OLE Automation

hi all!
i just installed cfp yesterday and i like it very much. but some security considerations leave me puzzled. if i launch outlook.exe it says:

app:outlook.exe
remote: ip:xxx.xxx.
security considerations:
skype.exe has tried to use outlook.exe through OLE automation, which can be used to hijack other applications. skype.exe might be using outlook.exe to connect to the internet.

next one is
app:skype.exe
remote:xxx.xxx
sec consideration
outlook.exe has tried to use skype.exe through OLE automation…

i get these OLE warnings by a couple of other programs too. emule/skype; firefox/skype; emule/firefox (without activating a mule link, just launching one of the 2 progs).

and another issue: how do i know which svchost.exe activity is ok? i get warnings, but i have no clue whether they are serious or normal windows standard procedures.

and how do i reset a setting? i denied emule to use firefox and as a result i could not browse anymore. i tried to remove ff from the cfp list and restart ff but it did not work, so i reinstalled cfp

thx for your help in advance!

Welcome, sherlockbones!

The OLE alerts (and many other aspects of Application Behavior Analysis - ABA) result from the way that applications communicate “behind the scenes.” You can see these alerts even after one of the applications has been closed. This type of behavior can be utilized by malware to gain internet access; thus CFP monitors it and alerts anytime it detects such activity. The downside, CFP doesn’t know what is good and what is bad, only that it’s happening.

The general rule, as given by Comodo, is that if you know the applications involved, it is safe to Allow. If you Allow with Remember, you shouldn’t see the alert again for that combination of apps. A single Allow will be for that session only, as will a single Deny. Add Remember to the mix, and you create a rule either way.

With your Skype/Outlook scenario, if you go to Security/Advanced/Miscellaneous, and check the box, “Do not show alerts for applications certified by Comodo” then go to Security/Tasks/Scan for Known Applications; follow the prompts and reboot when finished. This should pretty much eliminate those popups for you (they should both be on the safelist).

For svchost.exe, you’re generally safe to allow with remember so that you’re not bothered by it. After you do what I just instructed above, you shouldn’t see svchost.exe alerts any more either, though. For what you “need” to allow svchost on… it’s pretty much guaranteed that you need it for DNS queries (Outbound, destination port 53), DHCP lease (Outbound, destination port 67; inbound, destination port 68), and also for using Windows Automatic Updates (not sure the protocols there, as I don’t use MS auto updates).

For the emule scenario, you probably got one of the ABA alerts, as discussed above. Thus when you deny, CFP deems that you must have malware trying to get out using FF, so it blocks FF as well. If you clicked Remember when you denied it, then that will set rules in place. I’d remove both application rules in that scenario, and reboot. If you ever deny an app in that scenario, CFP will block the application it’s using to access (such as your browser or email client). If you don’t “Remember” and deny, since it will be for that session only, generally closing and reopening the application will do the trick; otherwise a reboot will.

Hope that helps,

LM

Elementary, my dear Macson: https://forums.comodo.com/index.php/topic,6437.0.html

I keep getting the OLE message with a red X stating c:\windows\explorer.exe has tried to use explore.exe through ole automation which can be used to hijack other applications. Explorer.exe might be using…

It shows different ip addresses such as this one IP:68.87.82.65 port:DNS (53) - UDP as well as a series of numbered messages 1-4 or 106 etc. I’ve clicked remember several times before but it still comes up on occasion. Should I be concerned?

It sounds like you may be blocking svchost.exe (which would normally verify DNS requests on port 53), thus forcing applications. Not sure on the surface how this would be causing an OLE situation to arise. Check application Monitor for block entries on svchost.exe; that’s the most likely place to start.

LM

Got a problem with the OLE Automation too.
Went to Youtube and logged in to my profile.
Comodo was warning me with something like that: …through OLE Automation, which can be used to hijack other applications.
Don’t remember which application I had that time open but I think it was: Internet Explorer 7, Mozilla Firefox and Thunderbird ( a newsgroup reader ) Since firewall Comodo never asked me anything before when I went to Youtube, I got scared and pushed "deny". It was not the first time I did this and it seems to me that when you have more than one application open Comodo suspects that there is a hijack attempt because various applications are using the same windows dll’s.
Well, since then I can not download videos from Youtube anymore with the Youtube downloader.
Forgot to mention that Youtube did an update to their site a few days ago.
What can I do? Uninstall Comodo and install it again?
But the registry entries might be still there. I went to: Comodo/advanced/Application Behavior Analysis and deactivated "Monitor COM/OLE …
But still can’t use my Youtube downloader.
I can view the videos on Youtube but can’t download them anymore.
Any help appreciated.

Freedom54,

Any time you get various “hijack” alerts from Comodo and choose to Deny (without Remember) it will be blocked for that session only. Meaning, simply close and reopen the applications in question and you should be fine.

With OLE Automation issues, I have personally found that restarting the applications doesn’t quite do the trick; for me, it seems a reboot is necessary to clear that out of memory.

You do not need to uninstall/reinstall the FW. Even if you selected “Remember” this will only impact your Application rules; just open Application Monitor and remove the rules for the application(s) in question, then reboot. When prompted the next time you open them, select Allow & Remember and the rules will be re-created.

And as a note, you really need to pay attention to what applications/executables are involved in any “hijack” alerts. If you do not recognize one or both listed in the alert, that is the time to deny and start checking for problems…

BTW, the various alerts are not just because of shared dll files; it is due to the way that applications (even ones that are not open) communicate behind the scenes. The operating system is a complex thing, I’m afraid…

LM