cmdagent.exe trying to make connections to Comodo... WHY?

I’m looking into “firewall events” and I see a lot of entries where “cmdagent.exe” tried to open connections to various IPs like 199.66.201.xx or 91.199.212.xx.

I understand those IPs belong to Comodo and cmdagent.exe is a part of Comodo Firewall/CIS. But as I turned automatic updates off, I do not see any reason for this traffic. So I’d like to know, why is this puppy trying to call home? How can I trust this software if it does something on its own, without my permission? I do not like the idea of software spying on my computer, and sending whatever information to whoever, whenever it wants…

Welcome to the “cloud!”

Not sure what you mean, but I do not use Comodo Cloud Scanner…

What DonZ is referring to are the settings in the Defence+ Settings/Execution Control Settings tab (see image). These ‘cloud’ lookups continue to function even if D+ is disabled, assuming they’re checked, which is the default.

[attachment deleted by admin]

I unchecked everything on Defense+ Settings, except for “Deactivate the Defense+ permanently”, which is activated. Nothing else is activated on “General Settings”, “Execution Control Settings”, “Sandbox Settings”, and “Monitoring Settings”. And in “More → Preferences → Update” I also deactivated update-host…

Yet when I block everything on the firewall, “Firewall → View Firewall Events” still shows a lot of entries like:

“C:\ProgramFiles\COMODO\COMODOinternetsecurity\cmdagent.exe Blocked TCP MyIP SPort Destination 80”, where Destination is either 91.199.212.132, or 199.66.201.28.

This is very, very bad behaviour, if security software opens connections (or tries to open connections) without the user’s knowledge, without his permission, and the user has no way to prevent this. Honestly, I would never have believed you could expect it from Comodo, had I not seen it with my own eyes. Comodo Group, is this what you call “security software”? Should one trust software which he cannot control?

It still could be checking Comodo to verify digital signatures by Comodo CA.

I did this: for ~10 min I opened the connection for that cmdagent.exe and then I closed it again. Immediately after closing, my log started filling up with the same entries again. I counted a few hundred of them per hour. I do not believe it is just for checking digital signatures. Why should any software check its signature every minute? And even if it were so, why can one not find any info about it in the help/manual?

When it says “blocked” it’s blocking it.

IPs can be spoofed… but can you verify how often it’s checking?

Please post netstat images as well… run the command prompt as admin (if you’re running Win7) and type netstat -n a few times.

This will list all IPs initiated by software on the PC, or incoming connections. Strangely, CIS does not list all connections. Edit out your IP addy.

Also post firewall and D+ logs, particularly ones that contain this event.

Port 80 isn’t abnormal and these IPs are OK, but we don’t know what computers are in the route to them or if the software has been corrupted or not. Do you notice anything else unusual? Have you uninstalled and reinstalled… and noticed the same frequency of requests?

Did you download any other software recently, that you normally wouldn’t use? Or didn’t choose to?

cmdagent requesting access or communicating with Comodo is not unusual, but it should stay connected or in listen/wait status… it shouldn’t need to reconnect so often, but I’m unsure about how Comodo configures this… unless you’re on wifi, or are receiving dedicated/dynamic denial of service… check your router logs.

The cloud is actually a good thing, and offers greater protection than CIS without it. But maybe Comodo should be using secure protocols… they have their own drivers, but it uses the same ports as everything else… my PC also seems to be using port 443 with this program as well…
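One way to answer the “how often is it checking?” question above from the log itself, as an added example that is not from this thread or from Comodo: it parses firewall-event lines in the column order quoted earlier (path, action, protocol, source IP, source port, destination, destination port), assuming a leading timestamp column, and counts attempts per destination and the typical gap between them. The sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not a real export) in the column order quoted in
# this thread; the leading "YYYY-MM-DD HH:MM:SS" timestamp is an assumption.
SAMPLE_EVENTS = r"""
2012-03-01 10:00:05 C:\ProgramFiles\COMODO\COMODOinternetsecurity\cmdagent.exe Blocked TCP 192.168.1.10 49152 91.199.212.132 80
2012-03-01 10:00:35 C:\ProgramFiles\COMODO\COMODOinternetsecurity\cmdagent.exe Blocked TCP 192.168.1.10 49153 199.66.201.28 80
2012-03-01 10:01:05 C:\ProgramFiles\COMODO\COMODOinternetsecurity\cmdagent.exe Blocked TCP 192.168.1.10 49154 91.199.212.132 80
2012-03-01 10:01:20 C:\ProgramFiles\Mozilla Firefox\firefox.exe Allowed TCP 192.168.1.10 49155 203.0.113.7 443
2012-03-01 10:01:35 C:\ProgramFiles\COMODO\COMODOinternetsecurity\cmdagent.exe Blocked TCP 192.168.1.10 49156 199.66.201.28 80
2012-03-01 10:02:05 C:\ProgramFiles\COMODO\COMODOinternetsecurity\cmdagent.exe Blocked TCP 192.168.1.10 49157 91.199.212.132 80
2012-03-01 10:02:35 C:\ProgramFiles\COMODO\COMODOinternetsecurity\cmdagent.exe Blocked TCP 192.168.1.10 49158 199.66.201.28 80
"""

# The executable path may contain spaces, so match lazily up to ".exe".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<app>.+?\.exe) "
    r"(?P<action>\w+) (?P<proto>TCP|UDP) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+)$"
)

def parse_events(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events

def connection_stats(events, exe="cmdagent.exe"):
    """Attempts per destination IP:port for `exe`, plus the median gap in
    seconds between its consecutive attempts (None if fewer than two)."""
    mine = sorted((e for e in events if e["app"].lower().endswith(exe)),
                  key=lambda e: e["ts"])
    per_dst = defaultdict(int)
    for e in mine:
        per_dst[e["dst"] + ":" + e["dport"]] += 1
    gaps = sorted((b["ts"] - a["ts"]).total_seconds()
                  for a, b in zip(mine, mine[1:]))
    median_gap = gaps[len(gaps) // 2] if gaps else None  # upper median
    return dict(per_dst), median_gap

def attempts_per_hour(median_gap):
    """Projected hourly rate if the observed median gap holds."""
    return None if not median_gap else 3600.0 / median_gap
```

Feed it an exported event list instead of SAMPLE_EVENTS; a steady gap of seconds rather than minutes is the "few hundred per hour" pattern described earlier in the thread, and a per-destination count that is roughly even across the Comodo addresses points to the same component retrying rather than several different ones.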

Well, this is definitely not normal! Comodo fills my logs with such speed that they get rotated a few times per day. Thousands of messages caused by Comodo itself trying to connect to some sites, which I never allowed! How can I trust software which keeps trying to deceive me?

I’m definitely moving away from this highly suspicious software. It used to be a good firewall once, but is not anymore. Software which takes the power of making decisions away from the user (because a coder thinks he knows what is best for the customer) is not good software. Shame, Comodo slipped into this…

I was watching my Comodo connects in TCPView and all I saw was two connections; one to catchfly and one to Comodo. I only saw it send/receive once in 5 minutes and it was a small amount of traffic.

The only thing that was strange was the connections were in a closed/wait state when the transmissions appeared but that may be due to the way TCPView reacts to burst traffic.

In any case, I certainly didn’t see anything suspicious going on. You have to trust someone, and if you can’t trust your firewall manufacturer, then you can’t trust anyone.