OLE Automation, Can I stop it? It scares me!

Discussion in 'other firewalls' started by enum{}, Jan 25, 2007.

Thread Status:
Not open for further replies.
  1. enum{}

    enum{} Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    5
    So I've set up the Comodo firewall... after horror with ZoneAlarm free.

    Yet I block one app and another uses OLE automation on it.

    First, what is OLE Automation? I know it's an implementation of COM+.
    Does it allow programs that I have explicitly blocked to get to the internet through another app (i.e. Firefox)? What can I do about it? I'm worried about it.


    An example is apps I've denied ALL access to, and they enact OLE automation on Firefox. When I deny, Firefox is denied too.

    Also... I have denied svchost, trying to get closer to 100% control over what gets internet access. How can I get closer to 100% control? I don't want even Microsoft integrated apps accessing if I don't let them. How can I get closer to this goal?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Unfortunately there is nothing you can do about OLE comms, it is the way Windows is built. You will only know of such comms when you use a firewall/application that can intercept such comms. Before you installed Comodo, all these comms were being made and allowed. It is just that now you can check that only legitimate applications are doing this.

    As for svchost, this will make internet connections based on the Windows services you have running on your system. Disabling unneeded services can minimize svchost access.
     
  3. enum{}

    enum{} Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    5
    Can anybody point in the direction of some good tips in reference to keeping my outgoing traffic under control?

    What are good things to block? How do I block Windows itself? Can MS suites like Office route through the Windows platform and out onto the internet without me knowing about it?

    Thx.
     
  4. enum{}

    enum{} Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    5
    What's the point of a firewall if this can happen: Comodo Leak Test

    Similar to OLE Automation, a trojan/worm can just modify explorer.exe, which can just modify firefox.exe and send out my credit card number.

    Sure, Comodo can warn me that explorer has modified firefox.exe, but I need to USE firefox.exe and it's an app that I have allowed to go through the firewall. So more often than not, the info is going to get through. As previously stated though, OLE automation can't be disabled in Windows, and I don't think explorer can be prevented from acting like this.

    This makes me think that firewalls can't protect you 100%, which defeats the purpose. What gives? Insights?
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Not all firewalls are going to have protection against memory modification or DLL injection as used in the test you link (although some already do). But even so, these types of "leaks" can be prevented, for example by using SSM free.
     
  6. enum{}

    enum{} Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    5
    I gotta check out that SSM Free. However, even though Comodo does say "Hey, your firefox.exe has been fiddled with", what am I going to do... I still need to use firefox.exe. I'm after ways to prevent DLL injection and memory modifications.

    The solution would be to prevent this inter-app modifying in the first place. I'll look at that link. Thanks for the feedback.
     
  7. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    I'm a bit curious about this too. Often, after running an installed program, or updating same (particularly if the program was updated rather than just the database), the firewall gives the same warning that enum described. My response is to allow it if it's a program I know (e.g. AdAware does this after a defs update, or other programs I've installed and done something with recently).
    But it is a bit disconcerting... the warning saying "this could be a sign of trojan activity..." and the first time it happened, I blocked it. Then had to restart the browser, of course.
    I suppose the main way this could be a threat is if something nasty actually "fiddled with" another parent program, making the threat genuine, yes?
    How would one know if that had happened?
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    SSM free will do this.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Tarq57,
    Most firewalls will make a check on an application using a checksum/hash. This basically just checks if an application has been changed/modified. So yes, if you update a program then an alert will show if the application has been changed.
     
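The checksum/hash check Stem describes, as an added Python example (not Comodo's or SSM's code): a hash is recorded when a rule is first created for an application, and the file is re-hashed before each connection so an updated or tampered executable shows up as "modified". The firefox.exe stand-in and its bytes are constructed for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def file_hash(path):
    """SHA-256 of the file contents, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_application(path, baseline):
    """Store the hash the first time a firewall rule is created for an application."""
    baseline[path] = file_hash(path)


def check_application(path, baseline):
    """Re-hash before allowing a connection.

    Returns "new" (no rule yet), "unchanged" (same bytes as when the rule was made)
    or "modified" (the on-disk executable differs: an update, or tampering).
    """
    recorded = baseline.get(path)
    if recorded is None:
        return "new"
    return "unchanged" if recorded == file_hash(path) else "modified"


def demo():
    """Walk through the three cases with a constructed stand-in for firefox.exe."""
    baseline = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "firefox.exe")  # constructed sample file, not a real binary
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)  # fake header bytes, constructed
        first = check_application(exe, baseline)   # no rule yet -> "new"
        record_application(exe, baseline)
        second = check_application(exe, baseline)  # same bytes -> "unchanged"
        with open(exe, "ab") as f:
            f.write(b"patched")                    # simulate an update or tampering
        third = check_application(exe, baseline)   # hash differs -> "modified"
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

This only detects changes to the file on disk; as the replies point out, memory modification and DLL injection of a running process need separate protection.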
  10. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Thanks Stem.
    So, this is generally nothing to worry about, then?
    I guess if I was to see this without knowingly having updated any program it would be a worry. (For stuff that doesn't auto-update, which in my case is most of it.)
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Tarq57,
    It is one reason to manually update, as then you will know of the possibility of an application being changed.

    One of the main areas of protection you need is for memory modification, as not all firewalls will check this.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Why would you have your credit card number stored anywhere on your PC?
    And if you do, why not add another 100 random similar numbers to this list, call the file "calculus 1 extended" and save it in a folder called "polytechnics"?
    Mrk
     
  13. jrx10

    jrx10 Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    85
    I'm somewhat concerned about this also. I have set up my network rules per the Comodo forum, and I'm right now just running one computer through a firewall/router, broadband internet, with DHCP enabled, XP SP2. I have all the updates, and I'm running Firefox as my browser. I have auto-updates and BITS disabled and I update manually. Running McAfee AV (auto start) (updated manually, as 6 of its programs and countless other subprograms try to access the net every surfing minute). I have all the usuals: Windows Defender (auto start), AVG Anti-Spyware, Spybot, HijackThis, CCleaner, and a couple of rootkit detection programs. All auto-updates are configured as disabled (turned off), and scans come up with nothing.
    Before reformatting and reinstalling XP fresh, I thought it would be a good time to evaluate several FWs (one at a time), as I'm convinced that a SW FW with outbound protection is needed because XP has so many holes in it, and from what I've read, Vista is no better. (BTW, after dumping the XP FW, the free ZoneAlarm isn't even in the same class as Comodo, but it certainly is a lot easier to configure, which is understandable since its protection seems to be extremely limited.) When booting, I also get that Firefox is trying to run as a server for OLE automation. (I've got my ethernet/router configured as a trusted zone.)

    Does all this M$ XP stuff need to be accessing the 'net through OLE automation with the Windows auto-updates set to disabled and done manually? Thx.

    http://img212.imageshack.us/img212/1644/screenshot022yo1.jpg
     
    Last edited: Feb 11, 2007