Global hook security alert doesn't make sense

I installed Comodo for the first time yesterday , and followed the “set up and forget” procedure posted by Little Mac. In addition I created an application rule and a single incoming port rule for Azureus bittorrent pgm. With Azureus running I then opened my music manager pgm (Media Monkey), which triggered the following security alert:

Security Alert
Azureus.exe is trying to connect to the Internet. What would you like to do?

Application: Azureus.exe
Remote IP : port 13726 – TCP
IP : Port: upnp-mcast(1900

Security Considerations
MediaMonkey.exe has loaded MMHelper.dll into Azureus.exe using a global hook which could be used by keyloggers to steal private information.

In the security alert box when I click on “allow this action” Comodo then creates an Azureus application control rule that allows all TCP or UDP in or out on all IP’s and all ports. Before opening MediaMonkey I was running Azureus fine with an application rule only allowing outgoing TCP and UDP.

I have used Azureus and MediaMonkey at the same time for over a year with no apparent security problems, and without having to create specific firewall rules.

Can someone help me make sense of this seemingly bizarre action of a music manager pgm using a hook into bittorrent software?

Hi wirechuck, welcome to the forums.

The Global Hook Alert from CFP is a warning (note the “could be”). CFP is warning you that MediaMonkey.exe loaded a DLL (MMHelper.dll) onto Azureus.exe via a Global Hook. This is method that the famous Firewall Leak tests attempt to exploit. So, CFP wants you to authorise the actions of MM.

I don’t use either MM or Azureus. But, after searching… I can’t find any reason for MM to hook a DLL onto Azureus. However… MM does hook MMHelper.dll on to explorer.exe (it adds shell extension stuff). Now, explorer.exe is probably the parent of Azureus, now this would generate an alert CFP. Are you sure the message didn’t say the hooks were put on explorer.exe (the parent) rather than Azureus (the child of explorer.exe)?

If is was explorer.exe, then you should Allow this Remembered.

I presume you also checked the “Remember” box, or it should not have created an Application rule.

Looking at this, the reason it creates this “Trusted Application” rule (that’s what it is), is the down-side of using the “set & forget” configuration. By putting Alert Frequency on Very Low, this generates only one alert per application/parent combo; on an Application-only level of detail. No direction, port, protocol, or IP. In this scenario, I think it creates these broad-scope rules, as they are more general than the port-specific rule you created for Az; port-specificity is not included in the detail level of Very Low. Also, Application Behavior Analysis (ABA) may figure into it as well, since the alert you have responded to falls outside the detail scope of Application Monitor; it may also cause this “trusted app” rule creation (version 3 of the FW changes that by creating ‘exceptions’ rather than broader rules).

All the ABA stuff pretty much relates to the way applications share components and/or communicate ‘behind the scenes.’ MM may not be directly interacting with Azureus, as kail pointed out, but because it’s all related, it creates a scenario that looks suspicious.

You may be able to work around it by creating a custom rule for MM. I would try it with Azureus as the Parent to MM, first. Then maybe Explorer.exe, and so on, until you find a combo that works. Obviously, you’d have to do that with the Trusted App rule for Az removed and just your regular rule remaining.

Hope that helps,


Thanks so much Little Mac and kail – this is exactly the level of feedback I was hoping for. Yes I will experiment with creating a custom rule now that I understand the basic principles of what is going on.

No problem. Be sure to let us know how you make out with it - especially when/if you get a working combination! Ask more questions as you need…