cmdagent.exe outgoing attempts on port 80 to limelight, level3 comm, MS

I have noticed cmdagent.exe attempting to communicate with Limelight Networks, Level 3 Communications, and Microsoft on port 80. This happens several times a day. Has anyone else noticed this? Why would Comodo be attempting this communication? I have only the firewall installed (latest version 3.5.54375.427), but have noticed this from back in the beta/RC days.

Ideas anyone?

Habanero

I’ve noticed this too, and I think it’s related to certificate checks. I notice this when running some digitally signed executables.

You’ll notice that Windows Explorer will also make some internet connections to certify the certificate (i.e., make sure that the certificate used to sign the executable has not been revoked).

As an example, I noticed that cmdagent connected to a site that resolved to a Verisign site.

Maybe it’s an additional security feature, but new for me since upgrading from CFP 3.0.

Hopefully someone can confirm this.

That would be my guess as well. I am also interested to know if that is a correct assumption.

There was a bug in the subscription checking for the “Pro” version; it should be fixed in the latest release, 3.5.54375.427.
See also the release notes for this version.

I am aware of the bug, but this is something different. I am running the latest version .427.

Habanero

I suppose you have changed settings to notice this?
Can you post a screenshot of the logged rules?

Here are a few examples. I set the Comodo group to block and log all.

Habanero

[attachment deleted by admin]

Did you by any chance add entries to the Defense+ My Trusted Software Vendors?

I have not added any. There are 2 for Comodo and Microsoft is also there. I thought the trusted vendors list was only for Defense+?

Habanero

You could try to run NirSoft’s SmartSniff and capture the data that is flowing to those servers.

See here for more info on the tool:

That should give us a good idea of what it’s looking for. If you’re having trouble using the tool, feel free to PM me.

I will try the packet sniffer this weekend and see what I can figure out. Thanks for your help.

Habanero

Looks like code signing and certificate stuff. I don’t remember older versions of CFP having this traffic.

Habanero

[attachment deleted by admin]

That’s by design. CIS verifies certificates in this way.

Hi,

With version 3.5.57173.439 I got the same cmdagent.exe events when I start SpeedCommander.
Defense+ is disabled.

Does CIS verify certificates with disabled Defense+?

[attachment deleted by admin]
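
For readers who want to check the certificate-verification explanation given in this thread against their own firewall log, here is an added example (not part of any post above and not Comodo's code). It lists the HTTP URLs embedded in a signed file's certificate chain, which are the CRL, OCSP and issuer-certificate locations a verifier may contact on port 80. The function name `Get-SignatureCheckUrl` and the default file path are assumptions for illustration.

```powershell
# Added example: list the URLs a revocation/chain check for a signed file may fetch.
# Get-SignatureCheckUrl is a hypothetical helper name; the default path is only a sample.
function Get-SignatureCheckUrl {
    param([string]$Path = "$env:SystemRoot\explorer.exe")

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        Write-Warning "No Authenticode signature found on $Path"
        return
    }

    # Build the chain locally without revocation checking, so that running
    # this script does not itself generate the traffic being investigated.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($sig.SignerCertificate)

    $rows = foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        foreach ($ext in $cert.Extensions) {
            # 2.5.29.31         = CRL Distribution Points
            # 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP, CA issuers)
            if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
                $text = $ext.Format($true)
                foreach ($m in [regex]::Matches($text, 'https?://[^\s,)]+')) {
                    [pscustomobject]@{
                        Subject   = $cert.Subject
                        Extension = $ext.Oid.Value
                        Url       = $m.Value
                        HostName  = ([uri]$m.Value).Host
                    }
                }
            }
        }
    }
    # The formatted extension text can repeat a URL; report each one once.
    $rows | Sort-Object Url -Unique
}

Get-SignatureCheckUrl | Format-Table -AutoSize
```

Compare the `HostName` column with the DNS names behind the logged connections rather than with the owner of the destination IP address, because CRL and OCSP hosts are commonly served from CDN address space.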