Hi, I am using your firewall and I am very impressed, but although it shows that all components are ‘on’ and not learning, I still get lots of pop-up permission requests, even though I have ticked ‘remember my answer’. This is mainly on something as basic as Internet Explorer (v6). Is this normal, or is there something I can do to stop them? Thanks.
Hi Ceebr & welcome to the forums.
I suspect that the messages are actually different, although they may look very much the same, & are probably being generated as a result of Application Behavior Analysis (ABA). But, to be certain… check CFW’s Log, find a couple of examples & post them here. You can export the Log to HTML & from there a simple cut ‘n’ paste should do the trick.
CFW pop-ups that are generated by the Component Monitor in ON mode usually have an additional button marked “Libraries”. This lists the new/updated components that CFW just encountered. Whereas ABA pop-ups are often generated because something meddled (probably legitimately) with explorer, & since explorer is often the parent process of MSIE, you get the pop-up warning. These types of message normally decrease over time as CFW learns what you have.
Thanks for your swift reply. I have checked the logs and can only find one from the Component Monitor; the rest are all from the Network Monitor, and all are marked ‘medium’. Yes, the pop-up does mention ‘libraries’, so that fits in with your diagnosis. They used to refer to OLE automation (or similar), but I don’t see many of those now - probably because of the learning process. Anyway, here is the log - it refers to my email checker. Thanks again.
Date/Time :2006-11-17 11:54:33
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (ePrompter.exe)
Application: C:\Program Files\ePrompter\ePrompter.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.xxx.x.x:dns(53)
Details: C:\Program Files\ePrompter\ePrompter.exe contains 1 components to be approved
Components:C:\Program Files\ePrompter\EP9326.EP1
And a sample of the Network Monitor one:
Date/Time :2006-11-17 11:53:08
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 192.xxx.x.x
Destination: 224.x.x.xx
Reason: Network Control Rule ID = 7
Hi, Ceebr!
Could you please edit your post (the part where your DNS server addresses are indicated)? No need for anybody here to have those. You could change them like this: 192.xxx.x.x
Paul Wynant
Moscow, Russia
Sorry, have altered. As luck would have it, I got 2 more notifications, as shown below. I always tick ‘remember my decision’, and as I’ve had the firewall for a few weeks now I thought it would have settled down?
Date/Time :2006-11-17 13:01:02
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (avginet.exe)
Application: C:\Program Files\Grisoft\AVG Free\avginet.exe
Parent: C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
Protocol: TCP Out
Destination: 193.xx.x.xx:http(80)
Details: C:\Program Files\Grisoft\AVG Free\avgw.exe has tried to use the Parent application C:\Program Files\Grisoft\AVG Free\avgamsvr.exe through OLE Automation, which can be used to hijack other applications.
Date/Time :2006-11-17 12:55:45
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (napster.exe)
Application: C:\Program Files\Napster\napster.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: xx.xxx.xx.xxx:http(80)
Details: C:\Program Files\Napster\napster.exe contains 1 components to be approved
Components:D:\Documents and Settings\All Users\DRM\IndivBox.key
Thanks again.
If any of AVG’s modules is updated, its hash changes. So COMODO sees that as a new application module. That’s the price we have to pay for excellent protection…
Paul Wynant
Moscow, Russia
I just saw that Paul posted & there is some duplication. But, I’ll post it anyway.
They used to refer to OLE automation (or similar), but I don't see many of those now - probably because of the learning process. Anyway, here is the log - it refers to my email checker. Thanks again.
ABA (Application Behavior Analysis) is the part of CFW that generates the OLE alerts.
Date/Time :2006-11-17 11:53:08
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 192.xxx.x.x
Destination: 224.x.x.xx
Reason: Network Control Rule ID = 7
Since the destination IP starts with 224, this is likely to be IP Multicast. Whether you need it or not really depends on your system set-up. But, given that it’s being blocked without any noticeable problems, it is probably best to leave it that way.
Date/Time :2006-11-17 11:54:33
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (ePrompter.exe)
Application: C:\Program Files\ePrompter\ePrompter.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 192.xxx.x.x:dns(53)
Details: C:\Program Files\ePrompter\ePrompter.exe contains 1 components to be approved
Components:C:\Program Files\ePrompter\EP9326.EP1
Straightforward enough: new component encountered (EP9326.EP1). Might be a problem if the name is dynamic & ePrompter chooses a different name every time.
On the last 2 examples you posted, it seems that this is the first time that CFW has encountered this particular AVG parent/sibling combination, & CFW also found a new Napster component in IndivBox.key (the key file might be a problem if it is constantly changing). Do you keep seeing either of these 2 alerts repeatedly?
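As an added illustration (not from this thread or from Comodo), here is a small Python parser for entries in the exported-log layout quoted above; it applies the "starts with 224" multicast check from the reply and lists any application whose Component Monitor alerts keep naming a different component path, which is the dynamic-name case the reply asks about. The sample entries are constructed, with placeholder addresses and an invented second ePrompter component name.

```python
import ipaddress
from collections import defaultdict

# Field names as they appear in the CFW log entries quoted in the thread.
FIELDS = ("Date/Time", "Severity", "Reporter", "Description", "Application",
          "Parent", "Protocol", "Destination", "Details", "Components")

def parse_entry(text):
    """Turn one log entry, one 'Key :value' field per line, into a dict."""
    entry = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        if key.strip() in FIELDS:
            entry[key.strip()] = value.strip()
    return entry

def is_multicast(destination):
    """True when the host part of 'ip' or 'ip:port' lies in 224.0.0.0/4."""
    try:
        return ipaddress.ip_address(destination.rsplit(":", 1)[0]).is_multicast
    except ValueError:
        return False

def changing_components(entries):
    """Applications whose Component Monitor alerts named more than one path:
    a dynamically named file that keeps alerting whatever answer is remembered."""
    seen = defaultdict(set)
    for e in entries:
        if e.get("Reporter") == "Component Monitor" and "Components" in e:
            seen[e["Application"]].add(e["Components"])
    return {app: paths for app, paths in seen.items() if len(paths) > 1}

# Constructed samples modelled on the thread's entries: RFC 5737 placeholder
# addresses, and the second ePrompter component name (EP9327) is invented.
SAMPLE_ENTRIES = [
    r"""Date/Time :2006-11-17 11:53:08
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Destination: 224.0.0.22""",
    r"""Date/Time :2006-11-17 11:54:33
Severity :Medium
Reporter :Component Monitor
Description: Unknown Components (ePrompter.exe)
Application: C:\Program Files\ePrompter\ePrompter.exe
Destination: 192.0.2.1:dns(53)
Components:C:\Program Files\ePrompter\EP9326.EP1""",
]
SAMPLE_ENTRIES.append(SAMPLE_ENTRIES[1].replace("EP9326", "EP9327"))
```

Running `changing_components` over a real export that spans several days is the quickest way to tell a one-off update (one path per application) from a component whose name changes on every run.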
If I do see them repeatedly I can link back in my mind that the program has been updated in some way so that must be it. I can’t believe that your product is so intense on clamping down on ANY change!! I am very impressed and so long as it’s doing what it should, giving me excellent protection - it can carry on!! Thanks again to you both for such a well explained, quick response.