Curse

Caleb · Dec 13, 2006, 12:36 AM // 00:36

Tonight while playing, my firewall popped up with an alert. In 18 months of playing GW I have never had this happen, was wondering if any of you gurus knew why or what the issue is.

Details:
Application denied access (svchost.exe:207.138.234.114:http(80))

Application: C:/Windows/System32/Svchost.exe

Parent: C/Windows/System32/Services.exe

Protocol: TCP out

Destination: 207.138.234.114:http(80)

Description: C:/Program Files/Guild Wars/GW.exe has tried to use C:/Windows/System32/svchost.exe through OLE automation, which can be used to hijack other applications.

Some background- I have had 10 plus Err7 disconnects over the past week. Prior to this, I had a total of 2 or 3 over 18 months. Nothing seems to have changed other than some new firewall alerts (same firewall program I have been using forever).

The IP it was trying to connect to belongs to Global Crossing.

Any ideas what's up with this?

Thanks alot,
Caleb

aeroclown · Dec 13, 2006, 06:27 PM // 18:27

What firewall are you using ?

It looks like CF but it doesn't matter much. Applications quite often use OLE for other functions, in most cases if you trust the application and are running no third-party software the OLE actions are harmless and should be allowed. In many cases applications pass information to each other via OLE. I don't believe the denial of such an access attempt would have much of an effect at all on your connectivity depending on what the application is trying to do with the OLE activity. My suggestion would be to check your firewall rules and see about approving the OLE activity for guildwars. That in itself may or may not resolve your connection problems.

Linda Heartilly · Dec 13, 2006, 07:04 PM // 19:04

Yes, applications indeed often use OLE services and yes it is also commonly used for application interoperability.

But... let's not miss the vital detail: Guild Wars contacts someipaddress.plaync.com servers and to my knowledge only someipaddress.plaync.com servers...

It could very well be that some malicious program picked a random target process, injected itself into it's address space and - while running in the context of it's target (in this case Gw.exe) - attempts to access the internet.

This is a very common technique used by all sorts of spyware and/or virusses used to trick the user into allowing them access since they'll appear as an application the user most likely trusts.

Caleb · Dec 13, 2006, 10:34 PM // 22:34

I am indeed running Comodo firewall. My hesitation lies in exactly what Linda pointed out - the IP is random and does not appear affiliated in any way with arenanet/plaync.

I have had this firewall on this pc for months, without ever having a similar message or alert (been playing GW since April 2005). With my recent err7s, I have been getting these odd firewall alerts, and they seem to only appear while I am playing Guild Wars.

I have run every virus/malware scan I could find (all on http://wiki.castlecops.com/Malware_R...ti-Virus_Scans for example), and each of them says I am clear of anything as harmful as a cookie.

I played GW for a few hours a bit earlier, and was eventually disconnected when GW.exe tried to connect through OLE to the same IP address again, and was prevented.

Today I am receiving a huge amount of network "medium risk" alerts, all seeming to be the same thing:

Network monitor

Outbound Policy Violation: (Access Denied ICMP = Port Unreachable) where the source IP listed is that of my linksys router, and the destination IP is that of my provider's DNS server.

Protocal: ICMP

I have the destination IP for the dns server listed in safe zone, but it is still saying that the port is unreachable.

I am in no way trying to blame GW for any of my connection issues, just hoping one of the gurus here will be able to diagnose what may have happened over the past week or so to change my previously rock solid connection.

Thanks for the help guys, nice to see ya again Linda.

aeroclown · Dec 14, 2006, 07:09 AM // 07:09

I figured it was CF, there a number of complaints about the frequency at which CF reports OLE activity. Check the Comodo Support forum for more on that, from what I understand its a system that is still a bit cranky about OLE assignment. In such a way that no 2 applications can share a parent for OLE activity. Though thats a bit sketchy, there are some threads on the comodo support site addressing OLE checks and problems with the current release of CF and the way in which it handles the creation of rules for an application and its OLE counter parts. Keeping in mind that having your dns in a safe zone does not in and of it self create all the rules to allow all protocols to and from/within a zone. Check your rules.

I would not to my knowledge consider an ICMP Echo (ping) to your Primary DNS malicious. If anything it's more then likely a keep alive request. While I won't give you an end all be all answer, I can say this, that my installation of CF frequently ask about OLE activity after patches especially large ones. I would happily accept it but thats up to you, if you want to do some work and verify the application and packet location I am sure there are ways though I can't think of anything other then a sandbox off the top of my head.

As a speculation its quite likely by denying the OLE activity your are in effect temporarily removing your access, to your Primary Domain Names server, which is a system to translate text names into ip addresses. In other words the server does not receive the keep alive request and assumes that you no longer require the information. Though in an optimal circumstance I would have thought caching the information in the client would be the best choice though I don't know how the client (GW) itself works. If guildwars is relying on non-static ip ranges and domain names instead of static ip ranges, by denying the activity and causing a connection death guildwars can no longer locate the specified location it is attempting to retrieve data from thus an E7.

Thats my take on it, ultimately its up to, you can easily visit the comodo support forums and request help there. There are a large number of users who are quite familiar with comodo and may even be able to help you verify or check the OLE activity.

Caleb · Dec 14, 2006, 10:56 AM // 10:56

Thanks a ton Aeroclown, both for the assistance and the direction towards their user forums.

Greatly appreciated. I am going to go check their forum now.

Caleb