CFP and Directory Opus (DOpus.exe) - [Resolved]

Hi everybody (:KWL)

(English is not my mother tongue, so please try to understand me. (:LOV)

I am a new user of Comodo Firewall (before I was using Kaspersky Anti Hacker which is discontinued).

Now with CFP I have some problems. The most important: as you know, a lot of applications want to connect to their site even if you deactivate "search for update" in their settings. For example, Directory Opus, a very good replacement for Windows Explorer but with a little spy attitude. There is no way to keep it offline! I use it only for copying files on my drives, so it does not have to connect to the Internet. So I block it (TCP/UDP in/out) in the CFP Application Monitor. Now I run my Maxthon web browser (or Firefox) and CFP comes to say: Directory Opus is trying to inject itself into Maxthon to connect to the web. So I click Deny. And now it is Maxthon (or Firefox) that is blocked also and I cannot navigate the web! And what is more strange: when I accept the CFP offer to send the problem to Comodo, it sends "maxthon.exe" and not "DOpus.exe"!

Anybody had the same kind of problem please? (:NRD)

Yes, others have the same/similar issue. This is all related to Application Behavior Analysis (ABA) as found in Security/Advanced/Miscellaneous. What you’re seeing for DO sounds like a .dll injection; in this scenario, the application (or a component of it) cunningly inserts itself into another application (like your browser) in order to gain a connection to the internet. And no, once connected, it would not show the connection belonging to DO; it will show it for the browser…this is the whole point of the injection technique. As far as sending it to Comodo, I believe it will send all pertinent information (including the injection) but I’m not certain on that; it may just submit the browser application, since that is what is actually connected (DO is now a subset of the browser).

Any action you take (without selecting “remember”) will be for that session only. If it’s Deny, it will block both applications; typically a restart of the browser will resolve the block (as it’s only temporary for that session); sometimes a reboot is needed.

When I have had this issue for an application that just won’t seem to quit, I have generally had success by creating a Block rule in the Application Monitor, as you mention doing. It may be that your block rule isn’t set up quite right. Will you do the following, please:

Open Application Monitor to full-screen size. Click on your DO entry just once, to highlight it (and show the detail at the bottom). Capture a screenshot, and save it as an image file. If you need help with this, please check the tutorial in this link: https://forums.comodo.com/index.php/topic,6770.0.html There are explanations of how to capture the screenshot, save it as an image file, and upload it here (either by using a filehosting service, or directly under Additional Options below the textbox of each post).

This way we will see exactly how your rule is created, and perhaps identify ways to make it work better.

LM

(:WAV)
Thanks for your reply.

I attached the screen capture you asked for.

I think I have not yet understood how to use Component Monitor. I did nothing, but there are a lot of DLLs in it and all of them are preconfigured to "Allow". So what do you think if I find all DLLs related to "dopus" and block them?

[attachment deleted by admin]

Thanks for the screenshot. I don't see any problem with that rule; it is very similar to what has worked for me.

Can you capture one more screenshot for me? I’d like to see one of the alerts you get from the DO and browser interaction, if you can grab and post that.

As for Component Monitor, it's set to "Learn" by default on install, and it's probably best to leave it there until you have run most (if not all) of your internet-connecting applications, before turning it to "On." This way you will reduce the number of popups you get about components. If, at this point, you find DO components and set them to Block, I think they will revert to Allow due to "Learn" mode being on. If you try that, be sure to click the "Apply" button after changing them to Block.

LM

OK, I have no more problems with DOpus.exe, so I cannot send you a screenshot. What I did: I deleted all entries related to DOpus.exe and its company from Component Monitor, then I created a new rule to block all TCP and UDP activity of it.

But I have other screenshots for you, because I have a very big problem with my... screen capture utility ;D. In fact, I installed it (FullShot) for doing what you asked me. So I run it, do the capture and close it. And I say again: I close it. Then I run IE and now I have alerts from CFP. I attach a screenshot.

As you can see, this software uses even my anti-virus updater to connect to the Internet. I am so surprised that there is no way for CFP to stop this without stopping my online activities. I never had such problems with Kaspersky Anti-Hacker.

So my problem is the same: if I click Deny, I can no longer navigate the Internet, and I have to restart the computer to be able to again. For now, I have another solution. I uninstalled FullShot! (:KWL)

[attachment deleted by admin]

Excellent resolution for the matter; good work! (:CLP) I will certainly keep that in mind as a way to get it fixed…

As for Fullshot, did you try the same steps with it, to see if that would work there as well?

The popup for Nod32 I would personally consider safe to Allow with Remember, based on that popup. I saw nothing there about anything other than Nod and Windows. Given that Nod is your AV, there is a certain level of trust inherent with that, IMO. If you can’t trust your AV, then… :wink:

The other two, I'm not sure why they're occurring. They are both Windows components, and make no mention of any "suspect" applications or components. It would appear, based on the ports used (53, 68), that it is related to a DNS request and/or your DHCP lease (both necessary to maintain your internet connection). If you have blocked svchost.exe from using those ports, it is possible that these other Windows components have taken up the "battle" to try to create the connection for it (I've read that this can happen). You may want to check your Application Monitor for Block entries on svchost.exe, and the Activity/Logs for any entries showing svchost.exe being blocked, especially on those ports.

As you note, you see the popups for FullShot after you have closed the application. This is not uncommon. The reason being that in Windows, applications hold a place in memory until well after they are closed. They can also still be in the ‘memory’ of applications with which they had previously interacted. Then, when another application connects to the internet (such as your browser), you can get such a popup.

The reason CFP monitors these things is because the same capabilities are used by malware, trying to make the user think that nothing fishy is going on. Any time you install a new application, I’d certainly keep an eye on its activities. But, the time for a true cause of concern is when you see a popup that says that iexplorer has been global hooked by sdinpip.exe (just made it up to exemplify some application you’ve never heard of…). You know you installed FullShot; if you see an alert there, okay, maybe it’s suspicious, but at least you know what it is. You never installed sdinpip.exe; thus if you see that, you can say “Whoa! Stop!” and Deny the connection, then check it out to see what’s going on.

As for your quote above, I'll explain why that happens. CFP is monitoring for suspicious activity, and alerts you when it finds some. If you choose to Deny the connection, CFP considers that you are saying the connection between those two applications/components is not desired and must therefore be malware; i.e., your computer has been compromised. Thus, it will block not only the hijacking application, but also the browser, which is apparently being used by the malware (the browser may be compromised as well). It should be blocked for that session only. Meaning, if you close the browser, wait a few minutes, and reopen it, you can probably reconnect without an alert. The only time I personally have found it necessary to reboot is when the alert was for a COM/OLE Automation attempt; for that one, restarting the browser (or email client, etc.) was not sufficient.

So, it’s not that CFP can’t stop the connect without stopping the browser; I’m sure they could change the code with a little work. It is, however, the way it is designed to work, for security purposes.

Hope that helps,

LM

PS: The reason you never experienced this with Kaspersky is because it doesn’t work the same way. That’s not slamming Kaspersky; just saying that it doesn’t do the same thing as CFP.
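The check LM suggests above (look through the Activity/Logs for svchost.exe being blocked on ports 53 or 68) is easy to script once the log is exported as text. The following is an added example, not code from this thread or from Comodo: the log line format it parses is an assumption invented for the illustration (Comodo's real export looks different, so adapt LINE_RE), and the sample log lines are constructed, not a real capture. It flags every blocked entry that touches a DNS or DHCP port and separates blocks on Windows components (a rule that will take down all connectivity) from blocks on other applications (such as the deliberate DOpus.exe rule).

```python
"""Scan firewall log lines for blocked DNS/DHCP traffic from Windows components.

Added example, not from the forum thread or from Comodo. The log line format
below is an assumption made for this illustration; adapt LINE_RE to whatever
your firewall actually writes.
"""
import re
from typing import Dict, List, Optional

# Ports whose blocking takes down connectivity for every application, not just one.
INFRA_PORTS = {53: "DNS", 67: "DHCP", 68: "DHCP"}

# Windows components that legitimately own DNS and DHCP traffic on XP-era systems.
WINDOWS_NET_HOSTS = {"svchost.exe", "services.exe", "winlogon.exe", "lsass.exe"}

# Assumed format: "<date> <time> <Allowed|Blocked> <app> <TCP|UDP> <In|Out> src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>Allowed|Blocked)\s+(?P<app>\S+)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<dir>In|Out)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample log (not a real capture): two svchost blocks on DNS/DHCP,
# one allowed browser connection, and the intended block of DOpus.exe.
SAMPLE_LOG = """\
2007-01-14 10:02:11 Blocked svchost.exe UDP Out 192.168.1.10:1027 -> 192.168.1.1:53
2007-01-14 10:02:12 Blocked svchost.exe UDP Out 0.0.0.0:68 -> 255.255.255.255:67
2007-01-14 10:02:15 Allowed maxthon.exe TCP Out 192.168.1.10:1030 -> 64.233.183.99:80
2007-01-14 10:03:01 Blocked DOpus.exe TCP Out 192.168.1.10:1031 -> 212.58.240.1:80
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_blocked_infra(log_text: str) -> List[Dict[str, object]]:
    """Return every Blocked entry whose source or destination port is DNS or DHCP.

    Each finding records the application, the service it was reaching for, the
    port, and whether the application is a Windows component (a block that almost
    certainly should not exist) or something else (possibly an intended block).
    """
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "Blocked":
            continue
        for port in (int(rec["sport"]), int(rec["dport"])):
            if port in INFRA_PORTS:
                findings.append({
                    "app": rec["app"],
                    "service": INFRA_PORTS[port],
                    "port": str(port),
                    "windows_component": rec["app"].lower() in WINDOWS_NET_HOSTS,
                })
                break  # one finding per line even if both ends are infrastructure ports
    return findings


def blocked_dns_dhcp_by_windows(log_text: str) -> List[str]:
    """Which Windows components are being denied DNS/DHCP? Sorted 'app:SERVICE' strings."""
    return sorted({f"{f['app']}:{f['service']}" for f in find_blocked_infra(log_text)
                   if f["windows_component"]})


if __name__ == "__main__":
    for f in find_blocked_infra(SAMPLE_LOG):
        kind = "Windows component" if f["windows_component"] else "other application"
        print(f"{f['app']:<14} blocked on {f['service']} (port {f['port']}) - {kind}")
    print("Review these Application Monitor rules:", blocked_dns_dhcp_by_windows(SAMPLE_LOG))
```

Run against the constructed sample, the script reports the two svchost.exe blocks (DNS on port 53, DHCP on port 68) as the rules to revisit and leaves the DOpus.exe block alone, which is exactly the distinction the advice above draws: blocking a spy-ish file manager is fine, blocking the Windows component that does your name resolution and lease renewal is what breaks browsing for everything.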

Thank you for your reply with such detailed info. (:CLP)

(:NRD) Yes, I tried the same steps with FullShot but that did not work. So I finally uninstalled it. Also, nod32kernel is already in the list of permitted applications, but when CFP asks me again at the same time for FullShot, I think there is a problem.

(:NRD) And, no, even though I am not an expert, I know that svchost, winlogon and services are safe Windows applications, so I never put them with blocked applications. What confirms my reply is that I restarted the computer and connected to the Internet and I had no more problems. And since I uninstalled FullShot, I have no more such popups.

Concerning the comparison with Kaspersky, I am sure that CFP is as strong as Anti-Hacker (and perhaps more), but CFP is not yet what we call in French a "convivial" piece of software; I mean the GUI has to become more and more friendly and clear to users.

OK, (:KWL) forget about Kaspersky; for now I am a CFP user and I have a new problem: CFP seems unable to send a suspicious exe to Comodo. But I think it is better that I create a new topic for it. So I hope I will see you there. Thanks.

Great, we’ll look for you in the new topic! ;D I will go ahead and close this one, since you’ve tidied everything up, all nice and neat. If you need it reopened, just PM a Moderator (please include a link) and we’ll be glad to do so.

LM