Applications constantly try to access Internet Explorer in memory, e.g. previously an alert of Defense+ concerning permission for “Babylon is trying to access iexplore.exe in memory”. Maybe the translator Babylon gets information from the internet, but why the hell does it need the memory of IE for that? And for other applications I cannot see any reason to access Internet Explorer at all.
Can you post a screenshot of your logs? What are your global rules? Do you have Internet Explorer set as a web browser under the Firewall policy? Does this only happen when you're using Internet Explorer? Does it happen if you use Firefox? What other security software are you using?
Today it hasn’t happened so far. For the translator Babylon I finally allowed the access to iexplore.exe in memory some days ago, because Babylon really needs information from online dictionaries. Maybe I have allowed it for other safe applications too, because the repeated requests harassed me and I thought that, if I forbid it, the application could cause problems later, where I would then not recognize the reason …
I applied the stealth ports wizard already. That created the last of the Global Rules, if I remember right. Only the first 2 (blocking) rules are my own input - I got those from a Sygate tutorial. The rest occurred automatically.
Your first two blocking rules are good rules, intended not so much to keep things, but more to keep Windows and some other associated chatty application. While I recognize almost all of the ports listed in your two rules, I did have to do a search on port 593/tcp. And given that it is an RPC mapping port used by Windows, it's a good one to block. I learned something new, so thank you!
CFP Firewall rules shouldn’t have any effect on in-memory application queries. That’s the bailiwick of the CFP Defense+ rules. Since you are getting CFP Defense+ alerts about such access, that would imply that the rules are working.
Now, as to your original question:
Applications constantly try to access Internet Explorer in memory, e.g. previously an alert of Defense+ concerning permission for "Babylon is trying to access iexplore.exe in memory". Maybe the translator Babylon gets information from the internet, but why the hell does it need the memory of IE for that? And for other applications I cannot see any reason to access Internet Explorer at all.
Can anyone explain this please?
Not having written the software that is Babylon, and not knowing about the Internet Explorer API, I’m not in a position to be able to answer your question. Only the folks who wrote Babylon can give a definitive answer, without going through a debug trace or a disassembly of the product.
It should be possible to turn the alert off, by changing the Access Rights for Babylon so as to explicitly allow memory access to Internet Explorer.
Aside from the memory access, is there anything in your CFP Defense+ log?
The reason for the desire for this access would interest me, therefore I took back the permanent permission for the translator Babylon in order to ascertain under which circumstances the alert appears. The notice does not come when I use Babylon but when starting Internet Explorer.
I was curious whether Babylon still works completely with a prohibition of this access. The contact with the online dictionaries and the text translation via the internet still work anyway, and the monetary units can still be updated. So why should Babylon need Internet Explorer?
Babylon was trying to access a-squared anti-malware in memory too - is this suspicious? I checked babylon.exe with Jotti’s Online malware scan and all running processes with a-squared anti-malware - no malware found.
Quite off-topic perhaps, but I was curious, how do you get your firewall events to also show the allowed ones? Mine remains totally empty :E (Using Vista x64)
Edit: Never mind, I think, you need to set the flag at global rules for each global rule regarding zones.
If that’s not the case, or if it just won’t log, do tell.