Ole Automation HELP!!

Hi, first of all, I’m new to the forum so (:WAV).

Now to the main event … I’ve recently started using CPF and I’ve noticed a certain behaviour that makes me (:AGY).

I often see a pop-up alert telling me that a certain application for which I don’t want Internet access is trying to get it through another (say a game trying to access the web via eMule, which is always on). The problem is that when I tell the firewall to deny that behaviour eMule automatically loses connectivity and I have to restart the program… WHY IS THAT???

PS: I’m from Argentina, so if my English is not good please excuse (:SHY)

Hehehe…I have the same problem…they claim it’s a feature :THNK
https://forums.comodo.com/help/what_the_hell_is_wrong_with_this_thing-t9793.0.html

It is not a feature, it’s a bug…period.

Thanks, finally someone that calls it like it is!! I saw your post and I agree, the firewall should unhook the other application and that’s all, not behave like it does. And I think I know why this is, CPF ver. 2.4 and others do not have HIPS, so... it can’t detect a Host Intrusion for what it really is, but that’s my opinion (:KWL)

Will anyone please bother to give me an answer???

Sorry no one’s answered you.

I’ll refer you to FAQs/Threads - Read Me First

and specifically this section

OLE Automation Alerts
https://forums.comodo.com/index.php/topic,4728.msg35532.html#msg35532
https://forums.comodo.com/index.php/topic,4875.msg36088.html#msg36088
https://forums.comodo.com/index.php/topic,5207.msg38857.html#msg38857

These are all direct links to posts by the lead developer, explaining the OLE alerts.

Something I have found very helpful to block these applications from (apparently) attempting to connect is create a separate Application Monitor rule, set to Block this offending application. Set the Parent to Skip or Learn. This is obviously only if you actually want to block that application. If you don’t, then simply Allow it and move on. The time to be concerned is if you do not recognize both applications involved.

As to your question of why the “victim” application is blocked instead of just the “offender”… it is because CFP does not make a distinction (indeed, it cannot make such a distinction) between ‘friend’ and ‘foe’ - it only alerts the user that an activity is occurring which could be evidence of a problem. It is up to the user (at this point) to determine if it is a problem or not.

If the user chooses ‘Deny’ then CFP considers this to be evidence that indeed, there is a problem (otherwise the user would have chosen ‘Allow’) - the application (in your case, emule) has been compromised by some malware. Thus, CFP will stop both involved applications from connecting to the internet for that session only. Typically restarting the ‘victim’ application will do the trick; I realize with emule this may be problematic if you’re in the midst of downloading your favorite goodies.

Thus in your case, based on Egemen’s “rule of thumb” - if you recognize both applications, you may Allow & Remember, and should not see that combination alert you again. As stated, the time to be concerned is if you do not recognize one or both applications…

Hope that helps,

LM

PS: v3 of the firewall (currently in Alpha testing) will almost completely resolve these issues, once it goes to final release, as it will utilize a huge encrypted safelist. If both apps are on the safelist, you won’t see these.

Yeahhh, that’s the kind of answer I wanted, clear and precise. Thanks a lot, I’m sure I’ll find a way to deal with this. I’ve also noticed that if I ignore the alert then CPF blocks the connection attempt without doing anything else. I know that “ignoring” an alert from the firewall could not be wise but, if the firewall is set to block if ignored then there should not be a problem, right??

From the security perspective, I would rather be safe than sorry if an alert arose that I had no idea about. CFP’s principle is like deny-everything-by-default (excluding the safe database option). This includes ignoring an alert by not clicking Allow or Deny for x amount of time.

That I understand but, if you consider that for eMule to work properly the connections MUST be kept alive for long periods of time at all cost, maybe ignoring an OLE alert and letting Comodo block the outgoing connection without interrupting the host (hijacked) program can be a better solution. After all, if the hijacker is not a trusted application on Comodo’s list the connection attempt will be stopped and no risk will rise from it. Of course it is still a patch to a buggy function to be fixed in V3 of the Firewall… because, like Little Mac said, “CFP does not make a distinction”, referring to knowing the ‘victim’ from the ‘offender’ in this particular type of situation.

I bet you the alerts are safe to allow anyway. The only difference between 2.4 and 3 is that if the application is really safe and will be included in the much bigger database in the future, you won’t see the alerts because they’re allowed by default.

I think so too, anyway, it’s nice to know you guys are out there answering things for us (:WIN)

We volunteers are just filling in while the official support (devs) team are working on v3 :).

Just FYI, I have not yet seen an OLE Automation message using v3. And this is without the expanded safelist (it’s not in the Alpha just yet).

I’ve run the normal gamut of applications, and have not seen it, so I think that’s promising…

LM

Indeed, that IS promising. One question though, since I work with this machine and cannot test drive the Alpha V3: what happens if I deactivate the OLE warnings in the configuration of the firewall, am I in any grave danger or could it be safe? I’m getting tired of msn and winamp popping up those ***ng OLE alerts!!

Well, obviously it decreases security. If you have safe surfing/download/email habits, are not allowing scripts in your browser (ie, you’re using Firefox or Opera rather than Internet Explorer), and have good on-access antivirus/antispyware applications, you’re probably relatively safe.

However, you may also want to try something I did, that worked extremely well for OLE messages. That is to create Application Monitor rules for the “offending” application (ie, MSN, Winamp) to Block by default. I typically set the parent as explorer.exe (the Windows shell) or to Learn. Sometimes Skip. Just play around with it till you find what works best - sometimes it’s different for different apps. Since the application is not allowed any internet access, it seems to stop the OLE (and other communication) alerts; the app is just silently blocked.

That, of course, only applies if you don’t want the application to connect. In case you do want it to connect, you could create a specific Allow rule for it. Or, try a combination of the browser as application, and MSN or Winamp as the Parent, and Block that. You could also open the AppMon rule for the browser, go to the Miscellaneous tab, and select “Skip advanced security checks.” Those might help.

LM