homepage Welcome to WebmasterWorld Guest from 50.19.155.235
register, login, search, subscribe, help, library, PubCon, announcements, recent posts, open posts,
Subscribe to WebmasterWorld
Visit PubCon.com
Home / Forums Index / Microsoft / (deprecated) Microsoft Windows OS (XP/NT/Vista)
Forum Library : Charter : Moderators: bill

(deprecated) Microsoft Windows OS (XP/NT/Vista) Forum

    
I don't trust Windows Explorer any more
Viewing folder caused net access
Hester




msg:1570706		 9:30 pm on Sep 6, 2005 (gmt 0)

I recently installed Kerio's personal firewall. On opening Opera 8's web cache folder in Windows Explorer, Kerio started popping up multiple messages that Windows Explorer wanted to connect to the net. I kept pressing "Deny" to stop it. Moving to a new folder paused the messages, but then they returned. In the end I had to close Explorer down.

On reopening it and navigating to the same folder, again Kerio reported multiple net attempts. I noted some of these contained the names of advertising sites and IP addresses, including this site:

reverse.theplanet.com

A Google search told me many users have had problems with this site repeatedly hitting them. (In fact there's a Webmaster World thread about it here [webmasterworld.com].)

But why would a site be using Windows Explorer when viewing the folder? Do I have a virus on my PC? Ad-Aware reports nothing. (I have now banned Explorer from accessing the net altogether.)

The key perhaps lies in the contents of the Opera 8 cache. Because the files are not encoded, you can see what they are. I noticed dozens of JavaScript files in there, along with HTML. Is it possible Windows is allowing these to run?

I've noticed before that when an HTML page is in a folder, Windows tries to connect to the net. Something secretive by Microsoft going on perhaps? Who knows. I think this only happens when thumbnails are shown. (It then shows an image of the web page.)

I looked through all the JavaScript files and there was some horrendous code in there. Some were even encoded, so you could not tell what they did. Most were for menus on sites, but quite a few were for advertisers.

It's enough to make me turn off JavaScript altogether.

Dare we risk leaving it on? If only I could allow JavaScript to run on sites I choose. Ah wait, Kerio has this built in! And I'm pretty sure you could do it with Opera's 'User JavaScript' too. Maybe I'll add the tick box to toggle JavaScript on and off to my Opera toolbar, as one user has done that I know of.

I always clear the cache after surfing too.

I am on XP SP2 with all the latest patches.

 

bill




msg:1570707		 1:02 am on Sep 7, 2005 (gmt 0)

The issue you're encountering is with Internet Explorer. IE works in many programs throughout Windows, one of them is Windows Explorer. Windows Explorer can browse the web just the same as IE...it's the same engine. You can try this out by simply typing any URL into the address bar of Windows Explorer and hitting Enter.

I'm guessing that you were accessing fully cached pages that were phoning home the same as they would if you downloaded the page to your local PC and tried to view them offline. I don't think there's anything malicious intended.

Although your firewall seems to be doing a good job for you (Kerio recently announced that they're going to stop making firewall products.) there are settings that you can make to your Internet Options that will prevent a lot of these scripts from running.

What you need to do is securely setup your Security Zones. Microsoft has a great article about how you can do this: Setting Up Security Zones [microsoft.com].

Hester




msg:1570708		 9:14 am on Sep 7, 2005 (gmt 0)

The issue you're encountering is with Internet Explorer. IE works in many programs throughout Windows, one of them is Windows Explorer.

Ah, of course, I forgot about that. So even if I'm using a different browser, it can still get me.

I'm guessing that you were accessing fully cached pages that were phoning home the same as they would if you downloaded the page to your local PC and tried to view them offline. I don't think there's anything malicious intended.

Fully cached in Opera, not IE. So why would using Windows Explorer cause them to connect?

Kerio recently announced that they're going to stop making firewall products

NO! I was a longterm user of Zone Alarm but couldn't get the latest version to run. Hence I tried Kerio (after getting top marks in a maazine firewall roundup) and was pleased with the extra notifications it gives when any program tries to connect, or launch another program. (I've even seen messages pop up as Windows is shutting down! It can also prevent any net access during bootup or shutdown.)

Now what am I going to use?!?!?

Hester




msg:1570709		 11:45 am on Sep 7, 2005 (gmt 0)

Kerio recently announced that they're going to stop making firewall products

Their website says the Server Firewall is to be discontinued. But not the Personal Firewall. Do you have any news about that?

bill




msg:1570710		 12:42 am on Sep 8, 2005 (gmt 0)

Fully cached in Opera, not IE. So why would using Windows Explorer cause them to connect?

As you said, you were browsing the Opera cache. If you hover over an HTML page in the cache Windows Explorer will try to generate a little thumbnail to show in the window. (It will do the same with images) It's actually fetching the page then. That's the action you're seeing on your firewall.

Kerio recently announced that they're going to stop making firewall products

Symantec bought Sygate and Keiro stopped making firewalls [webmasterworld.com]. The choices are dwindling. The initial article, which I can't find now, indicated that Kerio was pulling out of all firewall products. The server product was first, then the personal edition would follow. I'd be happy if it wasn't true. I'd prefer to have several to choose from as well.

Hester




msg:1570711		 12:30 pm on Sep 8, 2005 (gmt 0)

It's actually fetching the page then. That's the action you're seeing on your firewall.

So it's also fetching the JavaScript. (Required, I guess, incase it radically changes the page.) But if the JavaScript is dangerous, then that suggests a security risk to me. Someone might even be able to write a script that is OK in a browser, but when Windows Explorer uses it, it triggers a virus. I don't know if that's possible.

bill




msg:1570712		 1:48 pm on Sep 8, 2005 (gmt 0)

You might be giving the virus writers a bit too much credit here. Remember the IE cache doesn't work this way, so they'd have to be targeting the Opera crowd who browse their cache with Windows Explorer. Doesn't sound like a high volume market to me. ;)

Regardless, if it makes you feel safer I'd look into the Security Zones link I posted. You can really lock down IE so that it will ask you before it does anything. Plus you have your firewall to let you know of anything else.

Personally I don't think the action you're seeing is a real threat. It's good that you're looking into it, but it doesn't look like a malicious action at all. IE is just working the way it is supposed to. Fortunately you have the tools and wherewithal to stop or permit that action.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Microsoft / (deprecated) Microsoft Windows OS (XP/NT/Vista)
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
WebmasterWorld ® and PubCon ® are a Registered Trademarks of Pubcon Inc.
© Pubcon Inc. 1996-2012 all rights reserved