dll injection false alarm....over and over and over [Closed]

I keep getting messages stating that has loaded browseui.dll into when no such thing has happened. I’ve used process monitoring software to verify this. I’ve made certain the system is virus free.

This even happened on a test PC where I zero filled the hard drive, installed WinXP Pro, and installed Comodo and nothing else, ran notepad and closed it, ran Internet Explorer, and watched Comodo tell me that notepad loaded browseui.dll into iexplore.exe using a global hook.

My WTFometer is ready to break here.

Browseui.dll is a component of Windows; it resides in c:\Windows\System32…
It is an Approved Shell Extension. As such, it may interact with the browser, the Windows shell, and various applications regarding:

Most Recently Used
Addresses
Download Status
Search
Autocompletes
Accessibility

And the list probably goes on and on, but that should give you an idea. It exists, and is part of Windows.

Now as to why you’re seeing these alerts that are sending your WTFometer thru the roof… :wink:

This is a “behind the scenes” activity that the user is not normally aware of, but is quite normal. The downside is that because it is so normal, some malware utilize the same type of interprocess communication to hijack a computer, gain internet access, etc.

CFP does not distinguish between “good” and “bad” other than by use of its encrypted safelist (which at present is not all that large; it will be very large once v3 goes final release); if both applications/components are on that safelist (and you have not disabled the safelist) then you should not see these alerts (no, I don’t know what’s there).

That said, if either application (or both) are not on the safelist, CFP simply notifies the user that an action has occurred which is similar to that used by malware. If you know and trust the application, it is safe to Allow w/Remember and you should not see that specific combination alert again. If you do not know and trust the application, you Deny and start looking for what it is…

If you Deny or Allow without Remember, this will be for the current session/instance only. A Deny will block both applications (which could also mean your browser) for that session, as CFP presumes your system to be compromised if you are Denying the alert (typically, restarting the “innocent” application - such as the browser - will clear the memory).

Please note that these alerts do not necessarily mean the “offending” application (ie, browseui.dll) is actually connecting to the internet. They only mean that the application is communicating with another application, where the 2nd application is connected to the internet; this could give access to the 1st application, if its intent were malicious.

Hope that makes sense, and helps reduce your WTFometer level…

LM

The problem is it’s telling me all sorts of mundane ■■■■ is loading that dll, and they aren’t. It shouldn’t be wasting my time with this. It’s not just that it’s asking me - it’s that it is claiming something happened that did not. Last I checked, mspaint does NOT interact with my browser.

I shouldn’t have to add mspaint to my firewall’s safelist to make it ■■■■. I would have to add every fecking executable on my PC to not see that message after running it and then my browser. That’s just absurd. Looks like I’m going to have to switch firewall products again.

Because the firewall does what it is supposed to do?
Don’t get me wrong, at first it can be a pain until you properly train your firewall. But that’s the same with every good firewall. Don’t you want any warnings and let possible malware connect to the internet via another program? Or do you want to trust a person you don’t know to preset the rules in a way you maybe don’t want? I think the truth is in the middle ^.^

However, there is an easier way out. I guess.
For example: I never had that specific dll pop up. Maybe you just missed one option that could save you a lot of trouble.

I think the secret would be in the “Component monitor” (sorry, I got it in German) where you can set rules for DLLs and such.

If you’re so much worried why not upload the file to virustotal.com or virusscan.jotti.org and scan it by anti virus programs??
And I believe the legitimate programs that modify or do something to other programs are not harmful.
I have a Trojanhunter installed and it modifies memory of application when starting TrojanGuard. I think I should allow it to modify because it has been programmed to hunt down bads.

and I click [Remember this App] Checked / Allow in CPF Pro.

Actually, this is exactly what is happening, but it’s happening at a level you don’t typically see. LOL, we’re talking Windows here - it would load its components into someone else’s computer if it could! :smiley: The same thing started up on mine (I had not seen it before) after the last round of Windows updates; something they did has changed something, and sparked a whole new level of yuck.

I realize it can be irritating and frustrating to deal with, but I think it’s helpful to realize that this dll is truly being loaded into other applications, and it’s quite normal for this sort of behavior in a Windows OS. This is exactly why HIPS applications are so important to security.

Another option is to set Alert Frequency to Very Low. Make sure you are using Comodo’s safelist - Security/Advanced/Miscellaneous/Do not show alerts for applications certified by Comodo is checked. Make sure you’ve run the Application Wizard - Security/Tasks/Scan for Known Applications. Reboot. This will give you one alert only for every application. OLE alerts fall under Application Behavior Analysis, so you will still get some, but it should help cut the frequency down (safelist, known applications).

You also always have the option to turn off OLE Monitoring - Security/Advanced/Application Behavior Analysis/COM-OLE Monitoring - uncheck. This reduces your security, but that’s the trade-off.

