cmdagent connecting to unknown IP

I have just upgraded to the latest Comodo firewall (4.1.150349.920) and noticed that cmdagent.exe is showing connections to 208.116.56.20:4448 (and possibly 208.116.56.21:4447) sometimes. These IPs show up as belonging to Fortress ITX - not sure if that is right. Is this normal and expected or is this a problem (malware, virus)? The connections seem to disappear if I turn off the automatic submission of unrecognised programs in the sandbox settings - not sure if that is just coincidental.

Any ideas?

Thanks

Same here, on both machines that I upgraded CIS from v3 to v4. Even though I only installed the firewall, the sandbox was also activated and seems to be responsible for this attempt.

Comodo IP (the cloud part of 4.1 is what you are seeing)

208.116.56.20 - Geo Information
IP Address 208.116.56.20
Host 208.116.56.20
Location US US, United States
City Clifton, NJ 07014
Organization FortressITX
ISP FortressITX
AS Number AS48447 Comodo CA Ltd

208.116.56.21 - Geo Information
IP Address 208.116.56.21
Host 208.116.56.21
Location US US, United States
City Clifton, NJ 07014
Organization FortressITX
ISP FortressITX
AS Number AS48447 Comodo CA Ltd

Fortress ITX are housing the servers.

http://www.fortressitx.com/index.php?tpl=products

Thanks, but still… why would cmdagent need to contact an address if only the firewall is running and threatcast is disabled?

IMHO the only component that should be allowed out is the updater.

do you have sandbox enabled? If so it is the sandbox that is contacting.

Thank you :slight_smile:

So if the sandbox is enabled and you’re just sitting on your desktop with no active connections to the internet, and just playing in Windows you’re going to get these connections?

I was just digging around in My Documents doing something, when I thought to open the firewall and it said it had 105 connections, I was like WHAT!

THANKS

I was wondering the same thing when I first saw over 200 outbound connections to 208.116.56.20:4447 and 208.116.56.20:4448. I read on this thread that it was because the Comodo Sandbox was enabled so I disabled it and another 200+ outbound connections occurred again later on in the evening.

Since then I have learned that these internet addresses are the Comodo Servers and these connections are the Comodo Cloud Scanning which is optionally enabled in Defense+ Settings > Execution Control Settings…

Yesterday as a test I purposely left Cloud Scanning disabled to see if the flood of outgoing connections would cease, and they did, although I have enabled Comodo Cloud Scanning once again.

~Maxx~

As I said, only the firewall is enabled, Sandbox is not.

Do you have Comodo Cloud Scanning enabled under the Defense+ Execution Control Settings?

~Maxx~

Ok, what part of “Firewall only” enabled was unclear? :stuck_out_tongue:
Please also remember that this topic was about Firewall v4, you should probably open a new topic for related issues in v5.

(only) Comodo Firewall Version 5.0.163652.11472

Updated to this firewall version couple of days ago.

Nothing else has been enabled by me.

The following outgoing yesterday to: 208.116.56.21
and 208.116.56.21 was observed.

Never observed before updating to current firewall version.

From firewall records, appeared to record as originated by firewall.

firewall only has been enabled by me. This is observation only, not a complaint. A Comodo supporter.

Traffic on ports 4447 and 4448 is part of the cloud lookup. Comodo is using Fortress ITX for hosting the cloud services.
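An added example, not code from this thread or from Comodo: given a `netstat -ano` listing and a PID-to-image map (what `tasklist` or `netstat -b` would show), it separates cmdagent.exe connections to the cloud lookup endpoints named in this thread (208.116.56.20/.21 on 4447/4448) from any other outbound connection the agent makes, which is the check a reader of this thread would want before deciding whether the traffic is the expected cloud lookup. The listing and PID map are constructed; 198.51.100.7 and 203.0.113.5 are documentation-range placeholder addresses, and the "undocumented" label only means "not one of the endpoints named here", not that the connection is malicious.

```python
from collections import Counter, namedtuple

# Cloud lookup endpoints named in the thread (Comodo servers hosted at Fortress ITX).
KNOWN_CLOUD_ENDPOINTS = {
    ("208.116.56.20", 4447), ("208.116.56.20", 4448),
    ("208.116.56.21", 4447), ("208.116.56.21", 4448),
}
# Process the thread attributes the connections to.
AGENT_IMAGE = "cmdagent.exe"

# Constructed sample in the shape of Windows `netstat -ano` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49321     208.116.56.20:4448     ESTABLISHED     1234
  TCP    192.168.1.10:49322     208.116.56.21:4447     ESTABLISHED     1234
  TCP    192.168.1.10:49330     198.51.100.7:4448      ESTABLISHED     1234
  TCP    192.168.1.10:49340     203.0.113.5:443        ESTABLISHED     5678
  UDP    0.0.0.0:5353           *:*                                    2222
"""
# Constructed PID -> image name map (what `tasklist` would report for those PIDs).
PID_TO_IMAGE = {1234: "cmdagent.exe", 5678: "firefox.exe", 2222: "svchost.exe"}

Connection = namedtuple("Connection", "proto local remote_ip remote_port state pid image")


def parse_endpoint(text):
    """Split 'ip:port', '[v6]:port' or '*:*' into (host, port-or-None)."""
    host, _, port = text.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text, pid_to_image):
    """Turn netstat -ano lines into Connection records; skips header and blank lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        pid = int(parts[-1])
        state = parts[3] if len(parts) == 5 else ""  # UDP rows have no State column
        rip, rport = parse_endpoint(foreign)
        conns.append(Connection(proto, local, rip, rport, state, pid,
                                pid_to_image.get(pid, "?")))
    return conns


def classify(conn):
    """Label a connection relative to what the thread says about cmdagent.exe."""
    if conn.image.lower() != AGENT_IMAGE:
        return "other-process"
    if (conn.remote_ip, conn.remote_port) in KNOWN_CLOUD_ENDPOINTS:
        return "documented-cloud-lookup"
    return "agent-undocumented"


def summarize(text, pid_to_image):
    """Count connections per label."""
    return Counter(classify(c) for c in parse_netstat(text, pid_to_image))


def undocumented(text, pid_to_image):
    """Agent connections that are not one of the endpoints named in the thread."""
    return [c for c in parse_netstat(text, pid_to_image)
            if classify(c) == "agent-undocumented"]


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_NETSTAT, PID_TO_IMAGE)))
    for c in undocumented(SAMPLE_NETSTAT, PID_TO_IMAGE):
        print("check:", c.image, "->", f"{c.remote_ip}:{c.remote_port}", c.state)
```

On a live machine, feed the function the real `netstat -ano` output and a map built from `tasklist`; the point of keeping the endpoint set explicit is that a reader can see which addresses the agent is documented to reach and which ones still need an explanation.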

That has been stated before, but it’s not the point. The point is, a firewall product has absolutely no business making any kind of connection on its own. Marketing the product as a stand-alone firewall as it’s being done on many websites like betanews or even the Comodo homepage is purposely misleading the user, when in fact the product ALWAYS tries to connect to a cloud server for whatever reason.

Comodo is not doing itself a favor since the internet community can react very harshly to that kind of thing. ALL connections, including updates and this cloud stuff must be user-controllable if the product wants to succeed. Btw, I’ve disabled the update server in my v4 and it still keeps reminding me of new available updates.