Firewall wants me to "block" explorer.exe

First the “regular” firewall, and then “Memory Firewall” told me I should “block” explorer.exe. It tells me there is behavior typical of a “hacker attack,” and that I should “close” the program.

How the hell do I run Windows if I have to close explorer.exe?

OS: WinXP Pro with all service packs.

Hi NorrinRadd, welcome to the forum.

A couple of things. First, which version of CIS are you using and which additional security products are you running?

Second, it’s not unusual to block explorer.exe from accessing the Internet; in most circumstances it’s not necessary.

Unless you are using Windows 7 federated search options, or have some other specific requirement, blocking access to the Internet for explorer.exe will not prevent it functioning correctly.

Thanks.

A couple of things. First, which version of CIS are you using and which additional security products are you running?

Duh… Lessee…

CIS 3.9.95478.509

Comodo Memory Firewall 2.0.4.20

Comodo BOClean 4.27

Comodo Verification Engine Plug-In 2.7.0.17

Comodo Safe Surf 1.0.0.7

PC Tools Threat Fire 4.1.0.25

Microsoft Windows Defender

Second, it's not unusual to block explorer.exe from accessing the Internet; in most circumstances it's not necessary.

The thing that really took me aback was the suggestion (from the two different Comodo products) that I should “shut down” explorer.exe.

Unless you are using Windows 7 federated search options, or have some other specific requirement, blocking access to the Internet for explorer.exe will not prevent it functioning correctly.

Well, I’m still using XP (with latest Service Packs), and never even heard of that Windows 7 feature, so…

Duh... Lessee...

CIS 3.9.95478.509

Comodo Memory Firewall 2.0.4.20

Comodo BOClean 4.27

Comodo Verification Engine Plug-In 2.7.0.17

Comodo Safe Surf 1.0.0.7

PC Tools Threat Fire 4.1.0.25

Microsoft Windows Defender

Interesting collection :slight_smile:

One thing to note, Comodo Memory Firewall and Comodo BOClean are now incorporated into CIS, so running separate instances of these alongside CIS may well be causing conflicts.

The thing that really took me aback was the suggestion (from the two different Comodo products) that I should "shut down" explorer.exe.

It is interesting; I would have liked to have seen the message. Did you by chance keep a copy of the log?

Only in the form of the brief summary visible in the Comodo Memory Firewall log viewer:

Application Path: C:\windows\explorer.exe

Action Taken: Attack was allowed as per user’s choice

Attack Type: Buffer overflow

Attack address: 0x0007F400

Memory Type: stack

Date & Time: 07-June-09 6:42:24 AM

I have seen explorer.exe asking for Internet access before on some systems. Does anyone know what may cause this? Seems odd. ???

There are perfectly legitimate reasons for explorer.exe wanting to access the internet, there are, however, also exploits that can make use of this process.

Please understand that explorer.exe is actually a lot more than that simple file manager you interface with. Explorer.exe, for all intents and purposes, is the Windows shell. It contains the code for a number of the widgets on your desktop.

Also, consider some of the purposes to which this application may be put: accessing FTP sites, network shares, WebDAV and many more.

The situation regarding exploits and explorer.exe is more complicated. One simple check you can do, however, is to check the path to the executable and also check the file's details. The file itself should be in your %system%\windows folder. Typically this will be:

C:\Windows\explorer.exe

If it’s anywhere else I would be very suspicious.

The buffer overflow problem, once again, may or may not be a security issue. Clearly, the first thing to do is make sure your system is fully patched and check for any nasties.

Another cause of buffer overflow has been attributed to corrupt codecs. If you have installed a codec pack, such as K-Lite, it may be worthwhile uninstalling it and seeing if the problem goes away.

Thanks Toggie, that made sense.

… Another reason to love ‘VLC Player’. ;D

Do you know if explorer.exe is run with any Command Line Parameters by Default, and is there any way of checking these to make sure they haven’t been changed?

Thanks again.

Norrinrad,

You can uninstall Comodo Memory Firewall, Comodo BOClean and Comodo SafeSurf; these (as Toggie said) are now integrated into CIS as of version 3.9.

Matt

Also do notice that buffer overflows are a common error in programs, these errors are the basis of many exploits.

On the other hand you just may have found a bug in explorer.exe…(:NRD)

Do you know if explorer.exe is run with any Command Line Parameters by Default, and is there any way of checking these to make sure they haven't been changed?

The aspects of explorer we are referring to in this thread, primarily the shell, as far as I know, don’t use accessible switches.

Certainly file management GUI can be controlled via switches:

Explorer [/n] [/e] [(,)/root,] [/select,]

/n Opens a new single-pane window for the default
selection. This is usually the root of the drive Windows
is installed on. If the window is already open, a
duplicate opens.

/e Opens Windows Explorer in its default view.

/root, Opens a window view of the specified object.

/select, Opens a window view with the specified folder, file or
application selected.

But I don’t think they will be much help here.
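As an added example for this thread (not the poster's script and not anything from Comodo), here is the check Toggie describes above (path and file details of explorer.exe) together with the command-line question, done in PowerShell. It assumes a Windows machine with PowerShell and WMI available; the Winlogon registry key it reads is the standard one that names the shell to start at logon.

```powershell
# Added example, not from the thread: where is the running explorer.exe,
# how was it started, and is the on-disk file the Microsoft binary?
$expected = Join-Path $env:SystemRoot 'explorer.exe'

# 1. Every running explorer.exe: full path, command line and parent process.
$procs = Get-WmiObject -Class Win32_Process -Filter "Name='explorer.exe'"
foreach ($p in $procs) {
    $path = $p.ExecutablePath
    Write-Host ("PID {0,-6} path={1}" -f $p.ProcessId, $path)
    Write-Host ("       cmdline={0}" -f $p.CommandLine)
    if (($path -eq $null) -or ($path -ine $expected)) {
        Write-Warning "explorer.exe is running from an unexpected location: $path"
    }
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    if ($parent) { Write-Host ("       parent={0} (PID {1})" -f $parent.Name, $parent.ProcessId) }
}

# 2. File details of the on-disk binary: version resource and Authenticode signature.
$item = Get-Item $expected
$item.VersionInfo | Select-Object CompanyName, FileDescription, FileVersion | Format-List
$sig = Get-AuthenticodeSignature $expected
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    # Caveat: many Windows system files are catalog-signed rather than
    # embedded-signed, so 'NotSigned' here is not proof of tampering;
    # 'sfc /scannow' is the definitive integrity check for system files.
    Write-Warning "Signature check did not pass: status=$($sig.Status)"
}

# 3. How the shell is launched: the Winlogon 'Shell' value normally reads just 'explorer.exe',
#    with no extra parameters. A different value, or a per-user override under HKCU, is worth a look.
$wlPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty "HKLM:\$wlPath").Shell
if ($shell -ne 'explorer.exe') { Write-Warning "Machine Winlogon Shell value is '$shell'" }
else { Write-Host "Machine Winlogon Shell = $shell" }
$userShell = (Get-ItemProperty "HKCU:\$wlPath" -ErrorAction SilentlyContinue).Shell
if ($userShell) { Write-Warning "Per-user Winlogon Shell override present: '$userShell'" }
```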

Nope, probably not… Settles my mind a bit though. I thought there may be parameters which could automatically FTP on explorer.exe startup, or enable some kind of remote shell. I’m glad to see there are only a few boring parameters. :slight_smile:

/e Opens Windows Explorer in its default view.

For anyone who uses ‘MakeMeAdmin’ on Windows XP, the above Parameter will also be useful…

set _Prog_="explorer.exe -e"

[code=MakeMeAdminExplorer.cmd]
rem MakeMeAdmin variant: temporarily add the current user to the
rem Administrators group, start Explorer with /e in a new logon
rem session for that user, then take the user out of the group again.
rem runas prompts for the Administrator password on the first pass
rem and for the current user's password on the second.
setlocal
set _Admin_=%COMPUTERNAME%\Administrator
set _Group_=Administrators
set _Prog_="explorer.exe -e"
set _User_=%USERDOMAIN%\%USERNAME%

if "%1"=="" (
  rem First pass: re-run this script as the local Administrator,
  rem passing the current user name as the argument.
  runas /u:%_Admin_% "%~s0 %_User_%"
  if ERRORLEVEL 1 echo. && pause
) else (
  rem Second pass, running as Administrator: %* is the user name.
  echo Adding user %* to group %_Group_%...
  net localgroup %_Group_% "%*" /ADD
  if ERRORLEVEL 1 echo. && pause
  echo.
  echo Starting program in new logon session...
  runas /u:"%*" %_Prog_%
  if ERRORLEVEL 1 echo. && pause
  echo.
  echo Removing user %* from group %_Group_%...
  net localgroup %_Group_% "%*" /DELETE
  if ERRORLEVEL 1 echo. && pause
)
endlocal
[/code]

Two birds with one stone, thanks!  ;D

I also get buffer overflow alerts when installing some games, like AOE 3.

I got one when I uninstalled the Futuremark system info software installed from the Peacekeeper browser benchmark site. It said explorer.exe would be isolated unless I chose to skip the alert. I skipped it and then scanned explorer.exe with CAV, MBAM, and SAS. Nothing was found so I guess it was a false alarm.

BTW, the Peacekeeper benchmark is unfairly biased against IE because it uses the canvas format for the complex graphics test and IE does not support canvas at this time and it scores zero on those tests.