CPF Confused? [RESOLVED]

This was originally posted in another topic. But, I probably shouldn’t have done that… since it sort of got ignored. So, I decided to post it separately…

CPF said something that was a little… well, off. At the time I was running Firefox & I had just selected “Open Link in IE Tab”, something that I hadn’t done since updating Firefox to 1.5.0.6. So, CPF noticed… But, it seemed to get confused as to what was happening, because it generated the following 2 popups (these are log copies).

Date/Time :2006-08-13 12:51:39
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Remote: 127.0.0.1:12110
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe
through OLE Automation, which can be used to hijack other applications.

Date/Time :2006-08-13 12:51:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Remote: 193.35.133.10:dns(53)
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe
through OLE Automation, which can be used to hijack other applications.

Now, B2.exe (an email client) was running minimized in the tray at the time & may well have been active (checking for or downloading emails). But, I really don’t believe it deserved CPF’s attention & it certainly wasn’t doing anything that had not been previously authorised by CPF.

Edit: Added [RESOLVED]. Sorry, I forgot.

I have seen some behaviour like that as well in the latest beta I am using. I’m just waiting to retest in the next Beta due tomorrow.

They are all about the parent application explorer.exe which is the parent of all applications started manually.

Firefox has somehow communicated with explorer.exe, which is the parent of b2.exe. So when b2.exe tries to connect to the internet, CPF warns you that its parent may have been manipulated negatively, so it is asking for convenience.

The same sequence is valid for the other: when b2.exe COMs to explorer.exe, which is also the parent of firefox.exe.

If you further run Internet Explorer from the desktop, CPF would ask you both of these COM popups before allowing.

explorer.exe is the parent of all these sort of applications.

So no confusion here. This is because of full parent-based controlling. There is no difference between modifying the parent application and modifying the child.

But you can always disable parent leak checking from the Advanced section.
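To make the parent-based logic above concrete, here is an added example (not CPF's own code and not from any poster in this thread) that parses log entries in the layout quoted earlier and, for each alert, separates the three processes involved: the child that opened the connection (Application), the parent they share (Parent), and the process that the Details sentence says drove that parent through OLE Automation. The field names are taken from the quoted entries; the assumption that every Details line follows the "X has tried to use the Parent application Y through OLE Automation" wording, and the constructed sample log, are mine.

```python
"""Parse CPF "Application Behavior Analysis" alerts and relate each one to the
parent/child/initiator processes it names.  Added example: field names come from
the alerts quoted in the thread; the Details wording is assumed to be fixed."""
import re
from collections import defaultdict

# Constructed sample: the two alerts from the thread, one "Key: value" per line,
# blank line between entries, the long Details sentence wrapped onto a second line.
SAMPLE_LOG = r"""
Date/Time :2006-08-13 12:51:39
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Remote: 127.0.0.1:12110
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe
through OLE Automation, which can be used to hijack other applications.

Date/Time :2006-08-13 12:51:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Remote: 193.35.133.10:dns(53)
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe
through OLE Automation, which can be used to hijack other applications.
"""

# Keys are listed explicitly so a wrapped continuation line is never mistaken for
# a field.  "Date/Time :x" and "Description: x" both occur, so whitespace around
# the first colon is optional; values such as "127.0.0.1:12110" keep their colons.
FIELD_RE = re.compile(
    r"^(Date/Time|Severity|Reporter|Description|Application|Parent|Protocol|Remote|Details)"
    r"\s*:\s*(.*)$")
# Assumed fixed wording of the Details sentence (taken from the quoted alerts).
OLE_RE = re.compile(
    r"^(?P<initiator>\S+) has tried to use the Parent application (?P<parent>\S+) "
    r"through OLE Automation")


def basename(path):
    """Lower-cased file name of a Windows path, for loose comparisons."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_cpf_log(text):
    """Return one dict per blank-line-separated alert; wrapped values are rejoined."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current, last_key = {}, None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key is not None:
            current[last_key] += " " + line  # continuation of a wrapped value
    if current:
        entries.append(current)
    return entries


def explain_ole_alert(entry):
    """Extract the process triple from one alert, or None if Details is unparsed."""
    m = OLE_RE.match(entry.get("Details", ""))
    if not m:
        return None
    return {
        "when": entry["Date/Time"],
        "child": entry["Application"],          # process that opened the connection
        "parent": entry["Parent"],              # parent shared by child and initiator
        "initiator": m.group("initiator"),      # process that touched the parent
        "connection": f'{entry["Protocol"]} {entry["Remote"]}',
        # The thread's point: the child is not the suspect; a third process
        # manipulated the parent they both share.
        "initiator_is_child": basename(m.group("initiator")) == basename(entry["Application"]),
        "parent_matches": m.group("parent").lower() == entry["Parent"].lower(),
    }


def group_by_parent(entries):
    """Map parent file name -> set of (initiator, child) file-name pairs seen under it."""
    groups = defaultdict(set)
    for e in entries:
        info = explain_ole_alert(e)
        if info:
            groups[basename(info["parent"])].add(
                (basename(info["initiator"]), basename(info["child"])))
    return dict(groups)


if __name__ == "__main__":
    alerts = parse_cpf_log(SAMPLE_LOG)
    for a in alerts:
        print(explain_ole_alert(a))
    print(group_by_parent(alerts))
```

Run on the two quoted alerts, both resolve to the same triple: initiator firefox.exe, parent explorer.exe, child b2.exe, with the child never being the initiator. That is exactly the situation the reply describes, and grouping by parent shows why both popups name explorer.exe rather than B2.exe.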

OK. But, in that case, why didn’t CPF report all the processes that explorer.exe was the parent for?

If they requested internet access, it would warn you. Once you allow it, it won't ask for that instance of leak attempt again.

Why would CPF care about the parent application?

Hi,

Some trojans and other malware may attempt to use, for example, Internet Explorer to access the internet. In this case CPF would alert that Internet Explorer had a new parent using it and thus alert you to the trojan.

Mike