component monitor entries

Hello everyone,

I am glad to be here as another Comodo FW user. The program works fine. I was surprised it had no advice on firefox.exe. Also, GoogleEarth has not been recognized by the ‘scan for known applications’ function. I thought these two were quite common, but apparently not so.

My main confusion is with component monitor. After 24 hours, there is a staggering number of entries, about 300. All of them are allowed. I checked a few and saw that some dll’s are related to running programs, so my guess is it’s OK to allow them. Other dll’s are from system32, but I don’t know whether and why they should be allowed.
So, how do I decide? Is it safe to allow 300 dlls?

One last thing I couldn’t figure out was the following. After enabling windows updates, I got the regular prompt saying that svchost.exe is trying to connect, the parent being services.exe, and below, that the connection was initiated by skype.exe. I thought it very odd that skype would have anything to do with windows update service and clicked deny.
Is that a bug? The update service would not connect until the above prompt was allowed.

Welcome, Mike!

Hopefully I can answer your questions satisfactorily…

Here’s the deal on the Components Monitor - When an Application is engaged, Comodo “certifies” all the components (dlls, services, etc) that make up that application. Basically this is Comodo saying, “Okay, all these pieces check out; they are what they say they are.” Then if anything changes, it recognizes and will alert you to the change. It’s a part of the security. Doesn’t mean these components are connecting to the internet; only applications connect, within the context of your Application Rules (Monitor). Yes, you will have a huge list of Components, 700 or so is not uncommon.

After running the Scan for Known Applications, I have found it efficacious to reboot. I don’t know if you did that or not, but it seems to help “set” the information gained by the scan into CPF’s memory.

Sometimes when you have an internet-capable program running (even in background), such as Skype, it engages your internet connection in a way that uses the components for other applications. Thus, when you use an application that is known to Comodo to use those components, CPF recognizes that a different application already has those components “hooked.” In this case, Skype. Thus, CPF gives you an alert that things are not what it thinks they should be. If you read the text in the alert, it should tell you that something’s different (sounds like it did, by telling you about Skype); the exact message would probably be something about an application modifying the memory, sending special windows messages, or something similarly strange-sounding. If you deny, then the known legit program (such as the Updater) will be blocked from connecting, as it may be a hijacked application (from CPF’s standpoint).

Hope that helps. If you need any more clarification on it, I’ll be glad to try to answer.

LM
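The certify-then-alert-on-change idea described in the reply above, as an added example that is not part of the original thread and is not Comodo's implementation: it records a SHA-256 baseline of an application's components and reports which ones are new, missing or changed on a later check. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, patterns=("*.dll", "*.exe")) -> dict:
    """Map each component's path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            baseline[str(path.relative_to(root))] = sha256_of(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report components that appeared, disappeared or changed since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "new": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in shared if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Run the check over a constructed application folder (hypothetical files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"constructed main binary")
        (root / "helper.dll").write_bytes(b"constructed helper v1")
        (root / "codec.dll").write_bytes(b"constructed codec")
        baseline = build_baseline(root)
        # Simulate a later state: one component replaced, one removed, one added.
        (root / "helper.dll").write_bytes(b"constructed helper v2")
        (root / "codec.dll").unlink()
        (root / "plugin.dll").write_bytes(b"constructed plugin")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A changed or new entry is not by itself a sign of compromise, since legitimate updates produce the same result; it is the point at which a component is worth a closer look.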

Hi Little Mac, and thanks for the reply. My main problem with Component Manager was the lack of both knowledge and information. I’ve used ZoneAlarm in the past, but it didn’t ask about components. The prompt mentioned in my first post read as follows:

app: svchost.exe

parent: services.exe

Skype.exe has tried to use svchost through OLE Automation, which can be used to hijack other applications. Skype can be using this process to connect to the internet.

The prompt appeared after Windows Update Notification was activated, and had a high severity security warning. What you’ve explained makes sense, but that’s not what the prompt said, and even after your explanation, I do not know if Skype was supposed to use svchost.exe. In fact, I do not know if WMP or Firefox are supposed to use UDP port, and lots of other things asked by Comodo. Now, it’s totally my fault, and perhaps it may sound like I am too demanding. I am not. In a way, it can be useful for self education, and all I really want is to help. Comodo is a very good firewall, but I’d really like to see more informative prompts like, ‘Skype normally uses svchost.exe, but it can also be…’, or ‘Firefox is supposed to use a UDP port, but…’. An alternative is to provide information elsewhere, Help File, FAQ perhaps. I really don’t think an average Windows user knows such details. After having used Comodo firewall for a few days, I’ve realized that I haven’t understood the information of most of the prompts, except the initial ones, and had to guess blindly whether to allow or deny. Most of those prompts do not have any advice available about very common applications, but do have security warnings. I think seeing a lot of them can result in disregarding a security warning of real importance.

Regards

Mike (:WAV)

Mike,

Okay, so it’s an OLE Automation issue. From a non-technical/regular user standpoint, it’s the same thing - an application is making use of another application in order to connect to the internet; it is a potential hazard (doesn’t mean that it is a hazard, just that it has potential). If you go to Security/Advanced/Application Behavior Analysis, you will see a list of “hazardous” events that CPF monitors and alerts on (provided that you have alerts turned on, which you obviously do).

It’s something about the way that Skype operates, even after closing, that it still has “hooks” in your internet services. It may not be actively connecting, but it looks that way from a security standpoint.

The Help files in CPF (just click the “?” “Help” button at the top of the CPF window) have a fair amount of information about these things. Look up Application Behavior Analysis.

Regarding OLE attempts, if you get a popup and you choose “Deny” CPF will shut down your internet connection, as it presumes your system is under attack from within. You may have to reboot to reset its internal memory of the threat (sometimes just stopping and restarting CPF will do the trick, tho). If you “Allow” CPF will allow it for that instance only.

Here are some ways to reduce that situation…

Go to Security/Tasks/Scan for Known Applications (lower right). Follow the prompts. Reboot when finished. Make sure there is a rule for Skype in the Applications monitor (if not, add one, setting the Parent to “Learn”). You can also (in the Skype rule) go to the Miscellaneous tab, and select “Skip advanced…” or “Allow invisible…” if you continue having problems. You can go to Security/Advanced/Miscellaneous and move the Alert Frequency slider down to reduce the number of alerts.

I’m thinking that if you have a rule allowing Skype access, it may not try to connect in a way that violates security.

Give that a try. I realize that if you’re used to other FWs, CPF can be kind of confusing. It has a layered approach to security, and is a part of why it’s currently the most secure firewall out there. And it’s free! :wink:

Hope that helps,

LM