explorer.exe/explorer.scf chksum change

Discussion in 'ProcessGuard' started by md411, Sep 12, 2004.

Thread Status:
Not open for further replies.
  1. md411

    md411 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    24
    I have Process Guard protecting explorer.exe - I believe it's by default if you allow PG after installation. Question is, if I got a message by file checker (javacool software) saying the file check sum has been edited - is it something to look at? Or is it possible file checker is giving false positives?? PG is protecting the file from write, terminate, read access o_O? If it's protected from write access then how can the checksum be edited?? This happened after the latest Norton updates.

    Some other files that got "checksum edited" are desktop.ini, dla.exe, boot.ini, config.sys, io.sys, msdos.sys, and NTdetect.com
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi md411, do you have Process Guard's check summing switched on?

    Did you check the paths for explorer.exe that file checker showed, and are they the same as the path that Program Checksums is showing in Process Guard?

    Also, you state blocks on write, terminate, read access; I believe that setinfo should also be blocked by default.

    Norton may have been altering these files as part of its add-ins.

    Sorry more questions than answers ATM :) Pilli
     
  3. md411

    md411 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    24
    I don't see that option to turn on check summing... o_O

    The paths of the files mentioned are the same as the paths in PG: c:/windows/ and c:/

    Something changed the checksums in some of the files mentioned above... I was wondering why PG didn't prevent it?


    I wish the next version would allow the option to selectively allow programs to modify files......disabling the file change option to allow one program to modify its own files also allow other programs trying to change or modify file to do so?
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again md411,
    Process Guard's protection list only works when something attempts to change a running process, i.e. stop the process, change the process or inject into the running process's memory space, thus stopping malware from changing or stopping your system or security programs.
    The check summing part shows you if a trusted program has changed since the last time of opening & asks if you are going to permit the change. Also the check summing part checks all .exe's not just those on your protected list.
    Please spend some time going through the help file as it is a very useful document for all PG users. :)

    HTH Pilli
     
  5. md411

    md411 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    24
    Program checksum is enabled.... as well as all the other options for max protection, but a few files and their checksums did get edited.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Not quite with you there, do you mean that the check summing is not picking up new .exe's as you open them?
     
  7. md411

    md411 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    24
    explorer.exe is protected by PG .. after updating Norton Pro2004 and letting Windows update the Windows Media Player authentication certificate (it said something when I opened Windows Media Player, like do you wish Windows to authenticate OR update some certificate from the player). After doing both, I am really not sure which one is causing the messages "checksum has been edited".. I opened Windows Media Player because I needed the program to view video content from a web page (reliable source: World Wrestling Entertainment, to watch Unforgiven)

    I probably should not have allowed the update by Windows Media Player and Norton, I didn't have much choice........... was just wondering why PG didn't stop the checksum editing or ask, since I didn't disable that option.....
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi md411, explorer.scf is probably just the certificate file and not explorer.exe. Process Guard's checksum list only covers .exe's - could this .scf be what file checker is seeing?

    Just guessing. Pilli
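
Added example, not part of the original thread: a minimal baseline-and-compare checker showing why a tool that tracks every file reports changes that an .exe-only checksum list never sees. SHA-256 and the `exe_only` switch are assumptions for illustration (the thread does not say which algorithm Process Guard or File Checker uses), and the files are constructed stand-ins in a temp directory, not real Windows system files.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash file contents in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths):
    """Record a checksum for every listed path that exists right now."""
    return {p: sha256_of(p) for p in paths if os.path.isfile(p)}

def compare(baseline, paths, exe_only=False):
    """Return {path: status}; exe_only=True mimics a checker that tracks only .exe files."""
    report = {}
    for p in paths:
        if exe_only and not p.lower().endswith(".exe"):
            continue  # an .exe-only list never looks at .scf, .ini, .sys ...
        if not os.path.isfile(p):
            if p in baseline:
                report[p] = "missing"
        elif p not in baseline:
            report[p] = "new"
        elif sha256_of(p) != baseline[p]:
            report[p] = "changed"
    return report

def demo():
    """Constructed sample: an update rewrites the non-executable files only."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("explorer.exe", "explorer.scf", "desktop.ini")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
    baseline = take_baseline(paths)
    # Simulated update: append to explorer.scf and desktop.ini, leave the .exe alone.
    for p in paths[1:]:
        with open(p, "ab") as f:
            f.write(b" updated")
    short = lambda rep: {os.path.basename(p): s for p, s in rep.items()}
    return short(compare(baseline, paths)), short(compare(baseline, paths, exe_only=True))

if __name__ == "__main__":
    print(demo())
```

The full-file comparison flags `explorer.scf` and `desktop.ini`, while the .exe-only view reports nothing because `explorer.exe` itself is byte-for-byte unchanged.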
     
  9. md411

    md411 Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    24
    I am thinking it's from the Windows Media update... anyways I decided to use System Restore to undo the changes from Microsoft and filechecker STOPPED telling me the files mentioned were changed! I hope the new PG has the ability to selectively allow files and service driver changes instead of the user having to uncheck the checkmark for installing services or drives OR files changed.....

    Thanks for the help.. much appreciated. :)
     
  10. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia


    Hey all.


    As far as I know, explorer.scf is just some "special" shortcut in %SYSTEMROOT% (and .scf is just a special extension for this type of link), and there are also a few other files with the .scf extension.

    Mainly, I remember those used by the "Quick-Launch" shell option in the taskbar, if you use Explorer as the default shell, shortcuts like ShowDesktop.scf, etc. (I actually just found another one in the Windows directory, it's View Channels.scf)



    Cheers
     