Author Topic: CPF Confused? [RESOLVED]  (Read 2674 times)

Offline kail

  • Randomly Appearing
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11361
  • The future is much like the present, only longer.
    • COMODO's free software!
CPF Confused? [RESOLVED]
« on: August 16, 2006, 03:10:02 PM »
This was originally posted in another topic. But, I probably shouldn't have done that.. since it sort of got ignored. So, I decided to post it separately..

CPF said something that was a little.. well off. At the time I was running Firefox & I had just selected "Open Link in IE Tab", something that I hadn't done since updating Firefox to 1.5.0.6. So, CPF noticed.. But, it seemed to get confused as to what was happening. Because it generated the following 2 popups (these are log copies).

Quote
Date/Time :2006-08-13 12:51:39
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Remote: 127.0.0.1:12110
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.


Date/Time :2006-08-13 12:51:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Remote: 193.35.133.10:dns(53)
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.

Now, B2.exe (an email client) was running minimized in the tray at the time & may well have been active (checking for or downloading emails). But, I really don't believe it deserved CPF's attention & it certainly wasn't doing anything that had not been previously authorised by CPF.

Edit: Added [RESOLVED]. Sorry, I forgot.
« Last Edit: August 23, 2006, 02:44:32 PM by kail »
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.

Offline ~Daniel~

  • I used to be indecisive, but now I'm not so sure.
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 906
Re: CPF Confused?
« Reply #1 on: August 16, 2006, 10:32:06 PM »
I have seen some behaviour like that as well in the latest beta I am using.  I'm just waiting to retest in the next Beta due tomorrow.
OS: Win 10 Enterprise x64 build 1809
Comodo: CIS 11.X (latest version)
Backup/Imaging: Macrium Reflect Home v7.X
Win10 Phone: N/A
Personal Website: Comodo SSL (via CloudFlare)

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: CPF Confused?
« Reply #2 on: August 16, 2006, 11:22:25 PM »
This was originally posted in another topic. But, I probably shouldn't have done that.. since it sort of got ignored. So, I decided to post it separately..

CPF said something that was a little.. well off. At the time I was running Firefox & I had just selected "Open Link in IE Tab", something that I hadn't done since updating Firefox to 1.5.0.6. So, CPF noticed.. But, it seemed to get confused as to what was happening. Because it generated the following 2 popups (these are log copies).

Now, B2.exe (an email client) was running minimized in the tray at the time & may well have been active (checking for or downloading emails). But, I really don't believe it deserved CPF's attention & it certainly wasn't doing anything that had not been previously authorised by CPF.


They are all about the parent application explorer.exe which is the parent of all applications started manually.

Firefox has somehow communicated with explorer.exe, which is the parent of b2.exe. So when b2.exe tries to connect to the internet, CPF warns you that its parent may have been manipulated negatively, so it is asking for convenience.

The same sequence is valid for the other. When b2.exe COMs to explorer.exe which is also the parent of firefox.exe.


If you further run Internet Explorer from the desktop, CPF would ask you both of these COM popups before allowing.

explorer.exe is the parent of all these sorts of applications.

So no confusion here. This is because of full parent based controlling. There is no difference in modifying the parent application and modifying the child.

But you can always disable parent leak checking from the Advanced section.

Offline kail

Re: CPF Confused?
« Reply #3 on: August 16, 2006, 11:35:05 PM »
OK. But, in that case, why didn't CPF report all the processes that explorer.exe was the parent for?

Offline egemen

Re: CPF Confused?
« Reply #4 on: August 17, 2006, 03:52:37 AM »
OK. But, in that case, why didn't CPF report all the processes that explorer.exe was the parent for?

If they requested internet access, it would warn you. Or once you allow, it won't ask for that instance of leak attempt again.
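
Added example, not part of any post in this thread and not Comodo's code: a toy Python model of the parent-based leak checking described in Replies #2 and #4. The class, its methods, `notepad.exe` and `iexplore.exe` are assumptions made for illustration; the other process names come from the log entries quoted in the first post.

```python
from dataclasses import dataclass, field


@dataclass
class ParentLeakMonitor:
    """Hypothetical model: an app is questioned when it requests network
    access and its parent was driven through OLE automation by another app."""
    parents: dict = field(default_factory=dict)  # child -> parent
    touched: dict = field(default_factory=dict)  # target -> actors that automated it
    allowed: set = field(default_factory=set)    # (app, parent, actor) already allowed

    def spawn(self, parent, child):
        self.parents[child] = parent

    def ole_automation(self, actor, target):
        # Record that `actor` used `target` through OLE automation.
        self.touched.setdefault(target, set()).add(actor)

    def request_network(self, app, allow=True):
        """Return the (app, parent, actor) alerts raised for this request."""
        parent = self.parents.get(app)
        alerts = []
        for actor in sorted(self.touched.get(parent, ())):
            key = (app, parent, actor)
            # Assumption: an app is not warned about its own automation,
            # and an allowed instance is not asked about again.
            if actor == app or key in self.allowed:
                continue
            alerts.append(key)
            if allow:
                self.allowed.add(key)
        return alerts


def demo():
    m = ParentLeakMonitor()
    # Constructed scenario: explorer.exe starts every application by hand.
    for child in ("firefox.exe", "B2.exe", "iexplore.exe", "notepad.exe"):
        m.spawn("explorer.exe", child)
    m.ole_automation("firefox.exe", "explorer.exe")  # "Open Link in IE Tab"
    first = m.request_network("B2.exe")              # mail client checks mail
    m.ole_automation("B2.exe", "explorer.exe")
    ie = m.request_network("iexplore.exe")           # asked about both actors
    repeat = m.request_network("B2.exe")             # already allowed
    return first, ie, repeat


if __name__ == "__main__":
    for label, alerts in zip(("B2 first", "IE", "B2 repeat"), demo()):
        print(label, alerts)
```

In this model `notepad.exe` never produces an alert because it never requests network access, which is the distinction drawn in Reply #4.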

Offline Alexo

  • Comodo Family Member
  • ***
  • Posts: 70
Re: CPF Confused?
« Reply #5 on: August 23, 2006, 11:09:30 AM »
Why would CPF care about the parent application?

Offline mike6688

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2112
Re: CPF Confused?
« Reply #6 on: August 23, 2006, 02:29:37 PM »
Why would CPF care about the parent application?

Hi,

Some trojans and other malware may attempt to use, for example, internet explorer to access the internet.  In this case CPF would alert that internet explorer had a new parent using it and thus alert you to the trojan.

Mike
Volunteer Moderator: Opinions are my own and may not reflect those of Comodo.  Please read and abide by the forum policy!

 
