cmdagent connecting to unknown IP

I have just upgraded to the latest Comodo firewall (4.1.150349.920) and noticed that cmdagent.exe is showing connections to (and possibly sometimes. These IPs show up as belonging to Fortress ITX - not sure if that is right. Is this normal and expected or is this a problem (malware, virus)? The connections seem to disappear, if I turn of the automatic submission of unrecognised programs in the sandbox settings - not sure if that is just coincidental.

Any ideas?


Same here, on both machines that I upgraded CIS from v3 to v4. Even though I only installed the firewall, the sandbox was also activated and seems to be responsible for this attempt.

comoodo IP, ( cloud part of 4.1 is what you are seeing) - Geo Information
IP Address
Location US US, United States
City Clifton, NJ 07014
Organization FortressITX
ISP FortressITX
AS Number AS48447 Comodo CA Ltd - Geo Information
IP Address
Location US US, United States
City Clifton, NJ 07014
Organization FortressITX
ISP FortressITX
AS Number AS48447 Comodo CA Ltd

Fortress ITX are housing the servers.

Thanks, but still… why would cmdagent need to contact an address if only the firewall is running and threatcast is disabled?

IMHO the only component that should be allowed out is the updater.

do you have sandbox enabled? If so it is the sandbox that is contacting.

Thank you :slight_smile:

So if the sandbox is enabled and you’re just sitting on your desktop with no active connections to the internet, and just playing in Windows you’re going to get these connections?

I was just digging around in My Documents doing something, when I thought to open the firewall and it said it had 105 connections, I was like WHAT!


I was wondering the same thing when I first saw over 200 outbound connections to and I read on this thread that it was because the Comodo Sandbox was enabled so I disabled it and another 200+ outbound connections occurred again later on in the evening.

Since then I have learned that these internet addresses are the Comodo Servers and these connections are the Comodo Cloud Scanning which is optionally enabled in Defense+ Settings> Execution Control Settings…

Yesterday as a test I purposely left Cloud Scanning disabled to see if the flood of outgoing connections would cease, and they did although I have enabled Comodo Cloud Scanning once again.


As I said, only the firewall is enabled, Sandbox is not.

Do you have Comodo Cloud Scanning enabled under the Defense+ Execution Control Settings?


Ok, what part of “Firewall only” enabled was unclear? :stuck_out_tongue:
Please also remember that this topic was about Firewall v4, you should probably open a new topic for related issues in v5.

(only) Comodo Firewall Version 5.0.163652.11472

Updated to this firewall version couple of days ago.

Nothing else has been enabled by me.

The following out going yesterday to:
and was observed.

Never observed before updating to current firewall version.

From firewall records,appeared to record as originated by firewall.

firewall only has been enabled by me. This is observation only, not a complaint. A Comodo supporter.

Traffic on ports 4447 and 4448 is port of the cloud look up. Comodo is using Fortress ITX for hosting the cloud services.

That has been stated before, but it’s not the point. The point is, a firewall product has absolutely no business of making any kind of connection on its own. Marketing the product as a stand-alone firewall as it’s being done on many websites like betanews or even the Comodo homepage is purposely misleading the user, when in fact the product ALWAYS try to connect to a cloud server for whatever reason.

Comodo is not doing itself a favor since the internet community can react very harshly to that kind of thing. ALL connections, including updates and this cloud stuff must be user-controllable if the product wants to succeed. Btw, I’ve disabled the update server in my v4 and it still keeps reminding me of new available updates.