Thread: iexplore.exe SUSPICIOUS BEHAVIOR attempts to set a Windows hook

  1. #1
    snagglegrain Guest

    iexplore.exe SUSPICIOUS BEHAVIOR attempts to set a Windows hook

    From time to time, I am seeing a ZAP Security Alert for SUSPICIOUS BEHAVIOR that I always Deny.
    The warning states:
    "Internet Explorer is attempting to monitor user activity on this computer.
    If allowed it may try to track or log keystrokes (user input), mouse movements/clicks, web sites visited, and other user behaviors.
    Application: iexplore.exe
    Allow or Deny".

    In addition, the SmartDefense Advisor Technical Info for the OSFirewall Alert refers to the Sub Event Type as "ExecutionGlobalWindowsHook", explaining that "Internet Explorer attempted to set a Windows hook without a specific thread".
    In ZAP Program Control I have IE Trust Level set to Ask, Access to Trusted and Internet Zone is Allowed, Server rights for Trusted and Internet Zone set to Ask.
    As I stated, I always Deny this behavior, and my browser does not malfunction in any way.
    On one hand, it really gives me cause for concern, but on another level, I think it might just be the OSFirewall reacting to IE7.0 and the settings I have.

    I'm at a loss.
    All security apps show clean scans.
    I checked the MD5 hash of IE7 and it is okay.
    Perhaps some Gurus here can suggest to me what the heck is going on?



    Operating System: Windows XP Home Edition
    Software Version: 8.0
    Product Name: ZoneAlarm Pro

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,287

    Re: iexplore.exe SUSPICIOUS BEHAVIOR attempts to set a Windows hook

    Hi! It is normal and you should allow it (and tick on remember). Internet Explorer needs to monitor your keyboard to work correctly (auto complete functions, certain drop-down menu, etc).
    Cheers,
    Fax


  3. #3
    Join Date
    Dec 2005
    Posts
    9,057

    Re: iexplore.exe SUSPICIOUS BEHAVIOR attempts to set a Windows hook



    The ZA does have excellent keylogger protection or is that supposed to be antikeylogger protection?
    Anyways, the ZA alerts for the keyloggers attempts (as many of the ZoneAlarm alerts are in reality) are basically a 'blanket' warning and there is no real indication to the average user what to do or how to respond correctly to these ZoneAlarm security alerts. Or why.
    In the case of the IE7 keylogger alerts, these keylogger attempts to the keyboard and mouse are very normal - the Internet Explorer does set 'hooks' into the hardware for its usual functions (not necessarily seen or needed in very casual browsing with the MS Internet Explorer, but for other things).
    But understand these ZoneAlarm alerts cover not only suspicious files, but files that are approved and safe such as the Internet Explorer.

    So.... yes.... allow these hooks by the Internet Explorer.
    There is no harm in doing so and maybe even avoid some future issues.

    However if you happen to see alerts for the 'hooks' based on files in the Temp folders or from some new/unusual file in the Windows directory, then keep a sharp alert for possible malware or malicious keyloggers.

    Best regards.
    Oldsod.
    Best regards.
    oldsod
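The rule of thumb in the post above (a hook alert for a known program is routine; one for a file in a Temp folder or a new file in the Windows directory deserves a closer look), sketched as an added example that is not part of any post in this thread. The record layout, `WINDIR`, and the `BASELINE` set are constructed assumptions, not ZoneAlarm's log format or settings.

```python
import ntpath

# Assumed values for illustration; adjust them to the machine being reviewed.
WINDIR = r"C:\WINDOWS"
# Hypothetical baseline: programs already verified and expected to set global hooks.
BASELINE = frozenset({r"C:\Program Files\Internet Explorer\iexplore.exe"})
TEMP_NAMES = {"temp", "tmp"}
HOOK_EVENT = "ExecutionGlobalWindowsHook"  # sub event type quoted in the first post

# Constructed sample records: (sub event type, image path of the requesting program).
SAMPLE_ALERTS = [
    (HOOK_EVENT, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (HOOK_EVENT, r"C:\DOCUME~1\user\LOCALS~1\Temp\iexplore.exe"),
    (HOOK_EVENT, r"C:\Program Files\Internet Explorer\..\..\WINDOWS\Temp\a.exe"),
    (HOOK_EVENT, r"C:\WINDOWS\newhelper.exe"),
    (HOOK_EVENT, "iexplore.exe"),
    ("OtherEvent", r"C:\WINDOWS\Temp\ignored.exe"),
]


def _norm(path):
    """Collapse '..' segments and fold case, matching Windows path comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def triage_hook_alert(image_path, windir=WINDIR, baseline=BASELINE):
    """Return (verdict, reason) for the program that requested a global hook."""
    full = _norm(image_path)
    if not ntpath.isabs(full):
        # A bare file name proves nothing about where the binary lives.
        return ("review", "alert gives only a file name; resolve the full path first")
    # Matching on directory components also catches 8.3 short paths (LOCALS~1\Temp).
    if TEMP_NAMES.intersection(ntpath.dirname(full).split("\\")):
        return ("review", "image runs from a Temp folder")
    if full in {_norm(p) for p in baseline}:
        return ("expected", "known program at its baseline location")
    if full.startswith(_norm(windir) + "\\"):
        return ("review", "file in the Windows directory that is not in the baseline")
    return ("review", "program not in the baseline")


def review_queue(alerts):
    """Return (path, reason) for every global-hook alert that needs a closer look."""
    queue = []
    for sub_event, image_path in alerts:
        if sub_event != HOOK_EVENT:
            continue
        verdict, reason = triage_hook_alert(image_path)
        if verdict == "review":
            queue.append((image_path, reason))
    return queue


if __name__ == "__main__":
    for path, reason in review_queue(SAMPLE_ALERTS):
        print(f"{path}: {reason}")
```

The comparison is on the full normalized path, so a file named iexplore.exe sitting in a Temp folder is queued for review even though its name matches the baseline entry.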

  4. #4
    naivemelody Guest

    Re: iexplore.exe SUSPICIOUS BEHAVIOR attempts to set a Windows hook

    Hi again, Snagglegrain, "Internet Explorer is attempting to monitor user activity on this computer. If allowed it may try to track or log keystrokes (user input), mouse movements/clicks, web sites visited, and other user behaviors.." = this can occur when IE has been upgraded or ZA has been upgraded. Last Feb. 10, 2009 Microsoft updates - there was a new IE7 security update and was most 'probably' the cause of this alert. The monitoring/logging keystroke = is really the 'auto-fill, auto-complete' feature that most of us use when filling out passwords and common repeated words for address, searches, etc. IE is not malware for the most part.

    Generally, if you use IE7 as your main browser - it would be set for three green bars or if you don't mind getting too many alerts - two bars. When you have it to 'ask' = you will get alerts.

    For me when IE7 got the "new" security update, my settings were reset to all " ???" and I would have to re-adjust, and "allow" for ZA Alerts that followed (including the hooks alert).

    Sidenotes: Since the last time you had that weird GUI logging issue, I didn't realize/see your software background until now - GeSWall Pro - looks like it may have some 'firewall like capabilities/ intrusion(HIPS)' that 'may' conflict with ZA Pro. {Hopefully it does not; or had anything to do with that weird GUI issue you had back then } You also list two anti-virus - it's generally not a good idea to have two av's ; even if one is 'on-demand'/ in-active real time > there is potential for conflicts. {Hopefully it will not: or had anything to do with that weird GUI issue you had back then }

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Re: iexplore.exe SUSPICIOUS BEHAVIOR attempts to set a Windows hook


    And the **bleep**boclean is no longer supported as a stand alone product - it is fully integrated into their security suite.
    Can't really say it had any merit to begin with over the last few years - the antivirus should catch the exploits before the malware has a chance to do anything.

    Oldsod.
    Best regards.
    oldsod

  6. #6
    snagglegrain Guest

    Re: iexplore.exe SUSPICIOUS BEHAVIOR attempts to set a Windows hook

    Hi again, NaiveMelody,
    Boy, did I ever get some helpful responses!
    Thank you everyone who replied, you've eased my mind regarding the SUSPICIOUS BEHAVIOR alerts.
    I guess I will go into Program Control and change the trust level for IE.
    I'm relieved to hear, NM, that you also received the hooks alert (after the IE7 update and before changing ZA Program Control settings).
    I never thought to ID the auto-fill dialog as the cause for the keystroke logging warning, so thanks also for that detailed info.

    Regarding the auto-fill dialog... I'd sure love to make that go away.
    I have to click No every time, and it's getting old.
    I bet it's a registry tweak.
    Any help there?
    As for my security set up, I appreciate your input very much.
    What I have uninstalled since I had the GUI probs is ThreatFire, which definitely does have some deep hooks and was more than likely causing instability in my system.
    GeSWall Pro is a policy-based sandbox.
    The newest version has the ability to create network rules, thus allowing GW to function as a firewall... but I have not put any of those rules in place.
    I am also cognizant of the inadvisability of running two AVs simultaneously, and I've taken careful steps to keep any Avira processes from loading or running, primarily achieving this by not installing the Guard.
    I also don't allow the update service to run, obtaining database updates manually.
    I will be on the look out for any funky behaviors that might be attributable to having the 2nd AV, but I truly believe that I have it installed so as to serve in the on-demand capacity only.
    Once again, my thanks to the forum responders... it was really great to post about my problem, then wake up this morning and find such helpful input.

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Re: iexplore.exe SUSPICIOUS BEHAVIOR attempts to set a Windows hook



    GeSWall without the firewall/networking rules enabled still places hooks and goes deep into the lower kernel of windows. You are still going to get issues - both with windows and with the ZA.
    Kind of ironic - users asks for help yet is doing the issues to themselves and believe they are correct and without fault. Yet their own choosing of the security setups are to blame.
    Security is not installing a lot of security programs.
    Security on the computer is instead using safe hex and practises.

    http://forum.zonelabs.org/zonelabs/b...essage.id=5419

    The same applies to using two antiviruses - even though one is dormant, it still installs kernel hooks and these will conflict with the resident full time antivirus.
    Really would advise to drop the geswall and the second antivirus.

    The boclean is no longer supported (or will be soon) as a stand alone and will only be available in their suite. Maybe consider dropping this too. Can't really say it had any real merits over the last few years anyways. Antiviruses have improved over the last few years, making the antitrojan scanners like boclean obsolete and not needed anymore.
    A good antivirus (pick one of the two you are using now not two) is suitable for almost everything - including adware, spyware and riskware. A*V*ast is well known for excellent antispyware detections and removals and for being an excellent antivirus. Avira is an excellent antivirus. Either one would be a good choice - but not both at the same time.

    More security programs is not the 'better' approach - especially if it is the same repeated over and is just the same, but layering security is the best.
    Layered security is covering all areas but not over-lapping or repeating the same areas.

    Oldsod.
    Best regards.
    oldsod

  8. #8
    snagglegrain Guest

    Re: iexplore.exe SUSPICIOUS BEHAVIOR attempts to set a Windows hook

    Hey Oldsod-
    Your response here is quite "preachy".
    I posted to ask about the SUSPICIOUS BEHAVIOR alerts.
    I surely appreciate any and all efforts to help with this topic, and I have said so repeatedly.
    But you have gone off on a tangent concerning the security applications I have installed.
    Your assumption that what you believe to be correct is what everyone else should believe is unfortunate, AND annoying.
    Your assumption that I think "security is installing a lot of programs" is condescending as well.
    Like I have given this no thought, have just mindlessly installed whatever was out there.
    Like you somehow know how my machines run.
    You don't.
    You wrote, "Kind of ironic - users asks for help yet is doing the issues to themselves and believe they are correct and without fault. Yet their own choosing of the security setups are to blame." ...
    What help and what blame are you referring to?
    What problem am I having that has to do with my apps?
    The one I posted about?
    I don't think so.
    Are you talking about me when you refer to "users"?
    How about not lumping people together when you reply... and if you choose to advise people on topics which they have not asked you about, how about being concise?

    As for BOClean, I am aware that its demise as a standalone product is imminent... I read the forums too.
    The news first came out about 8 days ago.
    And just because you don't think it is a viable product doesn't necessarily make it so.
    You leave no room for other people's opinions and choices and preferences when you write... which makes you hard to take.
    I have been running Windows-based operating systems for about 14 years.
    Not an eternity, but long enough.
    I have never been infected by a virus or malware.
    My security programs either block them or find them immediately.
    I call that good security.
    I must have been doing something right for 14 years.
    And I dare say, I haven't been adding applications to achieve this level of protection, I have been choosing applications.
    Your advice to drop GeSWall and Avira is bad advice... in my opinion.
    Certainly it is your option to NOT add those programs to YOUR system, and I promise not to advise you on that one way or the other, unless asked.
    Just thought I'd be as blunt with you as you have been with me.
    Nobody I know likes to be lectured.
    Do you?


  9. #9
    Join Date
    Dec 2005
    Posts
    9,057

    Re: iexplore.exe SUSPICIOUS BEHAVIOR attempts to set a Windows hook



    One windows operating system is the same as the next windows operating system, regardless of the hardware involved. They are all the same and work the same and do the same.
    In this way, I do not have to know about your individual machine - the windows alone tells the story.
    Windows was never designed to support many security applications - it is very limited in the number of kernel hooks it can properly handle lower kernel hooks into its operating system.
    This alone tells everything. Too many and windows itself is ruined.
    This is the biggest issue with too many security applications installed at the same time (regardless if they are on demand or resident).

    Myself I never get viruses or malware for many years.
    I never get to see the security jump into action since I practise safe hex and am careful.
    The extra such as antispyware and antitrojans and such is not needed to provide the protections. Avoidance of malware is the best practise, not solutions by malware removing softwares.
    But using two antivirus and two firewalls will cause issues with the windows and more importantly with the Zone Alarm.
    Regardless of the extra thought of protection by over installing the security.

    Oldsod.
    Best regards.
    oldsod
