Rule for explorer.exe

Yesterday when I inserted a USB in my computer, defense+ gave me an alert that spomenar.exe is trying some malicious activity. Since that was an autorun program about which CIS AV did not alert, I could not quarantine it using AV and hence for the defense+ alert I opted for ‘isolated application’ with ‘remember my action’ (of course in a hurry without properly reading the alert).

I did read the file name in the alert as spomenar.exe but did not realise that I was actually isolating explorer.exe (which is a critical program).

After that I couldn’t open any program (including CIS) as explorer had been isolated by CIS. Since I was aware that this happened after a probable virus attack, I was a bit cautious and instead of rebooting I tried other steps. Fortunately, even though I could not open Task Manager using right click, Ctrl+Alt+Del was able to open it. I could open the programs from File-New Task. I first scanned using CIS AV and then SAS using this. Then I opened CIS GUI and realised that I had mentioned explorer.exe as ‘isolated’. I removed it and my problems were solved.

I mention this incident to point out that similar situations may arise with others too. Since I had realised that this started after that autorun attempt, I was able to clear it without any harm to my computer. However, I think many users may have gone for a reboot (I don’t know about its cumulative efforts), but eventually may be forced to format the computer as CIS itself would not open using the regular means (like start-programs or clicking on any icon on the desktop). True to its concept, defense+ did stop the program from doing harm to my computer even though AV didn’t detect it, but my ‘hurry’ almost made me pay for it.

I don’t know about the technicality, but I think, considering the above, CIS may do something to stop a user from making ‘explorer.exe’ an ‘isolated application’, as it may have a catastrophic effect.

As I said it was almost accidental as the prominent name I saw in the alert was spomenar.exe trying to execute. I do follow these instructions normally, and am aware of CIS’s functioning as I have been with this for a long time now. So, without much trouble I was able to unlock it also.

I mentioned this because in this forum many users advise people to use ‘isolated application’ (though this was the first time I opted for it!) when the alert of probable virus comes, so that the particular virus is isolated from system. In my case, it was just a case of hurry, as I normally read the alerts.

In a real-life situation, in case of an accidental mistake like this, an average user may not have been able to unlock it, as none of the programs would open if explorer is made ‘isolated’, and eventually would have to format it. The user will only think that the virus infected his entire machine even though he had CIS and may even shun CIS. This was not a complaint but a ‘wish’ to save other users.

The wishlist was just to make an arrangement, to the effect that ‘isolated application’ is not shown for explorer.exe, if it is technically feasible.

EXPLORER.EXE is the user shell, which we see as the familiar taskbar, desktop, and other user interface features. This process isn’t as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on other applications.
The explorer.exe file is located in the folder C:\Windows. In other cases, explorer.exe is a virus, spyware, trojan or worm! You should be careful in allowing explorer.exe. But if a catastrophic problem arises after isolating explorer.exe, try allowing it and fire your CIS AV, and if there are no traces of malware, run your updated ON-DEMAND SCANNER, if you have it, for a more convincing result.