Is this a bug, or something my brain doesn't get?

I wanted to attach the popup, but I miskeyed grabbing it, so the log entry will have to do; please check the screenshot below.

In my screenshot, I have MailWasher (3rd party e-mail spam helper) attempting to go out to my ISP to inspect my e-mail. The highlighted record corresponding to the details section is that attempt, and the log entry below it in the list is the call to the NS to get the IP for my ISP’s pop3 server.

Some helpful background… MailWasher.exe loads with windows on startup (into the systray), and as such, seems to have been assigned the parent of explorer.exe. I have App rules in place to allow mailwasher to do access the web.

So my PC is all freshly booted… I load up Firefox off my QuickBar… and it gets associated to explorer.exe as its parent as well. I do my browsing & decide to check my e-mails with Mailwasher. And no sooner do I press its button to check my e-mails… the suspicious behavior popups start rolling in.

And in this lies my confusion…

  • How can “Child B” of “Parent A” be considered a threat to “Child A” of “Parent A” when the 2 of them never interact?
  • Is it that CPF assumes a parent can have only one child?
  • If I trust the Detail message and block the action, why is it MailWasher that gets blocked? … I thought it was firefox that was “misbehaving” (according to the details)
  • Does the Detail message even belong to the activity at hand?

Is there a bug here? Or am I just not understanding something? Which of the 6 things monitored under Application Behavior Analysis does CPF think is going on here?

I’d get similar “collisions” in many applications with services.exe as the parent of svchost.exe (if i remember correctly).

Are there some configuration steps I can take to eliminate these kinds of “collisions”, while still maintaining my security?

[attachment deleted by admin]

Hey Dan,

  1. While A and B don’t interact, for this association to be made, there must be a common factor - I smell OLE cooking.
  2. CPF correctly acknowledges multiple children for a single parent.
  3. MailWasher gets blocked because it is the subject of the rule/condition violation. The details are reporting how the nominated app was being affected. If a wheel falls off the car, the effect is “car don’t go” - cause is lack of round bit. CPF, in the case of OLE alerts, looks like it highlights “effect” and details “cause”. Sort of vice versa thinking, but I can see their logic (providing I’ve interpreted it correctly ;))
  4. Only through the common element - OLE.

Dan, I think you’re at the point where you will have to compromise between security and productivity. Glad it’s you and not me. LOL

Hope this helps,
Ewen :slight_smile:

P.S. If I’ve got any of this wrong, or if someone else can explain it better, please jump in. I’m married - I’m used to corrections. LOL

Ah… when reading the Application Behavior Analysis list… my brain stopped at “Monitor COM attempts” when it should have read Monitor COM / OLE Automation attempts… at least that clears the “what setting” question…

According to the “Comodo_Firewall_2.3_vs_The_Leaktests.pdf”, OLE Automation is defined as…

Windows operating system also provides inter process communication mechanism through COM interfaces. By using a COM interface hosted by a server application, a Trojan can hijack the application to connect to the Internet.

Which was the server application in this experience? The shared parent explorer.exe?
And how was Mailwasher’s desire/action to check my e-mail a result of inter process communication from Firefox? I thought I pressed the button.

Hey Dan,

Please bear in mind that I’m no OLE guru, I only delve into that stuff when I have to - similar to entering a teenagers bedroom - only done under duress, in dire circumstances and usually with a sense of dread! And a gasmask! LOL

My guess is that the server app would be explorer.exe - the windows shell. Objects initialized from the Quick Launch are actually init’d by explorer, as are autostarted apps from startup. There’s one link between the two apps before we even get to OLE.

I don’t know e3nough to go any further without researching. Did you want me to have a dig around and see what I can come up with?

Cheers,
Ewen :slight_smile:

No, this wasn’t homework for you ewen :■■■■

I have no problem waiting for an official response. I know they are busy developing, but I might get lucky!!
(:NRD) :THNK

Like you said…

… it’s just been one of those little things gnawing at me that I finally just had to write the question for.

Ah, it seems I am regurgitating what others have already asked… like comicfan2000

And upon further reading…

So I guess I’ll wait for the “It’s fixed” or “It’s been enhanced” postings.

Like mentioned by other users… I have gotten pretty good at eyeballing the popup, unchecking the “remember” box, and selecting Allow/Deny on the fly… I just don’t think I should have to. (:TNG)

No worries Dan. I’m like you, I leave OLE warnings turned on and just eyeball them. If they look odd, I deny, if they look good, I allow (even if its for an app that I recently closed - I think CPF is not keeping up with OLE connection close calls as quickly as it should.

cheers,
EWen :slight_smile:

Howdy m0ng0d,

I copied my answer to you in my topic and will paste it here, two topics may be better than one :wink:

<< Yes, I just wish I had an answer for everyone if this was going to be fixed or not. I haven’t heard any definate on it or even a fraction of an answer to be honest. I know for a fact that other firewalls , when a USER denies the OLE, you can still connect to the internet after. This is the one and only irritation I have with CPF. I do feel it’s a security risk EG… If I am in the middle of something, I simply allow the darn thing so I don’t have to reboot. Another EG…I don’t like to allow WMP, I was doing some other online stuff, it pops up, if I wouldn’t have allowed it, I would have had lost my ebay page etc…I wasn’t too happy having to leave it slide. It will stop your connection dead even if on a web page. The minute you go to move on or refresh you get >Cannot find server. I am patiently waiting for an answer and irritably tolerating this right now but honestly if it doesn’t get fixed, with all the software testing, graphics stuff, online stuff I do, I simply couldn’t keep doing this with CPF and would have to find another. Cry Sad Cry

Paul Sad >>

Paul

AT EWEN: You hit the teenager’s room right on. I have my closet filled with spare gas masks and rubber suits just in case. For the boys bathroom, I call in specialists! :wink: