Not true parent application?

Hi, I am a Comodo newbie.
I use Firefox and allow the explorer.exe process as its parent.
The issue is that I get the following message:

Description : Suspicious Behaviour (firefox.exe)
Application : C:\Program Files\Mozilla Firefox\firefox.exe
Parent : C:\Windows\explorer.exe
Protocol : UDP Out
Destination :
Details : c:\Program Files\Windows Media Player\wmplayer.exe has tried to use C:\Program Files
Mozilla Firefox\firefox.exe through OLE automation which can be used to hijack other applications

This blocks the current session open in the current Firefox tab, so I have to restart Firefox, losing all the other existing tabs with open sessions!
And if I press ‘deny’ and ‘remember’, it disallows explorer.exe from accessing Firefox and not wmplayer.exe,
which I consider to be the ‘true parent’. So the next time I try to use Firefox it blocks, since it was started by explorer.exe!
What am I doing wrong?
Thanks in advance

Hi Omikron1:

I’m also a newbie and I get a similar message, and, as you said, it blocks ALL of your FIREFOX sessions.
What I noticed was that it happens when I am browsing and want to copy something from FIREFOX to my NOTEPAD. I can do the copy, but afterwards I get the message and FIREFOX blocks.

I have the default network rules, and in application monitor I define FIREFOX like:

Application Destination Port Protocol Permision
firefox.exe [Any] [Any] TCP/UDP In/Out Ask

Check the attachments with the message I receive.

Maybe there is something we are doing wrong … I hope we get an answer to this problem.

McAmbar

[attachment deleted by admin]

Hey McAmbar,
that is the exact message that I get as well.
I want to try the following:
create a rule which sets wmplayer.exe as the parent of explorer.exe, and deny its access.
I don’t know if it will have an actual outcome, but it’s worth a try.

Hi mates,

You should allow these messages, as you probably trust notepad.exe and wmplayer.exe. Sure, explorer.exe is the true parent, but these alerts mean that some kind of inter-process communication took place between explorer.exe and wmplayer.exe or notepad.exe and Firefox (as you copied something from one program and pasted it into another… there has to be some kind of communication). AFAIK you can’t make a rule to avoid these alerts; you can turn off this type of security check, btw. Imagine a scenario in which a virus modifies explorer.exe (your legit parent for Firefox). You will receive a similar alert, but in that case you SHOULD block it. You get that alert because a virus-modified explorer.exe wants to connect, not your original one predefined in the rule. Unfortunately CPF can’t make a difference between a virus and wmplayer, but at least you receive an alert about something changed.

As Blas has explained, these are not something to be concerned about. What happens is that applications communicate “behind the scenes” at a level we (the users) don’t see. This is perfectly normal. Sometimes these will involve a call from one application/process to another, long after one has closed (a sort of “timer” function).

Because this normal behavior can be emulated by malware (virus, trojan, etc) to try to gain web access, CFP monitors it (Application Behavior Analysis, or ABA). CFP utilizes an encrypted Safelist in this process; if both applications (ie, firefox and wmplayer) are on the list, you won’t see this alert. With v2.4, the safelist is only a few tens of thousands of applications; with v3, it’s close to a half-million (which will obviously decrease these types of alerts).

The time to be concerned is if you do not recognize both applications in the alert. For example, all of a sudden 23894uysdkfs.exe tries to use firefox.exe in some manner. You know you haven’t installed 23894uysdkfs.exe, and have no idea what it is, so you deny, and start looking for the source of the issue.

Any time you deny (without remember), CFP takes that to mean that your system has been compromised and the malware is trying to access the web via a legit application, so it blocks the connection for both applications, for that session only. In other words, no rule is created; restarting the browser will typically restore the connection, although sometimes exiting and restarting the FW, or even rebooting, will be required (especially for COM/OLE alerts).

Hope that helps,

LM

Blas and Little Mac:
Thanks for the explanation; it clarifies a lot of things. Now I know what to do when I receive those messages.

Omikron1: well, everything is perfect now.

No problem, mcambar; glad that helped!

LM

Thanks a lot! Very informative.

Does that answer your original question?

LM

lmac, yes it does. I guess I will have to get used to restarting Firefox when the session blocks!

“OLE” is an acronym for “Object Linking and Embedding”. There’s a Wikipedia page on the subject here in case you’re interested in the technology.

Let me clarify something that may help you out a bit… These OLE alerts don’t mean that your browser has been hijacked (by WMP, etc.), just that a communication occurred that could be used maliciously. The rule of thumb from the developers is that if you recognize both applications, it is safe to Allow w/Remember so you won’t see that specific alert again.

If, on the other hand, you prefer to block WMP access, you may find it helpful to create a Blocking application rule for WMP. You can even go to Security/Tasks and use the “untrusted” application wizard. I have done that for a number of applications that always seemed to show up on OLE alerts; I neither wanted the communication allowed, nor wanted to see an alert. For me, this methodology was very effective. I typically created the rule manually, set the parent as explorer.exe, blocking TCP/UDP Out. This of course means that the application probably won’t be able to update itself, unless it has a separate updater module.

LM