#26
Hi,
Explorer requests the connection how many times a year?... Once? Then you allow or deny it once and the problem is solved; same thing for rundll, alg, lsass, mmc. The real problem comes from your taste for "HIPS/IDS": originally this type of tool, in fact behavioral blockers, was far too chatty; antivirus products took over that role... and no longer ask users anything, so Kaspersky or Bitdefender will never ask you whether to allow explorer.exe, it knows what to do. All those who dramatize and/or pile up protection tools are mistaken, sometimes while calling others idiots; having a firewall with a "HIPS/IDS" behavioral blocker + an antivirus (signatures + heuristics + behavioral blocker) or even Sandboxie actually destroys their protection; the only behavioral blocker to use is UAC. ONE (good) antivirus without firewall + Windows Firewall + UAC, or an antivirus suite with firewall + UAC, NOTHING else.
Last edited by Spiedbot : November 5th, 2012 at 01:19 AM.
#27
Talk about "high maintenance", and "chatty"... UAC is the poster child. I don't need something asking me: "are you sure?" every time I try to do something. I don't consider that protection at all. I consider that an irritant. And I find it amusing how the same people that cut on HIPS for being chatty, will have UAC in their setup. UAC will "chat" more in 1 day than my HIPS will in an entire calendar year. I'll stick with my D+ & Sandboxie... thank you.
__________________
XP Pro SP3: Comodo FW/D+ 5.10 ▪ Sandboxie 3.76 ▪ VT Hash Check 1.01 ▪ OpenVPN 2.2.1 ▪ VirtualBox 4.2 ▪ TrueCrypt 7.1 Firefox/Ixquick ▪ NoScript - ABP - RequestPolicy - CS Lite - WOT ▪ Macrium Reflect Free 4.2 ▪ PRQ - Mullvad ▪ Comodo Secure DNS ▪ MBAM Free ▪ Hitman Pro
#28
Pray!... Me, I do not pray, I am French and Voltairian.
#29
Although I don't like the term "idiot" (probably fearing I have lapsed myself at times), let me suggest that we won't find many here on Wilders. We are at least thinking about these matters and only debate tools and policy in security.
FWIW IMHO these "typical non-security, non-techie users" are better off with a suite (can't believe I said that). The rationale (yours may differ) is the suite is smarter and more secure than anything these users may ever do themselves. That is the domain of others here who know suites and advocate from time to time. On my spouse's PC I just use Avast free and that is sufficient. It does its thing and all that PC is used for is email and receipt hunting. This post will self destruct in 3 minutes
__________________
Escalader i7 8 GB RAM Notebook, 1TB External Drive Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File IE 9 Hardened Active X,SmartScreen,Tracking Protection Paragon Backup and Imaging
#30
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
#31
Like magic it will just disappear. No collateral damage! Good idea to backup anyway!
__________________
Escalader i7 8 GB RAM Notebook, 1TB External Drive Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File IE 9 Hardened Active X,SmartScreen,Tracking Protection Paragon Backup and Imaging
#32
Agree... but as you said, we're not average users here. So us big kids, sitting here at the big kid table, can talk about advanced HIPS setups. And thanks for the Inspector Gadget nostalgia... used to LOVE that show!
__________________
XP Pro SP3: Comodo FW/D+ 5.10 ▪ Sandboxie 3.76 ▪ VT Hash Check 1.01 ▪ OpenVPN 2.2.1 ▪ VirtualBox 4.2 ▪ TrueCrypt 7.1 Firefox/Ixquick ▪ NoScript - ABP - RequestPolicy - CS Lite - WOT ▪ Macrium Reflect Free 4.2 ▪ PRQ - Mullvad ▪ Comodo Secure DNS ▪ MBAM Free ▪ Hitman Pro
#33
Windows 8 Pro: going to have to get used to allowing explorer.exe output; it caused great with Windows.
#34
|
I don't have to get used to anything... Windows 8 will never touch a box that I own. And for that matter I think I'll be sticking with XP Pro for a very long time.
__________________
XP Pro SP3: Comodo FW/D+ 5.10 ▪ Sandboxie 3.76 ▪ VT Hash Check 1.01 ▪ OpenVPN 2.2.1 ▪ VirtualBox 4.2 ▪ TrueCrypt 7.1 Firefox/Ixquick ▪ NoScript - ABP - RequestPolicy - CS Lite - WOT ▪ Macrium Reflect Free 4.2 ▪ PRQ - Mullvad ▪ Comodo Secure DNS ▪ MBAM Free ▪ Hitman Pro
#35
On XP and older, there's no reason the user has to allow explorer.exe to have internet access. If it won't function properly without access on Vista/7/8, I have to question what it's doing that requires it and why I should need to allow it based on my needs. I'd insist on knowing why it has to connect and what it's specifically sending/retrieving. If this can't be disabled, I don't want it.
Somewhat OT but looks like as good of a place as any to ask. A while back there was a discussion regarding open ports on Win 7 and whether or not they could all be closed, not blocked with a firewall, actually closed. The question was danced around with comments like "it's not necessary" or "that's not how it works", etc but never seemed to get answered. Has anyone managed to close all of the listening ports on Win 7? How about on Win 8?
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
#36
Which ports are open? As far as I know they're all easily closed by disabling the services behind them.
Edit: I also don't see too much point in restricting Explorer, as any sandbox is going to be really weak anyway.
#37
I've always denied explorer.exe through the firewall in Win7 and it's never resulted in broken functionality of any consequence for my needs.
Without going to great lengths trying, closing all open ports in Win 7 was something I've not quite been able to achieve, although I did manage to close most of them. I think it was 135 and a couple in the 500+ range that were open.
__________________
Win 7x64 Ultimate SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Chrome w/AdBlock+ | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
#38
With Windows 7 firewall, ports are stealth; ports 135, NetBIOS and 500... are listening only on the LAN and are not open to the internet.
#39
MS is not a trustable company. nuff said.
__________________
Put off the fire on that greatwallllllllllllllll.....echoing
#40
ahh I owe the thread some "new to me" results.
It WAS NOT my fw rules that blocked Control Panel from staying up and useful! It was my EMET 3 full range of 7 ticks on those mitigations! I have Control Panel back now; explorer has only DEP, SEHOP, and NullPage active in EMET 3. I add 1 per day to see which one blocks Control Panel, which clearly uses explorer on W7 64 bit. More later guys; don't let your children, if any, do this on their own!
__________________
Escalader i7 8 GB RAM Notebook, 1TB External Drive Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File IE 9 Hardened Active X,SmartScreen,Tracking Protection Paragon Backup and Imaging
#41
I have Control Panel back now; explorer has 6 mitigations out of 7 active in EMET 3.
Export Address Table Access Filtering (EAF) blocks Control Panel from displaying. Control Panel clearly needs explorer on W7 64 bit. This exe is the only one I have had to alter in EMET 3 so far.
__________________
Escalader i7 8 GB RAM Notebook, 1TB External Drive Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File IE 9 Hardened Active X,SmartScreen,Tracking Protection Paragon Backup and Imaging
#42
I have all mitigations enabled for Explorer (EMET 3.5 Tech Preview). On Win 7 x86, no issues.
#43
I've discovered evidence that explorer.exe needs access to Verisign certificate revocation servers at 199.7.50.1/20, remote port 80 (HTTPS). It seems maybe not such a good idea to block it outbound completely after all.
__________________
Win 7x64 Ultimate SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Chrome w/AdBlock+ | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
#44
Confirmation requested: it was HTTPS on port 80 and not HTTP?
#45
Sorry, my bad, it is HTTP to remote port 80, not the secure HTTP. The firewall logs don't lie. These are the many connection attempts Jetico has logged of explorer.exe trying to connect to these remote IP addresses on port 80, and an ipwhois lookup confirms it's Verisign; then I found a blog, forget where it was, that suggests these are certificate revocation server IP addresses, checking to see if the file's certificate is still valid. I think if you at least restrict explorer.exe to these IP address/CIDR mask addresses (what I've done), you'll be okay doing so.
__________________
Win 7x64 Ultimate SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Chrome w/AdBlock+ | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
#46
If the TBD feature is using hard-coded IP Addresses and those are the only ones it might use you should be fine unless/until those get changed through a software update. If the TBD feature is using hostnames, their IP Addresses could change at any time, be a function of load or location, etc. This I suspect you realize, just saying it out loud for anyone who might not.
I appreciate you sharing the info. I've made a note of it and will try to look for it when I spend some time on a Windows 7 machine. I don't have Ultimate and an AppLocker setup on that box yet (I think AppLocker does do some certificate checks) but maybe I'll see it.
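An added example, not from the thread or any poster: it audits firewall log lines against the narrow rule #45 describes (explorer.exe may reach TCP/80 only inside the 199.7.50.1/20 range) and shows the caveat from #46. The log format and the sample lines are constructed for illustration, not real Jetico output; note that the range as written is host/prefix notation, so the code normalizes it to the network it actually covers.

```python
import ipaddress
import re

# Constructed sample log lines (assumed format, not real Jetico output):
# "<date> <time> <action> <process> <proto> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2012-11-05 10:01:12 BLOCK explorer.exe TCP 199.7.50.72:80
2012-11-05 10:01:13 BLOCK explorer.exe TCP 199.7.55.4:80
2012-11-05 10:02:40 BLOCK explorer.exe TCP 199.7.64.9:80
2012-11-05 10:03:05 BLOCK explorer.exe TCP 203.0.113.7:443
2012-11-05 10:03:09 BLOCK svchost.exe TCP 199.7.50.72:80
"""

# Range quoted in the thread, written as host/prefix. strict=False makes
# ipaddress normalize it to the network it really covers: 199.7.48.0/20.
CRL_RANGE = ipaddress.ip_network("199.7.50.1/20", strict=False)
ALLOWED_PORTS = {80}  # the logged CRL fetches were plain HTTP, not HTTPS

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) (\w+) (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proc, proto, ip, port = m.groups()
    return {"ts": ts, "action": action, "proc": proc, "proto": proto,
            "ip": ipaddress.ip_address(ip), "port": int(port)}

def classify(entry, process="explorer.exe"):
    """What a per-process, per-range outbound rule would do with one entry."""
    if entry["proc"].lower() != process:
        return "ignore"  # rule is per-process; other binaries are untouched
    if entry["ip"] in CRL_RANGE and entry["port"] in ALLOWED_PORTS:
        return "allow"
    return "flag"        # outside the range or port: worth a whois/CRL check

def audit(log_text):
    """Count verdicts and list the destinations the narrow rule would not cover."""
    counts = {"allow": 0, "flag": 0, "ignore": 0}
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        counts[verdict] += 1
        if verdict == "flag":
            flagged.append(f"{entry['ip']}:{entry['port']}")
    return counts, flagged

if __name__ == "__main__":
    print("normalized range:", CRL_RANGE)
    print(audit(SAMPLE_LOG))
```

If the client resolves a hostname rather than using fixed addresses (the #46 caveat), entries will land in the "flag" list as soon as the servers move, which is the signal to revisit the rule rather than widen it blindly.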
#47
I'm happy to share my findings, curious to see what all these ip address attempts are about, as opposed to simply disregarding them as all bogus attempts. There seems to be some purpose after all to many of the attempts explorer.exe is attempting to make.
__________________
Win 7x64 Ultimate SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Chrome w/AdBlock+ | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
#48
Thanks, when the technical preview for 3.5 is over I'll go 7 for 7 on explorer. Seems strange, doesn't it, to use one MS tool to restrain another!
__________________
Escalader i7 8 GB RAM Notebook, 1TB External Drive Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File IE 9 Hardened Active X,SmartScreen,Tracking Protection Paragon Backup and Imaging