Update: High Alert Pop-Up for Services

A High alert pop-up came to my attention as it states that:

C:\Windows\explorer.exe has tried to use C:\Windows\system32\svchost.exe through OLE…

I realize that OLE is being addressed in other threads but if anyone can offer an opinion as to why this is a High Alert I’d appreciate it.

Thanks for your help.

(B)

Search the forums for leaktests. This is the exact method that leaktests (eg. PC Flank, GRC’s tooleaky, etc…) use to bypass firewalls. And leaktests are there to demonstrate how Trojans & Hackers might do the same thing. Thus, the High alert.

Does that help?

Kail,

Thanks for the information about leak tests. I guess my next question - is this something I should deny? Or is it okay to allow?

Thanks.

Without seeing the full message, I don’t know. You can export CPF’s log to an HTML file. From there you cut ‘n’ paste the relevant message & post it here. Then I can say.

But, the general rule is that if you know all the components that the message is talking about, or if you expect the message due to a software update or new software installation, then allow it (remember ticked). If you’re unsure, then deny it (but don’t tick remember, just in case you were wrong). If you deny something & major bits of the system stop working with the Internet, then a reboot will resolve this as long as you didn’t tick remember.

Kail:

Here’s an alert from earlier:

Date/Time :2006-10-06 11:35:56
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 64.x.xx.xxx:https(443)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Kail -

Here’s another alert from this morning - this is happening frequently:

Date/Time :2006-10-07 06:34:38
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 64.236.4x.xxx:http(80)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications.

Thanks for any advice Kail!

(V)

Here’s another log entry that pops up when I use Thunderbird:

Date/Time :2006-10-07 10:15:21
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (thunderbird.exe)
Application: C:\Program Files\Mozilla Thunderbird\thunderbird.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 69.1.30.27:dns(53)
Details: C:\Program Files\Internet Explorer\iexplore.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.

I’m not complaining - in fact I’m thrilled with the operation of CPF - I’m just trying to understand the operation prior to recommending it. Thanks for any opinions.
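The three Application Behavior Analysis entries posted above share one layout, and Kail's rule of thumb (allow with "remember" only when every component named in the alert is recognised, otherwise deny without "remember") can be applied to them mechanically. The script below is an added example, not code from the thread or from Comodo: it parses exported CPF entries, pulls the controlling and controlled process out of the "has tried to use … through OLE Automation" sentence, flags the case where the OLE pair does not even include the application that made the connection (the Thunderbird entry), and returns the allow/deny suggestion from the rule above. The sample log is constructed from the posts with the masked addresses left as posted; the `KNOWN_COMPONENTS` set is a hypothetical stand-in for the executables the user actually recognises.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the layout CPF uses when its log is exported.
# It reproduces the three entries posted in the thread as-is.
SAMPLE_LOG = r"""
Date/Time :2006-10-06 11:35:56
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 64.x.xx.xxx:https(443)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2006-10-07 06:34:38
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 64.236.4x.xxx:http(80)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2006-10-07 10:15:21
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (thunderbird.exe)
Application: C:\Program Files\Mozilla Thunderbird\thunderbird.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 69.1.30.27:dns(53)
Details: C:\Program Files\Internet Explorer\iexplore.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.
"""

# Hypothetical: the executables this user recognises on their own machine.
KNOWN_COMPONENTS: Set[str] = {
    r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
}

# CPF writes both "Date/Time :value" and "Details: value", so allow space on either side of the colon.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z/ ]+?)\s*:\s*(?P<value>.*)$")
# The OLE sentence as CPF phrases it; "the Parent application" is optional wording.
OLE_RE = re.compile(r"^(?P<controller>.+?) has tried to use "
                    r"(?P<via_parent>the Parent application )?"
                    r"(?P<target>.+?) through OLE Automation")

@dataclass
class OleUse:
    controller: str   # process driving another one through OLE
    target: str       # process being driven
    via_parent: bool  # CPF called the target "the Parent application"

@dataclass
class Entry:
    fields: Dict[str, str]
    ole: Optional[OleUse]

def parse_ole_details(details: str) -> Optional[OleUse]:
    m = OLE_RE.match(details)
    if not m:
        return None
    return OleUse(m["controller"], m["target"], m["via_parent"] is not None)

def parse_entries(text: str) -> List[Entry]:
    """Split the export on blank lines and read each block's key/value lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m["key"].strip()] = m["value"].strip()
        if fields:
            entries.append(Entry(fields, parse_ole_details(fields.get("Details", ""))))
    return entries

def ole_pair_excludes_application(entry: Entry) -> bool:
    """True when the OLE controller/target named in Details is a different pair
    from the application that actually opened the connection."""
    if not entry.ole:
        return False
    app = entry.fields.get("Application", "").lower()
    return app not in (entry.ole.controller.lower(), entry.ole.target.lower())

def components(entry: Entry) -> List[str]:
    """Every executable the alert names: connecting app, its parent, and the OLE pair."""
    names = [entry.fields.get("Application", ""), entry.fields.get("Parent", "")]
    if entry.ole:
        names += [entry.ole.controller, entry.ole.target]
    return sorted({n.lower() for n in names if n})

def triage(entry: Entry, known: Set[str]) -> str:
    """Kail's rule: allow with 'remember' only if every component is recognised;
    otherwise deny without 'remember' so a wrong guess is undone by a reboot."""
    known_lc = {k.lower() for k in known}
    unknown = [c for c in components(entry) if c not in known_lc]
    if unknown:
        return "deny, do not tick remember (unrecognised: " + ", ".join(unknown) + ")"
    return "allow, tick remember"

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e.fields["Date/Time"], e.fields["Description"])
        if e.ole:
            print("  OLE:", e.ole.controller, "->", e.ole.target)
        if ole_pair_excludes_application(e):
            print("  note: the OLE pair does not include the connecting application")
        print("  ", triage(e, KNOWN_COMPONENTS))
```

Running it with an empty `known` set turns every entry into a deny suggestion, which is the conservative default the thread recommends when you cannot account for all the components; the Thunderbird entry is also the only one where the flagged OLE interaction (iexplore.exe driving explorer.exe) does not involve the process that made the DNS request.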