cmdagent.exe - is it necessary? Wants to connect to all sorts of IP's.

insession · June 5, 2021, 3:43pm

Running CIS Premium 12.2.2.7098 on Win 8.1. Cmdagent.exe wants to connect to all sorts of domains that don’t make a lot of sense once looking them up.

Is cmdagent.exe necessary?
Which connections/ports does it have to have allowed?

Thanks,

Peter

kyl · June 5, 2021, 8:02pm

maybe it’s sort of web protection/scanning process
:P0l

aim4it · June 5, 2021, 8:18pm

Yes cmdagent.exe is necessary, its the component that does most of the protection i.e. HIPS, firewall, etc. cis.exe, cistray.exe, are GUI components, and cavwp.exe is the anti virus component.

Its uses:

TCP OUT 80, 443
UDP OUT 4447 File Lookup Service
TCP OUT 4448 File Lookup Service Fallback

If you use CIS to upload files to Comodo for analysis it will use a really random port kinda like ftp. I haven’t been able to figure out the whole range for that service yet, nor I have seen it in the documentation or forums posts.

insession · June 5, 2021, 9:44pm

Thanks aim4it - does that mean, for all practical purposes, that it should be allowed unfettered access to go out, at least the ports you mentioned?

domo78 · June 6, 2021, 6:06am

It is possible to complete the post of aim4it by :

UDP OUT 4447 199.066.201.016
TCP OUT 4448 199.066.201.016

aim4it · June 6, 2021, 8:26pm

If you make use of the trusted file list & signatures, cloud lookup, then you should allow at least those rules or just use the default of allow outgoing. If your a HIPS only kinda person then you may only need the standard web ports 80,443 for program updates.

CIS is very flexible, it’s however you want to use it, but then it’s your responsibility to know what your doing.

CISfan · June 6, 2021, 9:49pm

A side effect that may happen when blocking cmdagent.exe from having proper internet access, see this thread here: cmdagent.exe is delaying apps from loading

insession · June 8, 2021, 3:55pm

Thank you all for chiming in. Thanks for the link to the drawbacks of disabling cmdagent.exe

Yes, CIS is very flexible at the risk of having to know what one is doing - I’ve learned that the hard way, but now appreciate it!

I’ve actually got HIPS disabled. I also have cloud lookup disabled - wondering if that is a poor idea, given that you (aim4it) talked about cloud look up OR HIPS…

I should confess that one thing that had made me uneasy (prior to talking to you all about it) about cmdagent.exe is that I couldn’t make sense of all the IP’s it was trying to connect to - couldn’t find rhyme or reason among them after looking some of them up…

Many thanks.

Peter