Why is Windows Explorer connecting to the internet?


#1

Windows Explorer just connected to a reddit . map . fastly . net domain… Is this normal?

Sorry can’t post the link for some reason


#2

FYI, the Discourse software used for this forum limits new users to minimize spamming and the like. Your trust level would increase to allow more links after browsing the site for ten minutes or so.

Regarding your main question, it is probably normal. But Microsoft, rather than GlassWire, is the primary authority as to whether those specific connections are valid. Microsoft do publish various lists of valid servers.

Typically you’d first check the IP address being connected to. GlassWire has a feature to do this (e.g. https://www.glasswire.com/host/131.253.33.254) but there are many third-party WHOIS sites.

Without the IP address I can’t say why there is a Reddit connection but it might be related to Reddit push notifications to Windows.

The rest of this post just explains more about Windows Explorer, or File Explorer as it is now called, and its various network connections which depend upon the Windows version and the features you use. I hope this helps.

Here are some ways I can use Windows Explorer / File Explorer to connect to the Internet:

  • Integration with Internet Explorer. Older versions of Windows integrated Windows Explorer and Internet Explorer so such connections could show up as either application.

  • OneDrive cloud storage.

  • Sharing.

  • Searching. The screenshot shows how I can search for a website on the Internet using File Explorer:
    image

  • Cortana search

  • Accessing web browser bookmarks

  • Add a network location. See the screenshot from the wizard:
    image

  • and more …

Although I used a number of these features in the latest version of Windows File Explorer to get you these screenshots, none of them showed up in GlassWire as “Microsoft Explorer”. That is because File Explorer is not like a normal application. It is a graphical user interface (GUI) to access the Windows shell and functions to take us to file locations and shell features much like a web browser takes us to the web sites and web applications.

While “Windows Explorer” or “File Explorer” is a term most commonly used to describe the file management aspect of the operating system, the Explorer process also houses the operating system’s search functionality and File Type associations (based on filename extensions), and is responsible for displaying the desktop icons, the Start Menu, the Taskbar, and the Control Panel. Collectively, these features are known as the Windows shell.

The Windows shell, as it is known today, … is intimately identified with File Explorer, a Windows component that can browse the whole shell namespace.


#3

Thank you for putting my worries to rest. It was probably notifications set up from my web browser


#4

I should also add that malware has been known to create fake explorer.exe files. I didn’t think that to be a concern here but if anyone were to be concerned about this:

  • The fake program will be more obvious because it will probably run all the time and access IP addresses that are not related to Microsoft.
  • Check the VirusTotal scan in GlassWire (a feature I really like) or use another anti-virus to scan the file.
  • Confirm that explorer.exe runs from the Windows folder e.g. C:\windows\explorer.exe. The screenshot shows a check of the process properties for Windows Explorer in Task Manager:
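
The location check from the list above, as an added example that is not part of the original post: it compares process image paths the way Windows does (case-insensitively, after collapsing `..`) against the one path the post names. The process list, PIDs and the `C:\Windows` default for the system root are constructed assumptions.

```python
import ntpath  # Windows path rules, usable on any OS

EXPECTED_NAME = "explorer.exe"

def classify_explorer(image_path, system_root=r"C:\Windows"):
    """Return 'expected', 'unexpected-location' or 'other' for an image path.

    On a live system, system_root would come from the %SystemRoot% variable.
    """
    # normpath collapses ".." segments; normcase lowercases and unifies slashes,
    # so "Explorer.EXE" and "explorer.exe" compare equal, as they do on Windows.
    norm = ntpath.normcase(ntpath.normpath(image_path))
    if ntpath.basename(norm) != EXPECTED_NAME:
        return "other"
    expected = ntpath.normcase(ntpath.join(system_root, EXPECTED_NAME))
    return "expected" if norm == expected else "unexpected-location"

# Constructed sample of (pid, image path) pairs, not taken from a real host.
CONSTRUCTED_PROCESSES = [
    (4012, r"C:\WINDOWS\Explorer.EXE"),
    (5120, r"C:\Users\user\AppData\Roaming\explorer.exe"),
    (6204, r"C:\Windows\Temp\..\explorer.exe"),
    (7316, r"C:\Windows\Temp\explorer.exe"),
    (8080, r"C:\Program Files\Example\app.exe"),
]

def unexpected_pids(processes, system_root=r"C:\Windows"):
    """PIDs of processes named explorer.exe that run from another folder."""
    return [pid for pid, path in processes
            if classify_explorer(path, system_root) == "unexpected-location"]

if __name__ == "__main__":
    for pid, path in CONSTRUCTED_PROCESSES:
        print(pid, path, classify_explorer(path))
```

A path mismatch is a reason to scan the file and check its hash, not proof of malware by itself.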

#5

Is this normal? It says explorer.EXE instead of lowercase

Additionally my created/modified/accessed is different

Thanks again!


#6

(BTW these limitations are annoying)


#7

@frodo I increased your trust level. Sorry, we don’t make this forum software and it’s made to keep spammers and bad users from doing bad things immediately after registering and it works pretty good for that.

I think now you shouldn’t have those limitations? Sorry.


#8

@Frodo

Here is how to use VirusTotal https://www.glasswire.com/userguide/#Virus_Total with GlassWire.


#9

Thanks @Ken_Glasswire , I run every application through Virus Total as soon as Glasswire sees it by default.

My question is, can it be trusted completely? Would Virus Total be subject to Man in The Middle attacks (MiTM)?


#10

Explorer file details

Your Explorer file has different details because it was installed with Windows on a different computer at a different date and time. Generally, the dates will correspond to the last Windows version update or upgrade.

The case (lower or upper) of the filename does not matter because Windows and its file-system are case-insensitive. See Are all versions of Windows case insensitive?.

Although Windows is case-insensitive this doesn’t stop differences like the example you showed because there is nothing to stop some programs using lowercase and others uppercase, or even a mix of both. Originally DOS (the operating system Windows was built on) made filenames uppercase which is also why file extensions such as .EXE are more likely to be in uppercase. But nowadays it is much more common to display all filenames in lowercase just as GlassWire usually does.

Man-in-the-middle attack

I don’t think that you should worry about this for GlassWire. I don’t, because I have to have some level of trust otherwise I wouldn’t do much on the Internet.

There is little chance of a man-in-the-middle attack provided GlassWire is doing three things:

  1. All communications on the Internet use SSL. You can check that in GlassWire itself:
  2. GlassWire should be positively checking the security certificate including the host name for each server it is communicating with.
  3. GlassWire protects its own infrastructure, including its own security certificates, from hacking.

Us users can’t check 2 & 3 ourselves but @Ken_GlassWire should be able to confirm they’re doing this.

You can find a lot of discussions about this on the Web, e.g. SSL and man-in-the-middle misunderstanding.

VirusTotal

It may interest others to know that GlassWire doesn’t normally send the entire file to VirusTotal to be scanned - that’s why the “scan” is usually so quick and doesn’t waste bandwidth. Instead it calculates a signature (an SHA256 hash) for the file and sends that to VirusTotal first.

You can check this in the screenshots when I scanned Google Chrome at 1.48pm. GlassWire shows several KB of throughput whereas Chrome.exe is actually 1.5MB in size.

VirusTotal checks that signature against those from actual scans and finds that a file with the same signature scanned OK about seven hours earlier. So GlassWire doesn’t need to scan the whole file this time:
image
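
The hash-first lookup described above, as an added example that is not part of the original post and not GlassWire's own code: it hashes a file in chunks, builds (without sending) a file-report request against the public VirusTotal API v3, and interprets a response. The API key is a placeholder and the sample report body is constructed; that GlassWire uses this particular endpoint is an assumption.

```python
import hashlib
import json
import urllib.request

# VirusTotal API v3 file report, addressed by the file's hash.
VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{}"

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large executable is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_lookup(path, api_key):
    """Build, but do not send, the lookup: 64 hex characters stand in for the file."""
    file_hash = sha256_file(path)
    request = urllib.request.Request(
        VT_FILE_REPORT.format(file_hash), headers={"x-apikey": api_key})
    return file_hash, request

def interpret(status, body):
    """Map a lookup response to 'unknown', 'flagged' or 'clean'."""
    if status == 404:
        return "unknown"  # these exact bytes were never scanned: upload needed
    if status != 200:
        raise ValueError(f"unexpected HTTP status {status}")
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return "flagged" if hits else "clean"

# Constructed response body in the shape of a v3 file report.
CONSTRUCTED_REPORT = json.dumps({"data": {"attributes": {"last_analysis_stats": {
    "malicious": 0, "suspicious": 0, "undetected": 12, "harmless": 58}}}})

if __name__ == "__main__":
    print(interpret(200, CONSTRUCTED_REPORT))
```

A hit only says that a file with exactly these bytes was scanned before; changing a single byte produces a different hash and an "unknown" result.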


#11

Wow! Thanks a lot @Remah! I feel a lot better now knowing how to use these tools to keep me and those I care about safe.

Just a side note, but I want to go into NetSec in the future… Do you have any resources you would recommend? You seem pretty knowledgeable, about the comfort level that I want to have with IT.