I don’t know if this is important, but I’ve just upgraded the firewall to version 5.0.163652.1142. After installing I opened the Firewall window and was that there were over 200 open connections. Over 100 of these were to location 18.104.22.168.
I’ve no idea why there should be so many open connections or what’s at this address, but I’m concerned at what it’s done. After about 5 minutes the connection count had dropped back to something more reasonable (about a dozen). Does anybody know what’s going on?
I’m a bit concerned because during the installation procedure the old firewall was taken down before the new one was enabled which means that for about 5 minutes I was on the net with out proper protection. Obviously not good Could something have attached my machine in that time?
22.214.171.124 = FortressITX
Extra connections probably cloud lookup. You could temporary disable cloud to check number of connections, don’t forget to reenable after if desired. Hope this helps and Kind regards.
Thanks for getting back to me. I appreciate it. At the risk of sounding naive:
- Who are FortressITX and what do they do?
- What is a “cloud look up”? In the thread you’ve linked to you say that you don’t recommend disabling the lookup, so obviously it does something important. I don’t recall the old version of the firewall reporting so many outbound connections, so am I right in assuming this is something new.
Yes cloud analysis is new in Version5. FortressITX is all to do with the cloud lookup facility. Hope this helps. Below is found in the help section of Defense + settings. Bottom left corner of defense+ setting GUI for help. Kind regards
Perform cloud based behavior analysis of unrecognized files – When checked, any file that is marked as unrecognized and is sent to the Comodo Instant Malware Analysis (CIMA) server for behavior analysis. Each file is executed in a virtual environment on Comodo servers and tested to determine whether it contains any malicious code. The results will be sent back to your computer in around 15 minutes. Comodo recommends users leave this setting enabled.
More details. The behavior analysis system is a cloud based service that is used to help determine whether an unknown file is safe or malicious. Once submitted to the system, the unknown executable will be automatically run in a virtual environment and all activities, host state changes and network activity will be recorded. The list of behaviors recorded during this analysis can include information about processes spawned, files and registry keys modified, network activity, and other changes. If these behaviors are found to be malicious then the signature of the executable is automatically added to the antivirus black list. If no malicious behavior is recorded then the file is placed into ‘Unrecognized Files’ (for execution within the sandbox) and will be submitted to our technicians for further checks. The behavior analysis system takes around 15 minutes to report its results back to CIS. If the executable is deemed a threat then it will be automatically quarantined or deleted. This threat report is also used to update the global black list databases and therefore benefit all CIS users.
Automatically scan unrecognized files in the cloud – Selecting this option will automatically submit unrecognized files to our File Lookup Server to check whether or not they are on the master Comodo white list or black-list (White list = files that are known to be safe. Black list = files that are known to be malware) and the files are rated accordingly. The important features of the cloud based scanning are:
Cloud based Whitelisting: Safe files and trusted vendors and trusted publishers can be easily identified;
Cloud based Antivirus: Malicious files can be detected even if the users do not have an up-to-date local antivirus database or a local antivirus database at all;
Cloud Based Behaviour Analysis: Zero-day malware can be instantly detected by Comodo’s cloud based behavior analysis system, CIMA.
The cloud scanning, complemented by automatic sandboxing and application isolation technologies, is very extremely fast and powerful in preventing PC infection even without a traditional antivirus signature database while keeping the user interaction at minimal levels.
Comodo recommends users leave this setting enabled.
Thanks so much for the explanation. It’s really put my mind to rest.
Glad to hear, and enjoy the new version. Kind regards