Banning child application stops firefox

Hello,
Whenever I ban an application from broadcasting out that uses Firefox as a parent/gateway, e.g. my most recent one was MSPaint trying to send out data using Firefox, and I ban the software (which I assume means Comodo is banning the calling program, mspaint in this example), Firefox stops working and I have to restart Firefox (or the computer) to get it to work again. When it is banned I can still use IE, btw.

I also noticed, when trying to fix my network (which had stopped communicating with my wireless router), that for some reason svchost was banned (although it is actually in the list about 10 times, all with the same signature in the details but enabled in those instances). I’m sure I haven’t banned it, and it’s the same reason (banning an application which then bans the program it is calling).

Is this a known issue and is there a way to stop it from doing this?

Thanks.

I’m using the latest version of Comodo and Firefox, btw.

Hi chucklepie, welcome to the forums.

I think that you might be misreading those alerts from CFP… CFP is not saying that MS Paint tried to send out data using Firefox. It probably said MS Paint has done something to explorer.exe, and explorer.exe is the parent of Firefox, so MS Paint may be trying something sneaky. Which it isn’t, since it’s MS Paint, it doesn’t do that… someone would have screamed by now if it did. So, when you said Deny… you said Deny to the whole explorer.exe (parent) - Firefox (child) relationship, and that’s why you’re losing Internet connection with Firefox. Until CFP learns what your system uses, you can expect lots of these. Loads of things “mess with” (OLE, messages, context menus, shell integration, file associations, etc…) explorer. All these relationships will need to be approved by you as CFP detects them.

Where did you find the 10 SVCHOST.EXE blocks? Signatures?

Hello,
Thanks for the reply and the welcome. It seems like it was the program (mspaint), as it’s done it before with Adobe CS3 and a few other applications. But if what you’re saying is true, what do I do? If I say Deny, Firefox stops working when all I wanted to do was ban the calling program, and if I say Allow then the program I don’t want to allow sends data out? Or if it’s just the case of a program not really sending data and just tinkering with explorer, how do I know?

As for svchost. Here is a sample of my log, I’ve removed the entry that stopped my network from working:

This one is repeated every 7 seconds or so (until I allowed it that is):

Date/Time :2007-06-26 19:02:09
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:255.255.255.255: :bootp(67))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 255.255.255.255::bootp(67)

This is another that pops up now and again every few minutes:
Date/Time :2007-06-26 18:54:19
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:239.255.255.250: :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)

Before I answer your question… a quick barrage of questions from me first, thanks… What is your Internet connection? Is it a router? Does the router use UPnP? Do you use UPnP? Also do you use DHCP to get your IP number? Thanks.

Hello,
I have a broadband connection via a BT Home Hub router. It does use UPnP and I have a dynamic IP address.

One other thing that just happened. In my Application Monitor I have Thunderbird in my list twice - for TCP/UDP in and out, and for all ports and destinations - and no entries that are banned. Yet Thunderbird suddenly failed this morning (no warning), and the following is in the log (whenever I try to send). The difference was that instead of sending via Thunderbird directly I sent an email via a URL from Firefox:

Date/Time :2007-06-27 08:18:52
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (thunderbird.exe:192.168.1.254: :1274)
Application: C:\Program Files\net\thunderbird\thunderbird.exe
Parent: C:\Program Files\Mozilla Firefox\firefox.exe
Protocol: UDP In
Destination: 192.168.1.254::1274

Date/Time :2007-06-27 08:17:43
Description: Application Access Denied (thunderbird.exe:192.168.1.254: :1235)
Destination: 192.168.1.254::1235

I don’t know if it is linked but the following was at the start of the failed messages:
Date/Time :2007-06-27 07:34:24
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 192.168.1.64
Destination: 224.0.0.22
Reason: Network Control Rule ID = 8

The only solution now to send mail is to disable Comodo, so it’s getting to the point where I can’t enable it (Thunderbird), as there is nothing banned, and I’m going to have to stop using Comodo, unless there’s an obvious solution?

Thanks.

OK, addressing the pressing problem first… If a Deny has been issued against Firefox (the parent) without it being remembered, as previously discussed, then a reboot should clear it. The 2nd alert you posted (timed at 17:43) seems to be missing some lines. Is it only partial in CFP’s log?

Assuming a reboot doesn’t resolve the problem, the Thunderbird (TB) block might be against the parent (Firefox). Do you have any Blocks listed in either the Application or Component Monitors?

You might have 2 TB rules because of different Parent-Child relationships. Certainly a URL-triggered email might have a different relationship than when TB is run manually.

As for the Outbound Policy Violation (the last alert you posted), I don’t believe this is related to TB. The 224.0.0.2 IP is a UPnP broadcast IP; it is related to the UPnP service & the router, which we will look at later. Otherwise, my post will become difficult to read/follow.

Does your router have its own LAN IP? If so, have you set up a Trusted Zone that includes all trusted LAN IPs?
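To make the "one rule per parent-child relationship" point above visible in the log itself, here is a small Python parser for the CFP log layout quoted in this thread (an added example, not code from the thread or from Comodo). It groups Application Monitor denials by (child, parent) executable and reports children blocked under more than one parent; the 08:40 explorer.exe-parented record is a hypothetical entry I constructed to stand for "TB run manually", and the 08:17:43 record is the partial one discussed above.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the CFP log layout quoted above; the 08:17:43 record is
# deliberately partial and the explorer.exe-parented one is hypothetical.
SAMPLE_LOG = r"""
Date/Time :2007-06-27 08:18:52
Description: Application Access Denied (thunderbird.exe:192.168.1.254: :1274)
Application: C:\Program Files\net\thunderbird\thunderbird.exe
Parent: C:\Program Files\Mozilla Firefox\firefox.exe

Date/Time :2007-06-27 08:17:43
Description: Application Access Denied (thunderbird.exe:192.168.1.254: :1235)

Date/Time :2007-06-27 08:40:00
Description: Application Access Denied (thunderbird.exe:192.168.1.254: :smtp(25))
Application: C:\Program Files\net\thunderbird\thunderbird.exe
Parent: C:\WINDOWS\explorer.exe
"""

FIELD_RE = re.compile(r"^([A-Za-z/ ]+?)\s*:\s*(.*)$")

def parse_records(text):
    """Split blank-line separated CFP records into {field: value} dicts."""
    return [dict(m.groups() for m in map(FIELD_RE.match, chunk.splitlines()) if m)
            for chunk in re.split(r"\n\s*\n", text.strip())]

def exe_name(path):
    return PureWindowsPath(path).name.lower() if path else None

def denied_pairs(records):
    """Count Application Monitor denials per (child, parent) executable; a
    partial record (no Parent line) is kept with parent=None, not dropped."""
    counts = Counter()
    for rec in records:
        desc = rec.get("Description", "")
        if desc.startswith("Application Access Denied"):
            # a partial record lacks the Application line: fall back to the name in Description
            child = exe_name(rec.get("Application")) or desc.split("(")[1].split(":")[0].lower()
            counts[(child, exe_name(rec.get("Parent")))] += 1
    return counts

def children_with_several_parents(counts):
    """Children blocked under more than one known parent: each pair is its own CFP rule."""
    parents = {}
    for child, parent in counts:
        if parent is not None:
            parents.setdefault(child, set()).add(parent)
    return {c for c, ps in parents.items() if len(ps) > 1}
```

Running it over an exported CFP log would show thunderbird.exe denied once under firefox.exe and once under explorer.exe, i.e. two relationships that each need their own Allow.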

Hello,
I cut out some of the non-essential lines from the log to make the post smaller. As mentioned, there are no blocks in Comodo (other than Adobe Acrobat). If the outbound block is not related, it was triggered at the same time as the mail was sent and stopped only Thunderbird from working.

As for my router: in Comodo I set up a trusted zone for 192.168.1.x, which is my entire LAN (which the router is within - .254).

As for the Thunderbird problem with email, that seems to have worked after a reboot. But it does seem far too common for Comodo to ban some of my main networking programs randomly (Firefox, Thunderbird).

Do you think the self-learning stuff isn’t quite as good as it should be and it might be best to turn it off? Or do you think things are originating from my router?

[edit] Yet again I’ve booted my computer and Firefox and Thunderbird have stopped working. Rebooting has fixed it. Clearly there’s something very wrong with Comodo.

[edit] And again after the reboot Comodo has thrown a wobbler because I used a secure address. Yet there’s nothing in the application log denying it:

Date/Time :2007-06-28 21:12:06
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\Program Files\Mozilla Thunderbird\thunderbird.exe
Protocol: TCP Out
Destination: 212.72.99.40::8443
Details: C:\Program Files\Mozilla Thunderbird\thunderbird.exe has tried to use C:\Program Files\Mozilla Firefox\firefox.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-06-28 21:12:05
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\Program Files\Mozilla Thunderbird\thunderbird.exe
Protocol: UDP Out
Destination: 192.168.1.254::dns(53)
Details: C:\Program Files\Mozilla Thunderbird\thunderbird.exe has tried to use C:\Program Files\Mozilla Firefox\firefox.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-06-28 21:04:23
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 192.168.1.64
Destination: 224.0.0.22
Reason: Network Control Rule ID = 8