RE: Is explorer.exe (XP) a high risk process
- From: "Miha Pihler" <Miha.Pihler@xxxxxx>
- Date: Fri, 15 Dec 2006 11:53:14 +0100
If users runs a virus or a rootkit this executable will run in security
context of a user. If user is not a local administrator virus or rootkit
will fail to deliver its payload (depending on what the virus tries to
do).
If you check default NTFS permissions on explorer.exe file you will see
that users only have read and execute permission on the file. They can't
even delete or replace the file...
There are some exceptions to this -- e.g. worms that exploit buffer
overflows where they can gain elevated privileges. This should be fixed
by applying appropriate patches.
If I am local administrator -- it doesn't matter what security measures
you throw at me; I (or virus or rootkit) can bypass all of them... ;-).
Mike
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Gurpreet Singh
Sent: Thursday, December 14, 2006 7:25 PM
To: sergelessard76@xxxxxxxxxxx; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Is explorer.exe (XP) a high risk process
Of course u should consider explorer.exe a high risk process. Not only
viruses attack it but rootkits also. They modify the existing
explorer.exe.
See also,
http://www.security.nnov.ru/docs4852.html
http://securitydot.net/vuln/exploits/vulnerabilities/articles/17949/vuln
.htm
l
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of sergelessard76@xxxxxxxxxxx
Sent: Thursday, December 14, 2006 7:21 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Is explorer.exe (XP) a high risk process
Quick questions for the IT security community. We have a 2000
workstation being centrally managed by McAfee ePO. All of those stations
are being scanned / protected based on a single predefined policy. In
that policy we have a list of highrisk processes which we want to ensure
are clean and some we want to block instantly from running. One of those
processes is explorer.exe . Alot of viruses are targeting thise process
therefore we wanted to eleviate our level of pretection by doing so. But
for 2 individuals it is causing a considerable slowdown when accessing
local drive where large zip and iso files reside. Of course our first
recommendation was to move those files on a network share but to back
this recommendation I wanted to get your opinion of our strategy. Should
explorer.exe be considered a highrisk process or not?? thank you
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- References:
- RE: Is explorer.exe (XP) a high risk process
- From: Gurpreet Singh
- RE: Is explorer.exe (XP) a high risk process
- Prev by Date: RE: U3 TEchnology was RE: strange new virus
- Next by Date: Re: strange new virus
- Previous by thread: RE: Is explorer.exe (XP) a high risk process
- Next by thread: RES: [SPAM] RE: Is explorer.exe (XP) a high risk process
- Index(es):
Relevant Pages
|
