Unaddressed Problem in all releases, including latest beta

OK, I’m really annoyed now.

When using Firefox 5 minutes ago to download 10 items from FTP (yes, I know I should be using FTP software),
I had a Comodo pop-up box asking me if I wanted to allow the Synaptics mouse driver to access the internet via Firefox.

I clicked deny, only to find that firefox had been completely banned and all my downloads were terminated.

This happened as I was typing on another forum and clicked on a drop-down box on a web page!!! (at the exact same second)

The log suggested that the mouse driver had tried to modify the browser by special windows messages!! - That’s what mice do in their normal operation!
Click the mouse on minimize = windows minimized, etc.

Unfortunately, I cannot post the exact message, as the latest beta deletes its logs on restart - which is what I had to do to get firefox working again. :frowning:

Why does clicking the mouse button on a link in a browser fool comodo into thinking it is accessing the net?

Why is ALL access to firefox blocked when I clicked deny?

Why didn’t my downloads continue? They had nothing to do with Synaptics.

This is NOT a ‘feature’ ffs.

Just acknowledge this as a problem PLEASE.

Hi,

I use Firefox a lot; I can’t say I’ve ever had this problem. And in fact I’ve just purposely tried to create it, but couldn’t :cry:

Since I just tried to create the same situation and failed, the only thing I can say is that the issue is most likely with your mouse and CPF (for some reason), as I initiated 3 FTP downloads in Firefox, found some sites with links in drop-down menus and started clicking away.

Hope you get it sorted out - whatever it is

Red,

Apparently you can get by the loss of the logs, by manually exiting CFP before shutting down your computer. I haven’t tried it, but several users have said it works.

Insofar as the mouse driver issue goes: it’s not you clicking on the menu, minimize, etc, that it’s referring to. The “special window messages” alert means that the mouse driver has been seen to (in some way) try to exert a form of control over the way that the target application (ie, Firefox) functions. This is perhaps most commonly seen in browser hijacks.

When you choose to Deny the mouse driver this access, CFP considers the action by the driver to be a threat (ie, a malware trying to get out), and blocks the application(s) from accessing the internet.

IF you can verify and/or are completely confident that your mouse driver is completely safe and legit, you can choose Allow (with the Remember option checked you shouldn’t get the popup unless your mouse driver changes; without the Remember option, it will be allowed for that session only), and your connection won’t be blocked. If you choose to Deny without Remember, you should be able to restart your connection by restarting your browser (ie, close and re-open).

Be aware that there are documented cases of malware being caught by CPF in this way, where the user was initially convinced that CPF was at fault. It came to be known that CPF had caught malware which the user’s AV should have been able to spot, but did not. That’s not to say that your mouse driver is malware!

I would personally do an online AV scan (such as Housecall, Panda, VirusTotal, etc) to see if they came up with anything. I would also want to watch for this occurrence to see if there’s a pattern to it… it doesn’t sound like it happens with every mouse click to interface with/within FF; so is there a trigger? The behaviour would appear to be suspicious; I’d check it out some more. Do a search online to find out more about the synaptics driver, etc.

Hope that helps,

LM

Thanks LM, I knew you’d have some input on this one!

The trigger has been fired in opera as well now - the exact same second I selected which country I was in on a web page (to register for something).

However, the problem is essentially non-reproducible!

It has happened with nero.exe as well.

My synaptics driver is the latest official (downloaded from manufacturer last month).
I have submitted it to virustotal and it comes out 100% clean.

I have also run NOD32, a2, Kaspersky online, Panda online, Rootkit Unhooker, Revealer and BlackLight, Spyware Terminator, ComboFix and never found an active threat.

Why can’t comodo just block the mouse driver from accessing the net, without stopping firefox completely?

I should add that this has happened with the 2 most recent betas and the official 2.3.

Also, I am in no way the 1st person to report this kind of craziness!

The very 1st time I saw this (on 2.3) was when I simply minimized a browser.

This was reported by Aowl in October!

https://forums.comodo.com/index.php/topic,2925.msg22269.html#msg22269

Update:

I’ve just opened I.E.7, then opened a forum thread in a new tab in Opera 9.1, and suddenly I have a pop-up saying that…

internet explorer has tried to use explorer to access the internet via opera.

WHY WHY WHY would I.E. or explorer (which both have internet access already) want to use opera to get online? :-\

The new tab I tried to open in Opera wouldn’t load until I clicked accept… >:(

Date/Time :2007-01-11 17:46:45
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (Opera.exe)
Application: C:\Program Files\Opera\Opera.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 216.126.201.152::http(80)
Details: C:\Program Files\Internet Explorer\iexplore.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.

Oh, Red, I’m sorry this is plaguing you. :cry: Welcome to the whole “OLE Issue.” At times like this, I wish I were a programmer in the security area, so that I could better understand and explain what’s going on. I don’t have a good answer for you, I’m afraid.

What I can tell you is that it relates to the way the software interacts, and how CPF/CFP monitors & reports on it. Comodo took some steps towards a “resolution” with v 2.4.10.131; I have seen some improvement with it, as have others. Obviously, it’s not completely “resolved.”

Comodo knows something we don’t know, and so far, I don’t think they’ve been able to explain that in a way we (the users) can understand and accept. I think they understand what our issue is (tho I could be wrong), but seem to see it more as a popup issue than a functionality issue. They continue to state that it’s a feature; we continue to state that it’s a bug.

I continue to report everything I can on it, to help clarify the issue to them (from the user perspective) so that some resolution/compromise can be reached. Obviously, we don’t want to reduce the security/protection offered. Obviously, we don’t want to have to close applications, reboot, etc to continue to surf.

I have personally had a lot of success by creating block rules for every application (if I don’t want it to connect…). It’s not 100%, but I’d say I get probably 90 - 95% out of it. If you can find an executable for the mouse, perhaps add that to the App Monitor, Skip the parent, and Block. Reboot. If you can’t find an .exe for it, you might try adding the .dll or whatever component the driver is connecting with (if you can find it in the logs, etc); I’ve never tried anything but an .exe in the App Monitor, so I don’t know if it’ll work or not.

To stop the annoyance, you can go to Security/Advanced/Application Behavior Analysis, and uncheck the boxes for “Monitor Window Messages” and “Monitor COM/OLE Automation Attempts.” OK. Reboot. This will stop CPF from watching over those things. Obviously, this reduces your security, so that’s something you would have to decide. Depending on how crazy it makes you (sounds like your “crazy” factor might be rising…) it might be a worthwhile risk for the sake of sanity. :wink:

LM

PS: I moved the topic from Feedback/Comments to here, as it seemed we were more in an active “fix the problem” mode than a rant & rave. This is not to detract from your rant & rave mode in any way. ;D If you search for “OLE” you will find plenty of ranting & raving, and you’re certainly welcome to contribute therein…

Are you using the latest (RC3) beta?
The OLE issue has become much better, but it’s not completely gone…
Let’s hope that they solve it soon… :wink:

Have you tried to add the mouse’s files to safe applications/components? You’d better allow it OR try to find a way you can disable mouse software features (I don’t know if that’s possible or not with your mouse).

This seems like the best option :slight_smile: There’s no point banging my head against a brick wall is there!

But the above would definitely put off a total noob (maybe 75% of users)???

As mentioned before (by you I think): this quirky behaviour will encourage people to click ALLOW without reading or thinking.

There must be a usability “fix”, if this is indeed a feature and not a bug…

ps. I’m using RC3 and it IS better than 2.3 on this.

pps. When is 3.0 due out?

Red

I believe the next version will be 2.4, the RC4 thread says Jan 18th.

I agree on the usability issue; I’m hoping something can be accomplished. I’m glad Comodo is willing to address it and look at it. I don’t want to compromise security, but I would like this “behavior” improved (from my perspective, that is).

LM

I’ve now created an app rule for nero.exe
I chose to block in and out, with ‘learn’ as the parent.

Still I get popups when running opera or firefox saying that nero is trying to connect through them.

Clicking deny always cuts off net access.

So, I clicked deny and remember and restarted.

The popups continue…

It is therefore impossible for me to use the web whilst nero.exe is running.

Any help please? ???

Nero is a cd-burning software, right? Why does it need to be running?

If Nero is at the core of your current problem, can you turn it off while you’re on the net? If you can turn Nero off while you’re surfing, then when you need to run it, just change CPF to Block All. A possibility.

Here’s my thoughts about Application Monitor rules in this situation:

If you’re getting alerts that Nero is trying to connect thru whatever browser you’re using, create the following block rules in the App Monitor (after removing all your current ones; in fact, I’d almost propose that you uninstall and reinstall, in order to start fresh, then create these rules for Nero):

App: Nero. Parent: Firefox. Action: Block. Misc: Skip Advanced Checks
App: Nero. Parent: Opera. Action: Block. Misc: Skip Advanced Checks
App: Nero. Parent: Int. Explorer. Action: Block. Misc: Skip Advanced Checks
App: Nero. Parent: explorer.exe. Action: Block. Misc: Skip Advanced Checks

I have not tried Skip Advanced Checks on a Block rule. However, with the idea being that it won’t monitor all those ABA actions (thus, OLE, etc), perhaps it will block the App without bothering about the details. Since explorer.exe is a common parent for browser applications, I figure it’s good to include.

You don’t have to uninstall CPF. My thought with that comment was that, at this point, you’re frustrated, and have been clicking Deny w/Remember in order just to get it to stop. There may be some really funky rules residing in CPF’s memory that may mess with other applications, if you’ve inadvertently blocked a necessary process. By starting over, you are guaranteed to clean all that out.

I hope this helps; I understand what you’re going through.

LM

PS: I presume your post above was what your PM referenced…

Thanks again LM - that was my PM.

I understand your logic, but I thought selecting ‘learn’ might cover it…

I always burn DVDs at 4x with verify (takes 25 mins) and I like to surf at the same time.

I will re-install (still on RC3 anyway).

Then I’ll try the four rules you mentioned - when I can be bothered with it again! 8)

I’ve decided to persevere - won’t be going back to Sygate this time…

None of the OLE Automation popups could say “is using”, only “may be using”. An OLE Automation based hijack is only a threat if you don’t know the application in question. For example in your case, you know nero.exe is a trusted program. In Windows operating systems, OLE automation is as normal as moving the mouse pointer. So are Windows Messages.

When the “automatically approve Comodo certified applications” option is enabled, CFP won’t even ask anything to bother you for such known applications.

If there is something more critical you shall see “This is typical of virus/Trojan behavior”. Memory injections or DLL injections are the alerts which should make you be more careful. But for OLE Automation and Window Messages, you don’t need to be paranoid if you know the application. I don’t remember ever denying such a popup before unless I was doing testing. And 99% of OLE Automation/Windows Messages popups for the PARENT application should be non-harmful type alerts.

Rules of thumb for understanding what to do :

“If the application in the security considerations section is not a known application (i.e. an application that you did not install but came from somewhere else), deny.”

“OLE Automation and Windows Messages are as normal as a mouse move in Windows”

Hope this helps,
Egemen
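The rules of thumb above (unknown initiator: deny; OLE Automation or Windows Messages from an application you installed: normal; injection alerts or the “typical of virus/Trojan behavior” wording: look closer; and, from later in the thread, compare the destination IP with the site you were actually browsing) can be turned into a small triage script for the log records quoted in this thread. The script below is an added example, not Comodo’s code and not from any poster here. It assumes the record layout shown in Red’s post, an allowlist of installed executables that I constructed, and a second, invented record whose “DLL Injection” wording is an assumption about Comodo’s alert text; the only real alert text is the first record.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the layout quoted earlier in this thread.
# The first record is the one posted in the thread; the second is invented to
# show an injection alert from a look-alike binary ("svhost" vs "svchost"),
# and its wording is an assumption, not Comodo's actual alert text.
SAMPLE_LOG = r"""Date/Time :2007-01-11 17:46:45
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (Opera.exe)
Application: C:\Program Files\Opera\Opera.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 216.126.201.152::http(80)
Details: C:\Program Files\Internet Explorer\iexplore.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-01-11 18:02:10
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 203.0.113.10::http(80)
Details: C:\Documents and Settings\user\Local Settings\Temp\svhost.exe has tried to use firefox.exe through DLL Injection. This is typical of virus/Trojan behavior.
"""

# Constructed allowlist (assumption): executables the user installed and trusts,
# as lower-cased full paths. A real deployment would build this from the App
# Monitor rules or from the "certified applications" list.
KNOWN_APPS = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files\opera\opera.exe",
    r"c:\program files\nero\nero.exe",
    r"c:\windows\explorer.exe",
}

LOW_RISK_TECHNIQUES = {"ole automation", "windows messages"}
HIGH_RISK_TECHNIQUES = {"dll injection", "memory injection"}

# "Key: value" and "Key :value" both occur in the quoted record.
FIELD_RE = re.compile(r"^([A-Za-z/ ]+?)\s*:\s*(.*)$")
# Pulls the initiating executable and the technique out of the Details line.
DETAILS_RE = re.compile(
    r"^(?P<initiator>.+?\.exe) has tried to use .*?through (?P<technique>[A-Za-z ]+?)[,.]",
    re.IGNORECASE,
)


@dataclass
class Alert:
    application: str   # the program whose connection was flagged
    parent: str        # its parent process
    destination: str   # "ip::service(port)" as logged
    initiator: str     # the executable named in the Details line
    technique: str     # OLE Automation, Windows Messages, DLL Injection, ...
    virus_marker: bool # True if the record carries the "typical of virus/Trojan" wording


def parse_log(text):
    """Split the log into blank-line separated records and parse each one."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip().lower()] = m.group(2).strip()
        details = fields.get("details", "")
        d = DETAILS_RE.match(details)
        alerts.append(Alert(
            application=fields.get("application", ""),
            parent=fields.get("parent", ""),
            destination=fields.get("destination", ""),
            initiator=d.group("initiator") if d else "",
            technique=d.group("technique") if d else "",
            virus_marker="typical of virus/trojan behavior" in details.lower(),
        ))
    return alerts


def triage(alert, known_apps=KNOWN_APPS, browsing_ip=None):
    """Apply the thread's rules of thumb; returns (verdict, reason)."""
    if not alert.initiator:
        return "investigate", "could not parse the Details field"
    # Rule 1: an initiator you did not install is denied outright.
    if alert.initiator.lower() not in known_apps:
        return "deny", f"{alert.initiator} is not a known installed application"
    # Rule 2: injection alerts, or the virus/Trojan wording, deserve a closer look
    # even when the initiator is known.
    if alert.virus_marker or alert.technique.lower() in HIGH_RISK_TECHNIQUES:
        return "investigate", f"{alert.technique} from a known application still warrants a closer look"
    # Rule 3: OLE Automation / Windows Messages from a known application is normal,
    # unless the destination is not the site you were browsing.
    if alert.technique.lower() in LOW_RISK_TECHNIQUES:
        dest_ip = alert.destination.split("::")[0]
        if browsing_ip and dest_ip != browsing_ip:
            return "investigate", f"destination {dest_ip} differs from the site being browsed ({browsing_ip})"
        return "allow", f"{alert.technique} by a known application is normal Windows behaviour"
    return "investigate", f"unrecognised technique {alert.technique!r}"


def triage_log(text, known_apps=KNOWN_APPS, browsing_ip=None):
    """Return (initiator, technique, verdict, reason) for every record in the log."""
    return [(a.initiator, a.technique) + triage(a, known_apps, browsing_ip)
            for a in parse_log(text)]


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG, browsing_ip="216.126.201.152"):
        print(" | ".join(row))
```

Run as-is, the real record (iexplore.exe using explorer.exe through OLE Automation, destination equal to the Opera session’s IP) comes out as “allow”, while the constructed svhost.exe record is denied because it is not on the allowlist, before the injection wording is even considered. Passing a different `browsing_ip` turns the first record into “investigate”, which is exactly the IP-comparison check suggested later in the thread.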

Hi Egemen,

I was trying to avoid programs from ‘phoning home’.

It is a bit paranoid, I guess!

Probably should only use fully licensed software… :wink:

[but out of interest, can anyone guess as to why nero.exe behaves like this - from your explanation it is unclear if it is trying to access net… AFAIK updating nero is not done by nero.exe, but by nerostartsmart.exe]

I don’t think they phone home by hijacking other applications while they can do that directly. It should be an innocent OLE automation. To make sure, you can check the IP address in the popup and see if it is a different address than you are browsing or not.

egemen

The IP address in the popup is the same as the site I was visiting in opera anyway.

It doesn’t look like nero phoning home tbh.

I just wished I understood OLE/COM automation and special windows messages better!

Can anyone direct me to some decent reading material on this subject…?

THANKS

Thanks for the detailed explanation, Egemen. I think (but I can’t swear to) that all the OLE alerts I’ve seen say that about being typical of virus/trojan behavior. Maybe I’m mistaken on that, though.

I rarely get the alert about window messages. I’ve never gotten any of the others unless I was really pushing things, trying to get alerts. :wink:

Do you have any links handy for recommended reading on OLE stuff, that’s easily understood?

LM

I think OLE Automation - Wikipedia would be a good starting point.

Hope this helps,
Egemen

Thanks for the link, Egemen; I’m sure many users will appreciate it.

Here are a few others I came up with:

http://www.lurhq.com/grams.html This one gives an example of how COM/OLE Automation can be used by malware, and why we need to pay attention to the popups CPF gives us, rather than just Allow and go on.

http://www.dbmsmag.com/9506d13.html Although this digs pretty deep into COM/OLE architecture, I thought it had some good, easily-understood info about how it works, to connect aspects of different applications/processes together, and how such things are shared.

http://www.answers.com/main/ntquery?s=OLE%20Automation&gwp=16 Although the majority of this is actually pulled from the Wikipedia entry, the first paragraph gives a quick, easy overview.

Having read through all this, Egemen, it is easy to realize how the current popups (especially for things like Office, etc) could further train users to Allow without paying attention. Then when something comes that is a threat (such as the “svhost” instead of “svchost”), there’s big trouble… Is it possible that CPF could monitor and not alert for safe applications/connections; but only on the ones that are truly suspicious? In other words, not alert me that Outlook, or Office, is using Firefox, etc and so on. Since the majority of these would seem to be safe, it seems that could be confusing… (and yes, I do have the box checked, “Do not show alerts for applications certified by Comodo”)

LM