BTW, v3 of the firewall (when Final) will have a very much expanded Safelist of Known Applications; this will greatly reduce the number of alerts of this nature. So far on v3 (without the complete safelist), I have yet to see an OLE alert, so it appears they have made some other changes to the way it’s handled.

Hope that helps.

LM

> Because the firewall does what it is supposed to do?

Because it's not. It's generating a false alarm that can't be eliminated without rendering it functionally useless to me.

> If you're so much worried why not upload the file to

I'm *not*. Hence titling it a *false alarm*.

> Actually, this is exactly what is happening, but it's happening at a level you don't typically see.

Other products do not generate this false alarm. While Comodo is currently the only firewall tested to 100% pass the breakout tests, I have used others* that can stop the type of attack Comodo thinks is happening, without generating this specific false alarm.

Additionally, you are still wrong, that is not “exactly” what’s happening. The firewall says an application that is no longer present has loaded that dll.
I don’t know what else to say. If you’re not someone who works on this software or the company that made it, I guess don’t bother trying to help me because I guess you can’t :frowning:

No offense meant - just not getting anywhere. I emailed them, I did the support ticket form, it’s been a week with no answer back so I tried posting here. I’m just going to go to another product.

http://tinypic.com/view.php?pic=53oma2o

That’s the message, on 2 different programs that were run and closed, are not currently up at the time the message was generated. If I open notepad, close notepad, then open a browser (any browser, ie, firefox, anything) that pops up saying notepad loaded a dll. Notepad didn’t load a dll. FACT. Windows loading a dll is not the same as an application that IS ALREADY CLOSED loading a dll and as far as I’m concerned there is no room for argument there. The firewall needs its detection changed to not generate this false alarm. The only way I see to do so in the current version removes a lot of other things as well, and that simply will not do.

*with horrid interfaces, hence my switch in the 1st place

Don’t keep a cat from catching mice.

Bye.

forgotten,

I’m sorry you’re so frustrated with not getting the answer you are looking for. As far as my help, I’m sorry you feel it is not sufficient. I am a volunteer here, not an employee; thus I give of my time and knowledge completely for free. The information I have provided is directly from the software developers. You are not the first to take the view that these alerts are false alarms; the developers have explained again and again that they are not false alarms - as in referring to activity that is not occurring. The activity is occurring, period. That’s not me, that’s the developers’ statement. The alert may be considered excessive, in that the activity may not specifically be a threat; but it cannot truly be considered a false alarm, in that the activity is occurring, and resembles activity which could be a threat.

For some reason, some systems generate far more of these activities than others. That’s an Operating System issue, not an issue with the firewall.

As a result of so many user complaints, the developers have modified the way that the firewall monitors and alerts on these activities, so that users may not see as many alerts. Version 3, as I have noted previously, is greatly improved over previous releases.

Comodo is a Free firewall, and provided so that computer/internet users may have the freedom to select a powerful firewall providing top-of-the-line security without having to pay bloated prices for bloated software. It is a full version, not a partial version for free release, versus paid release. The only way it could be more free is if it were Open Source software. (However, given that it is proprietary software, the code and operations are entirely in the hands of the developers.)

Thus, all users are “free” to use this firewall or not, as they wish. Some do not care for it, and have gone on (or back) to other products with which they are more comfortable. This may be the route for you to take as well, if you are not comfortable with these alerts, and cannot accept that they are anything other than false alarms.

Once again, I am sorry that the assistance and explanation that I have provided has not been of a nature sufficient to provide you with the answer you are looking for.

LM

How about from bringing me everything in the house and swearing its a mouse?

Adding everything to a list rather than take care of this one instance of windows loading a dll then not leaving “support” up to volunteers is pretty backward logic. FOR THE LAST TIME - THE APP IN THE MESSAGE IS NOT EVEN RUNNING. SO IT CAN’T BE THE MOUSE.

If you’re just going to post count+1 with witty comebacks like a fanboi why are you even posting?

@ mac
Thank you anyway. I did not realize the developers had said anything about this before - I don’t read around here and this thread was a last resort after they never spoke with me (the most irritating part of this).

@devs, if they ever look…
I think you need your head examined. Yes an activity is taking place - it’s not accurately described. A not running program can’t load anything into a running one. browseui.dll is loading yes, but notepad didn’t do it, neither did virtualdub as neither were running. In fact virtual dub was closed more than 4 hours before the message saying it was loading that dll. The only option on the message box is to submit MY BROWSERS EXE…Yeah that helps…Not… And if your free products only get volunteer support you should say so, not leave support tickets in limbo.

This was my final post here ever, I won’t be reading looking for a response from someone whose job it is to help with this product. There’s no point, and thus no point in making further replies to me other than for people with their nose up comodo’s ass to feel good about defending their beloved comodo which can’t possibly be making a mistake noooo. (lucky ■■■■■■ me off) Goodbye.