Comodo firewall + google desktop + firefox? [resolved]

Hey, I’m getting crazy soon with popups about Google Desktop Search (googledesktopindex.exe), which wants to connect to the internet through Firefox.

Does anyone have any rules for Google Desktop Search? I don’t know what I should permit and not, since I’m quite paranoid about it sending personal information to the Google Corp… But I guess that is unavoidable unless I stop using the program…

It seems to be using http (80) and https (443) ports to a wide range of IPs.

I don’t know why it wants that really, since I’m not searching for anything. Or, it’s the other way around, that firefox is going through google desktop to receive data; if that is the issue, why is it doing that? Perhaps it’s logging my browser history so I can search it later… or? (R)

If you can grab a screenshot of one of the popups, save it as an image file (jpg, png, gif), then you can attach it to your post here using the Additional Options. There are detailed instructions about such in this thread… https://forums.comodo.com/index.php/topic,6167.0.html

That will help, if we know exactly what it’s telling you.

Tnx,

LM

Hi Ted, welcome to the forums.

Whilst you’re gathering LM’s images, I’d like to state the obvious & attempt to make this a mute issue. ;D

The Net abounds with rumors and allegations of spyware concerning Google Desktop Search. Some believe it is a security threat. Personally, I doubt if it is any of these things… Google may be evil, but they’re not stupid. :wink: Anyhow, it most obviously does track where you browse; it does this in an attempt to feed you relevant (to you… based on your browsing habits) content. Since you use it, I’m not sure why you don’t trust it. You either trust it (and give it access) or not trust it (and uninstall it).

edit

http://temp.uppladdning.net/1180730905.JPG

http://temp.uppladdning.net/1180730947.JPG

Thanx :slight_smile:

hm, I believe I’ve allowed some traffic which has eliminated the worst amount of popups…
[popup] No, just kidding, arrgh:

http://temp.uppladdning.net/1180731169.JPG

This is one of the most usual popups… Some IP and either port 80 or 443, though before it used firefox sometimes as well…

I’m guessing my rules for both firefox and google desktop are ■■■■■■■ up… And I believe it’s better to have a somewhat tight ruleset instead of allowing all traffic.
I hope you can make anything out of the screens (I’ve attached the rules-screenshot), otherwise just tell me what to do :wink:


Okay, the first popup you show is partially because of Application Behavior Analysis (ABA), based on the “special windows messages” thing. I’m gonna hazard a guess that this is very common with google desktop, given what it’s supposed to do, and that it’s connecting to the localhost/loopback, which is the other aspect of the alert. Unless you are connecting by proxy server, it is not a concern to disable monitoring of loopback connections, since it’s entirely internal at that point. You may do so by going to Security/Advanced/Miscellaneous and making sure both boxes “Skip loopback… TCP/UDP” are checked. OK, and you’re set (certainly by next reboot).

Can’t tell much from the application rules; the one highlighted is not an Application & Parent match for the alerts shown, so that doesn’t give much to go on. You should have a rule that shows as the application Firefox.exe and the Parent of googledesktop.exe. You may find it helpful (rather than facing all these alerts) to open that rule to Edit, go to Misc tab, and check the box, “Skip advanced security checks.” So for that combination, it will disable ABA.

For the last popup, that’s all about a change in components. If you click on that button for “Show Libraries” it will open a new window that shows each one of the components in GD.exe that has been changed or is new (this will come after every update). If it did not update or change in any way, and you know that, then you have reason to be suspicious.

It boils down to kail’s “mute” point (hmm, am I supposed to shut up?), as in

“You either trust it (and give it access) or not trust it (and uninstall it).”

Please keep in mind, he’s not grumpy, just misunderstood… :wink: He has a fair assessment of it though, at the core - if you want to use google desktop, you have to realize that by its nature it has to be somewhat invasive, or it is of no benefit; if you don’t want to use it, or feel its invasiveness is not justifiable, then uninstall…

Hope that helps,

LM

Not at all mate, I was trying to save everybody the “risk” of looking at the INs and OUTs of Google Desktop. It was made by the… dark ones you know. :wink:

Absolutely. :slight_smile:

It sure helped :slight_smile: (umm… a little :wink: )

“Skip loopback… UDP” was checked but not TCP. Checked that one now.

Just so I understood the first thing you said there:

“Unless you are connecting by proxy server, it is not a concern to disable monitoring of loopback connections, since it's entirely internal at that point. You may do so by going to Security/Advanced/Miscellaneous and making sure both boxes "Skip loopback... TCP/UDP" are checked. OK, and you're set (certainly by next reboot).”

The “Skip loopback…” options are only there for internal networks, right? Which surely shouldn’t be a problem if it’s a home network (like I have)?

Ok, so now, I’m a little confused, there are so many “variables” that need to be taken care of ???

Also, what happens if I say “Allow all” and “skip parent check” for GD? And then just clean up my FF rules? Could that work, or is it unsafe?

risk? what risk? :-\ :slight_smile:

As far as I have realized, it’s all over the place… hm…

Sorry Ted, I was joking. I didn’t mean to alarm you. If you follow the popular Net press, you’ll discover that there are claims that Google is evil. Really. And it sort of stuck. Google are evil, they’re trying to take over. True? I’ve no idea… but, it is funny.

