cmdagent.exe outgoing attempts on port 80 to limelight, level3 comm, MS

habanero · October 31, 2008, 8:50pm

I have noticed cmdagent.exe attempting to communicate with limelight networks, level 3 communications, and microsoft on port 80. This happens several times a day. Has anyone else noticed this? Why would Comodo be attempting this communication? I have only the firewall installed (latest version 3.5.54375.427), but have noticed this from back in the beta/RC days.

Ideas anyone?

Habanero

thor222 · November 2, 2008, 8:30pm

I’ve noticed this too, and I think it’s related to certificate checks. I notice this when running some digitally signed executables.

You’ll notice that Windows Explorer will also make some internet connections to certify the certificate (i.e., make sure that the certificate used to sign the executable has not been revoked).

As an example, I noticed that cmdagent connected to a site that resolved to a Verisign site.

Maybe it’s an additional security feature, but new for me since upgrading from CFP 3.0.

Hopefully someone can confirm this.

Citizen_K · November 3, 2008, 12:20am

That would be my guess as well. I am also interested to know if that is a correct assumption.

rhgtyink · November 3, 2008, 8:45pm

There was a bug in the subscription checking for the “Pro” version, should be fixed in the latest release, 3.5.54375.427
See also the release notes for this version.

habanero · November 4, 2008, 1:18am

I am aware of the bug, but this is something different. I am running the latest version .427.

Habanero

rhgtyink · November 4, 2008, 7:51am

I suppose you have changed settings to notice this ?
Can you post a screenshot of the logged rules ?

habanero · November 5, 2008, 2:06am

Here are a few examples. I set the comodo group to block and log all.

Habanero

[attachment deleted by admin]

rhgtyink · November 5, 2008, 9:12am

Did you by any chance add entries to the Defense+ My Trusted Software Vendors ?

habanero · November 5, 2008, 1:06pm

I have not added any. There are 2 for Comodo and Microsoft is also there. I thought the trusted vendors list was only for Defense+?

Habanero

rhgtyink · November 5, 2008, 7:44pm

You could try to run nirsoft’s smartsniff and capture the data that is flowing to those servers.

See here for more info on the tool:

That should give us a good idea of what it’s looking for, if your having trouble using the tool feel free to PM me.

habanero · November 6, 2008, 2:26am

I will try the packet sniffer this weekend and see what I can figure out. Thanks for your help.

Habanero

habanero · November 14, 2008, 3:42am

Looks like code signing and certificate stuff. I don’t remember older versions of CFP having this traffic.

Habanero

[attachment deleted by admin]

dchernyakov · November 21, 2008, 9:01am

That’s by design. CIS verifying certificates in this way.

erty · January 7, 2009, 8:46pm

Hi,

with version 3.5.57173.439 i got the same cmdagent.exe events when i start speedcommander.
Defense+ is disabled.

Does CIS verifying certificates with disabled defense+ ?

[attachment deleted by admin]