Suspect traffic, but the port target is 80 or 81


I would like to ask this question:

This is only an imaginary situation:

I have my pc and some troyan gets into my computer. I have Comodo Internet Security. I know that some trojans connect to port 80 or 81 (Trojan bitfrost) and the victim is only a client that goes to the server which the hacker installed for this purpose. Therefore, it has no need to NAT-T because as a client, my computer can connect to a server in that port.

My question is that if the firewall could suspect something about that traffic, because in theory it is a normal connection from your pc to a server in the cloud heading for port 80.

Could Comodo be of some help in such cases?

Thanks a lot in advance

If I understand correct you are asking if CIS Firewall does deep inspection of port 80 traffic to see if is suspicious for some reason?

At this point the answer is No, CIS does not inspect packets beyond it’s headers for outgoing traffic.
There is no ‘smart’ stuff for bot-net detection or blocking by cloud features etc.

Only thing it can do is inspect protocol analysis for ‘standards’ in the header, as soon as they violate the RFC’s it will block the traffic.
You can find this feature on Firewall → Firewall behavior settings → Advanced → Do protocol analysis.

But the downside of this feature is that it doesn’t log a single block, so if it’s active and something isn’t working as expected it might cause troubleshooting issues.
As it’s not the first time a (large) company did something ‘strange’ to it’s traffic that wasn’t in the RFC.

Thanks a lot Ronny,

Then, if I had that trojan which, as a client, connect to the port 80 0r 81 of the server (in the hacker´s pc), the firewall wouldn´t suspect anything? Would it understand is a legitimate traffic?

Since I am not a security expert at all (though I like that field a lot), I´ll have to study deeply your reply.
As you suggest, I have activated this option: Firewall → Firewall behavior settings → Advanced → Do protocol analysis.

But I didn´t understand what you said about “…the downside of this feature is that it doens´t log a single block”.

Thanks a lot for your help!!

It depends on the firewall software used but in general the firewall should alert at least ‘once’ for the ‘trojan’ to connect to the outside world.

But a ‘simpel’ firewall that isn’t leak-proof could be abused by the Trojan.
The assumed trojan is active on the system and ‘uses/abuses’ an other trusted process to connect to the internet.

CIS can prevent against this, but that’s done by Defense+ so if you disable that ‘completely’ you depend on your other security software to catch the malware before it is able to connect.

About the logging.
CIS logs normal blocked traffic in it’s logfiles, but protocol anomalies are not logged, thus it can cause blocks without it showing in the logging.
That might cause issues during troubleshooting if something isn’t working as expected.

Thanks Ronny for the reply,

And Apologizes for my delay in answering.

You said this: "but in general the firewall should alert at least 'once' for the 'trojan' to connect to the outside world." . 

I guess that´s the typical pop-up saying "Firefox/IE is trying to connect to the internet, do you want to allow this?" . But the trojan has nothing to do with none of the Browsers, so, I suppose the alert would be a different one like (maybe): "The service svchost is trying to connect to the internet, do you want to allow it?" .

The problem is that many trojans hide themselves in such a proccess (svchost) or others which seem normal to a medium user.

As far as I know, svchost.exe is in System32, therefore, is the outgoing connection is going to take place from svchost places in c:\windows or any other different folder than System32, that would be the key to suspect that that is not a legitimate traffic ?

If I understood you right, you say that having activated “Do protocol analysis” is a very good thing even though it won´t appear in the logs, is this so?

Thanks a lot, and again, sorry for the delay in my answer.

If you run CIS and leave Defense+ activated you are protected against these attacks against valid process injections.
If you run other Security suites it’s up to the power of the suite to prevent this.

If I understood you right, you say that having activated "Do protocol analysis" is a very good thing even though it won´t appear in the logs, is this so?

Thanks a lot, and again, sorry for the delay in my answer.

Yes that’s correct.

Thanks once more!

Very good to know that Defense + acts against such ways of trojans, the ones who hide in well-known proccesses.

I have been taking a look at all the Defense + features and they are amazing, though I don´t understand some of them. I´ll review all of them in order to know how powerful can be such a software like Comodo.

I am becoming quite fond of this software though now I am testing it to check how good it works, and , so far, I like it.

The “problem” is that you don´t have a Enterprise product to manage networks, do you?.

Thanks! :slight_smile:

They have just released (I’m not Comodo Staff) Enterprise Service Manager version 2 a few weeks ago.
That product is specially aimed at managing multiple installs of CIS over a few and up to at least 1000 endpoints.

See a introductory video here (Small business) ESM Business edition by Glen

Many thanks!

Didn´t know you weren´t a Comodo Staff. You are a volunteer? That´s very great of you! . I admire that in people.

I´ll see the video, thanks a lot Ronny!!

Yes I’m volunteer, I try to place that in my signature and under my avatar but for some reason it doesn’t seem to work :wink:

Actually, it´s my fault because it is just as you said: it appears in both your avatar and your signature, I just didn´t see it :-\ , hehe.

Why is Comodo not so well known?. Among my colleages they always tell me other products (I guess I am not allow to name them here?) , but I discovered a year or so ago this product and it seems to me that it works suitablely , but I am not a security expert (though I have some knowledge in the field).

I´ll keep checking the product to take advantage of all its features to see if it can meet all the requirement in a company. Sorry, I am not questioning the product, just that I am very concerned about companies security, for their data are very valuable.

Thanks a lot!!

Internet Security came from Comodo Firewall + HIPS (Defense+).
It didn’t have an AV component, if you know how it works HIPS is much stronger that AV but the downside is it’s not user friendly because you have to answer popup’s.

And security aware users don’t mind reading them, but people who just use their computer to do whatever don’t read and just ‘click it away’.
So they introduced AV to minimize the number of alerts for the avg. user.

It’s less known because of marketing and money. You need to invest big in marketing to promote a free product.
You can’t bundle your software with OEM installs like having it pre-installed on HP/DELL etc products because those that do have to pay X to the OEMS to get pre-installed etc.

So it basically needs mouth to mouth advertising…

Gee! , very helpful reply Ronny.

HIPS stands for (as far as I know): Host Intrusion Protection system, which is too good. I didn´t know Defense+ was an HIPS. That´s quite good for I love Security though I am , as I remarked, a beginner.

I knew a very famous product being both an HIDS and NIDS , but as “D” indicates, it is only a detection system which alert you to act against the malware but doesn´t act itself again such malware.

The good thing is that Defense is an HIPS and not only a HIDS, therefore, it acts rather than only warning by email. That´s quie good!

Now I understand why many pc´s bring a certain known AV!

As for “normal” users having to answer a “yes” or “no” when it comes to allow a connection, I totally agree with you ; it´s bothering for them and they just click on “yes” probably, I myself used to do it :-\ long ago.

It is quite information this and the “mouth to mouth” advertising, I´d dare to say is the best.

Thanks for sharing all your knowledge Ronny!

No problem Lou, glad I could be of some help.