Topic: Invisible dialogue and a mystery process (Read 2261 times)

Offline markof

  • Newbie
  • *
  • Posts: 2
Invisible dialogue and a mystery process
« on: June 30, 2019, 12:50:57 PM »
Hello all,

Recently (though I don't know when it started), I noticed in COMODO Network Intrusion logs a series of blocked intrusions from processes which either don't have any name/identifier, or they have a description in ideograms (Chinese?). Source and destination are always the same, 0.0.0.0, and COMODO claims that the "action taken" is "Asked" (see the attached image). However, I never got any dialogue pop-up for these processes. Furthermore, I can't locate them by name anywhere else in COMODO, either in other logs, or in filtered lists or wherever.

I've checked the services and running programs on my system (Win 10 with the latest patches), and haven't noticed anything unusual. Full system scan with both Avira Antivirus and Malwarebytes didn't return a single issue, and I generally try to run my system as clean as possible.

Does anybody have any idea what these processes are, and how to access/remove them?

Offline Mathi R

  • Global Moderator
  • Comodo Loves me
  • *****
  • Posts: 149
Re: Invisible dialogue and a mystery process
« Reply #1 on: July 02, 2019, 05:23:13 AM »
Hi markof,

Thanks for reporting, could you please check your personal message and provide the requested logs.

Offline Mathi R

  • Global Moderator
  • Comodo Loves me
  • *****
  • Posts: 149
Re: Invisible dialogue and a mystery process
« Reply #2 on: July 04, 2019, 09:36:57 AM »
Hi markof,

Thanks for getting back to us, the error message may be caused by administrative privileges. Can you try to run the tool with administrative rights?

Offline markof

  • Newbie
  • *
  • Posts: 2
Re: Invisible dialogue and a mystery process
« Reply #3 on: July 04, 2019, 04:08:21 PM »
Hi Mathi,

That's the second thing I've tried, and it didn't help as far as I've seen. But in any case, now it worked and I've uploaded the logs.

Offline Mathi R

  • Global Moderator
  • Comodo Loves me
  • *****
  • Posts: 149
Re: Invisible dialogue and a mystery process
« Reply #4 on: July 06, 2019, 09:22:51 AM »
Hi markof,

Thanks for providing the requested logs, our development team is working on it.

Offline Metathesus

  • Newbie
  • *
  • Posts: 4
Re: Invisible dialogue and a mystery process
« Reply #5 on: July 07, 2019, 04:40:36 AM »
Hello,
Same here:

Partial Firewall logs:

Code:
Date & Heure Programme Action Direction Protocole IP source Port source IP de destination Port de destination
2019-07-07 10:11:06  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant, Sortant  186  0.0.0.0    0.0.0.0 
2019-07-07 10:10:45  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant, Sortant  66  0.0.0.0    0.0.0.0 
2019-07-07 10:10:35  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant, Sortant  TCP  0.0.0.0  1538  0.0.0.0  256
2019-07-07 10:10:32  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant  196  0.0.0.0    0.0.0.0 
2019-07-07 10:10:21  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant  136  0.0.0.0    0.0.0.0 
2019-07-07 10:10:01  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant  16  0.0.0.0    0.0.0.0 
2019-07-07 10:09:51  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Sortant  146  0.0.0.0    0.0.0.0 
2019-07-07 10:09:48  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Sortant  146  0.0.0.0    0.0.0.0 
2019-07-07 10:09:37  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Sortant  86  0.0.0.0    0.0.0.0 
2019-07-07 10:09:27  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Sortant  26  0.0.0.0    0.0.0.0 
2019-07-07 10:09:17  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  104  222  0.0.0.0    0.0.0.0 
2019-07-07 10:09:07  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  104  96  0.0.0.0    0.0.0.0 
2019-07-07 10:09:04  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  104  96  0.0.0.0    0.0.0.0 
2019-07-07 10:08:53  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  104  36  0.0.0.0    0.0.0.0 
2019-07-07 10:08:33  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant, Sortant  172  0.0.0.0    0.0.0.0 
2019-07-07 10:08:23  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant, Sortant  46  0.0.0.0    0.0.0.0 
2019-07-07 10:08:20  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant, Sortant  46  0.0.0.0    0.0.0.0 
2019-07-07 10:08:09  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant  242  0.0.0.0    0.0.0.0 
2019-07-07 10:07:59  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant  182  0.0.0.0    0.0.0.0 
2019-07-07 10:07:49  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Entrant  122  0.0.0.0    0.0.0.0 
2019-07-07 10:07:36  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Sortant  252  0.0.0.0    0.0.0.0 
2019-07-07 10:07:25  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Sortant  192  0.0.0.0    0.0.0.0 
2019-07-07 10:07:15  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  Sortant  132  0.0.0.0    0.0.0.0 
2019-07-07 10:06:55  랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  Demandé  100  202  0.0.0.0    0.0.0.0   

Not sure at all, but seems to be related to Firefox...

Offline helloworldz

  • Newbie
  • *
  • Posts: 14
CIS : Weird app names in blocked apps
« Reply #6 on: July 13, 2019, 04:37:40 PM »
So found this in my blocked apps

On a level from 1 to 10, how freaked out should I be? :).


Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25669
Re: CIS : Weird app names in blocked apps
« Reply #7 on: July 13, 2019, 06:51:03 PM »
They were blocked so I would not immediately worry.

Could you post a screenshot of the firewall logs? They will show in more detail what the blocking is about.

Offline helloworldz

  • Newbie
  • *
  • Posts: 14
Re: CIS : Weird app names in blocked apps
« Reply #8 on: July 14, 2019, 05:08:31 PM »
Sure, it's not adding much in terms of data....


Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25669
Re: CIS : Weird app names in blocked apps
« Reply #9 on: July 15, 2019, 11:06:27 AM »
It shows you are being asked. When you don't respond to the alert it will be blocked. So, you're safe thanks to the default deny principle.

Do you see programs in Programs and Features or with Autoruns that you do not remember installing?

Offline helloworldz

  • Newbie
  • *
  • Posts: 14
Re: CIS : Weird app names in blocked apps
« Reply #10 on: July 22, 2019, 02:59:10 PM »
Sorry .. been down with a nasty stomach flu...

Nope.
Well actually, I have tried out CAMEdit and XMLPad from sourceforge for some xml/xsd modelling I had to do .. but other than those no.

Do you know where Comodo keeps its lists? Local file? Registry? SQLite? I bet I can extract those filenames and give them a proper encoding, reverse the encoding somehow.

Ideas? I mean I could try and run procmon on Comodo to figure it out, but I also figure that it won't let me, right off the bat.

Offline helloworldz

  • Newbie
  • *
  • Posts: 14
Re: CIS : Weird app names in blocked apps
« Reply #11 on: July 22, 2019, 03:15:45 PM »
It's cislogs.sdb and yes, it's SQLite :) .. gonna have a dig

Offline helloworldz

  • Newbie
  • *
  • Posts: 14
Re: CIS : Weird app names in blocked apps
« Reply #12 on: July 22, 2019, 03:49:00 PM »
So ... for an example:

select strftime('%Y-%m-%d %H:%M:%S',LogDate) as dt, * from FwEvents order by dt desc

Right (the "dt" 'cause I don't read Julian dates real good)? And I get something like this:

2019-07-22 19:09:02   296265   2458687.29793981      2544456   0   0      273      1   8            3      -1

You see that after the LogDate in Julian? That's supposed to be "PATH" .. read as binary it comes up as 0000 02, but it's supposed to be "text" according to the DB layout.
Also, I presume that the Pid is the process id (that's the 2544456 number), while, no evidence of anything, I have no process id higher than 23000 running right now.. Source address is a mess too "02000000000000000000000000000000" (blob).

I am not comfy about what's going on here, I'd much rather I hit a snag in Comodo or something :).

Offline helloworldz

  • Newbie
  • *
  • Posts: 14
Re: CIS : Weird app names in blocked apps
« Reply #13 on: July 22, 2019, 04:27:07 PM »
This is the path of one of the Chinese-looking blocks (as hex):

e6b9afe695b4e791aee7819ce695b2e695a6e695b2e68daee78da5e6a8ae73

Now I've been decoding it from any known Chinese codepage in existence and come up short.
I have nothing for BOM on ~e6b9++
It's not HTML encoded or anything like that...
I am drawing short here.

Help?

Offline helloworldz

  • Newbie
  • *
  • Posts: 14
Re: CIS : Weird app names in blocked apps
« Reply #14 on: July 23, 2019, 07:53:57 AM »
Bugging me is that e6 b9 ... ae has a maximum span of 90 characters (if you imagine them to be ASCII encoded in some fashion); what obfuscates a little bit is that the trailing ".exe" in no way matches the pattern of the trailing byte stream.


echo anyone out there? :).
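
An added example (not code from any poster or from Comodo) that tests one explanation for the hex in Reply #13 and the ".exe" mismatch raised in Reply #14: an 8-bit Windows path read as UTF-16LE, two path bytes per character, and then stored as UTF-8. Decoding the UTF-8 and splitting each character back into its two little-endian bytes should then give plain ASCII; the inputs are the hex posted above and the first characters of the names in Metathesus's log excerpt.

```python
from typing import Optional
import string

# Constructed from the thread: the hex field posted in Reply #13 and the
# first few characters of the names in Metathesus's firewall log excerpt.
REPLY13_HEX = "e6b9afe695b4e791aee7819ce695b2e695a6e695b2e68daee78da5e6a8ae73"
METATHESUS_NAME = "랭ม㛔讙"

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def recover_ansi_path(hex_field: str) -> Optional[str]:
    """Undo an 'ANSI path read as UTF-16LE, then stored as UTF-8' garble.

    Returns the recovered ASCII text, or None when the bytes do not come out
    as printable text, i.e. when this explanation does not fit the entry.
    """
    try:
        text = bytes.fromhex(hex_field).decode("utf-8")  # the CJK-looking chars
    except ValueError:  # bad hex, or not valid UTF-8 (UnicodeDecodeError)
        return None
    # Each misread character is really two consecutive path bytes, low byte
    # first. A NUL terminator paired with the last byte of an odd-length
    # path becomes a trailing 0x00, which is dropped here.
    path_bytes = text.encode("utf-16-le").rstrip(b"\x00")
    try:
        candidate = path_bytes.decode("ascii")
    except UnicodeDecodeError:
        return None
    return candidate if all(c in PRINTABLE for c in candidate) else None


def garble_like_reply13(path: str) -> str:
    """Forward direction, for cross-checking: misread an ASCII path (plus its
    NUL terminator when the length is odd) as UTF-16LE and store it as UTF-8 hex."""
    data = path.encode("ascii")
    if len(data) % 2:
        data += b"\x00"
    return data.decode("utf-16-le").encode("utf-8").hex()


if __name__ == "__main__":
    print(recover_ansi_path(REPLY13_HEX))                     # ontent\preferences.js
    print(recover_ansi_path(METATHESUS_NAME.encode().hex()))  # None
```

For the posted hex the function returns `ontent\preferences.js`, a readable path fragment ending in `.js` rather than `.exe`, which would account for the mismatch noted in Reply #14. The names in Metathesus's excerpt do not pass this check, so that explanation does not cover them.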
