Constant queries for delven.txt on download.comodo.com [Semi-solved]

[b]SEMI-SOLVED[/b]: so far 178.255.82.5 and 104.16.60.31 are necessary for Comodo updates (thank you, futuretech, for the hints). The question remains why checks were so frequent for delven.txt.

Hello,

I was checking my network traffic to reassure my paranoia when I noticed that my PC sends frequent requests to download.comodo.com, which seem like requests for a certificate.

This is an excerpt of the network traffic:


"Source:192.168.2.104","Dest:178.255.82.5","TCP","Length:66","53349 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1"

GET /av/tvl/delven.txt HTTP/1.1
Accept: */*
Host: download.comodo.com
Cache-Control: no-cache
Cookie: __cfduid=d06c96f3a6206bc50f81d393538b513171519061919

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 21 Feb 2018 20:13:27 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Keep-Alive: timeout=1
Location: http://cdn.download.comodo.com/av/tvl/delven.txt
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
"Source:104.16.60.31","Dest:192.168.2.104","HTTP","Length:483","HTTP/1.1 200 OK  (text/plain)"

GET /av/tvl/delven.txt HTTP/1.1
Accept: */*
Host: cdn.download.comodo.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: __cfduid=d06c96f3a6206bc50f81d393538b513171519061919

HTTP/1.1 200 OK
Date: Wed, 21 Feb 2018 20:13:27 GMT
Content-Type: text/plain
Content-Length: 108
Connection: keep-alive
Last-Modified: Mon, 19 Feb 2018 13:30:57 GMT
ETag: "5a8ad191-6c"
X-CCACDN-Mirror-ID: rmdccgdown3
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 3f0c5dc687e61ac3-DUS

Kuzyakov Artur Vyacheslavovich IP
OOO Firma "Blek-Pljus"
Pointstone Software, LLC
Megaify Software Co.,Ltd.

There is not a lot to be found except for a few mentions of “OOO Firma Blek-Pljus” in relation to malware, which is sort of distressing.
I was not able to determine the process responsible for this traffic and hence am a bit concerned.
For now I have manually blocked any IPs involved in the queries in Comodo.

Are there any programs known to cause these queries, or maybe even related software?

Greetings,
Leza
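As an added example (not part of the original post), here is a Python script that looks for the pattern described above, the same request repeated on a fixed interval, in a Wireshark CSV packet-list export; the capture rows are constructed to mirror the traffic in the post, and the column names assume Wireshark's CSV export layout.

```python
"""Flag HTTP requests that repeat on a fixed interval (beacon-like polling)."""
import csv
import io
import re
import statistics
from collections import defaultdict

# Constructed sample modelled on the capture in the post above; not real data.
# Columns follow Wireshark's "Export Packet Dissections -> As CSV" layout.
SAMPLE_CSV = """\
"Time","Source","Destination","Protocol","Info"
"0.000","192.168.2.104","178.255.82.5","HTTP","GET /av/tvl/delven.txt HTTP/1.1"
"0.120","192.168.2.104","104.16.60.31","HTTP","GET /av/tvl/delven.txt HTTP/1.1"
"300.010","192.168.2.104","178.255.82.5","HTTP","GET /av/tvl/delven.txt HTTP/1.1"
"300.130","192.168.2.104","104.16.60.31","HTTP","GET /av/tvl/delven.txt HTTP/1.1"
"600.020","192.168.2.104","178.255.82.5","HTTP","GET /av/tvl/delven.txt HTTP/1.1"
"617.500","192.168.2.104","198.51.100.7","HTTP","GET /index.html HTTP/1.1"
"900.005","192.168.2.104","178.255.82.5","HTTP","GET /av/tvl/delven.txt HTTP/1.1"
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/")


def find_periodic_requests(csv_text, min_hits=3, max_jitter=0.05):
    """Return {(src, dst, path): mean_interval_s} for every flow that issued
    the same request at least min_hits times with a near-constant gap
    (spread of the gaps no more than max_jitter of their mean)."""
    times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = REQUEST_LINE.match(row["Info"])
        if match:  # only HTTP request rows carry a request line in Info
            key = (row["Source"], row["Destination"], match.group(2))
            times[key].append(float(row["Time"]))

    periodic = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Scheduled polling shows almost no variation between consecutive gaps;
        # user-driven browsing does not.
        if mean > 0 and (max(gaps) - min(gaps)) / mean <= max_jitter:
            periodic[key] = round(mean, 1)
    return periodic


if __name__ == "__main__":
    for (src, dst, path), interval in find_periodic_requests(SAMPLE_CSV).items():
        print(f"{src} -> {dst} {path}: every {interval} s")
```

The two requests to the CDN address are left out of the result only because the sample holds fewer than three of them; with a longer capture they would be reported at the same interval.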

bump. Nothing?

You either have CCAV or CIS/CFW/CAV installed as that traffic is related to the trusted vendors list and removing those vendors from the list.

Thank you for your reply; yes, I have Comodo Firewall installed (which I am, ironically, using to block the traffic to download.comodo.com, or rather the involved IPs).

Is this a bug or a feature that it sends that same request every other minute?

It happens when you have check for database updates enabled under update settings.

I just checked and it is set to standard (6 hours)

I also see that an artifact remains. Every 300 seconds (exactly 300 seconds) I get 3 packets from 178.255.82.5, which my computer doesn't reply to anymore (at least that's what Wireshark is reporting).

3 packets each time, with 0.5 seconds between each, each with the following content:

"178.255.82.5","192.168.2.104","TCP","54 bytes","port 80 → 49990 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0"

Also, I have now checked manually whether Comodo can update, and got the response that no connection could be established. (After allowing 178.255.82.5 it works again.)

Still odd that Comodo never nagged me about not being able to reach the update servers, and also that it was constantly querying for this delven.txt before… Thanks for pointing me to the updates, futuretech.