YahooMessenger injects idle.dll into almost every application, I think in order to be able to see if I am using an application or if I am idle.
When one of the applications idle.dll has been injected into tries to access the internet, even if it is allowed to do that by an application-monitor-rule, I keep getting the warning attached in the first picture. Allowing it with “remember” checked creates an uneccessary new rule, as the rule for the internet-access is already there. And it does not keep the injection from being reported every time.
When choosing “Show libraries…”, I get the second attached window. The idle.dll is always set to “ask”, even if I choose “allow” and click apply. idle.dll is also set to allowed in the component-monitor, but that does not help. Switching off “Monitor DLL injections” helps, but that is certainly not a satisfying solution.
I suspect that comodo simply does not recognize idle.dll as a known component, as I had the same problem with “YahooMessenger.exe” itself. Although I created access-rules for it by clicking “allow” with “remember”, comodo kept asking me for internet-access-rights for this application. In the activity-log is saw a strange thing: Instead of reporting the denied-access for this application using its full name, like for other applications, it showed the name and the path in DOS 8.3-Format! I copied the file YahooMessenger.exe, deleted the original and gave the copy the name of the original, and then everything went perfect. However, doing the same for “idle.dll” did not help.
There are several aspects of Application Behavior Analysis that come into play here - global hook, dll injection, as well as a “new” component - all as it relates to the existing application rule. Using Very High Alert Frequency magnifies these popups, as it will render one for each aspect of the rule’s detail that is not exactly the same. So even if you have “Skip Advanced Security Checks” set under the Miscellaneous tab of the app rule, you will still get an alert for each variation of IP, Port, Protocol, Direction, etc. It’s not the smoothest operation in the book, but Comodo is doing exactly what you’re telling it you want it to do.
Odd that it’s set to “ask” by default, instead of “allow.” Keep in mind, even tho’ the thing is Allowed by Component Monitor, that only applies to the first application instance for which you got an alert to allow it. For each application (and each rule variant, as discussed above), you will get an other alert.
Now that’s just weird. Might want to report to Support http://support.comodo.com/ and see their response to that.
Then it should be editable in some form, otherwise getting rid of it is impossible.
And look at the attached image: There is NO variation in IP, Protocol, Port, injected DLL, parent and target-application, and (although, I always choose “allow” for the dll and “apply”), the same alert keeps reappearing whenever I try to update comodo.
They do monitor the forums; however, if you want to make absolutely certain that they know, it’s best to file a ticket (being sure to include a link to your post(s) here, as pertains to the issue).
I have only encountered one or two scenarios where a user had recurring alerts for a rule that was exactly the same in every detail. If I remember correctly, in at least one of those situations, a faulty install was the cause.
BTW, I did some looking into idle.dll as supplied and used by Yahoo Messenger. In essence, it’s a keylogger; they determine your status by monitoring your keystrokes (and it is capable of recording them). The file is compressed, and considered by some to be suspect at best. Just something to keep in mind…
[quote]This .dll file can be injected to all running processes and can change or manipulate their behavior. The program has no visible window. idle.dll is able to record keyboard inputs.
Uhh – no because I have both ABA and CM disabled for other reasons. I’ve never experienced problems with YIM 7.5 when I did have those monitors enabled, though. One of the reasons is thanks to the old version is in CFP’s safe database. The latest YIM 8 isn’t in the database yet.
Besides, even if a Program is in a predefined Safelist, I would like to be able to deactivate programs in the list or add programs to it myself, as I would like to control myself which programs I allow to communicate to the web, even/especially if they do that indirectly by dll-injection etc.
The safelist is encrypted to keep it from being modified by malware. Unfortunately (from this perspective) it keeps users from doing so as well. You can turn the whole thing off under Security/Advanced/Miscellaneous. 2nd check box, “Do not show alerts for applications…”.
Anyway, as long as you don’t turn off Application Behavior Analysis, or Component Monitor, or disable Advanced Security Checks in the application rule, you will have control over what application connects inasfar as that “indirect” connect of the dll-injection, etc.
Might want to report to Support