View Full Version : BHO firewall, is it possible?


Rasheed187
August 19th, 2007, 03:09 PM
Hi,

Couldn't really find a thread so I started a new one, but why isn't it possible for firewalls to control BHOs? I mean, I do know it's because firewalls see them as part of the browser, but isn't there a way to control them separately? Because basically, a BHO can do pretty much anything it likes, no? ::)

Seer
August 19th, 2007, 03:44 PM
Hello Rasheed.

A firewall does packet filtering, that's all. Controlling BHOs, as they are basically DLLs, is a job for HIPS. There are some firewalls with integrated HIPS ('component monitor', for example) which are able to control loaded DLLs on an allow/deny principle. As the DLL has to use some process to do damage, I suppose allow/deny is sufficient.

Rasheed187
August 19th, 2007, 03:59 PM
OK, so with component monitoring you should be able to control them? And is there any legit reason why BHOs should make any outbound connections, probably not right? At the moment I'm using PopUpCop and IE7Pro, and I just started wondering about this stuff, guess I'm becoming a bit paranoid again. :)

But I do know that spyware often install themselves as BHOs, because they can then do just about anything they like, and your firewall will most likely not notify you about any suspicious outbound connections. So you have to be damn sure if you trust a BHO or not, and even then it's hard to figure out if they are behaving themselves. :shifty:

Seer
August 19th, 2007, 04:23 PM
{QUOTE-> And is there any legit reason why BHOs should make any outbound connections <-QUOTE}

Yahoo Toolbar (example) is a BHO. If you do a search from it, I suppose you will want it to do outbound through your browser's process.

{QUOTE-> your firewall will most likely not notify you about any suspicious outbound connections <-QUOTE}

A HIPS should warn you that a DLL is about to be loaded. As I said, a BHO cannot make network connections on its own, it has to use some process. So yes, it is up to you to decide whether you trust the loaded DLL or not :) As with any HIPS, user intervention is required. No matter how good a firewall (HIPS) is doing in leak-tests (among other things, they test DLL loading as well) it is up to the user to decide if the process/DLL is to be allowed or not. A firewall/HIPS is there just to prompt you.

Kerodo
August 19th, 2007, 04:25 PM
Don't some programs like SpywareBlaster monitor BHO installs and watch for nasty things?
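
Added example, not part of any post in this thread: since the trust decision discussed above comes down to knowing which DLLs are registered as BHOs, this PowerShell sketch lists the machine-wide BHO registrations and reports each DLL's path and Authenticode status. The registry locations are the standard Windows ones (they are not named in the thread), and the function name `Get-BhoInventory` is hypothetical.

```powershell
# Added example: inventory machine-wide Browser Helper Object registrations.
# Each BHO is a CLSID subkey; the CLSID's InprocServer32 default value is the
# DLL that the browser process loads.
$BhoRoots = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' =
        'HKLM:\SOFTWARE\Classes\CLSID'
    # 32-bit registrations on 64-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' =
        'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
}

function Get-BhoInventory {
    foreach ($root in $BhoRoots.Keys) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid   = $key.PSChildName
            $clsKey  = Join-Path $BhoRoots[$root] $clsid
            $inproc  = Join-Path $clsKey 'InprocServer32'
            $name    = $null
            $dll     = $null
            $sig     = $null

            if (Test-Path -LiteralPath $clsKey) {
                $name = (Get-Item -LiteralPath $clsKey).GetValue('')
            }
            if (Test-Path -LiteralPath $inproc) {
                # Default value; strip quotes some installers put around the path
                $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
                $dll = $dll.Trim('"')
            }
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $dll
            }

            [pscustomobject]@{
                Clsid     = $clsid
                Name      = $name
                Dll       = $dll                      # empty = orphaned registration
                Signature = if ($sig) { $sig.Status } else { 'FileMissing' }
                Signer    = if ($sig -and $sig.SignerCertificate) {
                                $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

Get-BhoInventory | Sort-Object Signature, Dll | Format-Table -AutoSize
```

Entries that are unsigned, have no file on disk, or sit outside the usual program directories are the ones to review first; saving the output and comparing it between runs shows newly installed BHOs.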