Latest Comodo Phoning Home

Hello dear all,

I work in a non-profit hospital centre where I deal with sensitive patient data - and as a result of a new tech policy we need to put extra effort into making sure that no patient data is leaked to the outside.

This brings me to a problem with the latest Comodo Internet Security (however the problem exists in all previous versions as well). On a single computer that requires internet access I installed only the Firewall (with Maximum Defense+) and NOT the antivirus part.

I selected to NOT be a part of Threatcast, I am not using Comodo DNS, I unticked automatic checking for updates and I disabled the Sandbox (and also disabled sending unknown files to Comodo).

However, I still periodically see unknown attempts at connection coming from cmdagent.exe. When I whois the IP addresses that cmdagent.exe tries to access it brings me to Comodo servers. I have no idea what these connections contain, and I was not informed anywhere that Comodo would attempt to phone home despite having everything possible checked off.

Now, I appreciate the fact that Comodo lets me block these connections by setting cmdagent.exe to not be allowed to connect anywhere, however I would appreciate it if it was possible to make it so that Comodo does not connect anywhere by itself. All I am asking for is a simple checkbox in advanced settings, or a registry setting.

I do like comodo, but I cannot afford to have unknown connections going to the internet from it. Thank you.

By the way, I appreciate that Comodo no longer bundles other software with it, such as the Ask! toolbar, etc.

What you might be seeing is Comodo updating the trusted vendors list. Are you using Defense+?

It could also be looking to see if there is a program update. You can disable the automatic check for program updates under More → Settings → Update.

He said he disabled automatic updates.
Maybe it’s the trusted vendors list, but if that’s the case then that should be included in the automatic-updates feature.

It’s a fair request…

It should be put in the wishlist…

thanks

Melih

Interesting, yes I am using Defense+ (as I stated in my original post “with Maximum Defense+”) and I did not disable the Trusted Vendors. I read through the helpfile provided with Comodo, and I did not read anything about the list being updated (automatically) separately from the whole comodo application.
Did I miss something about it in the help file?

In any case, how do I put this in the wishlist?

Just to clarify: the main request is to be informed what the connections from Comodo are (even though everything automatic is disabled), and to be given a choice in the options to disable such connections (not just block them in the firewall component). The main reason for this is that we have confidential patient information on the system, and we cannot afford them to be leaked to the outside (such as when Comodo uploads an unknown .exe file to Comodo servers, or when Comodo makes these unknown connections).

Hi,

Besides disabling the settings already mentioned, and IF you really don’t want any update feature you can set “http://127.0.0.1” as your “Updates host” at Miscellaneous->Settings->Connection.

The path above is for v3.14. For v4 you probably have something similar.

This will redirect “home-calls” to your own computer.

G’day a1069177,

Here is the wishlist you’re asking for: Comodo Forum

The main reason for this is that we have confidential patient information on the system, and we cannot afford them to be leaked to the outside (such as when Comodo uploads an unknown .exe file to Comodo servers, or when Comodo makes these unknown connections).
I see what you’re saying, but confidential information or personal information (BASICALLY STUFF THAT GETS TYPED IN, FOR THAT MATTER) is stored in databases. Comodo isn’t interested in databases, they’re interested in "unknown" system files.

Why not encrypt the sensitive data?

The problem is that some of our patient DATA is stored as .exe FILES. As far as I know, Comodo puts unknown .exe files either on the pending list (depending on settings), or runs them in sandbox - but in either case it does send the .exe file to Comodo servers - so it is a leak.

Encryption would not help here - e.g. when encrypted using Truecrypt, the .exe files become transparently decrypted for the system and Comodo to see, therefore Comodo will be able to send the unencrypted files to the Comodo servers. We do use encryption for patient data as a part of our policy, however the data ultimately needs to be accessible - and at the exact moment the data becomes accessible, it can also be seen by Comodo.

This is most probably the version check. Can you put a network capture on the traffic you are still seeing when setting everything to disabled?

It will probably show a URL like http://download.comodo.com/cis/download/updates/release/inis_600/cis_update_x32.xml

It uses it to determine if there are new versions for all kinds of components, not only program updates, but I think in this case it’s caused by the updates for translations or the already mentioned vendor list etc.

I have the same behavior: even with automatic updates set to disabled, the mechanism still checks for this URL.

If you wish to protect your data flowing out I suggest you have a look at the BlueCoat ProxySG an excellent device to control what comes in and what is allowed to go out.
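The capture Ronny asks for is the one piece of evidence that settles "what does cmdagent.exe talk to". The script below is an added example (not part of this thread and not Comodo's code) of how to reduce such a capture to a per-host report once it has been exported from Wireshark/tshark as tab-separated fields, e.g. with `tshark -r capture.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.method -e http.request.uri`. The sample lines, the IP addresses and the second host `updates.example.net` are constructed for the example; the Comodo URL is the one quoted above. Any host that is not on the allowlist is flagged, which is exactly the list one would need to justify to management.

```python
"""Summarise outbound HTTP requests from a tshark field export.

Input format (tab-separated, one request per line):
    ip.src  ip.dst  http.host  http.request.method  http.request.uri
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Row = Tuple[str, str, str, str, str]

# Constructed sample export: two identical version checks to the URL named in
# the thread, plus one hypothetical POST to a host that should not be there.
SAMPLE_EXPORT = """\
192.168.1.10\t91.199.212.171\tdownload.comodo.com\tGET\t/cis/download/updates/release/inis_600/cis_update_x32.xml
192.168.1.10\t91.199.212.171\tdownload.comodo.com\tGET\t/cis/download/updates/release/inis_600/cis_update_x32.xml
192.168.1.10\t203.0.113.7\tupdates.example.net\tPOST\t/upload
"""


def parse_export(text: str) -> List[Row]:
    """Split the export into (src, dst, host, method, uri) tuples.

    Blank lines are skipped; a line with the wrong number of fields is an
    error rather than silently dropped, so a bad -e field list is noticed.
    """
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
        rows.append((parts[0], parts[1], parts[2], parts[3], parts[4]))
    return rows


def requests_by_host(rows: List[Row]) -> Dict[str, List[str]]:
    """Map each destination host to the distinct 'METHOD url' strings seen."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for _src, _dst, host, method, uri in rows:
        entry = f"{method} http://{host}{uri}"
        if entry not in seen[host]:
            seen[host].append(entry)
    return dict(seen)


def unexpected_hosts(rows: List[Row], allowed: Set[str]) -> Set[str]:
    """Hosts contacted that are not on the allowlist."""
    return {host for _s, _d, host, _m, _u in rows if host not in allowed}


def report(text: str, allowed: Set[str]) -> str:
    """Human-readable summary, one host per block, unexpected hosts marked."""
    rows = parse_export(text)
    out: List[str] = []
    for host, entries in sorted(requests_by_host(rows).items()):
        mark = "" if host in allowed else "  <-- not in allowlist"
        out.append(f"{host}{mark}")
        out.extend(f"    {e}" for e in entries)
    return "\n".join(out)


if __name__ == "__main__":
    # Only the documented update host is expected on this machine.
    print(report(SAMPLE_EXPORT, {"download.comodo.com"}))
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; the same capture filter (`http.request`) can be narrowed to a single process by first noting the local source port that netstat attributes to cmdagent.exe.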

I don’t see why patients records have to be in exe format. Data is not executable.

It is not that hard to prevent this leaking, but I believe it to be impossible in the CIS 4 version because of the sandbox: even disabled, the drivers do still exist.

The goal does not, however, seem to be out of sight using CIS 3:
-disable updates
-delete everything from the trusted vendors list, except Comodo itself (you can’t)
-Firewall, network security rules:
You have an outgoing-only rule allowing CIS: set CIS to custom, and block this rule.

-Defense+
In the protected files, groups, you can edit Comodo permissions and e.g. delete the relevant ones in Windows Updater Applications, Windows System Applications (you have a cavscan rule even if you didn’t install the CIS AV), and Comodo Internet Security (cfpupdate).
In the Defense+ security policy, don’t keep any “installer” or “windows operating system” rule: change all these rules to “custom”, allowing you to write whatever allow or block rule you want, including for Comodo.

Now the system should no longer connect to Comodo, but that is not the end of it; the problem is much larger.

In every “modern” country, medical secrecy is unbreakable, even between husband and wife, and I know in France of only 2 exceptional situations where a professional spontaneously breaching medical secrecy is not severely punished.

But in these same “modern” countries, this same medical secrecy is shared by the new “remote health” practices, which say that medical files can be transferred, including by networking tools, as long as everyone in this chain is himself bound by medical secrecy, even to the point of remote live surgery.

Such a situation assumes not only that the data can be sent and received only by people bound by this medical secrecy, but also that the networks used are not vulnerable to anyone else, including those in charge of processing this data who are not medics and not bound by medical secrecy.

In most situations these VPN networks are the property of medical authorities, and one would think that none of their members has any interest in breaking the rules, but they are definitely not absolutely safe from attacks by their own computing technicians or even outsiders.

What, then, to say of using a third-party system, call it CIS or whatever you want, where no shield exists against such possibilities, and where one can only guess what trick should be applied so as not to potentially leak said information?

No software should be used in these conditions if it makes any calls at all, and it does not matter that most likely the files are only statistically aggregated and nothing actually leaks; the potential to do so is there.
Revert to CIS 3 or use something else. Period.

There is no “leaking” in CIS v4 if you disable several already available configuration options.
The only thing that can’t be disabled at the moment is the check for certain updates.

Why do you use Comodo if you do not trust Comodo??? ;)

Thank you very much Ronny, using wireshark I was able to identify what Comodo accesses. And thank you brucine for the suggestions.

Oh I do trust Comodo, don’t get me wrong, I would even go as far as to say that I am pretty sure that Comodo would not do anything with the data obtained. I am NOT saying that I am leaving Comodo, or that Comodo is spying on users or anything.

I am simply saying that it is impossible to say to my bosses: “This software is fine, it just randomly connects to the internet without the user’s knowledge to check for some updates” when there is confidential data on the machine. And it is true that patient confidentiality is above all…

It’s the update URL right?

Ever so slightly off topic

Comodo puts unknown .exe files either on the pending list (depending on settings), or runs them in sandbox - but in either case it does send the .exe file to Comodo servers - so it is a leak.
Anything that's not known to them gets scrutinized
I don't see why patients records have to be in exe format. Data is not executable.
I agree, storing records in .exe format is more vulnerable because hackers generally infect .exe files (in general).

I would also recommend disabling “autoplay” for usb ports too!!