If users run a virus or a rootkit, this executable will run in the security context of that user. If the user is not a local administrator, the virus or rootkit will fail to deliver its payload (depending on what the virus tries to do). If you check the default NTFS permissions on the explorer.exe file you will see that users only have read and execute permission on the file. They can't even delete or replace the file...

There are some exceptions to this -- e.g. worms that exploit buffer overflows where they can gain elevated privileges. This should be fixed by applying appropriate patches. If I am a local administrator -- it doesn't matter what security measures you throw at me; I (or a virus or rootkit) can bypass all of them... ;-)

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gurpreet Singh
Sent: Thursday, December 14, 2006 7:25 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: Is explorer.exe (XP) a high risk process

Of course you should consider explorer.exe a high risk process. Not only viruses attack it but rootkits also. They modify the existing explorer.exe.

See also,
http://www.security.nnov.ru/docs4852.html
http://securitydot.net/vuln/exploits/vulnerabilities/articles/17949/vuln.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 14, 2006 7:21 PM
To: [email protected]
Subject: Is explorer.exe (XP) a high risk process

Quick questions for the IT security community.

We have 2000 workstations being centrally managed by McAfee ePO. All of those stations are being scanned / protected based on a single predefined policy. In that policy we have a list of high-risk processes which we want to ensure are clean and some we want to block instantly from running. One of those processes is explorer.exe. A lot of viruses are targeting this process, therefore we wanted to elevate our level of protection by doing so. But for 2 individuals it is causing a considerable slowdown when accessing a local drive where large zip and iso files reside. Of course our first recommendation was to move those files to a network share, but to back this recommendation I wanted to get your opinion on our strategy. Should explorer.exe be considered a high-risk process or not??

thank you
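Mike's point about the default NTFS permissions on explorer.exe can be verified on a workstation directly. The PowerShell script below is an added example and is not part of the thread or of any product mentioned in it: it lists the ACL on explorer.exe, flags any principal outside the usual privileged set that could modify or replace the file, and reports whether the current session is elevated (the case Mike describes in which file-level protections no longer help). The `$env:SystemRoot` path and the list of principals treated as privileged (`TrustedInstaller`, `SYSTEM`, `Administrators`) are assumptions; on XP the file owner is typically `Administrators` rather than `TrustedInstaller`.

```powershell
# Added example, not from the mailing-list thread: audit who can modify explorer.exe
# and whether this session would run it with administrator rights.
# Assumption: standard Windows install with explorer.exe under $env:SystemRoot.
$explorerPath = Join-Path $env:SystemRoot 'explorer.exe'

# Rights that would let a principal tamper with the binary itself.
$tamperRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                [System.Security.AccessControl.FileSystemRights]::Delete -bor
                [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                [System.Security.AccessControl.FileSystemRights]::ChangePermissions

# Principals that are expected to hold modify rights on system binaries (assumed list).
$privilegedPattern = 'TrustedInstaller|SYSTEM|Administrators'

function Get-ExplorerAclReport {
    param([string]$Path = $explorerPath)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            # True when an Allow entry grants any right that could alter or replace the file
            CanModify = ($ace.AccessControlType -eq 'Allow') -and
                        (($ace.FileSystemRights -band $tamperRights) -ne 0)
        }
    }
}

function Test-RunningAsAdmin {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

$owner = (Get-Acl -Path $explorerPath).Owner
"Owner of {0}: {1}" -f $explorerPath, $owner
Get-ExplorerAclReport | Format-Table -AutoSize

# Any non-privileged principal with modify rights means the default permissions were changed.
$suspect = Get-ExplorerAclReport | Where-Object {
    $_.CanModify -and ($_.Identity -notmatch $privilegedPattern)
}
if ($suspect) {
    Write-Warning "Non-privileged principals can modify explorer.exe; the default ACL has been altered:"
    $suspect | Format-Table -AutoSize
} else {
    "Only privileged principals can modify explorer.exe (matches the expected default)."
}

if (Test-RunningAsAdmin) {
    Write-Warning "This session is elevated: anything launched from it runs with administrator rights."
} else {
    "This session is not elevated: processes started here run with the user's limited rights."
}
```

Run it as the ordinary user whose workstation is in question; the ACL report answers whether that user could replace the file, and the elevation check answers whether malware launched in the same session would inherit administrator rights, which is the distinction Mike draws between a limited user and a local administrator.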
