I occasionally click on a link in an email, and every time Comodo warns that “Thunderbird has modified Firefox User Interface, which may be a sign of a trojan”. I always ensure the “Remember answer” box is unchecked because I like the warm feeling of protection when Comodo tells me it is on the job.
Last week I felt an icy blast through my firewall; a door had fallen off its hinges and it no longer protected me from Trojans. I have “cured” it by a minimally invasive hack of the registry, but I do not know if this repair will be any more permanent than using sticky tape to hold a door in place.
I exported the Comodo registry keys and compared them with a similar set from a few weeks earlier. Can’t be done: there are approaching 900 “Component White List” keys, regrettably “humanised” without leading zeroes, hence keys “…\2]” and “…\20]” are listed between “…\199]” and “…\200]”, so when a new key is inserted before “…\199]” then “…\2]” etc. are shifted between neighbours they were never close to before. This also happens to “…\3]” etc. etc. etc.
My file comparison utilities throw a wobbly. I would appreciate advice upon a freeware utility that can deal with this situation.
New approach - I searched for “thunderbird.exe” and found brand new entries.
This is for “C:\Program Files\Mozilla Firefox\firefox.exe” and gives a CRC32 value, and has “Num”=dword:00000002.
This is for “C:\Program Files\Mozilla Thunderbird\thunderbird.exe”
That is the culprit. I used RegEdit to change its location from C:\ to W:\ (which does not exist), and that has restored my protection against Trojans. I again get warned if I click on an email link.
Under Comodo > Advanced > Miscellaneous > Configure I have now removed ticks from boxes
2. “Do not show any alerts for the applications certified by COMODO”, and
5. “Automatically check for program files updates”, and
6. “Automatically check COMODO certified applications updates”
I removed those ticks because I assume that …\IPC\etc are where Comodo certified applications are stored, and I do not want this weakness sneaking in again.
Relevant information and advice would be appreciated.
I trust Thunderbird, but NOT the emails it might handle.
Thunderbird 220.127.116.11 itself does not trust emails;
I have one particular email mailshot from CNET which sometimes, but not always:
- may get a “possible spam” warning the instant I open the message;
- may ask “Are you sure you want to visit …” when I click on a link that is overlaid with a human invitation.
There have always been “Buffer Overflow” vulnerabilities. I guess there always will be unless we exterminate incompetent programmers!!! Only a few months ago there was yet another security patch to fix yet another Buffer Overflow.
Many years ago there were emails that had embedded links that were disguised to lure a naive user into a click and then disaster.
Then there were emails that auto-clicked upon being read - no need for the user to do anything but open to read.
Then disaster if they got to the pre-view pane - user did not even have to read it.
Then malformed headers - if the email was received then Outlook Express etc would automatically read the header so it could list it with subject, sender, and date, and that gave disaster.
Although I hope Thunderbird will never make a mistake and let through something nasty and old, I would rather not depend upon it;
Although I hope Thunderbird will be updated to deal with anything nasty and new, I suspect I could be unprotected for several weeks when something new has been invented.
Whatever the problem, if something nasty, old or new, should cause Thunderbird to get on the Internet for evil purposes, I would like to think that Comodo will give me protection. This is why I have restored protection against Trojans.
Whilst looking at …\IPC\8\ etc, I also noticed something horrendous at …\IPC\9.
“C:\Program Files\Windows Live\installer\WLSetupSvc.exe”
This is malware.
It is bloatware which has put 2 gigabytes of crud onto my external hard drive, which holds over 20 historical images of my internal system drive.
Last week I discovered that Windows Live Messenger included a 16 MByte rubbish *.msi installer that has NO purpose other than to POSSIBLY remove SOME of the registry settings if I remove Live Messenger, BUT if I do remove Live Messenger this rubbish installer can just about remove most of the stuff in C:\Program Files\Windows Live\Messenger, BUT IT CANNOT REMOVE ITSELF !!! I will admit that this rubbish installer can also re-install Messenger if it gets broken, but this shows lack of confidence by Microsoft in a product that can get broken, AND I would far rather download it again than put up with 100 MByte of permanent rubbish on my drive. How does 16 MByte of rubbish become 100 MBytes? Simple: when Microsoft disables an existing version of Messenger my daughter can no longer communicate until I allow MS to update it, and that gives me yet another rubbish installer; they do not have the intelligence to remove the obsolete version that cannot work any more. Last week for a totally unrelated purpose I did a search for *.msi, sorted in size order, and amongst the top runners I discovered that over the years I had accumulated 6 different versions of Windows Live Messenger, every one of them totally anonymous, mostly with 6 hexadecimal digit names in C:\Windows\Installer, but some in alternative and totally unrelated and unexpected locations and with far more complicated (but still anonymous) names.
If MS has its way, I will finish up with so much rubbish installer junk for Live Messenger (and probably also for anything else created by MS) that my Internal drive will not have any room for any applications !!!
Last week, immediately I saw the 100 MByte wastage, I removed it.
Today, having seen …\IPC\9, I have changed it to permit “W:\ etc.etc.”. If I am to have another rubbish installer dumped on me it should be with my explicit knowledge and consent so that I can instantly minimise the accumulated junk, and not have it happen automatically without my knowledge because MS thinks it will be good for me, and because Comodo have certified it. I would prefer to simply remove …\IPC\9, BUT I suspect I would have to rename/renumber other keys, and perhaps there are other gotchas awaiting the unwary.
n.b. I assume that …\IPC\etc is where Comodo certified applications are held. Does anything else go there? What is its purpose?
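The comparison problem described in the post (numbered whitelist keys that are renumbered whenever an entry is inserted, so a line-by-line diff of two .reg exports lights up hundreds of unrelated lines) goes away if the two exports are compared by entry content instead of by key number. The script below is an added example, not from the post and not from Comodo; the hive path, value names and CRC values are constructed, since the real product's layout is not given on the page. It parses regedit-style exports, sorts key names numerically (so \2, \20, \199, \200 come out in that order), reports which entries were really added or removed, and can also write a canonical dump without the volatile key numbers so that any ordinary diff tool compares like with like.

```python
"""Compare two regedit .reg exports of a numbered whitelist by content, not by key number.
Added example; hive path, value names and values below are constructed/hypothetical."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Hypothetical key under which the numbered entries live (no trailing backslash).
PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Component White List"

# Constructed "before" export in regedit's own syntax (strings are backslash-escaped).
OLD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Component White List\1]
"Path"="C:\\Windows\\explorer.exe"
"CRC32"=dword:0000beef

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Component White List\2]
"Path"="C:\\Program Files\\Mozilla Firefox\\firefox.exe"
"CRC32"=dword:1a2b3c4d
"Num"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Component White List\10]
"Path"="C:\\Windows\\notepad.exe"
"CRC32"=dword:0badf00d
"""

# Constructed "after" export: one entry inserted at \2, everything behind it renumbered.
NEW_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Component White List\1]
"Path"="C:\\Windows\\explorer.exe"
"CRC32"=dword:0000beef

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Component White List\2]
"Path"="C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"
"CRC32"=dword:deadc0de

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Component White List\3]
"Path"="C:\\Program Files\\Mozilla Firefox\\firefox.exe"
"CRC32"=dword:1a2b3c4d
"Num"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Component White List\11]
"Path"="C:\\Windows\\notepad.exe"
"CRC32"=dword:0badf00d
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')
Fingerprint = Tuple[Tuple[str, str], ...]


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: raw value}} for a .reg export ('@' = default value)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # hex(...) data wraps with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1) or "@"] = m.group(2)
    return keys


def decode_sz(raw: str) -> str:
    """Turn a quoted, backslash-escaped REG_SZ value back into a plain string."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def natural_key(path: str):
    """Sort key that orders ...\\2 before ...\\20 before ...\\199 (digit runs compared as numbers)."""
    return tuple(int(p) if p.isdigit() else p.lower() for p in re.split(r"(\d+)", path))


def _entries(text: str, prefix: str) -> Dict[str, Fingerprint]:
    """Map each numbered subkey under prefix to a content fingerprint (its sorted values)."""
    return {k: tuple(sorted(v.items()))
            for k, v in parse_reg(text).items() if k.startswith(prefix + "\\")}


def _pick(entries: Dict[str, Fingerprint], wanted: Counter) -> List[Tuple[str, Dict[str, str]]]:
    out = []
    for key in sorted(entries, key=natural_key):
        fp = entries[key]
        if wanted[fp] > 0:               # Counter returns 0 for unknown fingerprints
            wanted[fp] -= 1
            out.append((key, {n: decode_sz(v) for n, v in fp}))
    return out


def diff_whitelist(old_text: str, new_text: str, prefix: str):
    """(added, removed) entries, matched by content so renumbering is invisible."""
    old, new = _entries(old_text, prefix), _entries(new_text, prefix)
    surplus = Counter(new.values()) - Counter(old.values())   # only positive counts survive
    deficit = Counter(old.values()) - Counter(new.values())
    return _pick(new, surplus), _pick(old, deficit)


def canonical_dump(text: str, prefix: str) -> str:
    """One line per entry, key numbers dropped, sorted by content: safe for any diff tool."""
    rows = sorted(_entries(text, prefix).values())
    return "\n".join("; ".join(f"{n}={decode_sz(v)}" for n, v in fp) for fp in rows) + "\n"


if __name__ == "__main__":
    added, removed = diff_whitelist(OLD_EXPORT, NEW_EXPORT, PREFIX)
    for key, values in added:
        print("ADDED  ", key.rsplit("\\", 1)[1], values)
    for key, values in removed:
        print("REMOVED", key.rsplit("\\", 1)[1], values)
```

To use it on real files, read each export with `open(path, encoding="utf-16")` (regedit writes version 5.00 exports as UTF-16 with a byte-order mark) and pass the actual whitelist key as `prefix`; the constructed example reports exactly one added entry, the thunderbird.exe line, even though three of the four keys changed number. Writing `canonical_dump()` of each export to a file is the cheap alternative when you would rather keep using your existing comparison utility.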