Comodo Reporting User's Every Move?

Hi all,

A few days ago, as an experiment, I decided to block Comodo itself from accessing the internet except for updates. For this purpose, I removed all the pre-defined Firewall rules for Comodo’s modules, performed a manual update, and manually created rules for cmdagent.exe to allow access to the update servers but block and log every other internet access. I also disabled “Cloud Lookups” to make sure Comodo would not need to access the internet for this purpose.

To my surprise, I noticed that in many cases, when I launch an application that I had already launched many times before and that is already in the known file list, the application’s launch is delayed by 10-15 seconds while Comodo is trying to send some data out, which gets blocked by itself. Similarly, whenever I perform an action that generates a new alert, again the alert is displayed with a very long delay, with Comodo trying to send some data out of my machine which gets blocked. There are probably many other cases where the same thing happens that I haven’t tried yet. It seems that Comodo is doing exactly what it is designed to prevent other applications from doing: logging and reporting the user’s every move to its servers; even worse, all the connections go over port 80, which means the connection is not encrypted (see attached screenshot).

After years of using Comodo, I am now starting to doubt my choice of security software. I hope the developers of this software have a good explanation for this behavior.

Comodo 10.2.0.6526
Windows 10 x64

Strange and unwanted, please report more

Except none of those servers belong to or point to Comodo, and I bet you didn’t turn off “Show messages from Comodo Message Center” or disable “Send anonymous program usage statistics”. You should use Wireshark to see what is being sent, but you would need to remove the block rule to allow the connection. I tried your experiment and I don’t see such blocked connections nor any delays with launching applications, then again I’m using 11.0.0.6728 and have disabled send program usage and Comodo Message Center.

Both options are [obviously] disabled. If those servers do not belong to Comodo, then why is cmdagent.exe, which is a component of Comodo, trying to connect to those addresses? Or maybe disabling anonymous usage statistics does not work as intended and data still gets sent (over port 80 to servers that are not run by Comodo?!).

why is cmdagent.exe, which is a component of Comodo, trying to connect to those addresses?
Is it connected and data packets are getting sent out, or is it trying and trying to connect to those addresses but failing because you’re blocking Comodo from itself except for updates?
I tried your experiment and I don't see such blocked connections nor any delays with launching applications, then again I'm using 11.0.0.6728 and have disabled send program usage and comodo message center.
Futuretech, I did the same thing and got the same results as you

maftul, if you really think Comodo is reporting users’ every move, use Wireshark to verify for yourself. It’s free: https://www.wireshark.org/ Although Wireshark is not the simplest program to use, I won’t be able to help you with that part. I’ll try it again in a day or so :-TU

I updated to the latest v11.0.0.6728 manually. The same problem still occurs, but at a far lower frequency than v10. I don’t think I am going to spend my time figuring out what data Comodo is trying to send out of my machine; I will just block it, similar to what I do with every other application. However, I am still waiting for an official explanation as to why Comodo is trying to connect to IP addresses that are claimed not to be even associated with Comodo; whether Comodo is just trying to connect to them or send data to them does not make any difference in this case.

I will just block it similar to what I do with every other application
easy enough
I am still waiting for an official explanation as to why Comodo is trying to connect to IP addresses that are claimed not to be even associated with Comodo; whether Comodo is just trying to connect to them or send data to them does not make any difference in this case.
I’m only a mod and not a Comodo employee. Maybe you can write in a “support ticket” to get an official answer. Also, just curious, can you tell us what IP address it is?

As for the support ticket, here’s an address to submit a ticket, or you can ask on the live chat. I hope they give you the answer you’re looking for.
https://support.comodo.com/index.php?/comodo/Tickets/Submit&track=8294

There are a lot of different IP addresses, you can see some of them in the screenshot I attached in the first post. Most of them seem to be Cloudflare IPs or cache servers; hopefully they are used to act as DDoS protection for Comodo’s servers (rather than hiding the real destination of the connections).

P.S. The connections seem to be most easily reproduced when launching an application for the first time since machine reboot via the start menu; subsequent launches do not seem to trigger the connections.

Most of them seem to be Cloudflare IPs or cache servers
agreed

I think your best option is the support ticket or maybe the live chat feature on the page. That’s the only way I know how to get any official answer :slight_smile:

https://support.comodo.com/index.php?/comodo/Tickets/Submit&track=8294

So you’re not going to provide real proof such as a Wireshark packet capture of the data being sent? Seems legit; sounds to me like you are intentionally spreading misinformation, a.k.a. fear, uncertainty and doubt. Why is that?

Even when I launch an application that has never been executed before, no connection attempts by cmdagent are being blocked with the block rule in place. Or executing an application for the first time since reboot.

Comodo’s own log is more than real proof (unless you are gonna say I have also photoshopped those, to which I would say I have better things to do with my life). I am not going to waste my time inspecting Comodo’s packets to make sure it is not stealing information from my PC; that is not my responsibility. It’s Comodo’s devs’ responsibility to respect the user’s privacy. And as I said before, it does not even matter what is being sent out; there is no reason for those connections to happen in the first place. You obviously don’t have anything useful to contribute, so you can assume I am “fake news”.

Sucks to be me, then; maybe there is something on my machine that Comodo is very interested in.

P.S. I am gonna open a ticket directly with Comodo; this discussion is not going anywhere.

Sorry to say, but it is very improper to accuse maftul of sending fake news!! You had better give some straight answers when someone asks in common polite terms why something is happening. CIS is more than important in keeping PCs and personal stuff safe. Otherwise one might trust Micr0$oft-defense as well.
More people are very curious to learn,
regards Biteater (biteater[AT]protonmail.com)

Thanks maftul for sharing here your concerns about this unwanted data sent by Comodo.
Please keep me/us posted, and inform what has to be stopped and/or disabled !! (biteater[AT]protonmail[DOT]com)
The formal answer of Comodo might be coming soon?
Regards Biteater

Wholeheartedly agree with the above poster that accusing a user who raises a valid concern of something nefarious is a very bad optic, especially when the concern is about the very thing the product touts to be distant from, whether the product is provided free or not. The point of argument is whether the accuser has provided sufficient proof but sufficiency has to be coupled with reasonableness. The fact that the accuser showed evidence produced by the product itself is reasonably sufficient to me personally. Now the product manufacturer needs to step in to explain.

It’d be one thing if you had started with asking why CIS was making these connections and you hadn’t come out and said

It seems that Comodo is doing exactly what it is designed to prevent other applications from doing: logging and reporting the user’s every move to its servers;
but you made a false claim of CIS tracking users without real proof, which, by the way, showing blocked connections isn’t; it is proof of nothing other than that it is making outbound connections. Had you taken the time to see what was being sent (I was finally able to replicate the connections), you would see they were related to OCSP requests.

I said what seemed to be the most logical explanation to me at the time based on the behavior I was seeing (a message being sent out every time I launched an application or received an alert). You initially denounced the whole report by saying the IP addresses do not even belong to Comodo and “bet” that I have not disabled Comodo’s static usage report. Then went ahead and completely denied my report and implied that I must be lying because I am not providing the proof you want. Now you yourself are showing a packet capture of the very same connections I was talking about. Yes, it seems I jumped to a conclusion too early but my report was certainly NOT false.

Now I understand that those connections are being made so that Comodo checks the executable’s Digital Signature. However, this is still a privacy concern (as also written on the Wikipedia page) since I see no reason why I should trust the third-party the requests are going to. I would assume every request includes at least the information related to the Digital Signature (if not also the executable name and metadata), which can be mapped to the entity it has been issued to and from there it can usually lead to the application(s) developed and signed by that entity. This coupled with the fact that Comodo sends this request right when the application is launched could allow the third-party receiving the requests to make a database of the IP addresses, certificates which get mapped to the applications, and timestamp of the requests which show when the applications are used; basically, “application usage statistics”.

The question that now remains is how to disable this; blocking it using the Firewall rule is not the best solution due to the delay it causes when launching applications that trigger the signature check.

I did the same as @maftul did and I get this (see the attachment)

This thread has not been for nothing for me, because it shows me what you have to pay attention to. But because of what @futuretech writes, I feel again confirmed in my feeling that Comodo protects my computer and my privacy. But can I feel even better protected in my privacy with other protection programs?

But what about the protocol TCP port 4448 and 4447? Have I captured a virus or Trojan that used this port and I didn’t notice because I trusted Malwarebytes, which never raised an alarm?
What I don’t know: must MB have detected a Trojan, or does it ignore this software? I’ve had no problems so far, especially not with online banking, no access to my account. Isn’t that a good sign regarding a highly sensitive activity? I am looking forward to answers! Now I’m insecure.

Now I understand that those connections are being made so that Comodo checks the executable's Digital Signature. However, this is still a privacy concern (as also written on the Wikipedia page) since I see no reason why I should trust the third-party the requests are going to.
You don’t have to trust the third party. If you go in that direction, you’ll need to figure out how to do that and do it correctly without causing issues or side effects. From the day you bought the computer until today, nobody knows what has been done to the computer (what software has been installed, settings, old and new drivers, etc.), and for that reason you’ll have to go to Comodo support (they’ll probably (I’m just guessing) want to remote-connect to your computer to investigate what has been done to the computer and analyze it). But that option is up to you.
The question that now remains is how to disable this; blocking it using the Firewall rule is not the best solution due to the delay it causes when launching applications that trigger the signature check.
Are you using "Proactive settings" ?

Did you add a checkmark to “Create Rules for safe applications”? <—

Can you write a firewall rule for cmdagent.exe, locking down the IP addresses and ports it’s allowed to go to, IF ANY? <—This is the best idea I can think of for you.

I have bad news for you if you don’t trust these connections: Windows does these checks too when you run applications. You know the file open security warning where it shows the publisher name? That is the signer name, and Windows verifies to make sure the certificate is still valid. Also, OCSP is done by every web browser when you connect to any HTTPS-enabled site. As for the frequency of these checks, it doesn’t need to happen on every execution due to the nextUpdate field in OCSP responses, which indicates when the OCSP request should be made to re-check validation.
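As an added illustration of the nextUpdate point above (example code written for this thread, not Comodo’s code or any OCSP library’s), here is a simulated OCSP response cache: a signer whose responder sets nextUpdate causes one request per validity period, a responder that omits it falls back to an assumed local one-hour window, and a stale response is never cached. The signer names, timestamps and the responder itself are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

# Constructed example: a minimal OCSP response cache; field names follow RFC 6960, no network is used.
@dataclass
class OcspResponse:
    cert_id: str                     # stands in for the OCSP CertID (issuer hashes + serial)
    status: str                      # "good", "revoked" or "unknown"
    this_update: datetime            # time at which the responder's information was correct
    next_update: Optional[datetime]  # OPTIONAL in RFC 6960; absent = newer info may exist any time

@dataclass
class OcspCache:
    fetch: Callable[[str, datetime], OcspResponse]   # the (simulated) OCSP responder
    fallback_ttl: timedelta = timedelta(hours=1)     # assumed local policy when nextUpdate is absent
    skew: timedelta = timedelta(minutes=5)           # tolerated clock skew (assumption)
    entries: Dict[str, Tuple[OcspResponse, datetime]] = field(default_factory=dict)
    fetches: int = 0                                 # how many requests actually left the machine

    def status(self, cert_id: str, now: datetime) -> Tuple[str, bool]:
        """Return (status, fetched); fetched is True only when a request had to be sent."""
        cached = self.entries.get(cert_id)
        if cached is not None and now < cached[1]:
            return cached[0].status, False           # reuse: no new request for this launch
        resp = self.fetch(cert_id, now)
        self.fetches += 1
        too_new = resp.this_update > now + self.skew
        expired = resp.next_update is not None and resp.next_update < now - self.skew
        if too_new or expired:
            return "unknown", True                   # stale or from the future: do not cache
        expiry = resp.next_update if resp.next_update else now + self.fallback_ttl
        self.entries[cert_id] = (resp, expiry)
        return resp.status, True

T0 = datetime(2018, 7, 4, 12, 0, tzinfo=timezone.utc)   # constructed reference time

def fake_responder(cert_id: str, now: datetime) -> OcspResponse:
    # Constructed responder: A publishes a one-day nextUpdate, B omits it, C answers with a stale response.
    if cert_id.startswith("signer-A"):
        return OcspResponse(cert_id, "good", now, now + timedelta(days=1))
    if cert_id.startswith("signer-C"):
        return OcspResponse(cert_id, "good", now - timedelta(days=2), now - timedelta(days=1))
    return OcspResponse(cert_id, "good", now, None)

def replay_launches(cert_id: str, hours: list) -> Tuple[list, int]:
    """Replay app launches at hour offsets from T0; return (status per launch, requests sent)."""
    cache = OcspCache(fetch=fake_responder)
    seen = [cache.status(cert_id, T0 + timedelta(hours=h))[0] for h in hours]
    return seen, cache.fetches
```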

I did not mean to say I didn’t have faith, but that I am insecure, certainly because of the lack of deeper knowledge. Are the ports 4447 and 4448 gates for Trojans?

Looking for the cmdagent I found this (a German site):

About file.net:

file.net is a certified Microsoft Partner. As a Microsoft Silver Partner, file.net (Neuber Software) is among the top 5 percent of Microsoft partners worldwide. This demonstrates file.net’s leading role in the field of classifying and analyzing files and processes.

file.net is a certified partner of Microsoft and belongs to the top 5 percent of Microsoft partners worldwide, so it has a leading role in the classification and analysis of files and processes.

There you can read about cmdagent:

This file is signed by a central signing authority. Cmdagent.exe can record input and monitor programs. We therefore rate this file as 35% dangerous, but compare this rating with the members’ opinions.

This file is certified by a central signature authority. Cmdagent.exe can record input and monitor programs, and therefore we rate this file as 35% dangerous, but read/compare the opinions of other members.

If cmdagent.exe is located in a subfolder of the user’s profile folder, then it is 0% dangerous. ... Several members consider the process safe. ... Cmdagent.exe can record input and monitor programs.

If the file is in a subfolder of the user’s profile folder, then the file is rated as 0% dangerous. Several members consider this process, which is certified by a trust center, as secure. Cmdagent.exe is able to record input and monitor programs.

And now:

avast: avast!Antivirus.exe Windows process - what is it?

Avast!Antivirus.exe can manipulate other programs. We therefore rate this file as 72% dangerous, but ...

Avast is able to manipulate other programs and therefore we rate it as 72% dangerous!

Kaspersky:

therefore we rate it as 3% dangerous!

But:

DECEPTIVE SECURITY

WiWo (WirtschaftsWoche is a highly respected business magazine in Germany):

Antivirus software offers protection? But nobody knows exactly how good.
by Juergen Berke
July 4th, 2018

And there you can read:

Last year the US government officially suspected the company of espionage. Since then, US authorities have no longer been allowed to use many Kaspersky products. Countries in Europe have since joined this hard line. ... The software could be ‘abused’ because it also enables ‘espionage and sabotage’, says a letter from Justice Minister Ferd Grapperhaus.

Last year, the US government officially suspected Kaspersky of espionage. Now US authorities are no longer allowed to use many of Kaspersky’s products. European countries have also joined this hard line. The software could be abused because it makes “espionage and sabotage” possible (Justice Minister Ferd Grapperhaus).

And now? Which software do you trust 100%? Where shall we/will you go? To avira:

avira: Avira.exe Windows process - what is it?

Therefore we rate it as 42% dangerous!

My very personal conclusion:

I never had problems with Comodo security. I have to trust many programs whether I want to or not, when I want to work with them. We have to “trust” programs from Acronis to Microsoft to Zxxx-programs. I have no other choice, and CIS very often asks me if I want to allow xxxx to connect to the internet/launch the program, and I can choose from allow to block.