OLE Automation - any way of blocking a particular app?

Good evening,

I am using an application that constantly attempts to hijack Firefox through OLE automation, in order to connect to the internet. Comodo identifies this and lets me block Firefox, which is better than nothing, but quite time consuming since it requires re-starting Firefox each time (if you have lots of open tabs, this can take a while…)

Is there any way of blocking the hijacking attempt as such, rather than blocking Firefox’s internet access? Say, by blocking the misbehaving app from using OLE Automation, or disabling OLE Automation for Firefox?

After all, Comodo is able to identify what is going on and which applications are involved, so I was hoping that either Comodo or some other software might be able to deal with this. So far I have not been able to find a solution though.

hi,

What is the name of the thing that hijacks Firefox in the popup?

Maybe there's a resolution.

Mike

The freeware version of xplorer2.

From tracing, it appears to try to connect through a number of proxies in order to do a license key verification. I.e. probably harmless (and one might presume pointless on a freeware version?). Still, IMHO a file manager has no business hijacking apps and sneaking out on the net.

re,

Absolutely, did you set the alert level to high?

So possibly you cut xplorer2 from talking to the local loop?

It's OK to ask once, but hammer is a fraud.

Please report, and pay attention in new popups to whether a DLL is called.

Mike

  1. Why would the setting of alert levels be relevant to my question regarding ways to disable OLE Automation between given applications?

  2. I assume you refer to localhost loopback (?). AFAIK this has no relevance to disabling an application from hijacking another via OLE Automation.

  3. Hammer is fraud? You’ve lost me…

re,

If you have not used it with the full alert level, you don't know this firewall;

you don't think, you'll see.

Mike

PS: if need a on the fly cure might obless other safeness im the wrong

Right,

thanx for trying to help Mike, but you evidently do not understand the question.

Any input on ways to disable or block the OLE Automation hijacks that Comodo identifies will be greatly appreciated.

Regards

I cannot test this ATM, but you should check Component Monitor. That is the only section that could handle such issues.
Change it from Learning Mode to On, or deny the component causing that alert (you'll have to test whether that affects other software as well).

re,

i was too short, yes ole automation is a process, but if data is transferred from EXE to EXE via localhost,

i cut data, then i dont care what which ole.

why i want alert level high: for my error research i need that info.

at least a EXE cant object linked and embedded then rather a dll or subcode,

so we stick again to app monitor and switches there.

hey easiest is edit registry and cut the ole- tree?

or look which dll is about, and i wonder why no xplorer2 dll showed up in a popup

Mike

PS: i often sound easy but i dont handle problems of ppl easy :slight_smile:

PPS: ole means nothing other than an unregistered dll working as a plugin to the target app

if it's a pure outbound exe address room, it would grab the rule "check modification of app in memory"

i assume you havent unticked

PPPS: and while im about it, IE is normally a very safe app, as all modern apps should be

IE dns: IE goes to localhost ask connection then localhost goes outside to dns.

understand? nt does ask localhost, there you could block and localhost goes outside where you can block again.

this not a proxy blah, thats NT.

any app goes through localhost, so if i cut tcp data there, i dont care what ole or whatever, it never gets outside.

same for inside, so localhost, localloop whatever you call it, is so important.

i dont care if a listening port gets attacked, but if localhost acts, it is ALARM

localloop, localhost whatever you call it and equal what ips are bind, is you KERNEL and there fully remoteable.
you dont need a remotesoftware for NT, you need only access to localhost.

w9x has nothing to do with localhost, it had an internal autoforward port to listening ports /////////// even nt3 aka (w3.11 pendant, havent strong localhost msg) NT5 and linux are built totally different, which will say so far nothing.

except virtual handling of adaptors as localhost, but in a different manner.

hence your life sticks on section, its localhost. and it has a mac address which only MS coders can tell us.

ndis protocol says, if i want to reach a target by ip, i need its mac address.

as us legen GRUE stated again with arp protocol.

if know this tell the problem is really and which firewall did make it.

sorry it slipped me out, no hick hack on you, but many read this :slight_smile:

often problems disarrive if ppl understand software

IWB,

I have done what you are wanting to do with many applications successfully.

Simply open Application Monitor, and create/add a new rule.

Browse to the executable you need to identify.

Set the parent as “Learn.”

Block.

OK, and reboot.

If you really want to be thorough, you can go to Security/Tasks/Define an Untrusted Application (don’t remember the exact wizard name, as I don’t have 2.4 here - but you can find it). It will walk you through black-listing an application, which will automatically add a Block rule to AppMon.

OK and reboot.

Should do it for you.

LM

Guys,

thanx for your input so far. Unfortunately, none of this appears to help.

I have blocked xplorer2 both in Application Monitor and Component Monitor (and defined it as an Untrusted Application), but it still tries to use Firefox/T-bird via OLE Automation.

I don’t understand well enough how OLE Automation works, apart from its being a subset of COM (Component Object Model). I assume there might be a way of managing Launch and/or Access rights and restrictions on the application or component level, but don’t know where in the registry this can be found or whether any handy utilities exist for this.

At least, it seems that Comodo cannot handle this. It can identify the hijacking attempts, but cannot block them on the COM level.

Regards
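As an added example (not from this thread, Comodo, or xplorer2), the PowerShell script below lists what a target executable registers that another process could drive: COM/OLE Automation classes whose out-of-process server matches a pattern (HKCR\CLSID\{...}\LocalServer32), the AppID whose DCOM LaunchPermission/AccessPermission ACLs govern them (editable with dcomcnfg.exe), and ProgIDs that register a DDE `ddeexec` verb for the same executable. The pattern `firefox` is a constructed default; run it as an Administrator on the affected machine.

```powershell
# Added example, not the thread's or Comodo's code. Enumerates the automation
# surface a target executable exposes on Windows so a defender can see what
# another process could drive and which DCOM ACL (if any) governs it.
# $Pattern is a placeholder; 'firefox' is the constructed default for this thread.
param([string]$Pattern = 'firefox')

function Get-AutomationSurface {
    param([string]$Pattern)
    $hkcr = 'Registry::HKEY_CLASSES_ROOT'

    # 1. COM classes whose out-of-process server executable matches the pattern.
    foreach ($clsid in Get-ChildItem "$hkcr\CLSID" -ErrorAction SilentlyContinue) {
        $srvKey = "$hkcr\CLSID\$($clsid.PSChildName)\LocalServer32"
        if (-not (Test-Path $srvKey)) { continue }
        $server = (Get-ItemProperty $srvKey -ErrorAction SilentlyContinue).'(default)'
        if (-not ($server -match $Pattern)) { continue }
        # The AppID links the class to DCOM launch/access permissions (dcomcnfg.exe).
        $appId = (Get-ItemProperty "$hkcr\CLSID\$($clsid.PSChildName)").AppID
        $acl = $null
        if ($appId -and (Test-Path "$hkcr\AppID\$appId")) {
            $p = Get-ItemProperty "$hkcr\AppID\$appId"
            $acl = @(
                if ($p.LaunchPermission) { 'LaunchPermission' }
                if ($p.AccessPermission) { 'AccessPermission' }
            ) -join ','
        }
        [pscustomobject]@{ Kind = 'COM'; Name = $clsid.PSChildName; Server = $server
                           AppID = $appId; Detail = $acl }
    }

    # 2. ProgIDs with a DDE "ddeexec" verb whose open command matches the pattern.
    foreach ($progId in Get-ChildItem $hkcr -ErrorAction SilentlyContinue) {
        $base = "$hkcr\$($progId.PSChildName)\shell\open"
        if (-not (Test-Path "$base\ddeexec")) { continue }
        $cmd = (Get-ItemProperty "$base\command" -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -match $Pattern) {
            $ddeCmd = (Get-ItemProperty "$base\ddeexec" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Kind = 'DDE'; Name = $progId.PSChildName; Server = $cmd
                               AppID = $null; Detail = $ddeCmd }
        }
    }
}

Get-AutomationSurface -Pattern $Pattern | Format-Table -AutoSize
```

An empty COM section with DDE rows present tells you the application is driven through DDE rather than a COM server, which is the distinction the later posts in this thread discuss.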

Can you post a screenshot about that alert?
Where did you download xplorer2 from?
Are there any log entries after you block that OLE attempt?

gibran,

  1. Screenshot of alert attached.

  2. Downloaded from CNET Download.com via a link from the developer's site, so should be OK. Also scanned by 32 different virus scanners at VirusTotal, see attached screenshot. Only the heuristics of eSafe and Panda react, probably a false positive triggered by some version/key verification, though the developer claims that this is deactivated in the freeware version.

  3. Yes, there is a log entry. See attached screenshot.

Regards

P.S. I get an error message that the upload folder is full and cannot receive the attached files. I will re-post later.

I think the bit you don’t quite grasp here is the HTML part. To display HTML, the operating system uses a browser which can be IE, Opera, Firefox or any other one you care to name. Just because Xplorer2 wants to use Firefox to display whatever it is you want to look at doesn’t mean to say that an outgoing connection is being established. You can prove this for yourself by doing the following:

  1. Open Notepad, ■■■■ the keyboard a few times, it doesn’t have to be anything intelligible, and then give it a name and save the file somewhere.
  2. Now right click the file, choose “Open With” and choose to open it with Firefox. This will trigger a firewall alert even though you’re not connecting to the Internet.

“OLE” means “Object Linking and Embedding”. In this context, Xplorer2 is linking with the Firefox browser to display objects within the Firefox browser interface. Nothing to get excited about. :wink:

Zito,

as I noted in the original post, the hijacking attempt is in order to connect to the internet. I.e. it tries to connect to external IP addresses via Firefox through OLE Automation. These are unsolicited events, not related to any particular instructions or activities.

What you are referring to are “File Associations”. This has nothing to do with OLE Automation though. The OLE protocol deals with communication and instructions between applications. Something quite different.

Regards

Screenshots:

Attempt to connect to the net

http://img149.imageshack.us/img149/6195/20071022161001oj1.jpg

Attempt to connect to the router

http://img134.imageshack.us/img134/1706/20071022155441ly5.jpg

Log entry

http://img148.imageshack.us/img148/6674/20071022160741xs0.jpg

I downloaded that app and I tested it with V3 beta.
It doesn’t trigger any connection automatically.
I can make it load Firefox using the check updates menu entry.
It attempts to use csrss.exe and Firefox.

Do you have any Firefox application rule with csrss or xplorer2 as parent app?
Does this happen when xplorer2 is unloaded?

gibran,

I currently have no rules w csrss or xplorer2 as parent app. I tried that, but there was no difference. The OLE Automation attempts are not seen by Comodo as attempts to act as a parent it appears.

It does not happen when xplorer2 is unloaded, only when it is loaded. Sometimes, several hours can go by before the first attempt.

Regards

BTW, apart from this issue (which is almost certainly not the fault of xplorer2, rather some other malware using it) xplorer2 is an excellent app IMHO. It has some advantages over TotalExplorer, FreeExplorer, et al. and is well worth checking out.

I see, sometimes the V2 parent app matched a previously closed application, but that’s not your situation.
As I’m currently testing V3 I cannot provide much help with this issue; anyway, you can submit a support ticket too at https://support.comodo.com/ referencing this topic.

OLE is somewhat different from DDE. In theory I would expect that Firefox (or some Firefox component) should at least be loaded in xplorer2 as a component, and this scenario could be caught by Component Monitor (if it was set to ON instead of Learning Mode and those files were not previously allowed).

As things stand there is no other way to prevent that other than marking that alert to remember, but this doesn’t work. Official support personnel may have a better understanding of V2 inner workings, so they may be able to figure out a workaround or provide a better explanation.

I’m sorry,
gibran

gibran,

my sincere thanks to you and everybody who has pitched in! I will submit this to support and post here if anything comes from that.

My understanding of OLE is rather sketchy, but I figure that Firefox uses an object model(s) that xplorer2 can launch OLE calls to, and that something (a shell process?) running under xplorer2 invokes such calls.

The worrying bit is that all system scans come up empty, showing a clean system w/o malware.

Cheers