RE: Is explorer.exe (XP) a high risk process



If a user runs a virus or a rootkit, this executable will run in the security
context of that user. If the user is not a local administrator, the virus or
rootkit will fail to deliver its payload (depending on what the virus tries to
do).
If you check the default NTFS permissions on the explorer.exe file you will see
that users only have read and execute permission on the file. They can't
even delete or replace the file...

There are some exceptions to this -- e.g. worms that exploit buffer
overflows where they can gain elevated privileges. This should be fixed
by applying appropriate patches.

If I am a local administrator -- it doesn't matter what security measures
you throw at me; I (or the virus or rootkit) can bypass all of them... ;-)

Mike
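The permission check Mike describes, as an added PowerShell example that is not part of the thread: it reads the ACL of explorer.exe, flags any Allow ACE that gives a non-administrative principal write, modify, ownership or permission-change rights, and checks the Authenticode signature (a replaced binary, as Gurpreet describes, would fail it). The trusted-principal list and the Microsoft subject match are assumptions for illustration.

```powershell
# Added example, not from the list thread. Assumes PowerShell 3+ on Windows.
# On XP/2003 the manual equivalent is: cacls %SystemRoot%\explorer.exe
param(
    [string]$Path = (Join-Path $env:SystemRoot 'explorer.exe')
)

# Principals expected to hold write rights on a system binary (assumed list).
$trustedPrincipals = @('NT AUTHORITY\SYSTEM',
                       'BUILTIN\Administrators',
                       'NT SERVICE\TrustedInstaller')

# Any of these rights would let a principal replace or patch the file.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

$acl = Get-Acl -Path $Path
$findings = @()

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    if (($ace.FileSystemRights -band $writeMask) -and
        ($trustedPrincipals -notcontains $id)) {
        $findings += "Write-capable ACE for '$id': $($ace.FileSystemRights)"
    }
}

# A modified or replaced explorer.exe no longer carries a valid Microsoft
# signature. Note: on older Windows releases system binaries are signed via
# catalog files, and Get-AuthenticodeSignature may report NotSigned for them;
# there, use sfc /verifyfile or Sysinternals sigcheck instead.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is '$($sig.Status)' (expected Valid)"
} elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    $findings += "Signed by unexpected subject: $($sig.SignerCertificate.Subject)"
}

"Owner of ${Path}: $($acl.Owner)"
if ($findings.Count -eq 0) {
    "OK: only trusted principals can write $Path and its signature is valid."
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```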

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Gurpreet Singh
Sent: Thursday, December 14, 2006 7:25 PM
To: sergelessard76@xxxxxxxxxxx; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Is explorer.exe (XP) a high risk process

Of course you should consider explorer.exe a high risk process. Not only
viruses attack it but rootkits also. They modify the existing
explorer.exe.

See also:
http://www.security.nnov.ru/docs4852.html
http://securitydot.net/vuln/exploits/vulnerabilities/articles/17949/vuln.html


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of sergelessard76@xxxxxxxxxxx
Sent: Thursday, December 14, 2006 7:21 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Is explorer.exe (XP) a high risk process

Quick question for the IT security community. We have 2000
workstations being centrally managed by McAfee ePO. All of those stations
are being scanned / protected based on a single predefined policy. In
that policy we have a list of high-risk processes which we want to ensure
are clean and some we want to block instantly from running. One of those
processes is explorer.exe. A lot of viruses are targeting this process,
therefore we wanted to elevate our level of protection by doing so. But
for 2 individuals it is causing a considerable slowdown when accessing a
local drive where large zip and iso files reside. Of course our first
recommendation was to move those files to a network share, but to back
this recommendation I wanted to get your opinion of our strategy. Should
explorer.exe be considered a high-risk process or not? Thank you.
