Comodo firewall really doesn't let anything pass

Discussion in 'other firewalls' started by Fuzzfas, Jan 5, 2013.

Thread Status:
Not open for further replies.
  1. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Wireshark may be a helpful tool to see what they're trying so desperately to phone in.
     
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I think that the connection is over HTTPS, so Wireshark will not be that useful in this case.
     
  3. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    The screenshots provided show the attempts on port 80.
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    They do indeed... hmmm. I thought there was something that made the 5.X connections I saw opaque. I have 5.12 on an XP computer and will revisit this.
     
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    For some reason, I remembered that the connection was secured (HTTPS), but it is not, so it is easy to find out what is inside it :)

    Basically, cmdagent.exe is connecting to downloads.comodo.com and tries to retrieve a file from /av/tvl/deletedvendors.txt. The content of the file looks like this (I listed only the first few entries):

    Aignesberger Software GmbH
    Alienware Corporation
    ALIKET SOFTWARE CO., LTD.
    Ask.com
    Bolide Software
    ByteSphere Technologies LLC
    Conduit Ltd.
    CyberDefender Corp.
    Digital River, Inc.
    [...]

    From the file name and its contents, it looks like a list of "Trusted software vendors" that need to be removed from Comodo.
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Good job, at least now we know for sure. Of course it would be better if it just stopped after doing it, but I guess they have it on auto-pilot to constantly update that list.

    Maybe if one disabled the option "automatically allow trusted vendors" in sandbox settings or if one was to empty the list, it will stop trying. But at this point I'm not interested to try that. Blocking works.
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Let's not declare full understanding yet. We have to collect information for a while, report what we see, and try to merge it to be sure. FWIW, my initial report would be:

    [Comodo Firewall (free), 5.12.256249.2599, XP Pro SP3]

    1) cfpupdat.exe connecting (because I manually checked for updates) to:

    download.comodo.com:80 = 91.199.212.171, reverseDNS=download.comodo.com
    downloads.comodo.com:80 = 178.255.82.1, reverseDNS=downloads.comodo.com

    to check for newer file versions and retrieve product announcements and retrieve dialog information. Edit: the product is up to date.

    Note that neither my cfpupdat.exe nor Nebulus's cmdagent.exe appears to be connecting to the hosts you saw Fuzz. There may be some location/load switching involved but then again maybe we haven't yet caught all the scenarios. I'm still waiting for cmdagent.exe to try to connect out. Edit: can you tell us more about what you are seeing Fuzzfas?
     
    Last edited: Jan 11, 2013
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Fortunately, since I made a block rule without logging only for Comodo, I am not seeing anything anymore! Ahahahaaha! :D

    Anyway, it's the usual story. I changed the rules to "outgoing only", I even manually checked for updates, in the hope that it would do whatever it needs to do and settle down, went back to "blocked application" as rule and here it goes again. License activation and secure comodo server.

    BTW, I don't have the Ask.com, Bolide etc. in the trusted vendors list, so I guess that it succeeded in removing them (assuming they were there), still it tries to connect. Maybe there is a bug after importing configuration as someone suggested.

    Anyway, same story:

    1.png

    It's like in a loop. It's not worth it to spend more time on this. Block works fine.
     
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    To simplify things, I disabled auto-updates (as Fuzzfas said in the first post), so I didn't see any connections from cfpupdat.exe. As for the addresses that cmdagent.exe connected to, I just listed the resolved address from where Comodo downloaded that list. But there are more addresses:
    1. An initial connection to download.comodo.com (resolved to 91.199.212.171), which returned an HTTP code of 302.
    2. Redirection was to downloads.comodo.com (notice the final 's'), resolved to 178.255.82.1
    3. Comodo tried to resolve fls.security.comodo.com, which returned 7 IPs, but there was no further attempt to connect to any of them (199.66.201.21, 199.66.201.22, 199.66.201.25, 199.66.201.26, 199.66.201.20, 91.209.196.27 and 91.209.196.28). From Fuzzfas' screenshots, I see a connection to 199.66.201.28 which I didn't have, and I will assume that it is also an IP for fls.security.comodo.com
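    The post above attributes IPs to hostnames and follows the 302 by hand; the script below is an added example (not Comodo's or any poster's code) that automates that over constructed capture events modelled on the thread's values. `guess_host` is a hypothetical /24-neighbour heuristic, so its result is a lead to verify, not an attribution.

```python
# Added example (not Comodo's code): attribute captured connections to hostnames
# via DNS answers and walk HTTP redirect chains, as post 9 does by hand.
from collections import defaultdict

# Constructed events: ("dns", name, [IPs]) / ("http", ip, path, status, Location) / ("tcp", ip, port)
EVENTS = [
    ("dns", "download.comodo.com", ["91.199.212.171"]),
    ("dns", "downloads.comodo.com", ["178.255.82.1"]),
    ("dns", "fls.security.comodo.com", ["199.66.201.21", "199.66.201.22", "91.209.196.27"]),
    ("http", "91.199.212.171", "/av/tvl/deletedvendors.txt", 302,
     "http://downloads.comodo.com/av/tvl/deletedvendors.txt"),
    ("http", "178.255.82.1", "/av/tvl/deletedvendors.txt", 200, None),
    ("tcp", "199.66.201.28", 80),  # no DNS answer in the capture covers this IP
]

def guess_host(ip, ip_to_host):
    """Heuristic only: a resolved name whose answer shares the /24 with ip."""
    prefix = ip.rsplit(".", 1)[0]
    return next((h for k, h in ip_to_host.items() if k.rsplit(".", 1)[0] == prefix), None)

def analyse(events):
    """Return (contacts, chains, orphans): host -> [(path, status)], redirect
    chains as "host/path" lists, and (ip, guessed host) for unattributed IPs."""
    ip_to_host = {}
    for ev in events:
        if ev[0] == "dns":
            for ip in ev[2]:
                ip_to_host.setdefault(ip, ev[1])  # first answer wins
    contacts, redirects, orphans = defaultdict(list), {}, []
    for ev in (e for e in events if e[0] != "dns"):
        host = ip_to_host.get(ev[1])
        if host is None:
            orphans.append((ev[1], guess_host(ev[1], ip_to_host)))
        elif ev[0] == "http":
            _, _, path, status, location = ev
            contacts[host].append((path, status))
            if status in (301, 302, 307, 308) and location:
                redirects[(host, path)] = location
    chains = []
    for (host, path), loc in redirects.items():
        chain, seen = [host + path], {(host, path)}
        while loc:  # follow Location headers, stopping on a loop
            h, _, p = loc.split("://", 1)[-1].partition("/")
            if (h, "/" + p) in seen:
                break
            seen.add((h, "/" + p))
            chain.append(h + "/" + p)
            loc = redirects.get((h, "/" + p))
        chains.append(chain)
    return dict(contacts), chains, orphans
```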
     
  10. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    It's the license activation server in Comodo's UK center (licenseactivation.security.comodo.com). I suppose since I am in Europe, it prefers their European HQ.
     
    Last edited: Jan 12, 2013
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Nope. That doesn't work, nor does anything else I've seen theorized in here. I have that option disabled, as well as every option in sandboxing. I also have the TVL deleted entirely. Have both cloud scanning options disabled. And also both updating options disabled, in Preferences, under both the General & Update tabs.

    The connections also are not needed for Comodo Secure DNS to function properly. I know because I use it, and have seen it block sites even though I have both cfp & cmdagent blocked.

    I don't trust anything 100%. If that was a requirement, I wouldn't own a computer in the first place, or run a Windows OS at all. And this discussion would be moot. Discretion should also be an end user's #1 tool, before any software or hardening, IMO. Telling people to uninstall it because they inquire about it is pompous and condescending... and I got the same remarks when I asked about it quite a while back myself, and no real answer as to what they're trying to do.

    I suspect that it's for the TVL, cloud, and submit/pending files purposes. And that it's just defaulted to do it no matter how you have those settings. And that it's just an oversight, not malicious intent. But it would just be nice to actually hear that from somebody instead of snide remarks telling you: "then don't use the #@%*ing thing if you don't like it"

    I personally just block them and disable logging so that it doesn't spam my logs, and increase my footprint. And everything works just fine.

    P.S. - I would be interested in knowing if this happens on the paid version(s) too though, with all those options I mentioned unchecked and the TVL deleted. Because if it doesn't, then that would look shady, and perhaps a case of "you get what you pay for".
     
  12. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Good to know.

    Yeah, definitely not related to that. I don't even install Secure DNS.

    I agree with everything. And yes, it seems like a permanently enabled thing. I haven't been able to see that it's something triggering it. With zero unrecognized files it phones home, without installing anything it phones, without browsing to a new page it phones. Could be also they are gathering usage statistics and hardware configurations. Or, a crazy idea. Maybe it's phoning out about blocked applications, just in case they're malware. So, you block cmdagent, it tries to phone out to report what the blocked application was, but it can't because it gets blocked again. So it triggers a new attempt to phone out to report the blocked application and a vicious circle begins with no end. :D

    Exactly.
     
  13. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    How would I go about deleting the trusted vendors list if I wanted to do that?
    Thanks.
     
  14. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    D+ ---> Computer Security Policy ---> Trusted Software Vendors. Click on the name you want and click "Remove".

    Also there is an option to simply not use that list in order to automatically allow the applications out of the sandbox.


    EDIT: Just talking about "trust" and Vendors, I just got the idea to look out of curiosity and yes, my beloved Iobit is in the Trusted Vendors List. ;) Oh, yeah, I trust Iobit... ;)
     
  15. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    You could rename or delete the file vendor.n from c:\Program Files\COMODO\COMODO Internet Security\database\
     
  16. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    No need as he's using CIS6 where there's already an option to not use the TVL ;)
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    That would take ages... if using v.5, go into your Comodo FW program folder and navigate to the "database" folder. Delete the vendor.n file.

    and poof... they're all gone.

    It's good that there's an option in v6 to remove them without having to do that.
     
  18. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Thanks a lot everybody for the great replies. I'm just getting used to the new version and I like it a lot.
    The one and only gripe I have is the AV alert pop-up. I tested with the EICAR test file and a GeekBuddy screen appears offering to clean the file. Is there any way of disabling this and just having the ordinary AV alert pop-up?

    I know it is only a minor quip and it's just me being picky, but I would sooner the GeekBuddy pop-up wasn't there.
    Many thanks.
     
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    FWIW, I have been keeping an eye out for cmdagent.exe Internet related activity and have some to report...

    1) While installing Adobe Reader XI on a Win XP SP3/CFW 5.12.256249.2599 machine I was prompted to allow cmdagent.exe access to the Internet (localhost:12080 due to Avast). Started Wireshark then allowed cmdagent access. Saw requests for:

    http://csc3-2010-crl.verisign.com/CSC3-2010.crl
    http://crl.verisign.com/pca3.crl
    http://crl.verisign.com/pca3-g5.crl

    2) While Avast 6 was updating its definitions on a Win XP SP3/CFW 5.12.256249.2599 machine I was prompted to allow cmdagent.exe access to the Internet (localhost:12080 due to Avast). Started Wireshark, then allowed cmdagent access. Saw request for:

    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt

    Some additional information about the nature of this request:

    http://technet.microsoft.com/en-us/library/bb457160.aspx

    I think this specific scenario occurs once a week despite Avast updating its definitions more frequently.

    3) While Avast 6 was updating its definitions on a Win 7 SP1/CFW 5.12.256249.2599 machine, I was prompted to allow cmdagent.exe access to the Internet (localhost:12080 due to Avast). Started Wireshark, then allowed cmdagent access. Saw requests for:

    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?XXXXXXXXXXX
    http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
    http://crl.microsoft.com/pki/crl/products/WinPCA.crl

    I've seen this behavior happen several days in a row.

    The Avast local proxy mechanism is effectively hiding destination information from the Comodo warning dialog and logs, but I seem to have zeroed in on related requests. On the XP machine I've tried configuring Comodo to use a proxy (a transparent proxy that just logs requests/responses, listening on localhost:9522) but it doesn't capture any of the traffic described above, as if cmdagent.exe might be ignoring the setting in such scenarios.
     