v5.3 cmdagent.exe tries to connect to the internet with any setting

i installed a clean 5.3 installation.
in the early past (v4 - 5.1), cmdagent tried a few times a day to connect to the internet. (i asked myself already “why?”).

now it tries it in 15 minutes over 100 times (and i am like “WHAT?”). i have disabled everything in the userinterface to avoid traffic from the firewall. no updates, no lookup, no sandbox, no antivirus.

this even happens if you install “firewall only”.

what is so important in the internet for a firewall that it has to try to connect several times a minute?

since i use a router, i use a firewall to have control over outgoing traffic. this firewall produces un-understandable outgoing traffic itself. and i don't even know what it tries to send or to receive!

this is a behaviour that i really don't expect by using a firewall.

what is that? around seven times a minute.

this seems to happen every 20 to 30 seconds. each time 4 tries from a same source port with around 2 seconds pause between each try.
the used ports are random.

in 3.5 hours there were over 1300 outgoing attempts by cmdagent.exe.

totally unexpected, and i don't see any reason for this behaviour. a firewall should control traffic… it should not produce it itself.

To what IP address and ports are the queries?

i installed an older version again. because the problem was always while using version 5.3 (some tries of reinstallation showed it permanent appearing).

you can easily reproduce this with version 5.3:
disable everything that is related with online activity of the product, inside the comodo userinterface.

you could choose a rule for cmdagent.exe “block and log”. and you will see 4 tries from a same port in a row, after 20-30 seconds another 4 again. different source ports (the ones that i saw were around port 50000-65000).
as i didn't allow a process to go into the internet when there is obviously no need, i just can tell that it tried to contact dns server (my chosen ones). destination port 53.

whatever, isn't it possible to let the people choose if they want the firewall/suite to have any contact to the internet or not? by disabling things in the userinterface.
no matter what addresses it may try to connect to.

I don’t use Any Auto-updates check, Lookup, Submit, Comodo Message Center and cloud service. Please stop the TCP Requests from starting automatically.

OMG, The cmdagent.exe connection attempts include my ISP route node IP (Black Mask…)
Also include crl.microsoft.com connection attempts…

Certificate Revocation List Auto Update Check?
Please give me a choice to disable it.

For example(you can disable it), IE, Mozilla Thunderbird, Adobe Reader, Java Runtime Environment…

Affected Version: CIS 5.3.174622.1216
Non-Affected Version: CIS 5.0.163652.1142 or below

[attachment deleted by admin]

Screenshot: these are the only connections I get with the latest version.

Are you sure you have disabled cloud in Defense+? If you disable Defense+, please do this before, to disable cloud (second screenshot).

Dennis

[attachment deleted by admin]

I’m sure I don’t use these features.

Version rollback to 5.0.163652.1142
My CIS restore to No DNS Resolution & No TCP attempts (cmdagent.exe “block and log”)

[attachment deleted by admin]

while different reinstalls i have tried once to import my old settings of version 5.0. of course i controlled the setting again. (i have disabled everything of that kind too).
with version 5.3 i got really about 7 tries per minute from cmdagent.
with version 5.0 not. i guess version 5.0 tried to connect to the internet when i used a program, at least it tried to connect very few. and that was too often for my taste already.

it would be very userfriendly, if we can not only decide the settings… but if we also can decide of “connecting or not”.
it's somehow a strange feeling to have maybe not the full control over a security product's actions.

this even happened as i installed “firewall only”. i made some different installations to get rid of these tries. no chance with 5.3

cmdagent CAN connect to the internet for the following purposes:

1 - If cloud scanning is enabled, it uses this feature actively for rescanning unrecognized files, scanning unknown files etc.
2 - If AV DB updates are enabled
3 - If you submit files
4 - While verifying digital signatures of applications

All of these options can be disabled, but this is strongly discouraged. You would not like to disable cloud or AV updates.

If you give me the IP address and port, I can tell you which service was being used.

1 - cloud disabled , updates disabled and news center(?) disabled. (like i said: as in version 5.0, where very few tries appeared with that setting).
2 - no antivirus installed
3 - no submitting initialized
4 - verifying digital signatures (how to disable? that might be a useful hint!) … but, while one installation i made a “manual update”. so the digital vendors list should have been updated (like it happened in 5.0 lately).

i see no reason for 1300 tries in 3.5 hours.

starting a connection try, blocking a try, this all uses cpu capacity. as this is something that i don't need, i would like it not to happen.
i was very happy with the old versions. i was safe. and it was a lightweight though. i don't need the most of the extra online features.
don't forget users like me :slight_smile:

It must NOT check for anything under these circumstances. But i need to understand what these connections are. Can you please paste your firewall logs here so that i can see which connections are blocked?

I need to know exactly which (IP address, Port, Protocol) are being blocked in order to see what's going on in your computer.

i use version 5.0 again.

as i blocked cmdagent, it was blocked already by trying to reach the dns server which i have chosen myself. so i can't tell the later intended destination.

an example of how it looked by showing an usual minute happenings in version 5.3 (the real logs are erased while reinstallation of 5.0):

the protocol is UDP (in version 5.0).
cmdagent.exe blocked (source ip), source port 52599, destination DNS IP, destination port 53 21:15:20
cmdagent.exe blocked (source ip), source port 52599, destination DNS IP, destination port 53 21:15:22
cmdagent.exe blocked (source ip), source port 52599, destination DNS IP, destination port 53 21:15:25
cmdagent.exe blocked (source ip), source port 52599, destination DNS IP, destination port 53 21:15:27

cmdagent.exe blocked (source ip), source port 58538, destination DNS IP, destination port 53 21:15:51
cmdagent.exe blocked (source ip), source port 58538, destination DNS IP, destination port 53 21:15:53
cmdagent.exe blocked (source ip), source port 58538, destination DNS IP, destination port 53 21:15:55
cmdagent.exe blocked (source ip), source port 58538, destination DNS IP, destination port 53 21:15:58

an example of how it looked. it didn't stop happening.
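
Added example (not part of any post in this thread): a Python sketch that groups block-log lines in the format quoted above into bursts per source port, so the "4 tries in a row, then a pause" pattern can be measured rather than eyeballed. The cmdagent.exe lines are the ones from the post; the svchost.exe line, the malformed line and the 5-second burst window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# cmdagent.exe lines: from the post. svchost.exe and malformed lines: constructed.
SAMPLE_LOG = """\
cmdagent.exe blocked (source ip), source port 52599, destination DNS IP, destination port 53 21:15:20
cmdagent.exe blocked (source ip), source port 52599, destination DNS IP, destination port 53 21:15:22
cmdagent.exe blocked (source ip), source port 52599, destination DNS IP, destination port 53 21:15:25
cmdagent.exe blocked (source ip), source port 52599, destination DNS IP, destination port 53 21:15:27
cmdagent.exe blocked (source ip), source port 58538, destination DNS IP, destination port 53 21:15:51
svchost.exe blocked (source ip), source port 49152, destination DNS IP, destination port 53 21:15:52
cmdagent.exe blocked (source ip), source port 58538, destination DNS IP, destination port 53 21:15:53
cmdagent.exe blocked (source ip), source port 58538, destination DNS IP, destination port 53 21:15:55
cmdagent.exe blocked (source ip), source port 58538, destination DNS IP, destination port 53 21:15:58
truncated entry without ports
"""

LINE_RE = re.compile(r"^(?P<proc>\S+) blocked .*?source port (?P<sport>\d+),"
                     r".*?destination port (?P<dport>\d+) (?P<ts>\d\d:\d\d:\d\d)$")

def parse(log):
    """Return (process, source_port, dest_port, time) per well-formed line; skip the rest."""
    hits = filter(None, (LINE_RE.match(l.strip()) for l in log.splitlines()))
    return [(m["proc"], int(m["sport"]), int(m["dport"]),
             datetime.strptime(m["ts"], "%H:%M:%S")) for m in hits]

def bursts(events, max_gap=timedelta(seconds=5)):
    """Group attempts that share process and ports and follow each other within max_gap."""
    open_by_key, out = {}, []
    for proc, sport, dport, ts in events:
        key = (proc, sport, dport)
        cur = open_by_key.get(key)
        if cur and timedelta(0) <= ts - cur["end"] <= max_gap:
            cur["end"], cur["count"] = ts, cur["count"] + 1
        else:  # new source port, long pause, or clock wrapped past midnight
            cur = open_by_key[key] = {"key": key, "start": ts, "end": ts, "count": 1}
            out.append(cur)
    return out

def summarize(log, process="cmdagent.exe"):
    b = bursts(e for e in parse(log) if e[0] == process)
    spacing = [(y["start"] - x["start"]).total_seconds() for x, y in zip(b, b[1:])]
    return {"attempts": sum(x["count"] for x in b), "bursts": len(b),
            "per_burst": [x["count"] for x in b], "burst_spacing_s": spacing}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Each burst keeps one source port, which is how retransmissions of a single unanswered DNS query appear in a block log; read that way (an interpretation, not something the thread confirms), the eight logged attempts are two lookups about 31 seconds apart.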

Can you do this for testing, just ALLOW and LOG (just change the rule for testing purposes) and let's see where it tries to connect?

Thanks
Egemen

ok. i will do this test.
when i find the time i will install version 5.3 again soon.

and i should look if it is still udp, because i am not sure that there WASN'T tcp.

last thing before the test:
how to disable digital signatures verifying?

This is not optional. However it happens only if you use AV and a malware is found. It can not be your case.

Why don’t use System DNS Client Service?

Use System DNS Client Service
Svchost.exe destination DNS IP, destination port 53

Not-Use System DNS Client Service
ApplicationName.exe destination DNS IP, destination port 53

Please use System DNS Client Service
ipconfig.exe /displaydns & nslookup.exe is your friend.

But, I don’t use Any Auto-updates check, Lookup, Submit, Comodo Message Center and cloud service.

If AV DB updates are enabled
Firewall only

If you submit files
no file exists

TCP connection attempts

cmdagent.exe
destination IP: crl.microsoft.com
destination port: 80

DNS Resolution attempts

ipconfig /displaydns

Windows IP Configuration

     crl.microsoft.com
     ----------------------------------------
     Record Name . . . . . : crl.microsoft.com
     Record Type . . . . . : 5
     Time To Live  . . . . : 19
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     CNAME Record  . . . . : crl.www.ms.akadns.net

     www.comodo.com
     ----------------------------------------
     Record Name . . . . . : www.comodo.com
     Record Type . . . . . : 1
     Time To Live  . . . . : 1175
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . : 91.199.212.176

cmdagent.exe
destination IP: crl.microsoft.com
destination port: 80

But in your original thread, you said DNS stops at www.comodo.com. When does it try to connect this address?

At that time I have no check box to allow log firewall event at cmdagent.exe (Only Block Rule) ^^;

Two questions

www.Comodo.com Only DNS Resolution 5-minute intervals, But if DNS Resolution(www.Comodo.com) has failed, I am getting continuous www.Comodo.com(DNS Resolution) attempts from svchost.exe (until complete the DNS Resolution)

Maybe you met this problem, clockwork :wink:

crl.microsoft.com DNS Resolution & TCP connection attempts Unknown... (intervals or etc...)

My System Eventlog also have the log
DNS Client Events 1014
Name resolution for the name crl.microsoft.com timed out after none of the configured DNS servers responded.

made the test.

first just looking what happens after installation, and after making the setting:

version 5.3, install, all settings for “no online feature”. no settings-import. no antivirus, no sandbox.
as i expected, cmdagent tried to connect. again 4 tries in a row, with 20-30 seconds until next tryings, non stop in sequences.

i allowed the dns requests after a while. cmdagent connected to each dns server with 3 connections. a bit later one connection to each dns server stayed in the active connections window.
when there are still more connections staying, each involved source port is connected with each dns server.
there are no other requests made until this point. just dns. (what for? and why so insisting often?)

then all connections of cmdagent disappear sometimes.

until:

and this happens, when i open a program like everest home edition:
one connection to the dns server by cmdagent.
and with one try i found out these ip addresses, which are destinations when such a “program start related cmdagent action” happens:
protocol tcp, destination port 80, initiated by cmdagent.exe:
188.111.53.32
188.111.53.56
188.111.53.33
188.111.53.49

nothing in my setting points to any online activity of the program, though it happens.

when i block cmdagent in version 5.3 while those tests, after a while the sequences of 4 in a row all 20-30 seconds appear again.
this did not happen that much in other versions. even though there had been these “application start related cmdagent actions” once in a while too.
would be nice if that can be disable-able :slight_smile: