Is there any process that should be allowed to modify the status of Explorer.exe?

Online_Sword

Online_Sword

Level 12
Thread author
Verified
Honorary Member
Top Poster
Well-known
Mar 23, 2015
555
Hi, here I hope to ask a question on Explorer.exe.

I found that, when I open the file dialog in many applications (for example, click "File -> Open" or "File -> Save as" in notepad.exe), HIPS programs will alert me that the corresponding application tries to modify the status of explorer.exe. (The description of this behavior could vary slightly between different HIPS products.)

Furthermore, I found that, denying this behavior will not influence the function of the file dialogs. I mean, I can still open & save files normally. Therefore, I am considering to create a rule that prevents any application from modifying the state of explorer.exe, because:

1. Modifying the state of explorer.exe is often used by malwares.
2. File dialogs are widely used by applications. So the alert that some application tries to modify explorer.exe is very frequent. Creating a all-deny rule could suppress such kind of alerts.
The problem is, I am not sure whether there would be any system processes that should be allowed to inject into explorer.exe. I have not found such process until now. Thanks for any information on this.:)
 
  • Like
Reactions: jamescv7, Venustus, Deleted Member 333v73x and 2 others
DracusNarcrym

DracusNarcrym

Level 20
Verified
Top Poster
Well-known
Oct 16, 2015
970
I see your point.

COMODO HIPS (for example), when set to Paranoid Mode (and no rules have been set for explorer.exe), generates HIPS alerts about explorer.exe, whenever a user attempts to perform an action such as opening a file (as you explained in the OP). We can say that explorer.exe is the "gateway" for the user's interacting with files and file write/read functions (saving documents).

Unfortunately, I don't think there is any documented information that we can use to determine any processes of the kind you described...

What we definitely could do (or try to do) is to intercept API calls made by known system processes/modules targeting explorer.exe, and test each case to see whether it's "essential" for the function of the system, by blocking it preliminarily using a preferred HIPS application.

I know this mind sound like mindlessly revolving around the subject (now that I think of it, it definitely does :rolleyes:) however I have found that this entire process of documenting known good API calls and creating allow rules for them in HIPS software is an IMMENSELY time-consuming task, and in the end only slightly increases the overall security (more in regard to peace of mind, than security itself).

Anyway, here is the software I consider most suited for this task (at least, it's the software I used the last time I tried to conduct such tests):
WinAPIOverride
 
  • Like
Reactions: Online_Sword, OokamiCreed and Venustus
jamescv7

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Good point, as I used HIPS way back before; many programs are executing on explorer.exe however if you've read the description alert then modify is different on executing of a process.

Well HIPS brought massive range of alerts especially in API hence it can detect those unusual operation even though the program is legitimate.
 
  • Like
Reactions: Online_Sword
You must log in or register to reply here.

Similar threads

R
Question Comodo Firewall and AnyDesk
Replies
6
Views
1,201
Comodo
Bot
Bot
Gandalf_The_Grey
    • Like
    • Applause
Microsoft wants to make Windows 11 faster by decoupling features from explorer.exe
Replies
2
Views
1,071
Windows 11
silversurfer
silversurfer
silversurfer
    • +Reputation
    • Like
  • Sticky
Serious Discussion The Necessity of Simulating the Full Malware Infection Chain for Security Suite Testing
Replies
3
Views
693
General Security Discussions
harlan4096
harlan4096

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top