Re: Why is Win Explorer accessing the Net?
From: David (davidwnh_at_adelphia.net)
Date: Thu, 18 Dec 2003 04:52:26 GMT
Windows Explorer is much more than a simple file manager. It is the user
shell when you log into Windows. It can be difficult to decide which
core Windows programs to allow to access the internet, especially since
the application controls of the different personal firewalls all work a
little differently. Other firewalls for example may not indicate such
activity if they are using a different scheme to control ICMP traffic or
can "monitor" activity at the dll level. I would tend to use protocol
and port filtering for such diverse applications as explorer.exe and
svchost.exe since they perform multiple functions. I'm not familiar with
Sygate, but you should check to see what other filtering is available.
For example, explorer in regards to being a shell can oversee file
transfers via netbios over tcp/ip, ftp, and has some responsibility as
seen in your case in regards to ICMP traffic. If you are not in a LAN
where you need to browse the resources of other LAN machines, if you do
not do ftp transfers via the explorer shell, and if you have a DHCP
assigned internet gateway address and no internal routers using routing
protocols, then you could probably block explorer access in Sygate
without adverse effects. Personally I would probably hack the registry
as Lars has pointed out, and leave the Sygate settings for explorer in a
state of flux so that other activity would generate an alert. This way
you would be dealing with the specific alerts you received, and will not
block explorer from doing something else you may want it to do or allow
it to do things you may not want. The next thing it tries will generate
an alert which will either be for valid traffic or perhaps give you a
hint that something malicious has made its way onto your machine.
> My QUESTION to the newsgroup is should I allow Windows Explorer
> access to the Net in order for it to go to that IP address?
> These are my own thoughts:
> (a) On one hand, I can not see why a simple file manager like Windows
> Explorer would need to access the Net.
> (b) On the other hand, Windows Explorer is deeply embedded in Win XP
> and may need to perform all sorts of functions on behalf of XP.
> I have had some problems in being over-hasty in blocking
> communications from XP to the Net (for example blocking NTOSKRNL.EXE,
> NDISUIO.SYS and SVCHOST.EXE).
> Can someone who understands what is taking place please advise me if
> I should allow to permit permanent access for Windows Explorer to the