I have a bunch of logged actions in the D+ log that show excel.exe being blocked trying to access the windows messenger file (msmsgs.exe). Messenger is on my blocked list since I don’t use it. I also have entries for svchost.exe trying to access outlook express wab.exe (outlook express is supposedly not installed), and explorer.exe trying to access netmeeting (conf.exe). Outlook express and netmeeting are also on my blocked list.
Why are these microsoft applications trying to access files that I am not using and supposedly don’t have installed on my system? Is this common.
Can you show a screenshot of the D+ logs? They are under View Defense + Events.
I exported the log and attached a .zip file if that’s ok. It was too big to get in a single capture.
The dfrgntfs.exe app runs on startup and is part of the clean/compress stuff. The entries for that are probably from it scanning for junk and finding folders it couldn’t look at. Since I exported the log, there are more entries of explorer.exe trying to access netmeeting. I don’t know why my text editor (cedit.exe) is trying to access some of these directories. I don’t know why svchost is tyring to access the web address book app in outlook express. I don’t know why excel is trying to access messenger.
[attachment deleted by admin]
Your D+ logs kinda puzzle me. Can please post a screenshot of the Defense + Rules? They are under Defense + → Computer Security Policy.
I have attached a capture of my rules. There doesn’t seem to be much there.
I have had a more serious issue in that it looks like some of the changes I made prevented my from logging into windows. I have the following folders added to my D+ blocked files.
C:\Program Files\Internet Explorer*
C:\Program Files\microsoft frontpage*
C:\Program Files\Movie Maker*
C:\Program Files\MSN Gaming Zone*
C:\Program Files\Outlook Express*
C:\Program Files\Windows Media Player*
These are applications I never use and they have been uninstalled using the control panel remove windows components. The exception is ie which use for updates, but nothing else. When I had these blocked, when I boot the computer, I get to the login screen, but the screen freezes when I am trying to enter my password. Nothing will work and I have to restart. I had to restore from an image to get my system back. This happened twice before I began to suspect it was the new D+ settings.
Is there anything here that would outright prevent my from logging into windows if the OS couldn’t access it? I decided to block the entire directory when I say some activity between system processes and some of these “uninstalled” components. I have attached my current configuration files as well if that is of use.
[attachment deleted by admin]
D+ can surely block access to Windows. That’s how powerful it is.
When that happens best is to boot in Safe Mode and remove the latest changes made to D+. That will save you restoring a back up image.
It is odd to see programs try to access another file that is no longer there. It could mean Excel is not noticing these programs are no longer there. You are using Excel 2010? I take it you are on XP. Is that correct?
Yes, this is excel 2010 with XP sp3. The thing with uninstalling apps like messenger and outlook is that you can never really remove them from your system. The files like msmsgs.exe, wab.exe, conf.exe, etc, remain on your computer but are hidden. There are allot of .dll files that also remain. If you set up to see hidden files, you can acquire access to delete these files, but they re-appear a few seconds later. Even though messenger has been “uninstalled” using remove windows features, the .exe file is still there and cannot be removed.
One of the reasons I started using a firewall was that every time I would click on an email link in ie, windows would re-install outlook express, configure it to be my default mail client without asking, and then open the wizard for me to set up an email account. This in spite of the fact that I had a different client set as the mail default. Using a good firewall let me block apps that I didn’t want to run.
After just starting up, I reset my logs and rules, and I already have an instance of windows explorer trying to access something in the outlook express folder. I can’t see any reason why svchost should ever need to access the address book app in outlook.
Personally I could never be bothered by the existence of these programs of which most I never use.
The fact that is getting blocked is what you want. In that sense the firewall does its trick. It’s underlying WIndows behaviour that is peculiar.