Comodo Rules - App behaving weird

Hello -

I am new to this, after just having dumped ZA :slight_smile:

I set up a rule for Firefox with:

Security > App Monitor

  • Destination: Any
  • Port: Any
  • TCP/UDP In/Out
  • Parent App: C:\Windows\explorer.exe

Yet I still receive the following message in the logs:

Date/Time :2007-08-18 16:53:41
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 70.42.134.17::https(443)
Details: C:\Program Files\Mozilla Thunderbird\thunderbird.exe has tried to use C:\Program Files\Mozilla Firefox\firefox.exe through OLE Automation, which can be used to hijack other applications.

Why is that?


For the next app, I have it set up the same as above, but get the following message:

Date/Time :2007-08-18 16:36:21
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (MyApp.exe:X.X.X.X: :pop-3(110))
Application: C:\Program Files\MyApp\MyApp.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: X.X.X.X::pop-3(110)

Why is that happening and how do I solve it?

Thanks

corule, welcome to the forum and congratulations on finding the hell exit door :wink:

That’s a different feature of CFP kicking in, not Application Monitor. The details of the log indicate it was triggered by the feature known as ABA (Application Behavioral Analysis), one of the anti-leak ones.

OLE Automation Alerts https://forums.comodo.com/index.php/topic,4728.msg35532.html#msg35532 https://forums.comodo.com/index.php/topic,4875.msg36088.html#msg36088 https://forums.comodo.com/index.php/topic,5207.msg38857.html#msg38857
To summarize, since both explorer.exe and firefox.exe are safe applications (assuming they are not malware versions on your pc :)), then you have to allow the OLE Auto alerts or else your connection to Firefox is broken. You'll have to restart Firefox and remember to allow it. If it still fails you'll have to reboot the pc. Only deny these alerts if either 1 of the 2 programs is something you don't recognize.

This one shows it was triggered by Application Monitor; you must’ve denied an alert on this. If you enabled the Remember option on that alert, you’ll have to remove the rule in Application Monitor and restart the program. This one is much easier to understand than the OLE thing.

You’re welcome.
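As an added illustration of the distinction made in this reply (not code from the thread or from Comodo), the following Python script parses CFP log entries in the layout quoted above, reads the Reporter field to tell an Application Behavior Analysis (ABA) entry from an Application Monitor one, pulls the two parties out of an OLE Automation line, and checks whether an Application Monitor rule like the one described in the question would even apply. The sample log text is constructed to mirror the two entries quoted above; the AppRule class and its matching semantics are assumptions made for this example, not Comodo's own rule model.

```python
import re
from dataclasses import dataclass

# Constructed sample log in the same layout as the CFP entries quoted in the thread.
SAMPLE_LOG = r"""Date/Time :2007-08-18 16:53:41
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 70.42.134.17::https(443)
Details: C:\Program Files\Mozilla Thunderbird\thunderbird.exe has tried to use C:\Program Files\Mozilla Firefox\firefox.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-18 16:36:21
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (MyApp.exe:X.X.X.X: :pop-3(110))
Application: C:\Program Files\MyApp\MyApp.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: X.X.X.X::pop-3(110)
"""

# "Key :Value" and "Key: Value" both occur in CFP logs; the key may contain "/" (Date/Time).
FIELD_RE = re.compile(r"^([A-Za-z/ ]+?)\s*:\s*(.*)$")
# host::service(port), e.g. 70.42.134.17::https(443)
DEST_RE = re.compile(r"^(?P<host>.+?)::(?P<service>[^(]+)\((?P<port>\d+)\)$")
OLE_RE = re.compile(r"^(?P<actor>.+?) has tried to use (?P<target>.+?) through OLE Automation")


def parse_log(text):
    """Split the log into entries (blank-line separated) and each entry into a dict of fields."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            entries.append(fields)
    return entries


def parse_destination(dest):
    m = DEST_RE.match(dest)
    return m.groupdict() if m else {"host": dest, "service": "", "port": ""}


@dataclass
class AppRule:
    """Assumed model of an Application Monitor rule as described in the question."""
    application: str
    parent: str
    direction: str = "In/Out"   # "In", "Out" or "In/Out"
    destination: str = "Any"    # "Any" or a host
    port: str = "Any"           # "Any" or a port number as a string


def rule_matches(rule, entry):
    """True if the rule covers this entry (paths compared case-insensitively, as Windows does)."""
    same = lambda a, b: a.lower() == b.lower()
    if not same(rule.application, entry.get("Application", "")):
        return False
    if not same(rule.parent, entry.get("Parent", "")):
        return False
    _proto, direction = entry.get("Protocol", "TCP Out").split()
    if rule.direction != "In/Out" and rule.direction != direction:
        return False
    dest = parse_destination(entry.get("Destination", ""))
    if rule.destination != "Any" and rule.destination != dest["host"]:
        return False
    if rule.port != "Any" and rule.port != dest["port"]:
        return False
    return True


def triage(entry, rules):
    """Say which CFP component wrote the entry and whether any App Monitor rule applies to it."""
    reporter = entry.get("Reporter", "")
    out = {"reporter": reporter, "application": entry.get("Application", ""),
           "rule_matched": any(rule_matches(r, entry) for r in rules)}
    if reporter == "Application Behavior Analysis":
        out["component"] = "ABA"
        m = OLE_RE.match(entry.get("Details", ""))
        if m:
            out["ole"] = {"actor": m["actor"], "target": m["target"]}
        out["note"] = ("Raised by the anti-leak component, so an Application Monitor rule does not "
                       "silence it; 'Suspicious Behaviour' alone does not say whether the connection was blocked.")
    elif reporter == "Application Monitor":
        out["component"] = "AppMon"
        out["denied"] = entry.get("Description", "").startswith("Application Access Denied")
        out["note"] = "Rule-based decision; a denial usually means a deny rule (possibly a remembered alert) exists."
    else:
        out["component"] = "other"
    return out


if __name__ == "__main__":
    firefox_rule = AppRule(application=r"C:\Program Files\Mozilla Firefox\firefox.exe",
                           parent=r"C:\Windows\explorer.exe")
    for e in parse_log(SAMPLE_LOG):
        print(triage(e, [firefox_rule]))
```

Running it shows that the Firefox entry does match the question's rule, yet was written by ABA and not by Application Monitor, which is exactly why the rule did not stop the alert; the MyApp entry is a plain Application Monitor denial, which points at a remembered deny rule rather than at ABA.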

Wow - Cool. Thanks for all the help and the great reply :slight_smile:

One last question: If I see this in the log:

Description: Suspicious Behaviour (firefox.exe)

Does that mean that it was blocked, or just that it was suspicious behavior?

Good question. It could mean either. LOTS of things on computers and the internet are suspicious lol. CFP doesn’t have the ability to determine whether some program is legit or not, only to detect that the actions or behavior of that program are out of the ordinary. I suppose the AI isn’t that high yet (wait for version 3). There have been many cases where legit programs like Firefox do something that CFP deems suspicious, but in reality isn’t. e.g. virus.exe can be performing the same actions as firefox.exe. Which one is legit is something the user has to determine.

Even though you (intentionally ??? >:() didn’t include the rest of the log info on that alert, it should mean the attempted connection related to firefox.exe was blocked. Sometimes I receive an alert just like that, and it means that if I don’t answer (allow/deny) quickly enough, CFP will log it for every attempt it failed. You’ll notice that programs often attempt more than 1 connection at a given time, and you can tell by looking at the bottom of the alert, which is numbered like 1 of 5 alerts… If you don’t answer in x seconds then CFP will automatically deny it. These things can be changed in Security > Advanced > Miscellaneous > Configure.