Peerblock Comodo Currports Smartsniff

Dear friends

once again I need your assistance in order to understand things thoroughly.

I use a pretty vanilla Win7 32 bit and got the following tools running that are of importance here:

Comodo firewall
Peerblock V1.1
Currports (Nirsoft)
SmartSniff (Nirsoft without Wincap or so)
CloseTheDoor (sourceforge)

I have got installed Nuance/Scansoft Paperport 11 & Omnipage 16 - and registered. I notice in Peerblock that this tool blocks TCP connections towards Scansoft’s servers. This is of course the case since I have the appropriate blockfiles installed in Peerblock that block en masse IP ranges of corporations.
Well, no problem with me.

But I am really interested in which of the files belonging to the above software is connecting out.

I do not notice anything in Comodo’s firewall or Defense+. This must be because I blocked or allowed things concerning this, either in learning mode or consciously. Does not matter.
Fact is that Peerblock shows the outgoing con.

So, how can I get to know which service, exe, dll etc. it is?

As I said, I also run Currports and Smartsniff in order to look for the servers of Nuance.
These look by the advanced filters for:

include:both:tcpudp:198.71.64.0-198.71.75.255
These are Scansoft's servers as far as I know by a tool of Nirsoft...

All in all, in order to understand things I think I need to know the priority of layers working here.
E.g., if Comodo firewall would be the first that looks at IP/TCP/UDP … then Peerblock should only see the connection above if Comodo lets it through, isn’t that the case?

Where do Currports and Smartsniff come into play?
Is it possible that they can not see the connections towards 198.71.64.0-198.71.75.255 since Comodo or Peerblock catch and block these in advance?

What have I to do in order to get a picture of what process is connecting towards Scansoft or why Peerblock shows me the block?

PS:
Currports' and Smartsniff's logs do not show anything…of
include:both:tcpudp:198.71.64.0-198.71.75.255

The program responsible for making the connections, in Paperport at least, is called agent.exe, which typically lives in:

C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

The reason you don’t see this process making a connection is simply because the Peerblock IP filter kicks in before the process can register in the log or generate an alert. The same would be true if you added the IP address for Scansoft as a Blocked Zone in CIS. The same is also true for Currports, which like most network monitors of its type will only see the connection once it’s in progress.

Mh, I do like to echo but I have to at least now in order to make sure I got it.

First,
I do have some IPs in CIS’s blockzone but not one of the above belonging to Scansoft.
So, if agent.exe or anything else goes out then it is caught
a) first by Peerblock
b) if Peerblock is not running or has no active filter then of course CIS will get it and I might get a rule prompt if I do not have one already
c) if b) is the case then Currports/Smartsniff and all tools of the kind will see the traffic before CIS kicks in with ask/allow/block.

Eventually, I have to let the traffic in question through Peerblock to make sure Currports/Smartsniff see it and can register it and to finally get a CIS allow/block/ask.

I think I will risk it to deactivate Peerblock for some time :wink:

Peerblock or CIS Blocked Zone will intercept before a connection can be made.

b) if Peerblock is not running or has no active filter then of course CIS will get it and I might get a rule prompt if I do not have one already

That will depend on the sensitivity of your firewall settings and whether the application is on the TVL. If using Custom policy mode with alerts cranked up, you should receive an alert.

c) if b) is the case then Currports/Smartsniff and all tools of the kind will see the traffic before CIS kicks in with ask/allow/block.

Loopback requests will appear in the utilities at the same time an alert is received in CIS. Network requests will provide an alert, which needs to be allowed, before the connection appears in the utility (see image)

Eventually, I have to let the traffic in question through Peerblock to make sure Currports/Smartsniff see it and can register it and to finally get a CIS allow/block/ask.

I think I will risk it to deactivate Peerblock for some time :wink:

Personally, I’ve never been a big fan of these blockers, but each to his own :slight_smile:
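An added example, not part of the original thread: it applies the filter string quoted earlier (`include:both:tcpudp:198.71.64.0-198.71.75.255`) to `netstat -ano` output so that connections into that range are listed with their owning PID. The function names are hypothetical, the sample netstat lines are constructed, and the parser handles only the IPv4-range form of the filter.

```python
import ipaddress

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49201     198.71.66.10:443       ESTABLISHED     2148
  TCP    192.168.1.20:49202     198.71.76.1:443        ESTABLISHED     3321
  TCP    [::1]:49155            [::]:0                 LISTENING       600
  UDP    0.0.0.0:5355           *:*                                    1100
"""

def parse_filter(spec):
    """Parse 'action:side:proto:first-last' (IPv4 range form only)."""
    action, side, proto, rng = spec.split(":", 3)
    lo, hi = map(ipaddress.IPv4Address, rng.split("-"))
    if (action not in ("include", "exclude") or side not in ("local", "remote", "both")
            or proto not in ("tcp", "udp", "tcpudp") or lo > hi):
        raise ValueError("unsupported filter: " + spec)
    return action, side, proto, lo, hi

def host_of(endpoint):
    """IPv4 address from 'a.b.c.d:port'; None for '*:*' and IPv6 endpoints."""
    try:
        return ipaddress.IPv4Address(endpoint.rsplit(":", 1)[0])
    except ValueError:
        return None

def matching_connections(netstat_text, spec):
    """Return the netstat rows selected by the filter, with their owning PID."""
    action, side, proto, lo, hi = parse_filter(spec)
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Skip headers, and protocols the filter does not cover.
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or f[0].lower() not in proto:
            continue
        ends = {"local": f[1:2], "remote": f[2:3], "both": f[1:3]}[side]
        in_range = any(a is not None and lo <= a <= hi for a in map(host_of, ends))
        if in_range == (action == "include"):
            rows.append({"proto": f[0], "remote": f[2], "pid": int(f[-1])})
    return rows

if __name__ == "__main__":
    spec = "include:both:tcpudp:198.71.64.0-198.71.75.255"
    for row in matching_connections(SAMPLE, spec):
        print(row)
```

A PID returned here can be resolved to an image name with `tasklist /FI "PID eq <pid>"`.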


Is it possible to import a block list into CIS like Peerblock?

Unfortunately, no. It’s something that’s been on the wish list for quite some time.