Spawning inheritance

I have installed Comodo Firewall Pro v2.4.18.184 and am very happy with it so far. My OS is Windows XP SP2 using FireFox. My machine is a home desktop and I am administrator.

Here is what I would like to do with my firewall: I want to deny permission for a link within an email in MS Outlook to open a link to the internet. Right now, Outlook spawns explorer.exe which spawns Firefox which connects to the internet.

How can I deny Outlook>explorer.exe>FireFox>internet?

Right now, Outlook spawns explorer.exe which spawns Firefox which connects to the internet.

I am not sure if this is the way it works (on my system at least). I have only 2 rules for explorer.exe, both initiated by userinit.exe.
As for Firefox, I have a rule where Outlook (msimn.exe) is the parent.
Also, when I switch the default browser to IE and click on a link on an Outlook e-mail, CPF pops up the allow/deny message. That is because there is no Application Monitor rule for IE with msimn.exe as a parent.

I know this is not much help, but I think the question is excellent and I am interested in seeing what others have to say.

Cheers

G’day,

The easiest way to do this is to create a BLOCK rule in the Application Monitor for Outlook for ports 80 and 443.

The parameters are as follows;

Application : msimn.exe (I think this is the Outlook executable but you’ll need to double check this)
Parent : Skip parent (I assume you don’t want Outlook to ever go to the net, regardless of the parent)
Criteria : Apply the following criteria
Action : BLOCK
Protocol : TCP or UDP
Direction : OUT
Destination IP : ANY
Destination Port : A set of ports - 80, 443

In line with this rule, you should also double check that any existing rules for msimn.exe DON’T allow all ports outbound. The correct ports for getting and sending emails are 25 and 110 (POP and SMTP).

Let us know how this works out.

Hope this helps,
Ewen :slight_smile:

Here is what I have done: In Comodo I opened Security/Tasks/Define New Banned Application. In the “Specify Application” field I pointed to explorer.exe. In the “Specify the Parent Application” I pointed to outlook.exe. This stopped the spawning of explorer.exe by outlook.exe.

This brought up user prompt alerts to make rules caused by outlook.exe spawning FireFox. I created deny rules for this parent/child attempt.

This works after a fashion. Instead of explorer.exe being spawned by outlook.exe, a window is opened to my directory for me to select a browser, then FireFox is opened automatically and I receive a message stating that my proxy has denied the connection.

In effect the link in outlook is denied internet access, but it could be less messy. Any more good suggestions?

Regards,
Red_Cloud

Sorry to hijack the post, but …
I don’t think it is normal for Outlook, or any other process for that matter, to spawn explorer.exe.

On my system (XP SP2), msimn.exe spawns FireFox or IE directly when I click on an e-mail link. I can verify that using Sysinternals’ Process Explorer.
In Application Monitor rules, explorer.exe’s only parent is userinit.exe, and I never got a popup from CPF asking to allow explorer.exe with Outlook as a parent.

I guess I’ll start a separate thread to discuss this, it is worth it to do a sanity check every once in a while.

G’day,

CFP only tracks the immediate parent of an application - i.e. if I click on a web link in an Outlook email, Outlook is the parent of the web browser that is called. I’ve NEVER seen CFP track back two generations - i.e. the parent of the parent of an application.

Can you provide screenshots showing what is happening on your system?

Alternatively, could you provide more detail, in a step by step manner.

Example:

  1. Click on link in Outlook
  2. CFP alert stating application X is starting application Y
  3. Click ALLOW
  4. CFP alert stating application Y is starting application Z
  5. Application Z starts

Cheers,
Ewen :slight_smile:
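
A simplified model of the parent matching discussed in this thread, added as an example; it is not Comodo's code and not from any poster. The rule fields follow the parameter list above, while the first-match ordering, the "ASK" result name and the process snapshots are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    app: str
    parent: Optional[str]       # None models "Skip parent"
    action: str                 # "ALLOW" or "BLOCK"
    ports: Optional[frozenset]  # None models any destination port

# Constructed rule set: the BLOCK rule for ports 80/443, a mail-only allow
# rule, and two parent-specific browser rules (assumed for illustration).
RULES = [
    Rule("msimn.exe", None, "BLOCK", frozenset({80, 443})),
    Rule("msimn.exe", None, "ALLOW", frozenset({25, 110})),
    Rule("firefox.exe", "msimn.exe", "BLOCK", None),
    Rule("firefox.exe", "explorer.exe", "ALLOW", None),
]

# Constructed process snapshots, child -> immediate parent.
DIRECT = {"firefox.exe": "msimn.exe", "msimn.exe": "explorer.exe"}
VIA_EXPLORER = {"firefox.exe": "explorer.exe", "explorer.exe": "msimn.exe"}

def decide(rules, parents, app, port):
    """First matching rule wins (assumed); no match means a prompt."""
    parent = parents.get(app)  # one generation only, as described above
    for r in rules:
        if r.app != app:
            continue
        if r.parent is not None and r.parent != parent:
            continue
        if r.ports is not None and port not in r.ports:
            continue
        return r.action
    return "ASK"

def ancestors(parents, app):
    """Full ancestry, which an immediate-parent check never consults."""
    chain, seen = [], {app}
    while app in parents and parents[app] not in seen:
        app = parents[app]
        seen.add(app)
        chain.append(app)
    return chain

if __name__ == "__main__":
    for name, snap in (("direct", DIRECT), ("via explorer", VIA_EXPLORER)):
        print(name, decide(RULES, snap, "firefox.exe", 80),
              ancestors(snap, "firefox.exe"))
```

In the second snapshot the mail client is still in the browser's ancestry, yet the parent-specific BLOCK rule does not match because only the immediate parent is compared.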