What is BOClean doing at this address [Resolved]

Hello all, I just recently installed BOClean on my XP machine. The first thing I noticed was that it was at address 74.52.200.146 using port 21; that’s fine, for updates. But what is it doing at 74.52.200.146 using port 41403? By the way, I use CFP 2.4.

Whois:

74.52.200.146
Record Type: IP Address

OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange: 74.52.0.0 - 74.54.255.255
CIDR: 74.52.0.0/15, 74.54.0.0/16
NetName: NETBLK-THEPLANET-BLK-14
NetHandle: NET-74-52-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2006-02-17
Updated: 2007-07-11

RTechHandle: PP46-ARIN
RTechName: Pathos, Peter
RTechPhone: +1-214-782-7800
RTechEmail: admins [ at ] theplanet.com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse [ at ] theplanet.com

OrgNOCHandle: TECHN33-ARIN
OrgNOCName: Technical Support
OrgNOCPhone: +1-214-782-7800
OrgNOCEmail: admins [ at ] theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: admins [ at ] theplanet.com

Who the hell is ThePlanet.com? I don’t mind if they are the company hosting the updates, but what’s on port 41403? Better yet, what are they using that port for? I am in no way bashing your products; I appreciate your free products. I just don’t like any information gathering hounds. I have confirmed that if I manually update it does not use that port all the time; it sometimes switches to another port, 45???. I missed it, it was too fast to catch, haha. Gonna see if it uses it tomorrow on its auto update. What’s really funny is that on the header of the manual updater it says connecting to Comodo.com, should read ThePlanet.com.

OK, 3 days with BOClean and happy with the fact that it is light on resources, BUT why does BOC425.exe have to access the internet to that same IP? I thought BOC4UPD.exe was the updater, not BOC425? It is set to the default schedule of updates every 24 hours but BOC425 hits that IP every time I reboot.

On another note, how can someone notify the developers that BOClean is flagging “Real VNC viewer 4.1.2” as a trojan horse? That has got to be a FP.

One last thing, does anyone know if BOClean is safe and compatible to use with “ThreatFire”?

Hey Becho,

Firstly, they are using ThePlanet.com as an updater to help spread the load.

The BOClean executable will check whether an update is available X minutes after startup. This option is buried somewhere in the app's options.

You can manually add the VNC viewer and/or server to the Excluder. This will prevent BOClean reporting it again.

Cheers,
Ewen :)

The FAQ covers how to report suspected false positives.

Suspected False Positives?

Q: Where do we send the files that are being alerted on that we suspect are FPs?

A: You can email them to: malwaresubmit [ at ] avlab.comodo.com .
You may want to specify in the subject line “False Positive?” for clarity’s sake.
As usual, zip and password protect with “infected” including that information in the body.

BOC uses FTP (passive) to do updates. Thus, it connects first to Destination Port 21 (this is where the FTP server listens); then it will connect to two different high-numbered Destination Ports to complete the download.

Comodo uses several different server farms throughout the world to host its updates; ThePlanet.com is just one of them. BOC is set to contact updates.comodo.com; the end-site will vary depending on geographic location (thus, not everyone is connecting to ThePlanet.com).

Hope that clears up that issue for you…

LM
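The passive-FTP behaviour described in the reply above, as an added example that is not part of the original thread: it parses the server's 227 (PASV) and 229 (EPSV) replies and labels each outbound connection as control, announced data, or unexplained. Only 74.52.200.146, port 21 and port 41403 come from the thread; the control-channel lines, port 45210 and port 6667 are constructed sample data, and the function names are hypothetical.

```python
import re

# 227 reply: host and port as six decimal bytes (RFC 959).
# 229 reply: port only, the address is the control-channel peer (RFC 2428).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def passive_endpoints(control_lines, server_ip):
    """Return the (ip, port) data endpoints the server announced."""
    endpoints = set()
    for line in control_lines:
        if m := PASV_RE.match(line):
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            if max(h1, h2, h3, h4, p1, p2) > 255:
                continue  # malformed reply, every field must fit in one byte
            # The port is sent as two bytes: high byte * 256 + low byte.
            endpoints.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
        elif m := EPSV_RE.match(line):
            endpoints.add((server_ip, int(m.group(1))))
    return endpoints


def classify(connections, control_lines, server_ip):
    """Label each outbound (ip, port) seen in a firewall log."""
    announced = passive_endpoints(control_lines, server_ip)

    def label(conn):
        if conn == (server_ip, 21):
            return "ftp-control"
        return "ftp-passive-data" if conn in announced else "unexplained"

    return {conn: label(conn) for conn in connections}


# Constructed sample data (not captured from a real BOClean update).
SERVER = "74.52.200.146"
CONTROL = [
    "220 FTP server ready",
    "227 Entering Passive Mode (74,52,200,146,161,187)",  # 161*256+187 = 41403
    "226 Transfer complete",
    "229 Entering Extended Passive Mode (|||45210|)",
]
CONNS = [(SERVER, 21), (SERVER, 41403), (SERVER, 45210), (SERVER, 6667)]

if __name__ == "__main__":
    for conn, verdict in classify(CONNS, CONTROL, SERVER).items():
        print(conn, verdict)
```

A high-port connection that no 227 or 229 reply announced is the one worth investigating; the two announced ones are ordinary passive-mode data channels.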

Thanx guys, it all makes sense now. One last thing, someone at Wilders mentioned that BOClean and ThreatFire together would be a waste of resources cuz they basically would be doing the same thing.

One poster said:

You can save some resources by only running one anti-malware, either BOClean or ThreatFire.

Another went into detail by:

You are the master of your own PC, but I think adding Boclean to your setup provides little extra protection, because:

  1. Boclean provides on execution protection, meaning the malware has already landed on your computer. ThreatFire will catch it a little later (when it starts to behave badly), but neither will prevent it from entering your PC.

  2. CyberHawk (predecessor of ThreatFire) cheats a little as behavior blocker, because it also has snippets of code to fingerprint malware (sort of mini-blacklist) which is hard to catch with user friendly behavioral blocking. So in a way its on execution protection mini-blacklist overlaps with Boclean (catching real nasty Malware like Trojans etc). There is a fair chance Avast’s on execution blocking will tackle the others.

  3. Running in IE protected mode all the time (with Avast webshield and ThreatFire as backup) and for real dangerous surfing Returnil, would minimise the chance of being infected. Average PC is not protected against zero day threats. Most of the heavy posting Wilders Members are protected against 95% of the real baddies. Those 5% which would bring our security down, will probably also pass Boclean, so I think WSFUser makes a point.

The point is I wanted HIPS protection but didn’t want to overlap protection. Any suggestions?

BOClean is not made to catch malware when it enters your PC but when it wants to be executed. That’s a different philosophy and not a drawback. BOClean complements many Antivirus-Scanners that way.

Folks, the topic question has been answered, and the issue resolved. Any further deviations on the issue should have its own thread. Please understand.

Thanks.