This was originally posted in another topic. But, I probably shouldn’t have done that… since it sort of got ignored. So, I decided to post it separately…
CPF said something that was a little… well off. At the time I was running Firefox & I had just selected “Open Link in IE Tab”, something that I hadn’t done since updating Firefox to 1.5.0.6. So, CPF noticed… But, it seemed to get confused as to what was happening. Because it generated the following 2 popups (these are log copies).
Date/Time :2006-08-13 12:51:39
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Remote: 127.0.0.1:12110
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.
Date/Time :2006-08-13 12:51:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Remote: 193.35.133.10:dns(53)
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.
Now, B2.exe (an email client) was running minimized in the tray at the time & may well have been active (checking for or downloading emails). But, I really don’t believe it deserved CPF’s attention & it certainly wasn’t doing anything that had not been previously authorised by CPF.
They are all about the parent application explorer.exe which is the parent of all applications started manually.
Firefox has somehow communicated with explorer.exe, which is the parent of b2.exe. So when b2.exe tries to connect to the internet, CPF warns you that its parent may have been manipulated negatively, so it asks you to confirm.
The same sequence applies the other way round, when b2.exe COMs to explorer.exe, which is also the parent of firefox.exe.
If you further run Internet Explorer from the desktop, CPF would show you both of these COM popups before allowing it.
explorer.exe is the parent of all these sorts of applications.
So there is no confusion here. This is because of full parent-based control. There is no difference between modifying the parent application and modifying the child.
But you can always disable parent leak checking from the Advanced section.
Some trojans and other malware may attempt to use, for example, internet explorer to access the internet. In this case CPF would alert that internet explorer had a new parent using it and thus alert you to the trojan.
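Added example (not CPF's code and not part of either post): a small Python model of the parent-based checking the reply describes, replayed against the two log entries from the first post. Process ids, the iexplore.exe path and the trojan scenario are constructed for illustration; the "new parent" check at the end models the trojan case in the last paragraph.

```python
"""Toy model of CPF-style parent-based leak checking (added example, not Comodo code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Process:
    pid: int
    name: str              # image path, as CPF prints it
    parent: Optional[int]  # pid of the process that launched it


@dataclass
class Alert:
    application: str
    parent: str
    protocol: str
    remote: str
    details: str


class ParentLeakMonitor:
    """Decide whether an outbound connection needs a popup.

    Two checks are modelled, both taken from the reply above:
    1. parent leak check: once process X has driven process P through OLE/COM
       automation, every *other* child of P that later connects gets an alert
       naming X and P (this check can be switched off, as in CPF's Advanced section);
    2. new parent check: an app that has only been authorised with parent P1 and
       now connects with parent P2 gets an alert (the trojan-launches-IE case).
    """

    def __init__(self, processes, parent_leak_check=True):
        self.procs = {p.pid: p for p in processes}
        self.parent_leak_check = parent_leak_check
        self.ole_users = {}    # target pid -> set of image names that drove it via OLE/COM
        self.allowed = set()   # (app image, parent image) pairs the user has approved
        self.alerts = []

    def ole_automation(self, actor_pid, target_pid):
        """Record that actor drove target through OLE Automation (a COM call)."""
        self.ole_users.setdefault(target_pid, set()).add(self.procs[actor_pid].name)

    def allow(self, app, parent):
        """Remember an (app, parent) pair the user already authorised."""
        self.allowed.add((app, parent))

    def connect(self, pid, protocol, remote):
        """Return the popups CPF would raise for this outbound connection."""
        proc = self.procs[pid]
        parent = self.procs.get(proc.parent)
        parent_name = parent.name if parent else "<none>"
        raised = []
        if (proc.name, parent_name) not in self.allowed:
            raised.append(Alert(proc.name, parent_name, protocol, remote,
                                f"{proc.name} is being started by a new parent {parent_name}"))
        if self.parent_leak_check and parent is not None:
            for actor in sorted(self.ole_users.get(parent.pid, ())):
                if actor == proc.name:
                    continue  # an app is not warned about its own COM use of the parent
                raised.append(Alert(proc.name, parent_name, protocol, remote,
                                    f"{actor} has tried to use the Parent application {parent_name} "
                                    "through OLE Automation, which can be used to hijack other applications."))
        self.alerts.extend(raised)
        return raised


# Constructed pids for the replay; the paths for explorer, firefox and B2 come from the log above.
EXPLORER, FIREFOX, B2, IEXPLORE, TROJAN = 1000, 2000, 3000, 4000, 5000
EXPLORER_PATH = r"C:\WINDOWS\explorer.exe"
IEXPLORE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"  # assumed, not in the thread


def replay_thread_events(parent_leak_check=True):
    """Replay the situation from the first post; returns the monitor with its alert log."""
    m = ParentLeakMonitor([
        Process(EXPLORER, EXPLORER_PATH, None),
        Process(FIREFOX, r"D:\Firefox\firefox.exe", EXPLORER),
        Process(B2, r"D:\B2\B2.exe", EXPLORER),
        Process(IEXPLORE, IEXPLORE_PATH, EXPLORER),
    ], parent_leak_check)
    for app in (FIREFOX, B2, IEXPLORE):
        m.allow(m.procs[app].name, EXPLORER_PATH)  # previously authorised by the user
    m.ole_automation(FIREFOX, EXPLORER)            # "Open Link in IE Tab" drives the shell via COM
    m.connect(B2, "UDP Out", "193.35.133.10:dns(53)")  # the two connections from the log
    m.connect(B2, "TCP Out", "127.0.0.1:12110")
    return m


def trojan_launches_ie():
    """Constructed scenario for the last paragraph: IE started by an unknown parent."""
    m = ParentLeakMonitor([
        Process(TROJAN, r"C:\Temp\trojan.exe", None),   # hypothetical malware image
        Process(IEXPLORE, IEXPLORE_PATH, TROJAN),
    ])
    m.allow(IEXPLORE_PATH, EXPLORER_PATH)              # IE was only ever approved under explorer
    return m.connect(IEXPLORE, "TCP Out", "198.51.100.7:80")


if __name__ == "__main__":
    for a in replay_thread_events().alerts + trojan_launches_ie():
        print(f"{a.application} ({a.protocol} {a.remote}) parent={a.parent}: {a.details}")
```

With parent leak checking on, the replay produces exactly the two popups the first post shows (one per B2 connection, both naming firefox.exe and explorer.exe); with it off, B2 connects silently because its (app, parent) pair was already allowed. The trojan scenario raises only the "new parent" alert.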