OLE automation: a partial solution

To judge from the many Forum posts on the subject, many of us are troubled by the frequent occurrence of OLE automation events in which Application X is using this to do something via Application Y; this occurs in connection with “suspicious activity” of Application Z and typically leads to eventual blocking of Z. Often there is little or no association between Z and X, but usually (always?) Y is the parent of Z. In a detailed e-mail from Alex in Comodo Desktop Support, I have learned that this is normal behavior by CF.

There is what seems to be a workable solution for certain cases of these events, although not really for all. Alex suggested simply disabling the checking of OLE automation, which CF allows, but I do not believe this is really viable because of its effects on general security. However, in at least a few cases, one can simply check the “Skip parent” radio button. This will omit checking the parent and thus omits those OLE automation alerts that would otherwise occur.

This must be done judiciously, however. I have used this twice. First, my network time client (Dimension 4, d4.exe) checks with a time standard at 15-minute intervals; if it is blocked, it keeps trying. This can produce a long series of alerts about various applications trying to use its parent, explorer.exe, eventually blocking d4.exe from access to the Internet. This is very distressing, as it usually happens when the machine is completely unattended. Just skipping the parent checks here not only works well, but appears to have no security implications at all.

Second, I use AVG Free as antivirus protection. Its component avginet.exe checks for updates to the AVG components and signatures at 24-hour intervals, a few minutes before the scheduled scans. One result can be a series of OLE automation alerts that avgw.exe, another component, is trying to use avgamsvr.exe, yet another component and the usual parent of avginet.exe. If the machine is unattended, there is a series of three such alerts followed by access being denied to avginet.exe. The eventual result is that AVG is not updated at all and the next scheduled scan proceeds with the old signatures and old components as well. This is also avoided by just omitting the parent checking for avginet.exe.

Finally, omitting the parent checks should never be done without being sure that security is not affected. Only a few repetitive and safe applications should receive this treatment.
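As an added check (example code, not from this post or from Comodo): before ticking "Skip parent" for a process, confirm which parent the exemption would actually cover. It assumes Windows PowerShell 3.0 or later for Get-CimInstance; the process names are the ones mentioned above.

```powershell
# Added example, not from the forum post: show the parent chain of a running
# process by image name, so you can see exactly which parent a "Skip parent"
# exemption would stop checking. Assumes Windows PowerShell 3.0+ (Get-CimInstance).
function Get-ParentChain {
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [int]$MaxDepth = 8
    )
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($child in ($all | Where-Object { $_.Name -ieq $ProcessName })) {
        $cur   = $child
        $depth = 0
        while ($null -ne $cur -and $depth -lt $MaxDepth) {
            [pscustomobject]@{
                Target = $child.Name
                Depth  = $depth
                PID    = $cur.ProcessId
                Name   = $cur.Name
                Path   = $cur.ExecutablePath
            }
            $parent = $byPid[[int]$cur.ParentProcessId]
            # A parent that started after its child means the original parent
            # exited and its PID was reused; stop rather than report a false parent.
            if ($null -ne $parent -and $parent.CreationDate -gt $cur.CreationDate) { break }
            $cur = $parent
            $depth++
        }
    }
}

# From the post: d4.exe is expected to show explorer.exe as its parent, and
# avginet.exe is expected to show avgamsvr.exe.
Get-ParentChain -ProcessName 'd4.exe'      | Format-Table -AutoSize
Get-ParentChain -ProcessName 'avginet.exe' | Format-Table -AutoSize
```

If the chain shows a parent other than the one you expected, that is a reason not to skip the parent check for that process.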

TNX, pudelein! While I have had some instances of the OLE automation issue, it hasn’t been too extreme (for me). Good to know there is somewhat of a solution. :)

A lot of times it seems to be almost completely random (this has happened w/XnView - sometimes it triggers it, sometimes it doesn’t. ??? ). I don’t think I’ve seen it since I blocked the apps specifically in the connection rules.

LM

I read your post and I would like to ask you a question. My mother in law has comodo on her computer along with the free AVG.

She would like the computer to be user friendly as she is in her 70’s. She is tired of seeing the alerts come up all the time. She never knows what to allow or deny.

How can she have the alerts disabled and not show up at all? I know there has to be a way.

Thank you.

rbrey

Welcome to the forums, rbrey (:WAV)

Sure, you can disable those entirely (requires disabling the associated protection). Simply go to Security/Advanced/Application Behavior Analysis and uncheck any box you do not want monitored. I would suggest leaving (if you can) DLL Injection and Parent Application checked.

You may want to reboot after completing that, just to clear out any memory and set the new configuration.

Your MIL will still have Network Control and Application Control. If Monitor DLL Injections is left enabled, this will work in conjunction with Component Control.

For a 70-year-old to use internet, email, etc. (I’m presuming all pretty low-key stuff), DLL Injections and Parent Application changes should only come up if there’s actually an issue. However, you will have to judge that based on her tolerance level, combined with perceived risk as well. You can certainly disable all the ABA monitoring to stop all such alerts.

LM

Personally, I don’t see what all the fuss is about. Whenever those OLE alerts pop up, they always include the full path. So if you know you installed program XYZ, then you have the choice of allowing it or not.

It’s only an issue if the application is something you don’t recognize. If you’re unsure, click the “Deny” button, but don’t checkmark the permanent option. Then navigate to the path shown in the alert and determine which application it is which is trying to connect.

Even in the event that you give a program permission, you can still undo it via the Application Monitor at a later date. Simply change “Allow” to “Ask” so that the next time you launch it, you can decide whether to allow it or not.

Here’s the Wikipedia article on the subject in case that helps: OLE Automation - Wikipedia