Kaspersky false alarm quarantines Windows Explorer

A faulty signature update from Kaspersky Lab on Wednesday flagged up Windows Explorer (explorer.exe) as infected with a low-risk virus, Huhk-C. As a result the core Windows component was quarantined or worse. Kaspersky released a revised update alongside advice on how to recover legitimate system and application files from …

COMMENTS

This topic is closed for new posts.
  1. Tawakalna
    Gates Horns

    so it's wrong how?

    because Internet Explorer is (to all intents and purposes) one of the main conduits by which viruses and malware enter a computer. Hardly a safe app, is it?

  2. James O'Brien
    Joke

    It deleted Explorer.exe?

    And this is a problem why?

  3. Phil
    Thumb Down

    RE: so it's wrong how?

    Sorry to correct you, but explorer.exe is actually the main windows shell. It takes care of displaying such things as the start menu.

    You're thinking of iexplore.exe, a totally separate piece of software.

  4. yeah, right.
    Gates Horns

    fair cop guv.

    I thought explorer WAS malware? As Tawakalna comments, it seems to allow anyone and their dog a conduit into getting complete control over a system. Seems only fair to flag it for what it is.

  5. Simon Edwards

    @ Tawakalna

    Windows Explorer is not the same as Internet Explorer.

  6. Steven Hewittt

    Horrific

    Can you imagine....

    3am, your AV management server downloads the latest AV updates

    4am, your clients are set to download from your management server

    5am, your clients do their daily scan

    5:10am - explorer.exe is deleted from Windows

    5:20am - Your network is crippled....!

    Stuff of nightmares....

  7. Anonymous Coward
    Gates Halo

    @Tawakalna

    explorer.exe is not Internet Explorer, but I guess your still in 80's Linux retro land

  8. Jason Miles

    Re: So it's wrong how?

    First, this is Explorer, not IE. Deleting Explorer would require everything to be done from new task.

  9. Ben Schofield
    Gates Horns

    Wrong because...

    You're mistaking the process as iexplorer.exe, the Internet Explorer process. This is the explorer.exe process which runs the file browser, Windows Explorer.

    Ben

  10. Anonymous Coward
    IT Angle

    Maybe, just maybe...

    Perhaps it was a false false positive?

  11. Anonymous Coward
    Alert

    Explorer, not IE

    Windows Explorer, wot does the GUI bit, not Internet Explorer, wot does t'internet.

    Speaking of irritating anti-virus updates, maybe someone could also tell Grisoft that rc.exe, compiler of resources in Visual Studio, is also not a virus, as I've had to remove it just to get my projects to compile properly.

  12. Anonymous Coward
    Anonymous Coward

    Forget cyber terrorism

    No need for Chinese or Russian covert hacking activities then? All that Putin and his mob need to do is to infiltrate Kaspersky, introduce a trojan in one of the updates and hey, presto, the FSB will have access to nearly every computer in the West.

    Maybe it's happening already. OMG! Let's nuke them before it's too late!! Or take the simpler solution - ditch Windows.

  13. Anonymous Coward
    Flame

    Double edge sword

    This is alarming, both incidents are serious enough to cause IT people a nightmare, but something as simple as testing explorer.exe, how did they miss that??

    I was in the planning stage to change all our clients from AVG/Panda to Kaspersky; after these incidents, I think I will sit tight until further notice.

  14. Duncan Hothersall

    Erm, explorer.exe isn't IE

    IE is iexplore.exe

    explorer.exe is the Windows file manager component.

    I know they are linked, but hosing explorer.exe is far more system-destroying than hosing iexplore.exe

  15. Mark Allen
    Pirate

    @Tawakalna

    Windows Explorer is not the same as Internet Explorer. I can't believe that people are still confusing these two terms. Shows how daft the M$ naming scheme was.

    The "Windows Explorer" is your shell and file manager within Windows. If it is deleted, it does make life a little tricky getting anything done in XP. Though one could revert to the old Win 3.x progman.exe (found in Windows System32 folder...)

  16. Herby

    Now if it could only flag Vista

    As being a virus, it might get some attention.

    I can see it now. "Your computer is infected with the Vista virus, do you want to upgrade to XP?".

    I'd mention Linux, but that just arouses more flamage....

  17. Anonymous Coward
    Black Helicopters

    Good pun, but...

    Isn't the point of AV software to stop things slipping through the net?

  18. Anonymous Coward
    Thumb Up

    *snork*

    "stuck in '80s Linux retro land" huh? If you're going to toss in a random mild insult because you're sore about yet another problem with Winduhs while you helpfully correct someone's confusion of IEXPLORE.EXE and EXPLORER.EXE, at least get your decade right. :o)

    I think Kaspersky could improve on this by having it delete any C:\WINDOWS or C:\WINNT directories it finds, since having them on your computer is definitely a security hazard.

  19. James O'Brien

    Re: Now if it could only flag Vista

    I wouldn't necessarily say virus so much as a worldwide beta gone bad.

    (I can see this now 'When OS' attack tonight on FOX')

    Though with most people Linux is not an option because they have gotten so used to the way Windows works even what should be a minor change will cause them to forget everything that they have learned and be completely clueless.

    (Celebrity deathmatch 'Linux vs Vista' WHO WILL WIN!!!!)

  20. combatwombat
    Gates Horns

    Wrong name

    I reckon they had it right in the first place, but the wrong name. It should have been W32.Monopoly.Worm.

  21. Lee Dowling Silver badge

    Whatever happened to system integrity?

    I thought that you weren't supposed to be able to delete critical Windows files like that? Surely even as an admin, deleting explorer.exe from WITHIN explorer.exe (as a shell) should be one of those impossible things? Shouldn't Windows be disallowing it anyway, with all its fancy system file protection etc.? I'm not going to try it, but even as an admin I didn't think you could actually delete explorer.exe. Or does Kaspersky put it on the list of files to delete on the next startup?

    I know that Linux wouldn't stop you doing "rm -rf /" if you're daft enough to do it when running as root but I thought that Windows didn't like you having that sort of control over your own machine.

  22. Anonymous Coward
    Gates Horns

    There's a hole in my bucket dear Liza

    Henry: Kaspersky's deleted explorer.exe, dear Liza, dear Liza, Kaspersky's deleted explorer.exe, dear Liza, deleted.

    Liza: Well fix it dear Henry, dear Henry, dear Henry, well fix it dear Henry, dear Henry, fix it

    Henry: With what shall I fix it, dear Liza, dear Liza, with what shall I fix it dear Liza, with what?

    Liza: with progman.exe, dear Henry, dear Henry, dear Henry, with progman.exe, dear Henry, dear Henry, with progman.exe.

    Henry: But how do I run progman.exe dear Liza, dear Liza?

    (There are ways, thanks to DOS... and win3.1 comes in handy too sometimes. We still can't live without 'em.)

  23. James Butler

    Quarantine, not delete

    Setting Kaspersky AV to delete anything it deems suspicious is an incredible show of faith in its accuracy. Setting it to quarantine suspect items is much safer, and explorer.exe could have been simply recovered using the recovery shell, could it not? For that matter, if one knew what had happened, simply extracting explorer.exe from the same recovery shell would have fixed things right up.

    Probably the bigger issue was with not knowing what had happened, and being unable to contact Kaspersky to find out.
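The staged-rollout nightmare in comment 6 and the quarantine-versus-delete point in comment 23 both describe the same failure mode: one bad signature, many hosts remediating the same core binary within minutes. The following is an added example of a detection a defender could run over AV event logs; it is not code from this thread or from Kaspersky, and the log format, host names, protected-file list and sample events are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample AV events in a hypothetical log format (not Kaspersky's):
# "<ISO time> host=<name> action=<action> path=<path> detect=<signature name>"
SAMPLE_LOG = """\
2007-12-19T05:10:02 host=ws-014 action=quarantine path=C:\\WINDOWS\\explorer.exe detect=Huhk-C
2007-12-19T05:10:05 host=ws-027 action=delete path=C:\\Windows\\Explorer.EXE detect=Huhk-C
2007-12-19T05:10:09 host=ws-031 action=quarantine path=C:\\WINDOWS\\explorer.exe detect=Huhk-C
2007-12-19T05:11:40 host=ws-009 action=quarantine path=C:\\Users\\bob\\Downloads\\setup.exe detect=Trojan.Generic
2007-12-19T05:12:13 host=ws-044 action=allow path=C:\\WINDOWS\\explorer.exe detect=Huhk-C
2007-12-19T06:30:00 host=ws-052 action=quarantine path=C:\\WINDOWS\\system32\\winlogon.exe detect=Test.Sig
"""

# Core shell/logon binaries whose remediation should never pass unnoticed
# (constructed list; lower-case because Windows paths are case-insensitive).
PROTECTED = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\csrss.exe",
}
REMEDIATIONS = {"quarantine", "delete"}

LINE_RE = re.compile(r"^(\S+) host=(\S+) action=(\S+) path=(.+?) detect=(\S+)$")


def parse_event(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, action, path, detect = m.groups()
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "action": action.lower(),
        "path": path.lower().replace("/", "\\"),
        "detect": detect,
    }


def find_risky(log_text):
    """Events in which a protected OS binary was quarantined or deleted."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events
            if e and e["action"] in REMEDIATIONS and e["path"] in PROTECTED]


def fleet_alert(events, window=timedelta(minutes=15), min_hosts=3):
    """Map path -> sorted hosts when at least min_hosts distinct hosts remediated
    the same protected file inside one sliding window. That pattern is the
    signature of a bad update rolling out, not of a genuine infection."""
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"]].append(e)
    alerts = {}
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:]
                     if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts[path] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for path, hosts in fleet_alert(find_risky(SAMPLE_LOG)).items():
        print(f"possible bad signature: {path} remediated on {len(hosts)} hosts: {hosts}")
```

A single host remediating winlogon.exe is worth a ticket; three hosts doing it to the same file within seconds is a reason to pause the update rollout from the management server.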

  24. Anonymous Coward
    Coat

    COMRADES! STUDENTS! CO-MILITANTS!

    GET BACK TO WORK, STUDY FOR YOUR UPCOMING EXAMS, GET A BEER OR GO OUT TO A PARTY AND GET SOME INSTEAD OF POSTING RETARDED/PREDICTABLE STUFF IN THE REG COMMENT SECTION ABOUT HOW INTERNET EXPLORER IS NOT THE SAME AS EXPLORER AND HOW QUARANTINING EXPLORER IS ACTUALLY A "DO WHAT I MEAN" KINDA THING.

    This Message has been brought to you by the Reg Overwatch and Desensitization One-Man Committee.

    Thank You.

  25. Thomas Jolliffe
    Boffin

    @ The Reg Overwatch and Desensitization One-Man Committee

    You are confusing explorer.exe with iexplore.exe, the Internet Explorer application file...

    Had to be done.

  26. system

    RE: Forget cyber terrorism

    "Or take the simpler solution - ditch Windows"

    This problem was not actually caused by windows itself, but by a trusted process being given permission to delete core files. Do the same on linux or mac and the results will be exactly the same (a hosed system).

    If all windows users switched to linux or mac (or even BSD), it would not be a simple solution. Given that windows users like to run "admin" or root accounts, the security implications on any OS would be major. All OS's including *nix and macOS are susceptible to viruses, rogue code and mistakes. If you believe your OS is invulnerable then you're just asking for trouble.

    If you believe your OS is able to withstand treatment from the average windows user, I dare you to run every single process as root for a week. When bind or sendmail are not attacked with exploits you may have a point.

    This message comes to you from a windows machine that against all common beliefs held by *nix and apple fanbois is not actually a virus drone, and has never sent a single unauthorised email.

  27. This post has been deleted by its author

  28. Cormac

    yo

    Nod32 and Bit Defender Internet Security 2008 I use here at office and home (Nod32 in office cause I have ISA in place and Bit Defender at home cause of its uber firewall). I hate Symantec cause it's shite.... and Kaspersky I don't use cause it's ... well ok but not as good as the aforementioned.. most I have tested have missed common viruses such as Bagle but not Nod or BT !! both updated hourly too

  29. John F***ing Stepp

    iexploder eexploder, I'm the one with the hosed system.

    I set my default shell to sol.exe and was moderately happy for a while but this cut my output at work by at least 10 percent and I had to change it back.

    That sucked.

  30. Christopher A Newman
    Pirate

    Kasperspy sucks

    I don't understand why anyone is surprised. It's a naff piece of software and anyone with an ounce of common sense is running NOD32.....

  31. Paul Talbot
    Linux

    re: RE: Forget cyber terrorism

    @system

    Erm, yeah you've actually made the last guy's point for him. Linux/OSX users don't run every process as root, therefore it's actually very difficult for a process to delete core system files. They're not invulnerable (and anyone who claims as such is a fool), but this is the second time in as many weeks that we've heard of a userland app hosing Windows systems (the last one was the update for an MMORPG - can't remember which one - that removed boot files if you restarted after an update). It would be difficult for this to be replicated in the OSes, especially since the current favourite, Ubuntu, doesn't even allow root login in the standard way (everything's sudo-ed).

    Most users aren't going to run bind or sendmail, but everyone in Windows land (including you, I suspect) is running an AV checker like Kaspersky. Maybe you haven't got a virus, but how do you know that your virus checker won't do something like this next?

  32. sean bone
    Unhappy

    Stop Talking about IEXPLORE & EXPLORE

    PLEASE PLEASE PLEASE stop talking about the above, it's getting boring now!

  33. Phil Cooke
    Paris Hilton

    to Paul Talbot

    EVE Online is the MMORPG you mean - it deleted the boot.ini file. Let's hope XP SP3 adds at least a little protection for key system files!

    Anyone found the paris hilton angle yet?

  34. TheThing
    Thumb Down

    Love it

    ... reminds me of when they did the same thing to SQL Enterprise Manager when we were trialling it last year. I do seem to recall shouting at them something along the lines of "....and what if it does the same thing to explore.exe?" Glad to see that they're learning by their mistakes.

  35. amanfromMars Silver badge
    Alien

    @Forget cyber terrorism

    "No need for Chinese or Russian covert hacking activities then? All that Putin and his mob need to do is to infiltrate Kaspersky, introduce a trojan in one of the updates and hey, presto, the FSB will have access to nearly every computer in the West.

    Maybe it's happening already. OMG! Let's nuke them before it's too late!! Or take the simpler solution - ditch Windows."

    IT is not cyber terrorism, AC, it is the Beta Use of CyberIntelAIgents and one would hardly XPect anything less from an Intelligence Man such as a Mr Putin. It is said that "Once a KGB officer, always a KGB officer" and such shenanigans are Stock and Trade Elements in all such Services. Making Better Beta Use of them though, is what sorts out the Men who know what they should be doing with them from the Boys who really don't.

    And when Home forces are doggedly in the Boys camp, for whatever dumb reason, deaf, dumb and blind to home-grown CyberIntelAIgent Help, then IT easily finds a Ready Home elsewhere in the more Enlightened Surroundings/Regimes which display their Increased Awareness for a Reinforced and Reinforcing IntelAIgents Match...... CyberIntelAIgent Cultural Attache XXXXChange.

    Now there's AI Novelty for the Boys in the Militarising Band of the Foreign and Commonwealth Office to mull over........ but only if they are in Fully Funding Support of dDeep Private Initiatives..... in Virtually Real, Out of this World, State Matters.

    One is always hopeful that they can grown into Future Men rather than remain as Lackeys, lacking the System. It is not as if they do not receive regular upgrades and taunts to jog their own brains into working the much wwwider Fields of Global Operating Devices C2C Communications rather than relying on duff, short-sighted, Visually and Intellectually Impaired orders and instructions.

    C2C???? Copy to China and Control to Command. Both Viable Options for XXXXPorting in AIRegister of Mutiple Use Interests.

  36. breakfast Silver badge
    Alien

    Thank goodness!

    Thank goodness for amanfromMars, whose cogent discussion of... erm... whatever that was a discussion of, made a refreshing change from endless discussions of Explore.exe and IExplore.exe.

    For anyone still not aware of the distinction, Explore.exe is the windows file explorer, iExplore.exe is the Apple version.

  37. Anonymous Coward
    Anonymous Coward

    COMRADES! STUDENTS! CO-MILITANTS!

    As a direct result of failing to extricate its head in a timely fashion, The Reg Overwatch and Desensitization One-Man Committee has suffered massive implosive rectal failure, and will forthwith be taking some much-needed time off to become familiar with the uncomfortable procedure of delivering thru a plastic tube.

    This Message has been brought to you by the Doctors of the Reg Overwatch and Desensitization One-Man Committee.

    Stay Safe

  38. Matthew
    Flame

    @Stu Reeves

    If you're going to make snide remarks about others, it's probably a good idea not to make any mistakes in your critique.

    That would especially include making a fundamental error in grammar such as mistaking 'your' for 'you're'.

    (If I've made a mistake here, I'll now feel really silly.)

  39. scott
    Alien

    I thought Explorer got iced a couple of weeks back?

    http://www.theregister.co.uk/2007/11/23/ms_explorer_ufo_sinking_ship_not_software/

    I'm *so* glad my enterprise don't use Kraperski - the support calls would be hell....

  40. Shakje
    Paris Hilton

    PH angle...

    Clearly PH doesn't know the difference between explorer.exe and iexplore.exe.

  41. Joe

    Explorer

    Well I loaded Explorer, and played it for a while, but I can't see what all the fuss is about. We are talking about the ZX81, right?

  42. Anonymous Coward
    Anonymous Coward

    explorer.exe is indeed a massive virus

    ... and not a clever one as it takes a CD and 40 minutes to install.

  43. Anonymous Coward
    Anonymous Coward

    @Paul Talbot

    You said something to the effect of "...AV is a userland app, how come it can kill Windows system components?..."

    What would the point of it running in the user's context be? It would only be able to protect the user's files, it has to run at a relatively low level, just in case a system component is infected, as it will need to interact with the component (delete/move/deny access etc) therefore it has to be installed by the Administrator (root, if you have Apple/Linux/UNIX AV - yes, it is out there!)

    You'll also find that all the people who installed and operated whatever game it was that killed boot.ini in their user's context didn't end up with a knackered system. It was the eejits who installed and operated the game as Administrator that were the victims.

    Duh!!!!

  44. system

    re: re: RE: Forget cyber terrorism

    "Erm, yeah you've actually made the last guy's point for him. Linux/OSX users don't run every process as root"

    That was kind of the point. It's about the users rather than the OS. Windows users are used to doing things with a single login. If you encourage them to jump to linux, they'll take the single login habits with them and run as much as they can under root. Windows can support non-admin logins (which would have prevented this), just like linux, but it is not something the average windows user will consider.

    Yeah, there are some distros and software coming out on linux that do their best to discourage running as root, but it's not all like that. The majority of distros are susceptible to all kinds of bad things happening if they were run like the average copy of windows.

    Moving the majority of windows users to another OS is not a "simpler solution". If the other OS is not going to end up as bad as windows, it would require hardening of the OS and training of the users.

    Moving the majority of "boy racers" out of Golf GTIs and into Porsche 911s is not going to solve speeding problems without speed limiters on the cars and retraining of the drivers :-P

  45. Ross

    Genius!

    I knew someone would figure it out eventually. All those people complaining that IE is uncompetitive as it can't be uninstalled have been proven wrong! Thank you Kaspersky - you have opened the way for freedom of choice in the browser market.

  46. Anonymous Coward
    Coat

    @Paul Talbot

    You can actually run Ubuntu as root in the normal way. Login as your normal user, then 'sudo su'. Enter password and Voila, you are now root.

    You could also 'sudo nano /etc/passwd', change your UID to 0, log out and login and you're running as root without having to Sudo ever.

    Of course the more important point is how it works out of the box, which is how most users would continue to use it anyway.

    Now I'll run away and keep my pedantic comments to myself. Merry Christmas!

  47. Anonymous Coward
    Alert

    @Lee Dowling

    You have identified the main flaw with windows and its supposed user accounts.

    In order to do anything, you have to run as a privileged user so windows lets AV run with all power to do anything, even delete core system files. Great approach eh.

    It's because this would be unlikely on a linux system that so many people here are taking exception to the anti-linux comment further up, by someone who criticises what they don't understand.

  48. Mikey
    Thumb Down

    @Forget Cyber Terrorism

    "Maybe it's happening already. OMG! Let's nuke them before it's too late!! Or take the simpler solution - ditch Windows."

    That sounds great. Will you be paying for all the re-training of the sysadmin and users, software replacement and downtime needed for all the 'upgrades' and changes?

    Despite the anti-windows sentiment you get everywhere from overly-vocal linux fanatics, windows is still everywhere. And it will continue to be, as it's what people know and can use easily. So unless you're happy to dress linux up EXACTLY like XP, and have it function EXACTLY like XP, then it's easier in the long term to stick with what people can already use.

    Linux ain't free when it comes to upgrading corporate systems. The hidden costs are still there.

  49. Delboy

    @Ross

    Someone else who hasn't read the thread. How many more posters have got to say it? IT IS NOTHING TO DO WITH INTERNET EXPLORER.

  50. Anonymous Coward
    Coat

    What's that y'say?

    Something wrong with Internet Explorer?

    I use Firefox...

  51. Paul Donnelly
    Linux

    Yo Mikey

    Is that why Microsoft set up XP to look EXACTLY like Mac OSX and function EXACTLY like Mac OSX... which is a proprietary front end to, you guessed it, a Linux Kernel.

    And as to paying the retraining costs.... who paid for all the training in the first place? Was it the sysadmins? I think it was more likely their employers, and unless I'm mistaken, there are new courses with every new version of windows.... so instead of doing the Vista course, why not do RedHat, SuSE (and I defy anyone who doesn't respect Novell as a player in the networking field) or even Ubuntu.

    Right, rant over, I'll get my coat.

  52. James Butler

    Psst ... PDonnelly

    (It's a BSD kernel ...)

    And system ... Posix AVs don't need to run as root, they only protect the userland. If anything gets past that, into the OS core layer, then it's not a virus. It's a rootkit or whathaveyou, and any modern distro comes with some hardening and antirootkit stuff. And, btw, my Linux boxes loaded with Clam AV and Panda haven't seen anything challenging in the past few years. Posix desktop users don't usually need to run servers (bind, etc.etc.) any more than Windows desktop users need to run Exchange Servers or IIS. Besides, Posix anti-attack progs are far superior to anything in Windowsland, because their programmers understand security better and are supporting much more secure systems out-of-the-box than Windows programmers possibly could.

    Flame away!

  53. Not That Andrew

    @Paul Donnelly

    OSX does not use the Linux kernel in any shape or form; it is partly based on BSD and it uses a derivative of the Mach microkernel.

  54. Brendan Murphy

    progman not an alternative

    Since SP2, the progman.exe file explorer has been crippled. It only exists to allow older software installs to run. So you can't run it as an alternative to explorer.exe.

  55. Jeff Hansen
    Happy

    wrong how?

    windows/M$ products ARE viral, period.

  56. jim
    Happy

    Firefox

    I don't care about MS Windows explorer 'cos I use .

    I run Chinese anti virus and it is very good.

  57. Rui Ribeiro
    Jobs Halo

    Anti-virus is so 90s

    Anti-virus is only needed on the desktop because Windows has a flawed architecture, and on top of that almost everybody is dumb enough to double-click anything that comes by, no matter from where.

    Can't get how many guys can find it normal to use an anti-virus nowadays. Been using os/x and couldn't have been happier.
