CPF gives me grief!

That thread seems to talk about automation of a process that communicates over the network (IE in this case), not its parent.

OK. That thread is mainly talking about OLE & the leak test called pcflank. Pcflank uses OLE to communicate with an open MSIE window. OLE is one way that a parent process can send messages to a child process. Another method is something referred to as code injection. This is where a DLL, or “hook”, is added to something like Windows Explorer. This is used legitimately by many applications to add additional functions to Windows Explorer. However, any of these methods can also be exploited by a trojan/virus to gain unauthorised access to the Internet. This can happen when a Firewall is only paying attention to the child processes that access the Internet directly (ie. iexplorer.exe) & not the parent process as well, which may not necessarily access the Internet directly (ie. explorer.exe). That’s why CPF, and many other Firewalls, also carefully pay attention to what is happening to parent processes as well.

Does that help?

Unfortunately, it doesn’t.

OLE can be used between unrelated processes, no parent-child relationship is needed (a product I develop at work does that).

Hooks and code injection can be performed by an unrelated process, no parent-child relationship is needed (a product I developed in the past did that).

Sure, that’s what pcflank does. But, I’m certain CPF would notice if something attempted to inject/OLE to an application/component that had direct Internet access.

However, in the case of a parent application that calls a Net enabled application… why would you not be interested if it had been subject to either OLE or injection?

This is what CPF does in that area (from CPF’s help)…

Monitor Process Injections - Forces the firewall to monitor common code injection techniques that can be used by viruses.

Monitor DLL Injections - Forces the firewall to monitor common DLL injection techniques used by viruses.

Monitor Window Messages - Forces the firewall to monitor special window messages that can be used to manipulate an application’s behavior by a virus.

Monitor DNS Queries - Forces the firewall to monitor DNS requests so that viruses trying to use Windows system services for DNS queries will be detected.

Monitor Parent Application Leaks - Forces the firewall to check if there is a leaking attempt in the parent application. i.e. if Process Injection is selected above, Comodo Personal Firewall will look for the parent application to see if there is a process injection in it before allowing the internet request.

Monitor COM/OLE requests - When enabled, forces CPF to detect any program hijacking attempt which may occur by misuse of COM/OLE interfaces by other programs.

Considering the topic subject & your initial question (I’m assuming CPF is giving you grief in this area)… you can always turn off those elements that you feel do not pose any risk/threat or are superfluous to your requirements.

Hi guys,

A post in this topic was reported as thread pollution by one of the Comodo Forums members. I will not say any names; however, just be sure to stick to the topic and leave your comments to the Please Tell Us Your Views board. Please remember to stick to the topic to prevent problems in the future.

Thanks,

Justin

Because I am getting too many false positives.
Consider explorer.exe. Automating it is quite common (shell integration) and it is the parent of all processes launched via the UI.

How do I disable this?

Open CPF, Click on the Security button, select the Advanced tab & under Application Behavior Analysis hit the Configure button. All the options in my above post are in there.

thanks

But if you turn off those features, be sure to know that a “bad” application could easily start a new instance of IE, invisible of course, and use it for talking to any IP. This can even be done with a 400 byte script (VBS, JS), or by the OLE automation API (which are of course both the same interfaces in IE).

I really would like to know which parent started an internet enabled app. And after some time, there will be no more pops, only if you do something you have never done before.
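A toy model of the parent-application check discussed in this thread, as an added example that is not part of any post and not CPF's code: before an outbound request is allowed, it looks at both the requesting application and its parent for recorded injection/OLE events, and it prompts the first time a given parent starts a given application. The `Monitor` class, the process IDs, and `shellext_host.exe` are constructed for illustration.

```python
class Monitor:
    def __init__(self):
        self.procs = {}        # pid -> (image name, parent pid)
        self.tampered = {}     # pid -> [(kind, source image)] recorded against that process
        self.approved = set()  # (parent image, child image) pairs the user already allowed

    def start(self, pid, image, ppid):
        self.procs[pid] = (image.lower(), ppid)

    def behavior(self, kind, src_pid, dst_pid):
        # kind mirrors the help text: process_injection, dll_injection, window_message, com_ole
        self.tampered.setdefault(dst_pid, []).append((kind, self.procs[src_pid][0]))

    def _parent_image(self, ppid):
        return self.procs.get(ppid, ("<unknown>", None))[0]

    def connect(self, pid):
        """Return the alerts raised when process `pid` asks for network access."""
        image, ppid = self.procs[pid]
        names = {pid: image, ppid: self._parent_image(ppid)}
        alerts = []
        for role, p in (("application", pid), ("parent", ppid)):
            for kind, src in self.tampered.get(p, []):
                alerts.append(f"{kind}: {src} -> {names[p]} ({role})")
        if (names[ppid], image) not in self.approved:
            alerts.append(f"new parent: {names[ppid]} started {image}")
        return alerts

    def approve(self, pid):
        image, ppid = self.procs[pid]
        self.approved.add((self._parent_image(ppid), image))


def demo():
    m = Monitor()                          # all events below are constructed samples
    m.start(4, "explorer.exe", 0)
    m.start(10, "iexplore.exe", 4)         # user launches IE from the shell
    first = m.connect(10)                  # first time this pair is seen: prompt
    m.approve(10)
    second = m.connect(10)                 # already approved: quiet
    m.start(20, "wscript.exe", 4)
    m.start(21, "iexplore.exe", 20)        # a script host starts its own IE instance
    third = m.connect(21)                  # unfamiliar parent: prompt
    m.start(30, "shellext_host.exe", 4)
    m.behavior("com_ole", 30, 4)           # shell integration automating explorer.exe
    m.start(11, "iexplore.exe", 4)
    fourth = m.connect(11)                 # approved pair, but the parent was automated
    return first, second, third, fourth
```

The fourth case is the false positive complained about above: the parent/child pair is already approved, but legitimate automation of explorer.exe still raises an alert for everything it launches afterwards.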