False OLE automation alerts?

I have just started using Comodo, coming from Zone Alarm. I like it a lot, but I keep getting these false alerts (I think) whenever I use Firefox while another program is running. See attachment: you can substitute Steam with many other programs, PowerDVD and CPU-Z among others. The worst thing is that if I deny this, my internet connection dies, needing a reboot.

Should I just allow and remember them? Or will this create rules that will do more damage than good?

[attachment deleted by admin]

I also get these from time-to-time! They usually (maybe always?) involve opening one application while another one is running. I usually just allow them, as they seem to be inconsequential, but they are a real nuisance and Comodo ought to be trying to avoid them IMHO.

Hello Moquia and pudelein,

Welcome to the forums. Comodo monitors for COM/OLE automation attempts, and this is perfectly normal and one of many reasons why Comodo’s security is so powerful. Please see the screenshot for all the different types of “application behaviour analysis” that Comodo offers, including the COM/OLE one, found under: Advanced->Application Behaviour Analysis->Configure. This is just one of several techniques malware can use to infect a PC. Of course, it is also a technique used by legitimate apps, so it is necessary to allow these. Yes, these prompts can be annoying for the first little while, but once you do allow the legitimate attempts, choosing “Remember my answer…” you will not see those prompts again. The key, really, is to know which ones are legitimate before allowing them. If you are confident your machine is clean of malware, then it is most likely ok to allow them. If you are not sure, you could deny them without choosing “Remember my answer…” and see what happens. If your Internet access is blocked, then you could try again, then allow and choose to remember it.

Finally, if you really don’t want to be bothered by this additional security for certain applications, you could choose to “Skip advanced security checks” for them. Please see the second screenshot I posted.

Hope this helps. Please feel free to ask any more questions you may have.

[attachment deleted by admin]

Thanks for the help cprtech, this really is very different from ZA. There is still something I don’t understand, see attachment: This came up long after both HL2 (episode 1) and Steam were shut down. I like to run a tight computer, so Steam does not get to run unless it has to. ;D

[attachment deleted by admin]

Unfortunately, I’m not familiar with Steam. However, UDP on port 68 is part of the IP address renewal process, so you may need to allow it, even though Steam is using the OLE attempt. Once again, I would suggest you choose “Deny” without the “Remember” option and just see what happens. If you lose Internet access or functionality with Steam, then maybe you do need to allow it and choose “Remember…”

Well, Steam should not connect to the internet, it was not running anymore. There is really something dodgy going on here: Again look at the attachment: I start Firefox and get this alert. If I deny this Firefox cannot connect anymore, even though there is an application rule giving it full access. And I’m fairly sure ATT is not phoning home.

[attachment deleted by admin]

Okay, a possible fix: try exiting Comodo, re-enable it, then try accessing Firefox again. There has been talk of this being a possible bug with Comodo where it holds the COM/OLE attempt in memory until Comodo is re-launched. BTW, the next time you get that alert, click the “Show Libraries” button and check out the component(s) that are trying to access the Internet. If upon inspection they appear to be legit, ensure the “Allow” radio buttons are selected (they should already be by default) then click the “Apply” button. You will never get alerted by these libraries again unless a future update changes any or all of those components and you have Component Control turned “On” rather than in learn mode. Again, this is one of the security features that makes Comodo so powerful. It not only alerts on libraries that try to connect to the network, it also detects any changes in those components (yet another common malware trick).

I would suggest reading over the Component Monitor functionality in Comodo’s help menu, just to get a better understanding on the differences between how it works in “Learn Mode” and “Turn On” mode.

All these alerts can be frustrating for a while, but if you can get a basic understanding of why this is happening, you will see that Comodo is protecting your PC far beyond that of a typical packet/application filtering firewall. If you do not care for all this extra security, these “Application Behaviour Analysis” options can be disabled partly or completely for all or individually selected applications. It is up to you and it really comes down to how much this matters to you and how much you want to bother dealing with alerts and learning about how these features work.

Just remember that the more of these features you disable, the lower your overall system protection will be.

Thanks for your patience cprtech. I went into the libraries and denied the ATT thing. Now Firefox still has access. I think you are right about the bug though, with programs connecting long after they are shut down. Anyway I will also go into learning mode 8) and read up on the more advanced features of this great firewall.

Here’s the thing. I am trying to connect Total Commander to an FTP server. I don’t do anything out of the ordinary – start Total Commander, I get three pop-ups one after another (see attachments), and in the meantime, the FTP connection times out. I DO have a rule to allow totalcmd In/Out TCP/UDP any… In this case, it is true, winamp, thunderbird and, obviously explorer, are running but have nothing to do with totalcmd…

It does not happen every time – sometimes the connection goes through with no questions asked, other times only one pop-up about svchost being hijacked is displayed, and yet other times lots of pop-ups from the twilight zone like the ones in the screenshots appear…

[attachment deleted by admin]

elfstone,

Try running the Application Wizard:

Go to Security/Tasks/Scan for Known Applications (lower right). Follow the prompts. When finished, reboot the computer. I know you already have a rule set for Total Commander, but sometimes a “reminder” in this way helps CPF realize you’re serious about it. :wink:

Sometimes, because of the way software programs interact with this type of communication, you will get this OLE Automation popup warning. If you choose Deny, CPF will shut down your internet connection (since it deems you must be under attack), and you may have to reboot to reset. If you choose to Allow, it will allow only for that instance. If you choose “Remember” (on an application you know/trust), you should not see the same popup for that application, for that issue.

As cprtech noted previously, there is an issue in the way CPF monitors this. We (the users) are not certain exactly why it occurs in this way, with applications that are already closed still showing in the OLE alert popup. Rest assured, Comodo is aware of it; I’m sure they will be addressing it.

LM