Author Topic: matousec and comodo  (Read 4894 times)
Little Mac (Global Moderator)
« Reply #30 on: December 30, 2006, 08:14:13 PM »

Quote
ok so far we have 3 main issues raised by Hillsboro:

1) OLE: come up with some other mechanism because of too many pop ups

Melih,

I know it's off-topic, but I don't think the OLE issue is one of too many popups...  It's one of the warning not being accurate, and of shutting down all internet connection if denied.  The issue seems to occur with programs that are not actually connecting to the internet, even long after they've been closed down.  For some reason CPF thinks there is an OLE Automation attempt occurring when you activate the browser.  (I've had a lot of luck with apps this happens to, by creating a Block rule for those apps; however, it's not 100%, and if you need the app to be able to connect, that's out as well).

Then, once you get the warning, if you deny, your entire internet is blocked, rather than the allegedly-offending app.  In other words, if CPF says Winamp is trying to hijack IE and we deny, CPF blocks everything, rather than just Winamp.  Maybe with OLE it's impossible to block just the offending app from a security standpoint, but from a user standpoint it's doggone irritating/frustrating.  It seems to me that there should be some way to block the OLE without shutting everything down and requiring a reboot to reset.

LM
panic (Global Moderator)
« Reply #31 on: December 30, 2006, 11:01:21 PM »

G'day,

I've got to agree with LM on this, Melih. It's quite common to start application X, end application X, start application Y, start application Z and suddenly get an OLE alert that application X is attempting an OLE connection to application Z. This alert is despite application X not actively running, not being resident in memory and not hiding behind the couch.

These aberrant OLE alerts can occur any time. I've had them warning me about an application that was closed (completely) more than 5 minutes prior to receiving the warning.

Example:
1. Start Netstumbler
2. Do something in NS
3. Exit NS
4. Do a "netsh winsock reset" to reassert IP stack
5. Double check process tree and services to ensure NS is not running.
6. Start GIMP
7. Do something
8. Exit GIMP
9. Start IE
10. Get a warning about NS attempting an OLE connection via IE.

There was just over 4 minutes between steps 3 and 10. It isn't always reproducible, it isn't always consistent and it isn't always there. I had to try 4 combinations of apps until I got one of these alerts. Strangely, I couldn't reproduce the results using the same apps when executed in the same order.

This inconsistency could lead users to start blindly clicking on alerts, thereby negating the security provided.

Cheers,
Ewen :-)
red502 (Comodo Member)
« Reply #32 on: December 31, 2006, 12:41:44 AM »

Hello! and thanks for such a well supported free firewall!

I installed comodo last week (after years using sygate) and have found this "OLE issue" to be extremely frustrating.

In my frustration and noob-ishness I started ticking allow boxes without even reading them and even resorted to disabling the firewall altogether, to defeat OLE popups and ensure my system isn't inadvertently locked down.

I have 3 minor requests to make.

1. If I create a rule denying ALL access for a particular program, then I don't want a popup 5 minutes later asking if it can then connect via Opera or Firefox (Or Outlook Or Word).

2. Please don't force a reboot after denying an action.

3. (off topic) It would be great if the log entries were re-orderable by columns from within the UI.

4. I would also love to be able to allow access - for a certain program only - to a specific set (not range) of IP addresses. Like in Sygate's advanced application rules. In particular I wish to only allow Internet Explorer access to Microsoft's update IPs eg. 64.4.63.255, 207.46.157.125, xxx.xxx.xxx.xxx etc. Have I missed something here?

Thanks again!

« Last Edit: December 31, 2006, 01:07:43 AM by red502 »
egemen (Administrator)
« Reply #33 on: December 31, 2006, 12:58:33 AM »

Quote
Then, once you get the warning, if you deny, your entire internet is blocked, rather than the allegedly-offending app.  In other words, if CPF says Winamp is trying to hijack IE and we deny, CPF blocks everything, rather than just Winamp.  Maybe with OLE it's impossible to block just the offending app from a security standpoint, but from a user standpoint it's doggone irritating/frustrating.  It seems to me that there should be some way to block the OLE without shutting everything down and requiring a reboot to reset.

To clarify the issue:

Your example must not cause all internet connection to be blocked but just the iexplore.exe. You possibly answered an OLE Automation popup for svchost.exe which is also responsible for DNS queries. Thus all internet connection seems blocked since it can't resolve any names.

OLE messages have changed in CPF 3.0 and modified a bit in upcoming 2.4.

Egemen

egemen (Administrator)
« Reply #34 on: December 31, 2006, 01:07:33 AM »

G'day,

Quote
I've got to agree with LM on this, Melih. It's quite common to start application X, end application X, start application Y, start application Z and suddenly get an OLE alert that application X is attempting an OLE connection to application Z. This alert is despite application X not actively running, not being resident in memory and not hiding behind the couch.

From the threat point of view, just because an application is closed does not mean this popup is unnecessary. With OLE Automation, an application can schedule a download for 2 hours later and this can happen anytime the application is closed.

The only way to prevent this is either "intercepting and asking during the OLE operation" or "asking it without caring about the time of occurrence". Current CPF applies the latter and this is causing the problems for average users.

As I said before, in CPF 3.0, these problems will be irrelevant. In CPF 2.4, these alerts will be reduced significantly.

Egemen
red502 (Comodo Member)
« Reply #35 on: December 31, 2006, 01:39:05 AM »

To clarify:

Quote
If I create a rule denying ALL access for a particular program, then I don't want a popup 5 minutes later asking if it can then connect via Opera or Firefox (Or Outlook Or Word).

If I block access for winamp then access should automatically be blocked for winamp via OLE automation.
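As an added illustration (constructed for this page; not CPF's code and not posted by anyone in the thread), here is a small Python model of the two rule semantics egemen and red502 discuss above: an explicit Block rule on an application also denying that application's later OLE Automation request without a popup, and a Deny answered for svchost.exe cutting off DNS so that every other application appears blocked. The `Firewall` class, its methods and the process names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed model (not CPF's implementation) of per-application rules:
#  - a Block rule on the initiator also denies its OLE Automation requests,
#    however long after the initiator exited the request is made;
#  - a Deny for svchost.exe (which hosts the DNS Client service on XP)
#    makes every later connection fail at name resolution.

@dataclass
class Firewall:
    rules: dict = field(default_factory=dict)    # app name -> "allow" | "block"
    prompts: list = field(default_factory=list)  # popups the user would see

    def decide(self, app: str, answer_popup) -> str:
        """Resolve a verdict for `app`; prompt only when no rule exists."""
        verdict = self.rules.get(app)
        if verdict is None:
            self.prompts.append(app)
            verdict = answer_popup(app)
            self.rules[app] = verdict    # remember the user's answer
        return verdict

    def ole_request(self, initiator: str, target: str, answer_popup) -> str:
        # A blocked initiator never gets to use `target` as its proxy,
        # so no popup is raised even for a delayed request.
        if self.decide(initiator, answer_popup) == "block":
            return "block"
        return self.decide(target, answer_popup)

    def connect(self, app: str, answer_popup) -> str:
        # Every outbound connection first needs a name lookup, issued by
        # the DNS Client service running inside svchost.exe.
        if self.decide("svchost.exe", answer_popup) == "block":
            return "block (dns)"
        return self.decide(app, answer_popup)

def demo():
    fw = Firewall(rules={"winamp.exe": "block"})
    always_allow = lambda app: "allow"
    # 1) The existing Block rule covers the delayed OLE request: no popup.
    ole = fw.ole_request("winamp.exe", "iexplore.exe", always_allow)
    # 2) The user answers Deny to a popup that named svchost.exe ...
    deny_svchost = lambda app: "block" if app == "svchost.exe" else "allow"
    first = fw.connect("iexplore.exe", deny_svchost)
    # ... and from then on every application looks blocked, even allowed ones.
    later = fw.connect("outlook.exe", always_allow)
    return ole, fw.prompts, first, later
```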
LUSHER (Guest)
« Reply #36 on: December 31, 2006, 09:20:24 AM »

Quote
Someone can write a visual basic script which sends simulated mouse clicks to the GUI and shutdown the protection as if you do it manually. Password protection would *help* in this case unless you have a defense against such sort of things.

I'm confused, you said it would help but that is not what you are doing?

Quote
The password protection is not the correct way to handle this because it is not always activated by the user.

What do you mean by "not always activated by the user".

You say the new beta makes mouse simulation clicks not possible, how exactly is that done?
I like the password idea because it stops dead any and all future attempts based on this attack, while trying to block mouse simulation/script attacks might be only an implementation specific defense.

Another idea would be to implement CAPTCHA solutions; I'm not too wild about the idea.
Little Mac (Global Moderator)
« Reply #37 on: December 31, 2006, 02:13:25 PM »

Quote
To clarify the issue:

Your example must not cause all internet connection to be blocked but just the iexplore.exe. You possibly answered an OLE Automation popup for svchost.exe which is also responsible for DNS queries. Thus all internet connection seems blocked since it can't resolve any names.


Sorry, egemen, but it blocks ALL internet, not just the browser and parent.  No email, no nothin'.  I pay very  close attention to those popups, and the OLE in particular.  When AOwl told a user that you didn't need to reboot after an OLE, I did a lot of tests on it (my conclusion was that that is incorrect; it's true for the other hijack attempts, but not for OLE).  And no, there's not necessarily a reference to svchost.exe; it can be just the offending app, the browser, and explorer.exe (as the parent to the browser).  No svchost in the picture.

That's why it's so problematic.  You are either forced to allow (without remember) and reboot ASAP, or block it and lose all your internet connectivity until you reboot.  I don't use WinAmp, but my big offenders have been XnView and WhatsRunning; occasionally others. 

I absolutely concur with red502; if I create a "block" rule for XnView, I should never see any popup that XnView is trying to connect, modify another app, send special windows messages, OLE automation, anything.  It should be blocked in every way, for all time (until I remove that block rule).  While this mostly seems to be true, sometimes it still pops up at me.

LM
ravelab (Newbie)
« Reply #38 on: December 31, 2006, 09:33:45 PM »

Quote
As I said before, in CPF 3.0, these problems will be irrelevant. In CPF 2.4, these alerts will be reduced significantly.

Egemen


A bit off topic:

Is there a roadmap of what features CPF 2.4/3.0 and future versions would have? Which is public? And finally I would like to know when to expect the gaming friendly features which are on the wish list?
YANKEE (Comodo Family Member)
« Reply #39 on: January 01, 2007, 08:50:19 AM »

Seems to me I started a row here... wasn't my intention. So to ease things a bit: HAPPY NEW YEAR TO EVERYBODY!!!!!!
Bluesman (Comodo's Hero)
« Reply #40 on: January 01, 2007, 10:00:36 AM »

Quote
Is there a roadmap of what features CPF 2.4/3.0 and future versions would have? Which is public?

No, don't think so, I haven't seen one, but it would be nice, but I also like to get surprises when they release a new version.
« Last Edit: January 01, 2007, 10:03:49 AM by Bluesman »
red502 (Comodo Member)
« Reply #41 on: January 01, 2007, 11:18:12 PM »

Comodo is great for the average user but - after two weeks evaluation - I've decided that this version is not for me.

The bugs (ole, ole, ole, ole!) and the difficulties I've had with emule, shareaza, azureus, avast, sopcast and online gaming have pushed me back to my old security setup:

sygate
cyberhawk
spyware terminator
nod32
windows defender

+disabled xp services

...might try 2.4... can't wait for 3.0.
Melih (Administrator)
« Reply #42 on: January 02, 2007, 12:00:54 PM »

Quote
Comodo is great for the average user but - after two weeks evaluation - I've decided that this version is not for me.

The bugs (ole, ole, ole, ole!) and the difficulties I've had with emule, shareaza, azureus, avast, sopcast and online gaming have pushed me back to my old security setup:

sygate
cyberhawk
spyware terminator
nod32
windows defender

+disabled xp services

...might try 2.4... can't wait for 3.0.

go ahead and try the latest beta we have on 2.4.. this should be a release candidate and please give us your feedback.
thanks
Melih