Why do Components connect to the Internet?

There is a lot of confusion about what Component Monitor does, why CFP even watches such things, and why these various components have to connect to the internet. So here’s a brief explanation…

In the Windows family of Operating Systems, there are core system components (files with extensions such as .dll, .com, .drv, .ocx, and so on); these are frequently ‘shared’ by multiple applications at various times. Applications often add their own individual components, and product ‘suites’ will often share these as well. Because so many components work within the context of an application that is connecting to the internet (and are so often shared resources), they are a frequent target for malware attempting to exploit an application.

It’s important to remember, too, that just because an application is connecting doesn’t mean the required components are connecting. This is a critical distinction. The backseat passenger is going down the road in the car, yes; but he’s not driving the car, and isn’t in control of reaching the destination (route, speed, etc.). In this scenario, that passenger is a normal component (dll, com, sys, etc.). If he pulls a gun on the driver, that changes the situation, and gives him control; but that’s a hijacking attempt, and is where you get a different kind of alert - i.e., the component has changed, the dll has injected code, etc.

With a default installation of CFP, the Component Monitor will be set to ‘Learn.’ On the presumption that you are installing CFP into a system that you know/trust is clean & free from any malware, it is set this way to reduce the popup alerts you will receive. While CompMon is set to ‘Learn,’ all components utilized by applications that are connecting to the internet will be Allowed. The idea is to keep it this way until the majority (if not all) of your internet-connecting applications have been run, so as to maximize the authorized component database. Then change the mode to ‘On,’ and press Apply; from that point forward, you will receive alerts for all new, changed, or hijacked components.

The thing to watch for is getting a Component alert about an application that has run before, doing something it has done before, when there have not been any updates since the last time the application performed this function (such as playing a video in your browser). If nothing has changed, but you get a warning for a change to a component, it would be advisable to Block (just for that session) and start investigating. If you see an alert for a component hijack or dll injection, Block for the session (without Remember) and investigate.

Be aware that if you want to permanently Block individual components within Component Monitor, you must click the ‘Apply’ button after making changes. You may also find that you end up blocking an application for which the component is an integral part; that is sometimes the nature of the Windows OS.

I have heard people ask why these components are wanting to connect/do this or that now, when they never have previously (with other firewalls). The answer is simply that the components have always behaved the same in a Windows OS; it is the other firewalls that did not monitor this type of activity. This is one of the reasons CFP ranks so highly against leaktests.

I hope this helps answer some of your questions…

LM
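
The ‘Learn’ then ‘On’ behaviour described above can be pictured as a baseline-and-compare allow-list. The following is an added illustration, not part of the original post and not CFP's own code; the class name, the per-application keying and the use of SHA-256 to detect a changed component are assumptions, and the file names and contents are constructed.

```python
import hashlib


class ComponentMonitor:
    """Toy model of a learn-then-enforce component database (hypothetical)."""

    def __init__(self):
        self.mode = "learn"   # "learn" or "on", mirroring the two modes in the text
        self.known = {}       # (application, component path) -> SHA-256 hex digest

    def check(self, app: str, component: str, content: bytes) -> str:
        """Return the verdict for one component used by a connecting application."""
        # Windows paths are case-insensitive, so normalise before lookup.
        key = (app.lower(), component.lower())
        current = hashlib.sha256(content).hexdigest()
        seen = self.known.get(key)
        if seen == current:
            return "allow"
        if self.mode == "learn":
            # Learn mode: everything is allowed and recorded in the database.
            self.known[key] = current
            return "allow (learned)"
        # On mode: the database is not updated; the user decides (Allow/Block).
        if seen is None:
            return "alert: new component"
        return "alert: component changed"


def demo():
    """Walk through the scenario from the text with constructed sample data."""
    mon = ComponentMonitor()
    original = b"constructed codec build 1"
    modified = b"constructed codec build 1 plus extra code"
    results = [mon.check("browser.exe", r"C:\Windows\System32\codec.dll", original)]
    mon.mode = "on"   # equivalent to switching to 'On' and pressing Apply
    # Same application, same component, nothing changed: no alert.
    results.append(mon.check("browser.exe", r"C:\WINDOWS\system32\codec.dll", original))
    # Same component, different bytes, no update installed: block and investigate.
    results.append(mon.check("browser.exe", r"C:\Windows\System32\codec.dll", modified))
    # A component never seen during learning.
    results.append(mon.check("browser.exe", r"C:\Temp\helper.dll", b"constructed"))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because ‘On’ mode never updates the database by itself, a component that was blocked for the session keeps raising the same alert until it is explicitly allowed or restored to its known state.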