cmdagent trying to communicate out every 5 minutes. Plus, Telemetry feedback.

Greetings, there was a recent post insinuating that Comodo reports users’ every move. While a bit dramatic and ultimately presumptuous, the post, nonetheless, piqued my interest and had me trying to replicate. For me, Comodo blocks everything, including itself. But, I did notice something which prompted me to post.

I want to start by saying I’m a grateful long-time Comodo user, since 2.x days. I’m currently using CIS 11.0.0.6728 on a Win 8.1 x64 system. I employ a custom CIS ruleset and have all Comodo features which would need to phone home either blocked or disabled. This includes malware definitions, program updates, scheduled tasks, cloud features, messages, DNS settings, and usage statistics.

In an advanced task manager program called Process Hacker I noticed cmdagent is repeatedly trying to remotely contact comodo ([at] CESM-SBS-2011.brad.dc.comodo.net). Now as I stated it fails because of the rules. What’s alarming is that it’s doing this every 5 minutes. I took screenshots of this behavior for quite a while as I double-checked and turned on/off several features. It seemingly does this for as long as the computer is on. I’m not sure what to make of this behavior, so my question is as follows. What is cmdagent trying to do that I haven’t otherwise specified? And depending on the answer a follow-up question would be, “Is this behavior a bit excessive?”

Note: As I changed settings I rebooted the computer in case there was something that needed to take effect. Also, as you can see, I last properly updated Comodo 15 days ago.

As for the second part to this post, I wish to leave feedback on the Telemetry task that exists in the Task Scheduler. CIS 10.0.2.6396 first introduced this new task and I’ve always been confused as to its purpose. I believe I read that it’s tied to the usage statistics checkbox. But herein lies my confusion, the usage statistic checkbox has existed looong before that Task ever did. Am I misinformed as to its purpose?

What prompted me to ask is that in CIS 11 there now exists an hourly check in which Comodo will always restore and re-enable this scheduled task. Prior to 11, Comodo would only restore it after a system restart. An hourly check is a decidedly more aggressive approach. Also, around the time this task surfaced there was a poll about adding an option which would enable users to permanently disable it. Is this something I can look forward to? Thank you.

Can you check if you disabled Send anonymous program usage statistics to COMODO?

Also see attached image.

Yes, I had it disabled. I actually show this in next image in that series.

Boy, this thread is as exciting as a tumbleweed blowing in the wind.

I wanted to post that this behavior is still occurring and can be logged by Comodo itself, as seen in the image. I highlighted the interesting bits in red boxes. Those 3500+ intrusion logs are cmdagent trying to communicate out like clockwork. The computer is still running the same configuration, everything disabled except for the firewall. I also have all options for Comodo needing to phone home disabled as well.

I never noticed this behavior before in the Comodo logs because I use a heavily customized CIS configuration. I always port this over when updating to a new version. In the firewall ruleset for cmdagent I do NOT check the log option for the block-all in/out rule. I dislike spamming the Network Intrusions counter (and subsequent log file), especially when the program is one I trust. I do this for several other trusted programs as well.

When I want to update Comodo I use the Firewall Settings widget shortcut. Go to the cmdagent ruleset and drag the block-all rule to the bottom of the list, save, and then update. I then drag that rule back to the top upon completion.

Also, I have another computer exhibiting this same behavior from cmdagent. It is running on Comodo 10.0.1.6294.

Solved the issue with the reoccurring Comodo connections. As I stated above I use a highly configured CIS/firewall configuration and always port it over. What I kept seeing was the initial connection for Comodo licensing. Once you allow it the problem clears right up. If it is blocked it’ll keep trying every 5 minutes. I had specific rules for updating and everything else but somehow missed this.

Now that you mention licensing, it popped back into my head that this has been noticed before, a couple or several years ago.
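
The retry pattern described in this thread (blocked cmdagent connections recurring every 5 minutes) can be picked out of firewall logs by checking how regular the gaps between blocked events are. This is an added example, not from the thread or from Comodo: the CSV layout, the sample lines, the addresses and the `browser.exe` entry are constructed for illustration and are not CIS's actual log export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def make_sample_log():
    """Constructed sample: blocked-connection events in a hypothetical CSV layout."""
    start = datetime(2019, 1, 1, 8, 0, 0)
    lines = []
    # cmdagent.exe retrying roughly every 5 minutes, with a few seconds of jitter
    for i, jitter in enumerate([0, 2, -1, 3, 0, 1, -2, 2]):
        ts = start + timedelta(minutes=5 * i, seconds=jitter)
        lines.append(f"{ts.isoformat()},cmdagent.exe,Blocked,Out,203.0.113.10:443")
    # Irregular blocked traffic from another (made-up) program, for contrast
    for off in [1, 4, 19, 20, 47, 90]:
        ts = start + timedelta(minutes=off)
        lines.append(f"{ts.isoformat()},browser.exe,Blocked,Out,198.51.100.7:80")
    return lines

def find_periodic(lines, min_events=5, max_jitter=0.1):
    """Return {(app, dest): median_gap_seconds} for near-constant retry intervals."""
    events = defaultdict(list)
    for line in lines:
        ts, app, action, direction, dest = line.strip().split(",")
        if action == "Blocked" and direction == "Out":
            events[(app, dest)].append(datetime.fromisoformat(ts))
    periodic = {}
    for key, stamps in events.items():
        if len(stamps) < min_events:
            continue  # too few events to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Median absolute deviation relative to the median gap:
        # a small ratio means the retries are clock-like.
        mad = median(abs(g - mid) for g in gaps)
        if mid > 0 and mad / mid <= max_jitter:
            periodic[key] = mid
    return periodic

if __name__ == "__main__":
    for (app, dest), period in find_periodic(make_sample_log()).items():
        print(f"{app} -> {dest}: blocked every ~{period:.0f}s")
```

A fixed-interval hit like this on a trusted program usually points to a blocked required connection being retried, which is what the licensing check turned out to be here.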