CFW appears to be using other processes to connect to Comodo server

As the title says; I'm curious what is going on.

Details:

Yesterday I installed V7 (7.0.55655.4142), Firewall only, all D+/HIPS-related stuff disabled.

As soon as I started Thunderbird, thunderbird.exe requested to connect to 178.255.83.1.

Rule for Thunderbird at that time: EmailClient.

Since that request popped up every time I ran Thunderbird, I added a block for 178.255.83.1 to Thunderbird's rule.

Then I started Firefox. After a few seconds firefox.exe requested to connect to 178.255.83.1.

Rule for Firefox: WebBrowser.

By then I knew that the connection requests wouldn't go away, so I added a block for 178.255.83.1 to Global.

A direct result of this, besides of course the concern over the process hijacking itself, is that my mail server queries are now taking several times more time than before since Thunderbird will be kept from establishing a connection to the mail server until the connection attempt to 178.255.83.1 has been ‘processed’. (Which causes a lag of several seconds, since CFW apparently keeps running against its own block.)

Any idea what is going on here?

I've been using Comodo since version 2.4 and never had anything like that happen until the update to V7.

I love writing rules :)

my mail server queries are now taking several times more time than before since Thunderbird will be kept from establishing a connection to the mail server until the connection attempt to 178.255.83.1 has been 'processed'. (Which causes a lag of several seconds, since CFW apparently keeps running against its own block.)
Of course it'll take more time. Thunderbird will keep trying to establish a connection and it will fail until it gets to 178.255.83.1. <---- it will try a bunch of different numbers until it gets to that, and that takes time. It's not the complete reason, it's just an overly simple way to explain it. I did leave a few things out, like TCP and UDP as well as others, as this post can get really big.

Let's change the rules around a little bit (this info was for an older Comodo firewall; since the "user interface has changed" it might be slightly different). In either case firewall rules should be easy to create if you're used to writing rules :)

The instructions WILL be slightly off.

Right-click on the Comodo icon in the system tray and select Open. Click on Security, and then Application Monitor. That should display a list of applications and their rules. If there is an existing rule for Thunderbird, select it. Press Edit (or right-click on the rule and select Edit from the context menu). Press the application browse button and browse to your Thunderbird.exe file. Select "Specify a parent". Press the parent browse button and browse to Explorer.exe (Windows Explorer) in your Windows directory. The General tab should have Allow, "TCP or UDP", and IN/OUT. If it doesn't, change the settings. Press OK.

Otherwise press Add. Press the application browse button and browse to your Thunderbird.exe file. Select "Specify a parent". Press the parent browse button and browse to Explorer.exe (Windows Explorer) in your Windows directory. The General tab will default to Allow, "TCP or UDP", and IN. Change the direction from IN to IN/OUT. Press OK.

The list of rules should have a line with Thunderbird.exe, [any], [any], TCP/UDP In/Out and a green check mark next to Allow.

Comodo Firewall Pro, by default, keeps track of each parent (host process) for a given application [6]. For example, Comodo doesn't have just one rule for Thunderbird; it creates rules that also specify what application launched Thunderbird. This can include one for Windows Explorer, Firefox, and even Thunderbird launching itself when it upgrades. If you don't need this fine-grained control, rather than pressing the parent browse button, select "skip parent check" to make it use one rule (and avoid specifying who can launch it). If it already has multiple rules, selecting "skip parent check" in any of those rules should automatically delete the other Thunderbird rules.

Hope this helps.

Actually it's exactly the other way around. The very first thing that Thunderbird is now doing after startup is trying to reach 178.255.83.1, which is one of Comodo's servers. And while CFW is handling that request, Thunderbird cannot connect to my mail server because CFW blocks all other requests during that time. In fact, without the block rule set, when the request pops up and I don't manually Block or Allow 178.255.83.1, the popup can literally sit there for minutes and nothing will happen because Thunderbird cannot talk to the mail server. Only when the 178.255.83.1 request is processed, either by my allowing or blocking it, is Thunderbird able to establish a connection with the mail server.

Thanks, I appreciate your trying to assist, but my rules and settings are in perfect order. In fact it's the exact same rules and settings I used up until yesterday (which was on 6.2.23257.2860), and I have rechecked every last item in the settings menu multiple times just to be totally sure. The stuff that 6.2.23257.2860 didn't yet have (some HIPS additions, Website Filtering, etc.) is disabled because I only use the FW part.

No, the real question is, why would the processes of Thunderbird and Firefox suddenly request to connect to a Comodo server? Obviously they themselves have no reason to do that (and like I said, they never tried to before in all those years), so the only explanation that I can think of is that some Comodo component is trying to use their processes to communicate with 178.255.83.1, since the rest, including system and svchost, is either shut tight or highly restricted. (I.e. no getting through there.)

But if so, then the question is why.

Why is it doing this, and most importantly, what can I do to stop it from continuing to do so?

These are the questions I hoped to find an answer for, because quite honestly I am a bit concerned right now.

That IP resolves to ocsp.comodoca.com. Looks to be a certificate lookup/update. What mail service do you use, and are they using encryption?

Well, it's the mail service of my ISP. Whether or not I use an encrypted connection is up to me. At any rate, it indeed seems to be connected to this, because when I set the encryption option in Thunderbird from STARTTLS to None, Thunderbird no longer wants to connect to 178.255.83.1 and goes straight to the mail server.

It would appear that when I changed from an unencrypted to an encrypted connection a couple of weeks ago, I granted Thunderbird permanent access to 178.255.83.1, and so I never saw any difference in behavior. Then when I updated to V7 I imported a config from before the change (i.e. one that contained everything except the allow rule for 178.255.83.1), which is why I suddenly started to see the alerts and why even 6.2 and 5.8 would show them now. With Firefox I never saw them until the update because it was always set to WebBrowser (which means the request was always granted automatically), except when I temporarily removed the rule to see whether it would try to connect to 178.255.83.1 as well.

This explains the situation on my end. Unfortunately it still leaves open the question why TB and FF would want to initiate any connections to 178.255.83.1 in the first place, and whether it is really them that do it or if some component of Comodo is responsible for it. Since I have no way of determining this through the alert message, I would be most grateful for any details that could shed some light on this.

Is the certificate issued by Comodo?

From my understanding, it is related to certificate status (whether it was revoked or not). More information here.
Additionally, check here.
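The replies above identify 178.255.83.1 as ocsp.comodoca.com, the OCSP responder a TLS client consults to learn whether the mail server's certificate has been revoked; the client finds that responder's address inside the server certificate itself. The following Python is an added example, not code from this thread or from Comodo: it extracts the OCSP responder URI from a certificate's Authority Information Access (AIA) extension with the standard library only, and offers a check that a firewall-alerted destination IP actually belongs to that responder host. The AIA bytes, the responder URI and the CA-issuers URL are constructed sample values.

```python
# Added example (not from this thread or from Comodo): read the OCSP responder
# out of a certificate's AIA extension. The AIA bytes are CONSTRUCTED here.
import socket
from urllib.parse import urlparse

ID_AD_OCSP = bytes.fromhex("2b06010505073001")       # OID 1.3.6.1.5.5.7.48.1
ID_AD_CAISSUERS = bytes.fromhex("2b06010505073002")  # OID 1.3.6.1.5.5.7.48.2

def der_tlv(data, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def ocsp_uris_from_aia(aia_der):
    """OCSP URIs from a DER AuthorityInfoAccessSyntax; CA-issuers entries are skipped."""
    uris, pos = [], 0
    _, seq, _ = der_tlv(aia_der, 0)                  # SEQUENCE OF AccessDescription
    while pos < len(seq):
        _, desc, pos = der_tlv(seq, pos)             # AccessDescription SEQUENCE
        _, method, p = der_tlv(desc, 0)              # accessMethod OID
        tag, loc, _ = der_tlv(desc, p)               # accessLocation GeneralName
        if method == ID_AD_OCSP and tag == 0x86:     # [6] uniformResourceIdentifier
            uris.append(loc.decode("ascii"))
    return uris

def build_aia(entries):  # constructed helper: DER-encode [(method_oid, uri), ...], short lengths
    descs = b""
    for oid, uri in entries:
        body = b"\x06" + bytes([len(oid)]) + oid + b"\x86" + bytes([len(uri)]) + uri.encode()
        descs += b"\x30" + bytes([len(body)]) + body
    return b"\x30" + bytes([len(descs)]) + descs

def responder_hosts(aia_der):
    return [urlparse(u).hostname for u in ocsp_uris_from_aia(aia_der)]

def destination_is_responder(ip, aia_der):
    """True if a firewall-alerted destination IP is an address of a responder host."""
    for host in responder_hosts(aia_der):
        try:
            if ip in {info[4][0] for info in socket.getaddrinfo(host, 80)}:
                return True
        except socket.gaierror:                      # offline or unresolvable: cannot confirm
            pass
    return False

SAMPLE_AIA = build_aia([(ID_AD_OCSP, "http://ocsp.comodoca.com"),          # constructed sample
                        (ID_AD_CAISSUERS, "http://ca.example/issuer.crt")])  # must be ignored
```

With a real server certificate, the same parser runs over the value of the AIA extension (OID 1.3.6.1.5.5.7.1.1); if the alerted IP is not an address of any responder host, the connection deserves the scrutiny the original poster gave it.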