common error used by malware in attempts to take control of a system. BO is, technically speaking, a bug in a program; from a security point of view it is a possible entrance for programs with malicious intent.

Since there is no malware present you found a bug in Explorer.
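
To make the “bug in a program” point above concrete, here is an added illustration (not code from the original thread, nor from Comodo or any named product) in C: a fixed-size name buffer filled once without a length check and once with one. The unchecked form is the class of bug a HIPS reports as a possible buffer overflow, because oversized input overruns the buffer; the checked form rejects such input instead. `NAME_MAX`, the function names and the sample strings are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* constructed: size of the fixed destination buffer */

/* Vulnerable form: copies the caller's string without checking its length.
   Any source longer than NAME_MAX-1 bytes writes past the end of 'dst',
   which is exactly the kind of bug a HIPS flags as a possible buffer overflow. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);  /* no bounds check; shown for contrast, not called below */
}

/* Hardened form: refuses input that does not fit and always NUL-terminates.
   Returns 0 on success, -1 when the input is too long. */
int copy_name_checked(char dst[NAME_MAX], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_MAX) {
        dst[0] = '\0';  /* leave the buffer in a defined state */
        return -1;      /* reject instead of overrunning */
    }
    memcpy(dst, src, n + 1);  /* copies the terminating NUL as well */
    return 0;
}

/* Convenience check: 1 if the checked copy accepts 'src', 0 if it rejects it. */
int name_fits(const char *src) {
    char buf[NAME_MAX];
    return copy_name_checked(buf, src) == 0;
}

int main(void) {
    /* constructed sample inputs */
    const char *ok  = "explorer";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes, too long */
    printf("%s -> %s\n", ok,  name_fits(ok)  ? "accepted" : "rejected");
    printf("%s -> %s\n", bad, name_fits(bad) ? "accepted" : "rejected");
    return 0;
}
```

The point for a user reading an alert like the one quoted above: the bug lives in the program that owns the buffer, and a HIPS can only react when something tries to execute as a result; the real fix is for the program to check lengths the way `copy_name_checked` does.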

Thanks - just want to be safe and not have any nagging worries. So scanning with those tools should be sufficient to say that nothing was introduced?

So…since it occurred immediately after the installation had completed, it could be it didn’t complete/exit cleanly and created a problem explorer.exe couldn’t handle (thus the buffer overflow), and that in turn was detected by CIS defender+? And just IF there was something malicious attempting to be introduced/injected, it was prevented by CIS by my choosing terminate (and in my test case the second time around, CIS defaulted to terminate whatever was triggering this when the pop up disappeared)?

Out of curiosity, any idea what was terminated? I remember back when explorer.exe was terminated in XP, Windows would close any Explorer windows, redraw the screen, etc. Here it was as if nothing obvious was affected.

And not to ask so many questions, but if I were infected would going to an earlier clean restore point work or would I have to clean it off via malware removal tools?

Sure appreciate all the info! :slight_smile:

In general in case of doubt it is always better to use a couple of more scanners. However…

So...since it occurred immediately after the installation had completed, it could be it didn't complete/exit cleanly and created a problem explorer.exe couldn't handle (thus the buffer overflow), and that in turn was detected by CIS defender+? And just IF there was something malicious attempting to be introduced/injected, it was prevented by CIS by my choosing terminate (and in my test case the second time around, CIS defaulted to terminate whatever was triggering this when the pop up disappeared)?
By terminating you prevented a possible malware infection. By terminating you were on the safe side of things.
Out of curiosity, any idea what was terminated? I remember back when explorer.exe was terminated in XP, Windows would close any Explorer windows, redraw the screen, etc. Here it was as if nothing obvious was affected.

And not to ask so many questions, but if I were infected would going to an earlier clean restore point work or would I have to clean it off via malware removal tools?

Sure appreciate all the info! :slight_smile:

I haven’t been in the situation where CIS terminated explorer.exe. When you open an explorer screen and terminate it with Task Manager from the applications tab it will behave as you describe.