Edit: it’s all over the place… perhaps they have taken over now. :wink:

ah… I’m just slow… :smiley:

I found out now that (of course) yahoo! and micro$oft have their answer to GD as well.
Yahoo also say they protect your privacy and all that, but I’m having a hard time trusting them…
MS says nothing about it though…

Although, I’ve turned the “Extra functions” off in GD, which google say sends information to them if it’s turned on. So hopefully I’m “safe”…

It’s the stuff Google gets into… here’s one and there’s even this one. You just couldn’t make up better if you tried. Now, sorry… I’m polluting your topic. I must self-mod. eek. :-X

I wouldn’t say Allow All for an application just to stop popups, and especially not something like GD (not saying it’s bad, just that I don’t think it’s justified). Reason is, that’s giving it free rein to attempt connections however it pleases; its only controller would be the Network Monitor rules. There’s only one app I’ve done that with, and it was necessary for it to be able to connect when I wasn’t at the computer.

If googledesktop.exe is consistently shown in the alerts as the parent to your browser (leave the nature of the alert out for the moment, just focus on the app-parent relationship), then the scenario I gave should be sufficient (and clean up other rules). That is to say, having a rule for firefox.exe as the app and googledesktop.exe as the parent, and Skip Advanced Checks under Misc tab. Then, because AppMon rules are hierarchical for each app, remove any redundant rules (i.e., other iterations of ff combined with gd). You still need FF rules for your browsing, but that might have a different parent. Not sure if gd needs its own app rules, independent of ff.

Not sure where you have your Alert Frequency (security/advanced/miscellaneous) set, but each level introduces additional details to your regular alerts (which you can see if you move the slider around). Decreasing the AF is not a security risk, it simply reduces the level of detail; and thus, the number of alerts. Setting it to Low or Very Low may help as well.

LM

hm, setting the Alert Frequency to low helped out for sure… :slight_smile: I read some “secure setup”-guide where it was recommended to have it high, but I feel that it just creates more trouble…

ok, so now I’ve narrowed down the amount of rules for FF, to just 1 rule:

program: firefox.exe
parent: explorer.exe
ip: 162.168.1.2
port: 80,443

That should be enough for firefox right?

What about GD then?

It uses 4 different programs: GDCrawl, GDDisplay, GDIndex and GDUpdate.

Crawl seems to be the most active one, which uses port 80 (destination) and probably ports from ~1000-5000 (source port), like FF does. The other ones I doubt use internet, except for GDUpdate that is…

But I don’t get this, should I set the rules to permit access over the ports 1000-5000 or should it be the same as for FF (80 and perhaps 443?)… or both perhaps? One for outbound and one for inbound?

here is more: Google’s goal: to organise your daily life

The rule for firefox would appear to be limiting it to only one website. Not very useful for browsing… :wink:

With an AF of Low, all that is defined is the Application, Loopback (if used), and Direction of traffic. Assigning ports or IP addresses is good to “tighten” up the rules, but is really redundant at that point. The first time the application updates, you will get an alert that it has changed. When you click Allow w/Remember (which you’ll need to do, to stop the alerts for it changing), it will overwrite any and all details with only enough to match the AF Level. In this scenario, it will replace your IP address and Port restrictions with Any and Any.

Same applies to GoogleDesktop (and its variants). My recommendation, at your current AF Level, is to select Allow & Remember for the FF and GD alerts. The necessary rules will be created. Then, when you get an alert based on ABA, you can either Allow w/Remember to not see that alert again, or simply Allow, realizing you will have to do so each time. Given that you use GD a lot, it seems (to me) pointless not to just “remember” the alert response, so as to minimize your regular popups.

In that case, if something “bad” happens, such as GD gets hijacked, or you get malware that tries to use either one to connect with, you’ll get a new alert. If you see that there is Library info that you’re not familiar with, or a new parent relationship of which you’re not aware, changed signature, etc, (always look at the details…), then it’s probably wise to Deny w/o Remember, and check out the situation to see if there’s a reason to be concerned. But for the day-to-day regular stuff, you’ll drive yourself crazy with popups if you don’t allow them more permanently.

The stuff you read about having AF Level on High is for those moderately-to-severely paranoid folks that want to know every detail all the time about how their system is connecting/communicating. They’re already crazy, so they can’t make themselves any worse by responding to popups. Their reflexes are lightning-fast, their eyes quick, and their fingers callused from super-clicking, so they are all set for that scenario… :smiley: (:KWL)

LM

Wonderful reply Little Mac! (:CLP)
Thank you, I guess this thing is solved now, and I learned a great deal. Woohoo!
(:AGL) (S) (:AGL)

Okay, then Ted, I’ll mark it resolved for others’ benefit, and close the topic. If you find you need it reopened, just PM a Moderator (please include a link to this thread) and we’ll be glad to do so.

Glad we could help, and that you learned something useful… :slight_smile:

LM