Process Explorer suspicious behavior !?

Hi folks,

Still learning the ropes of this amazing Firewall (my computer is so much more responsive since I switched – after setting the logs.log to read-only though :slight_smile:

Ok, here is what I got 4 times yesterday… didn’t see any popups, but saw it on the logs this morning and was wondering if this is normal behaviour or not…

Date/Time :2007-08-04 21:30:48
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application:C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\system32\svchost.exe
Protocol: TCP OutDestination: 65.55.194.60::https(443)
Details: D:\ProcessExplorer\procexp.exe modified the memory of the Parent application C:\WINDOWS\system32\svchost.exe in memory.

Is is normal behavior for ProceXP? ??? or not? How do I find out? (perhaps someone knows here).

Thanks in advance,

Regards…

Rej

P.S. sure hope this is the right forum, if not, my apologies and please transfer to proper forum if possible, or let me know and I’ll transfer it myself.

I might have had popups (after rereading my message, IE should have popuped, so can’t recall for sure but probably had them.

Rej

Yes, Process Explorer (PE) does this in an effort to get as much info on each process as possible. But, it is only a warning (a maybe) anyway, SVCHOST was going to MS (probably Windows Update) & PE just happened to have had previously been caught meddling with MSIE (the parent of SVCHOST… manual Update attempt?). Anyway, you would have got a warning at one point from CFP. Maybe ages ago about MSIE using SVCHOST, when you first ran a manual Windows Update with CFP present.

Hi Kail,

thanks for the info… at least this is something Process Explorer does so I’m ok with it.

got his new one that happens very often but not all the time. When Azureus is running, sometimes I’ll start IE without any popups, but at other times (within a few minutes), I’ll get this popup… (see attachment)

Now, since it doesn’t happens everytime (I don’t tell comodo to remember the setting, wanting to see if it’ll happen again or not), I’m not sure what’s going on under the hood. But since I scan a few times a weeks these days (both AV and Anti-Spyware) I’m not too worried. Still not sure what it means tho.

Well, just wanted to say thanks and this came out :wink: sorry about that lol

Regards…

Rej

[attachment deleted by admin]

OK, check CFPs Log (Activity) to double check if these are indeed identical. I say this because when first installed CFP will produce a lot of alerts like this as it learns what you use. Basically it is leak prevention, to stop leaks, like GRCs Leaktest, PC Flank & the real thing… these tests/nasties exploit explorer.exe & abuse the fact that explorer.exe is the parent (usually) of… all your browsers in this case. A parent process has certain privileges/rights over the child process (browser). So, if anything goes near explorer.exe (or the parent process of anything)… claiming file extensions, adding context menus, injecting DLLs, etc… CFP wants to know if that is OK. Thus the alert & thus the initial volume. This, in fact, will be the exact same alert you’ll see if you perform a leak test or encounter the real exploit. So, double check the Log & see if these alerts really are the same… you might find that they are just very similar. Thanks.

Hi Kail,

thanks again for the useful infos… this gives me a much better idea of why I get those reports. Much appreciated!

I’ll have to check when it happens again since I don’t keep the logs (logs.log is read only) and I rebooted since I last used Azureus, but I’ll keep an eye on it when I reuse it (might be a while but it’ll come back to me once I see the popup again).

Regards…

Rej