Unrelated components block whole applications [Resolved]

First of all, thank you for your great efforts in providing a free and effective firewall! :-*

I had no problems in the past months, but a small issue is occurring more and more often. Some dll components of different applications (Office, macro managers, etc.) are blocking all other applications, if I try to block the dll. In general, the dll tries to hook into an application that tries to establish an Internet connection (e.g. any browser) and I block the component, but this results in blocking the browser, too.

Is there a possibility to just mute the dll and not the whole application?

The dlls themselves are harmless, but there is nothing more I hate than software trying to connect to anything without permission/notice. >:(

System: WinXP/SP2, FW: 2.4.18.184

Hey Melvin, and welcome to the forums.
If you know they’re harmless, just allow it and set it to remember it. Usually when you block a DLL from using your browser, it won’t work till you restart the application.
If you don’t want to allow it, then you could disable DLL-injection monitoring by opening up the CPF interface, then click the ‘Security’ tab, and then ‘Advanced’ in the left menu.
Under ‘Application Behavior Analysis’ choose configure, then uncheck monitor DLL injections.
Hope it will help you.

Ragwing

Thank you for your fast reply, Ragwing.

With “harmless” I just wanted to indicate that it is not a real problem atm. As far as I understand your solutions, the connection will be allowed/ignored.
But in case that it is not “harmless”, but unknown, e.g. if I try shareware that I do not trust initially, can I block the dll permanently without blocking other applications?

It happens rarely that some software has such intrusive global hooks, but it would be nice if there is a solution to block them.

If you take the ‘disable DLL monitoring’ route in Security/Advanced/ABA, you will turn this security feature off globally - that is, for all applications. Probably don’t want that.

And yes, if you Deny the connection when the injection alert appears, you block the browser for that session. Generally stop/restart of the browser will clear that block (as long as you didn’t check “Remember”).

You may find it helpful to open Component Monitor afterwards, find that specific DLL (or whatever filetype). Change the Allow to Block, and click “Apply” at the top of the monitor window. Note that this will only work if CompMon is set to ‘On’ rather than ‘Learn.’ Also note that it is generally considered good to keep CM to ‘Learn’ for such time as it takes to run pretty much all connectivity programs, so as to minimize your component popup alerts.

Hope that helps,

LM

Yes, I do not want to deactivate anything.

Yes, the browser (or any other application) is blocked, but if I just restart, the dll tries to hook in again and I achieved nothing.

Tried that already, but blocking the dll kills my Internet connection totally or at least the applications affected, e.g. IE (I just need it for the pages that do not work with FF or Opera) is affected by other MS products or special cases.

Hmm, then it sounds like the dll is doing more than just injecting and not being related; it sounds like it is integrated with the browser. This is not uncommon with Windows components, unfortunately. It’s not that the component is connecting, but just that it’s integrated with an application that is connecting.

If this is happening only with IE, there is an extension for FF called IE Tab (I think that’s the name) that allows you to open IE-dependent webpages from within FF. Don’t know if that would get you around this annoyance or not, but it might be worth a shot.

LM

I agree with you on the IE part, although an office component != IE component, but that’s m$ policy. 88)
FYI: It’s the Microsoft Office HTML Icon Handler (MSOHEVI.DLL) in this case.
It is not a threat of course, just an example how a dll blocks an application (if the user does not allow it out of mistrust).

Now the next example blocks everything: Hot Keyboard Pro (http://www.hot-keyboard.com/hkpro.htm). The hkhook30.dll is injected into all applications, and I assume it just tracks the keyboard events.
Both examples are not a threat, I guess, but it would be a useful option, if technically feasible, to separate external dlls from applications.

I guess that you guys decided to either allow (harmless) dlls or that a user should kick the injecting application at all from the HD, since it is not trustworthy.

I was just concerned with the gray area, where I want to use an application, but do not want it to interfere with Internet connections.

PS: thx for the FF extension hint. :slight_smile:

Well, part of the problem comes from how these things work at a lower level. By injecting or hooking into an application, they (in a sense) become part of that application. AFAIK, there isn’t a way to “separate” that back out, once it’s been allowed to integrate, as far as the application connecting to the internet.

You should be able to block the component in Component Monitor, and Apply that setting. If the component is not an integral part of the connectivity, that is. The HTML icon handler might be considered a part of the browser to the extent that it’s part of the connection. For that matter, the keyboard macro-maker might be as well; it has to be watching for keystrokes to combine while you’re surfing.

All you can do is try…

BTW, the rule of thumb on all these things (as per the lead developer) is that if you recognize the application in question, it is safe to Allow w/Remember. The concern would be where you don’t recognize the application. Obviously, this is built on the presumption that if you have installed and run the application yourself, you trust it to run as it needs to on your machine, thus negating the “gray” area. :wink:

LM

Very well, thank you for clearing up the technical part. :smiley:

Regarding the rules, I guess I should not be that suspicious. :stuck_out_tongue:

BTW I was more concerned about data protection, i.e. that such applications send user behavior data, than “real” malicious software like trojans.

Anyway, I regard my issue as solved. (L)

You can always (just to indulge any inherent paranoia) regularly check CFP’s Activity/Connections to see the IPs your browser and other applications are connecting to. Then you can do a DNS lookup on those to see who/what they are. Or you can run an application like CurrPorts or TCPView (etc) to check open connections and probably automatically do the DNS lookup.

I’ll go ahead and mark the topic as resolved then, and close it. If you need it reopened, just PM a Moderator (please include a link back here) and we’ll be glad to do so.

LM
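
Added example, not part of the original thread: a Python sketch of the connection check suggested above, combined with the point made earlier that an injected DLL runs inside the connecting process. It parses saved `netstat -ano` and `tasklist /m` output and lists, for each established connection, the owning process and which of the DLLs named in this thread are loaded in it. The sample text is constructed, the column layouts of both commands are assumed to match it, and the function names (`parse_tasklist`, `reverse_dns`, `audit`) are hypothetical.

```python
import re
import socket

# Constructed `netstat -ano` sample (documentation-range IPs, made-up PIDs).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      198.51.100.7:80        ESTABLISHED     1480
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.10:1050      203.0.113.25:443       ESTABLISHED     2212
"""
# Constructed `tasklist /m` sample; long module lists wrap onto indented lines.
TASKLIST = """\
Image Name                     PID Modules
========================= ======== ============================================
iexplore.exe                  1480 ntdll.dll, kernel32.dll, MSOHEVI.DLL,
                                   hkhook30.dll, wininet.dll
firefox.exe                   2212 ntdll.dll, hkhook30.dll
"""

def parse_tasklist(text):
    """Map PID -> (image name, set of lower-cased module names)."""
    procs, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:                                   # first line of a process entry
            pid, line = int(m.group(2)), m.group(3)
            procs[pid] = (m.group(1), set())
        elif pid is None or not line[:1].isspace():
            continue                            # header, separator or blank line
        procs[pid][1].update(x.strip().lower() for x in line.split(",") if x.strip())
    return procs

def reverse_dns(ip):  # live PTR lookup; None when there is no reverse record
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def audit(netstat, tasklist, watched, resolve=None):
    """List ESTABLISHED TCP peers with owning process and watched DLLs in it."""
    procs, rows = parse_tasklist(tasklist), []
    watched = {w.lower() for w in watched}
    for f in (l.split() for l in netstat.splitlines()):
        if len(f) == 5 and f[0] == "TCP" and f[3] == "ESTABLISHED":
            ip, port = f[2].rsplit(":", 1)
            image, mods = procs.get(int(f[4]), ("?", set()))
            host = resolve(ip) if resolve else None
            rows.append((image, ip, int(port), host, sorted(mods & watched)))
    return rows
```

Call `audit(NETSTAT, TASKLIST, ["MSOHEVI.DLL", "hkhook30.dll"], resolve=reverse_dns)` to add live reverse lookups; without `resolve` the host column stays `None` and nothing touches the network.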