Invisible dialogue and a mystery process

Hello all,

Recently (though I don’t know when it started), I noticed in COMODO Network Intrusion logs a series of blocked intrusions from processes which either don’t have any name/identifier, or they have a description in ideograms (Chinese?). Source and destination are always the same, 0.0.0.0, and COMODO claims that the “action taken” is “Asked” (see the attached image). However, I never got any dialogue pop-up for these processes. Furthermore, I can’t locate them by name anywhere else in COMODO, either in other logs, or in filtered lists or wherever.

I’ve checked the services and running programs on my system (Win 10 with the latest patches), and haven’t noticed anything unusual. Full system scan with both Avira Antivirus and Malwarebytes didn’t return a single issue, and I generally try to run my system as clean as possible.

Does anybody have any idea what these processes are, and how to access/remove them?

Hi markof,

Thanks for reporting, could you please check your personal message and provide the requested logs.

Hi markof,

Thanks for getting back to us, the error message may be caused by administrative privileges. Can you try to run the tool with administrative rights?

Hi Mathi,

That’s the second thing I’ve tried, and it didn’t help as far as I’ve seen. But in any case, now it worked and I’ve uploaded the logs.

Hi markof,

Thanks for providing the requested logs, our development team is working on it.

Hello,
Same here:

Partial Firewall logs:

Date & Heure 	Programme 	Action 	Direction 	Protocole 	IP source 	Port source 	IP de destination 	Port de destination
2019-07-07 10:11:06  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant, Sortant  	186  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:10:45  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant, Sortant  	66  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:10:35  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant, Sortant  	TCP  	0.0.0.0  	1538  	0.0.0.0  	256 
2019-07-07 10:10:32  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant  	196  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:10:21  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant  	136  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:10:01  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant  	16  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:09:51  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Sortant  	146  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:09:48  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Sortant  	146  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:09:37  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Sortant  	86  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:09:27  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Sortant  	26  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:09:17  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	104  	222  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:09:07  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	104  	96  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:09:04  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	104  	96  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:08:53  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	104  	36  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:08:33  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant, Sortant  	172  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:08:23  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant, Sortant  	46  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:08:20  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant, Sortant  	46  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:08:09  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant  	242  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:07:59  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant  	182  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:07:49  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Entrant  	122  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:07:36  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Sortant  	252  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:07:25  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Sortant  	192  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:07:15  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	Sortant  	132  	0.0.0.0  	  	0.0.0.0  	 
2019-07-07 10:06:55  	랭ม㛔讙ᆘ蝹訓婠நⶓŗ䪉榻ᝯ薛㤱쟎⇳ṟ⣪ᾂ鸻룥㤄픂ἂ茌῏卆ཋ愃䫀꺊ﻓ????⠎ᴠ턀ꃲ????鹾㽶쳍奲韦롺붭흞䯢ꉾ钤鵘钾鉼蔑番茏傊ⱁ????ቾ娒恠೨䶉셖劈檻⠑檛䘑䠪}  	Demandé  	100  	202  	0.0.0.0  	  	0.0.0.0  	  

Not sure at all, but seems to be related to Firefox…

So found this in my blocked apps

On a level from 1 to 10, how freaked out should I be? :).

They were blocked so I would not immediately worry.

Could you post a screenshot of the firewall logs? They will show in more detail what the blocking is about.

Sure, it's not adding much in terms of data…

It shows you are being asked. When you didn't respond to the alert it will be blocked. So, you're safe thanks to the default deny principle.

Do you see programs in Programs and Features or with Autoruns that you do not remember installing?

Sorry … been down with a nasty stomach flu…

Nope.
Well actually, I have tried out CAMEdit and XMLPad from sourceforge for some xml/xsd modelling I had to do … but other than those no.

Do you know where Comodo keeps its lists? Local file? Registry? sqlite? I bet I can extract those filenames and give them a proper encoding, reverse the encoding somehow.

Ideas? I mean I could try and run procmon on Comodo to figure it out, but I also figure that it won't let me, right off the bat.

It's cislogs.sdb and yes, it's sqlite :slight_smile: … gonna have a dig

So … for example:

select strftime('%Y-%m-%d %H:%M:%S', LogDate) as dt, * from FwEvents order by dt desc

Right (the "dt" 'cause I don't read Julian dates real good)? And I get something like this

2019-07-22 19:09:02 296265 2458687.29793981 2544456 0 0 273 1 8 3 -1

You see that after the logdate in Julian? That's supposed to be "PATH" … read as binary it comes up as 0000 02, but it's supposed to be "text" according to the DB layout.
Also, I presume that the Pid is the process id (that's the 2544456 number), while, with no evidence of anything, I have no process id higher than 23000 running right now… Source address is a mess too, "02000000000000000000000000000000" (blob).

I am not comfy about what's going on here, I'd much rather I hit a snag in Comodo or something :).

This is the path of one of the Chinese-looking blocks (as hex)

e6b9afe695b4e791aee7819ce695b2e695a6e695b2e68daee78da5e6a8ae73

Now I've been decoding it from every known Chinese codepage in existence and come up short.
I have nothing for a BOM on ~e6b9++
It's not html encoded or anything like that…
I am drawing short here.

Help?

Bugging me is that e6 b9 … ae has a maximum span of 90 characters (if you imagine them to be ascii encoded in some fashion); what obfuscates a little bit is that the trailing ".exe" in no way matches the pattern of the trailing byte stream.

echo anyone out there? :).

Hi helloworldz,

Could you please check your personal message and provide us the requested logs.

Hi helloworldz,

Thanks for sharing the requested logs, our developers are working on it.

:-TU

any news?

It may be something my computer is doing internally or it may not, but can someone please explain this?