Is there any process that should be allowed to modify the status of Explorer.exe?

Online_Sword
Thread author
Mar 23, 2015
Hi, here I hope to ask a question about Explorer.exe.

I found that, when I open the file dialog in many applications (for example, click "File -> Open" or "File -> Save as" in notepad.exe), HIPS programs will alert me that the corresponding application is trying to modify the status of explorer.exe. (The description of this behavior can vary slightly between different HIPS products.)

Furthermore, I found that denying this behavior does not affect the function of the file dialogs. I mean, I can still open & save files normally. Therefore, I am considering creating a rule that prevents any application from modifying the state of explorer.exe, because:

1. Modifying the state of explorer.exe is often used by malware.
2. File dialogs are widely used by applications. So the alert that some application tries to modify explorer.exe is very frequent. Creating an all-deny rule could suppress this kind of alert.
The problem is, I am not sure whether there are any system processes that should be allowed to inject into explorer.exe. I have not found any such process so far. Thanks for any information on this. :)
 

DracusNarcrym
Oct 16, 2015
I see your point.

COMODO HIPS (for example), when set to Paranoid Mode (and no rules have been set for explorer.exe), generates HIPS alerts about explorer.exe whenever a user attempts to perform an action such as opening a file (as you explained in the OP). We can say that explorer.exe is the "gateway" for the user's interaction with files and file write/read functions (saving documents).

Unfortunately, I don't think there is any documented information that we can use to determine any processes of the kind you described...

What we definitely could do (or try to do) is to intercept API calls made by known system processes/modules targeting explorer.exe, and test each case to see whether it's "essential" for the function of the system, by blocking it preliminarily using a preferred HIPS application.

I know this might sound like mindlessly revolving around the subject (now that I think of it, it definitely does :rolleyes:), however I have found that this entire process of documenting known good API calls and creating allow rules for them in HIPS software is an IMMENSELY time-consuming task, and in the end only slightly increases the overall security (more in regard to peace of mind than security itself).

Anyway, here is the software I consider most suited for this task (at least, it's the software I used the last time I tried to conduct such tests):
WinAPIOverride
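The workflow described in the two posts above (deny by default, test each blocked case, then document the known-good sources as explicit exceptions) can be rehearsed offline against exported alert logs before any rule is committed to the HIPS. The script below is an added example written for this thread; it is not code from the thread, from COMODO, or from WinAPIOverride. The alert line format, the process paths, the action names and the allowlist are all constructed for illustration, since every HIPS product logs these events in its own format.

```python
"""Offline triage of HIPS "modify explorer.exe" alerts.

Added example for this thread; not any HIPS vendor's code. The log format,
process paths and rule set are constructed for illustration only.
"""
import ntpath
import re
from collections import Counter

# Constructed sample alert lines in a made-up format (not a real product's log).
SAMPLE_ALERTS = """\
2015-03-23 10:01:02 ALERT source=C:\\Windows\\System32\\notepad.exe action=modify-process target=C:\\Windows\\explorer.exe
2015-03-23 10:01:30 ALERT source=C:\\Windows\\System32\\notepad.exe action=modify-process target=C:\\Windows\\explorer.exe
2015-03-23 10:02:15 ALERT source=C:\\Program Files\\Editor\\editor.exe action=modify-process target=C:\\Windows\\explorer.exe
2015-03-23 10:03:00 ALERT source=C:\\Users\\Bob\\Downloads\\setup.exe action=modify-process target=C:\\Windows\\explorer.exe
2015-03-23 10:03:05 ALERT source=C:\\Windows\\System32\\notepad.exe action=write-file target=C:\\Users\\Bob\\notes.txt
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ALERT source=(?P<source>.+?) action=(?P<action>\S+) target=(?P<target>.+)$"
)

# Hypothetical allowlist: source processes the user has already tested with the
# behaviour blocked and found to keep working normally (as the OP did with notepad).
ALLOWED_SOURCES = {
    r"c:\windows\system32\notepad.exe",
}


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = ALERT_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def decide(event, allowed_sources=ALLOWED_SOURCES):
    """Default-deny rule for 'modify-process' against explorer.exe with explicit exceptions.

    Returns 'allow', 'deny', or 'not-covered' when the rule does not apply to the event.
    Path comparison is case-insensitive because Windows paths are.
    """
    if ntpath.basename(event["target"]).lower() != "explorer.exe":
        return "not-covered"
    if event["action"] != "modify-process":
        return "not-covered"
    return "allow" if event["source"].lower() in allowed_sources else "deny"


def triage(text, allowed_sources=ALLOWED_SOURCES):
    """Return the per-event decisions and a count of alerts per source process
    that the explorer.exe rule covers, so exceptions are added deliberately."""
    events = parse_alerts(text)
    decisions = [decide(e, allowed_sources) for e in events]
    volume = Counter(
        ntpath.basename(e["source"]).lower()
        for e, d in zip(events, decisions)
        if d != "not-covered"
    )
    return decisions, volume


if __name__ == "__main__":
    decisions, volume = triage(SAMPLE_ALERTS)
    for event, decision in zip(parse_alerts(SAMPLE_ALERTS), decisions):
        print(f"{decision:11} {event['source']} -> {event['target']}")
    print("alerts per source process targeting explorer.exe:", dict(volume))
```

The counter shows which applications actually drive the alert volume the OP complains about, so each allow exception is a recorded decision rather than a reflex click on a popup; anything not on the list, such as the constructed `setup.exe` from a Downloads folder, stays denied, which is the posture the OP proposed.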
 

jamescv7
Mar 15, 2011
Good point, as I used HIPS way back; many programs execute on explorer.exe, however if you've read the alert description, then modifying is different from executing a process.

Well, HIPS brought a massive range of alerts, especially on APIs, hence it can detect those unusual operations even though the program is legitimate.
 