Application Access Denied?

hi

I’ve just noticed in my log file this morning a period of activity for svchost.exe

there are a number of logs about “Suspicious Behaviour” (svchost.exe) where it maintains that
“.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.”

this isn’t the case “at that moment” since hasn’t run since the previous evening - the “tried to use” must be historical

this seems to trigger further logs shortly thereafter of “Application Access Denied” for svchost.exe - the log reports the parent app is services.exe (as is normal)

I have an explicit App rule which ALLOWS TCP/UDP In/Out for svchost.exe with parent services.exe

the only reason I can think of for this blocking behaviour is that the IP address in the “Application Access Denied” request MATCHES that in a preceding “Suspicious Behaviour” log entry

does this “Suspicious Behaviour” prevent further (possibly legitimate) connections to these addresses?

the only other reason I can think of for this blocking is that the PC was unattended - no doubt the “Suspicious Behaviour” error brought up a pop-up alert to which I would not have responded - would that block certain activity for a period of time afterwards?

just want to clear this up!

  1. why I’m seeing the logging
  2. why it thinks is in some way responsible, even though it hasn’t run for hours

I’ve read a bit about this OLE Automation issue on the forums before - it seems to hang around forever afterwards - if some process X does something to some parent Y, then forever afterwards any other child of Y suffers firewall pop-ups - even well after X has gone (this is a big nuisance if Y is something system-global like explorer.exe!)
…in this case it appears slightly different - some process X has done something to a child Y (svchost.exe), then forever afterwards, anybody else who tries to use that svchost.exe will receive a warning

more info

OK I’ve seen this pattern of behaviour repeated (about 1hr later)

by running Sysinternals’ Process Explorer, I can see there is a svchost.exe process running a sub-process during this period of activity
the subprocess is wuauclt.exe (the Windows Automatic Updates client)
and the full cmdline for this particular instance of svchost is “svchost.exe -k netsvcs”
which the control-panel/administrative-tools Services applet reveals as the full command path for the “Automatic Updates” service

all of the IP addresses in the logs/popups are those for M$oft’s windows update servers (64.4.x.x, 207.46.x.x prefixes, as well as my local ISP’s proxy-server)

so it seems that COMODO has decided this svchost.exe was adjudged to have been “modified through OLE Automation” many hours ago by a now-defunct DVD player process and forever afterwards it is raising alerts

is there a safe way to prevent these popups and still maintain security integrity?
how can I ever know what the nature of a past OLE Automation activity was - good or bad? - can I somehow declare/certify that process X will always behave safely in respect of “automating” process Y from now on??

m
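As an added example (not from this thread and not COMODO’s own code or log format), here is a small Python correlator that performs the check the poster is doing by hand: for each “Application Access Denied” entry, did the same remote IP already appear in an earlier “Suspicious Behaviour” entry, and is the denied process covered by the explicit allow rule (svchost.exe with parent services.exe)? The log lines, their pipe-separated layout and the specific IP addresses are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines in a simplified, hypothetical layout
# (not COMODO's real log format). Fields: timestamp | event | process | parent | remote IP
SAMPLE_LOG = """\
2006-03-01 09:12:01 | Suspicious Behaviour | svchost.exe | services.exe | 64.4.23.10
2006-03-01 09:12:03 | Application Access Denied | svchost.exe | services.exe | 64.4.23.10
2006-03-01 09:12:05 | Suspicious Behaviour | svchost.exe | services.exe | 207.46.19.50
2006-03-01 09:12:09 | Application Access Denied | svchost.exe | services.exe | 207.46.19.50
2006-03-01 09:15:40 | Application Access Denied | wuauclt.exe | svchost.exe | 10.0.0.1
"""

LINE_RE = re.compile(r"^(\S+ \S+) \| ([^|]+?) \| ([^|]+?) \| ([^|]+?) \| (\S+)$")

# The explicit allow rule from the post: svchost.exe with parent services.exe.
ALLOW_RULES = {("svchost.exe", "services.exe")}

def parse_log(text):
    """Parse the constructed log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, proc, parent, ip = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "event": event, "process": proc, "parent": parent, "ip": ip})
    return events

def correlate_denials(events):
    """For each Access Denied entry, report whether its IP was flagged by an
    earlier Suspicious Behaviour entry and whether an allow rule should cover it."""
    flagged_ips = {}  # ip -> time of the first Suspicious Behaviour entry for it
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] == "Suspicious Behaviour":
            flagged_ips.setdefault(ev["ip"], ev["time"])
        elif ev["event"] == "Application Access Denied":
            findings.append({
                "process": ev["process"], "ip": ev["ip"],
                "ip_flagged_earlier": ev["ip"] in flagged_ips,
                "covered_by_allow_rule": (ev["process"], ev["parent"]) in ALLOW_RULES,
            })
    return findings

if __name__ == "__main__":
    for f in correlate_denials(parse_log(SAMPLE_LOG)):
        print(f)
```

A denial whose IP was flagged earlier and which an allow rule covers is the pattern the poster suspects; a denial with neither is an ordinary unmatched connection attempt.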

Svchost.exe OLE automation popups are usually harmless. The best way is to enable Do not show alerts for the applications certified by COMODO option and let CPF decide. This way, you will not deny legitimate accesses. Current CPF version does not intercept and block such requests unless there is an internet connection attempt. But we will be providing this in the upcoming releases.

When svchost.exe is blocked, it will be blocked until it is restarted or PC is rebooted.

hope this helps,
egemen

Egemen, you said:
“Current CPF version does not intercept and block such requests unless there is an internet connection attempt”

sorry, but which “such requests” did you mean exactly?

thanks

m

ps - the only thing about the “Do not show alerts for the applications certified by COMODO option” is that you are giving carte-blanche to an unknown (to me or the typical end-user at least) group of apps - OR is it the case that if you have a user-defined app rule that denies access to an app (which COMODO may have certified safe), that app will still be blocked (i.e. user rule overrides COMODO safe assertion)??

A now defunct DVD player process? Download Agent Ransack and find it and delete it. This is typically what I do to processes that won’t quit this behavior. Harry’s plugins for eg…(for gimp) will do this. I uninstall etc…but it will constantly cause Comodo to pop this up. So, as stated, find the file that is causing this and delete the ■■■■■■. You may have to try to delete it and perhaps reboot as the first time it will say it’s in use. Try to delete it anyway, reboot, then find and delete it. I have a rule, when I uninstall something and it keeps trying to find access anyway by leaving that nasty little file behind causes some concern to me. If it’s an application I just installed and I know of it very well, I don’t worry. So while most are safe and use IE or whatever to connect to the internet since they don’t have their own method, as said, watch the ones that won’t give up.

As far as OLE good v.s. bad, I don’t believe any anti virus or firewall can detect the difference either way.

If it’s typically a known program then chances are it’s fine. If you get an OLE running process, or an erroneous svchost.exe, then I would be suspect. If it’s trying to access the internet, it’s already on your PC (obviously) if that helps, but is for you to decide if it’s good or bad. Me for example, I browse all my processes, startups, etc…after an install that I am not familiar with and if anything seems funny or wants to access the internet, I don’t allow it, but also know how to look for any funny business. Did you try turning off auto updates to see if you still get these first?

Hope I didn’t misunderstand what you’re asking here. :wink:

Cheers,

Paul

there’s nothing wrong with the DVD player process, and I certainly don’t want to delete it - I know exactly where it is!

I’m still confused about the way so many processes which have stopped running hours ago can interfere with totally different processes so much later on - it is perhaps a nuisance to be tolerated if you want total internet security, but I would say it places an undue and bewildering burden on the average user to read through every popup and guess whether or not the next internet access is going to be safe!

@Egemen, which requests did you mean when you said:
“Current CPF version does not intercept and block such requests unless there is an internet connection attempt”
?

Well , I will add this and bow out…you did mention…<> You did not say you needed it.

also,

<<I’m still confused about the way so many processes which have stopped running hours ago can interfere with totally different processes so much later on - it is perhaps a nuisance to be tolerated if you want total internet security, but I would say it places an undue and bewildering burden on the average user to read through every popup and guess whether or not the next internet access is going to be safe!>>

If you know about OLE automation, this should explain it. Also, the burden would in fact be intolerable to us as users had there not been firewalls to lift the burden of attack from the many shoulders of people. Perfection is -- blocking every port there is, however we will no longer be able to access anything. Good luck, take care..

Cheers,

Paul

thanks for your comments Paul

my point about the DVD player process was that it had run and finished running hours ago - I still need it on my system, I was pointing out that it wasn’t running at the time, and hadn’t been for hours

my point about OLE automation is that we are told that “in the past” some process X has performed an OLE automation activity on some process Y which is affecting the firewall’s opinion of allowing access to some process Z
the user is in the dark as to the nature of the automation in question - we are not given any information about what the automation was and whether or not the automation did something unsafe
(I don’t mean to say the user doesn’t understand what OLE automation IS - just that they’re unaware of what automation OPERATION or ACTIVITY had specifically occurred)

Ok, I thought you meant the DVD process was no longer needed. There are still updaters and things like that, that will try to access for changes etc…If it was popping up after being off a while, it was in fact probably an update control of some sort. I will get this as well with my DVD \ CD software. Although not on for days sometimes, it still kicks up. This is fairly normal and when I had ZA it wouldn’t even alert me of this but could see it in the log file. If it’s a known process, I would set it to always allow\deny. I feel I can update on my own so this is the route I take as I don’t even trust some known programs enough to allow them full access. Only my security software. So if you are stuck and don’t know what to allow or not, or how you tell what is legit or isn’t, you can do what I do: if I’m not running it, if it doesn’t need internet access to run, or if I can update it on my own, I deny it.

Now that you put it that way, I understand what you are saying a bit more, and I too have seen the pop ups, some say possible Hijacking even if it’s a read me help file from a new installed program, even a trusted one. My OE alerts the firewall to say the same until I allow it. I can see where many would get confused on this. Another thing was denying the application using the parent application which I had brought up, when you deny an application, it shuts the parent down as well. This can be confusing also and may make people think they need to allow the rider. This happens particularly with IE understandably as many applications tend to use it to connect to the internet. Perhaps one big security hole among the many in IE. When denied in other firewalls, you don’t have to restart the browser to keep connected and I have found myself in the middle of workings and having to allow such things so I didn’t lose my connection. Egemen has told me there will be an advanced button to take care of this particular problem. But back to your statement so I don’t fly off track here, I think this was stated in another thread that the one area Comodo CPF is lacking in is that they are on the lower end of library process data. They don’t have the library that some of the others do but were working on building this up. This may be the biggest factor, if not in a library it will give us warnings without knowing if the app was safe or not. Perhaps a statement, like a read more about what an application is trying to do when using the parent for access, would be a good way to help solve this. Also, the more we as users report applications from the pop up, this better serves Comodo to implement a safe or not safe status of the application in question.

Cheers,

Paul