WHAT is Comodo trying to do here?

See screenshot:
http://i.minus.com/iXg5PSmcG7AQs.png

Every 5 minutes Comodo seems to run the following sequence. It tries to reach out to “secure.comodo.net” once, [is blocked], advances the port number, tries again, [is blocked], advances the port number, tries to go to “licenseactivation.security.comodo.com”, [is blocked], advances the port number, tries again, [is blocked], waits 5 minutes and then repeats this sequence of 4 attempts ad infinitum.

TraceRoute to 91.199.212.132 [secure.comodo.net]
TraceRoute to 91.199.212.132 [secure.comodo.net]
TraceRoute to 199.66.201.28 [licenseactivation.security.comodo.com]
TraceRoute to 199.66.201.28 [licenseactivation.security.comodo.com]

I don’t know why this began at 4:00AM Saturday morning (maybe that is when a new log was created?) but it is still continuing as I write this.

I tried unchecking the Enable box for update checking but this does not seem to have stopped these actions. So WHAT is Comodo trying to do here?

Comodo seems to be sucking up a lot of resources and this may be one area that is causing that.
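An added example, not code from this thread, that looks for exactly the pattern described above in a firewall log: blocked outbound attempts from one process to one destination that recur on a fixed interval. The log format and the sample lines are constructed (the thread's screenshot is not machine-readable), and the advancing port is assumed to be the ephemeral source port; the process name, ports and timestamps are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not the poster's real export): three bursts 5 minutes apart.
SAMPLE_LOG = """\
2012-03-18 04:00:01 cmdagent.exe Blocked TCP 192.168.1.208:49400 91.199.212.132:443
2012-03-18 04:00:03 cmdagent.exe Blocked TCP 192.168.1.208:49401 91.199.212.132:443
2012-03-18 04:00:05 cmdagent.exe Blocked TCP 192.168.1.208:49402 199.66.201.28:443
2012-03-18 04:02:40 firefox.exe Blocked TCP 192.168.1.208:50010 203.0.113.7:80
2012-03-18 04:05:01 cmdagent.exe Blocked TCP 192.168.1.208:49403 91.199.212.132:443
2012-03-18 04:05:03 cmdagent.exe Blocked TCP 192.168.1.208:49404 91.199.212.132:443
2012-03-18 04:05:05 cmdagent.exe Blocked TCP 192.168.1.208:49405 199.66.201.28:443
2012-03-18 04:10:01 cmdagent.exe Blocked TCP 192.168.1.208:49406 91.199.212.132:443
2012-03-18 04:10:03 cmdagent.exe Blocked TCP 192.168.1.208:49407 91.199.212.132:443
2012-03-18 04:10:05 cmdagent.exe Blocked TCP 192.168.1.208:49408 199.66.201.28:443
"""
# One line of the constructed format: timestamp, process, action, protocol, src:port, dst:port.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>\S+) (?P<action>\S+) (?P<proto>\S+) "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts'; lines that do not match are skipped."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    return events

def burst_starts(times, gap=30):
    """Collapse attempts at most `gap` seconds apart into one burst; return burst start times."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or (t - last).total_seconds() > gap:
            starts.append(t)
        last = t
    return starts

def periodic_blocked(events, period=300, tolerance=15, min_bursts=3):
    """Return {(process, dst): burst count} for blocked flows whose bursts recur every ~period s."""
    by_flow = defaultdict(list)
    for e in events:
        if e["action"] == "Blocked":
            by_flow[(e["proc"], e["dst"])].append(e["ts"])
    hits = {}
    for key, times in by_flow.items():
        starts = burst_starts(times)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        if len(starts) >= min_bursts and all(abs(g - period) <= tolerance for g in gaps):
            hits[key] = len(starts)
    return hits
```

Running `periodic_blocked(parse_log(SAMPLE_LOG))` flags only the two Comodo destinations; the single blocked browser connection is not periodic and is left out.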

Are you using a paid or a free version of CIS?

The free version as far as I know.

Additionally, I had rebooted my computer but left it at the Windows logon screen w/o logging on until I returned home a few hours later.

After getting booted and initialized, I checked the Firewall log and could see that Comodo had continued the sequence of 4 reach-out attempts every 5 minutes EVEN WHEN I WASN’T LOGGED ON!

Weirder & weirder!

This morning I take a look at the firewall log and see almost the same thing happening as yesterday, including the log restarting at 4:00AM all over again and the disappearance of the previous day’s firewall log.

There is no footprint of the 3/17 firewall log to be found. Did I hit the 10MB limit I have set which forced log deletion? I have changed the disposition to save logs now instead of deleting them.

Also, the pattern of attempts to reach the Comodo servers varies a bit now. I am seeing two and sometimes three reaches to the .132 IP address and only one reachout to the .28 address.

Maybe Comodo has some sort of trojan buried in it? [lol]

So with no one being able to help about this problem here, I opened an official support request a couple of days ago. When I saw a response in my email box today, I was hoping for an answer.

Instead I got a rather dumb request from Geekbuddy support to install their software so one of them could log into my system.


Hi,

Thank you for contacting COMODO

In order to help you with this issue, we suggest you download and install the COMODO Geekbuddy software, which will help us to remotely connect to your PC and do the necessary steps to fix this issue. The steps to be followed are provided below.

  1. Download the Geek Buddy software from this direct link
    http://download.comodo.com/lps/download/client/geekbuddy/cgb_setup.exe

  2. Install the downloaded program and then open the Geek Buddy icon on your desktop. You will be connected to a COMODO Geek Buddy operator who will assist you further.

Alex
GeekBuddy Technical Support
www.comodo.com

Of course, it looks like Geek Buddy would charge $49.95 to “fix” a problem. However, this log problem IS NOT MY PROBLEM. It comes from Comodo.

So I declined his request to install any remote connect software. I see no reason why there is any need to allow someone to connect to my system for this problem, other than provide them the opportunity to pitch me on paying them for fixing something I did not cause or signing up for some sort of annual support contract.

I understand that Comodo owns Geekbuddy, but does that mean that anything sent to Comodo support automatically gets routed to Geekbuddy so they can scam people into paying $49.95 or more for fixing problems created by Comodo? Sheese.

Can you provide some more detail regarding the settings you’re using for the firewall? Specifically, your Application rules and Firewall Behaviour Settings. It would also help if you could post a sample of the log.

At the very top of my original post is a link to a log sample.

As to your other requests, I don’t see why you would be interested in them and would request you take a look at the 1st post again.

The question is why is COMODO trying to send these requests outbound that are being blocked? And why they keep trying every 5 minutes? What is Comodo doing and how do I stop it from continuing to do this?

Comodo reaching out to its own servers for whatever reasons has nada to do with my app rules or behavior settings.

I read your first post and the image in the link is unreadable. The information I requested is to help assess your configuration, so that we might be able to get some idea about why you’re seeing these connections.

CIS will make a variety of connections to Comodo and CDNs used by Comodo (nowhere near the number you claim you’re seeing) for things like updates, cloud lookup etc. All of these may be disabled. You can also prevent CIS from making any outbound connections by changing the firewall application rule for ‘Comodo Internet Security’ to Block without logging, but doing so will prevent all updates.
Whilst it’s quite normal to see connections to Comodo, it’s certainly not normal to see the number you’ve said you’re seeing.

Hmmm. I checked the link immediately before my last post and it was quite readable for me. I will try attaching the screenshot here.

I have update checking disabled and I have the cloud stuff also disabled. Let me know if there is other info you need.

What you see in the log sample is the ONLY traffic in the log. I’ve reached almost 4000 entries in the log! Whew. The destination addresses are straightforward and going to Comodo servers. Why is Comodo reaching out to the licensing server and why won’t it stop?

I thought this would be an easy question for the real Comodo support (not the volunteer) to answer, since the traffic is to their own servers. Instead, I get a stupid post from Geekbuddy requesting that they be allowed to roam around on my computer and try to pitch me on a support subscription.

Can you tell me which of the suite components you’re using and the destination port number(s) used by the 199 address?

Using only the Firewall. There is no info related to a destination port in the firewall log that I can find.

I include an updated firewall log snapshot.

The destination port is the last column in your image.

I really have no idea why you’re seeing so many connections to Comodo. Usually, I have all updates/cloud look-ups/TVL updates etc. disabled and the processes responsible for making the connections blocked in the firewall. However, as an exercise, I re-enabled these settings and removed the firewall rules. After 4 hours of continuous use, I’ve only seen three requests. One of these was to update the TVL:

    Source: 192.168.1.208 (192.168.1.208)
    Destination: 91.199.212.171 (91.199.212.171)
Transmission Control Protocol, Src Port: 49387 (49387), Dst Port: http (80), Seq: 1, Ack: 1, Len: 108
    Source port: 49387 (49387)
    Destination port: http (80)
    [Stream index: 156]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 109    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgement: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 16611
    [Calculated window size: 66444]
    [Window size scaling factor: 4]
    Checksum: 0xf371 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Bytes in flight: 108]
Hypertext Transfer Protocol
    GET /av/tvl/deletedvendors.txt HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /av/tvl/deletedvendors.txt HTTP/1.1\r\n]
            [Message: GET /av/tvl/deletedvendors.txt HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /av/tvl/deletedvendors.txt
        Request Version: HTTP/1.1
    Accept: */*\r\n
    Host: download.comodo.com\r\n
    Cache-Control: no-cache\r\n
    \r\n
    [Full request URI: http://download.comodo.com/av/tvl/deletedvendors.txt]

and the other a cloud check.

    Source: 192.168.1.208 (192.168.1.208)
    Destination: 91.209.196.27 (91.209.196.27)
User Datagram Protocol, Src Port: 53817 (53817), Dst Port: n1-rmgmt (4447)
    Source port: 53817 (53817)
    Destination port: n1-rmgmt (4447)
    Length: 54
    Checksum: 0xe2ac [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Data (46 bytes)
    Data: 042a470000010004003ecbf89990c4ba6d8aae8c856d54ba...
    [Length: 46]

If I recall, you said you’ve disabled update checks and cloud requests, and yet you’re still seeing these. It may suggest you have a problem with your installation. The first thing to do is make sure you really have disabled everything. For this, you need to check several locations: (see images)

More/Preferences/General
More/Preferences/Update
Defence+ Settings/Execution Control settings

As mentioned before, you can also block the connections in the firewall.

I don’t want to over-complicate this. The question is really simple. Given this sequence:

TraceRoute to 91.199.212.132 [secure.comodo.net]
TraceRoute to 91.199.212.132 [secure.comodo.net]
TraceRoute to 199.66.201.28 [licenseactivation.security.comodo.com]
TraceRoute to 199.66.201.28 [licenseactivation.security.comodo.com]

WHY does Comodo firewall keep trying to get to the two servers listed above? Every time it is blocked, it increments the port, tries once more, then waits 5 minutes, increments the port and tries again.

My guess here is that Comodo seems to think that I have a trial of the PRO version and therefore it keeps trying to check if I have registered yet. It appears that it will keep trying forever. I do not know what would stop it.

This should be a really simple question to answer! But so far, I have not heard back from the formal Comodo support and I have not heard back from those useless idiots at Geekbuddy if they are now handling Comodo support.

Thank you for emboldening the text, that makes it much easier to understand!

WHY does Comodo firewall keep trying to get to the two servers listed above? Every time it is blocked, it increments the port, tries once more, then waits 5 minutes, increments the port and tries again.

Surprisingly, this is what I’m trying to help you find out.

My guess here is that Comodo seems to think that I have a trial of the PRO version and therefore it keeps trying to check if I have registered yet. It appears that it will keep trying forever. I do not know what would stop it.

If you had the Pro version we would have known, as you posted the image earlier. Clearly it’s not (see image); therefore, there’s another issue. Did you actually read my previous post?

This should be a really simple question to answer! But so far, I have not heard back from the formal Comodo support and I have not heard back from those useless idiots at Geekbuddy if they are now handling Comodo support.

Calling people “useless idiots” is really not the best way to ask for help.

We seem to be going around in circles. We are up to 16 posts in this thread with plenty of screenshots with no real progress.

Maybe I can make this query even simpler!

WHY is Comodo trying to contact its license server when I am running a free product?

To see if there is a problem with your installation, could you please import one of the factory default configurations and activate it? That way we can see if your configuration is problematic or not. The factory default profiles are in the CIS installation folder.

I received a reply on this whole question from the genius help at Geekbuddy, to wit:

"Please be informed that cmdagent.exe is trying to validate the license key with the Comodo Licensing servers and in case of trial/free users it is trying to check if the product has a licensing information updated or not. This particular request seems to be blocked on your system; this is either a rule that has been created or there has been a change in the pre-defined Comodo rules. Please reset the policy rules by navigating to Comodo Internet Security → More → Manage my configuration → There select “Proactive security”"

This is a marginal reply at best. I do not want to (or intend to) wipe my whole config and start over again, so the solution proposed is useless as it stands.

I replied asking for more detail - including WHY couldn’t I just allow the licensing connection to go through instead of wiping my settings by making a rules change, WHY Comodo was reaching out to the licensing server on a free product in the first place and how often it does this (once, every 5 minutes)?

There are basically two possibilities. First is you have accidentally downloaded the installer of the Pro version. The other one is that a crash of cfp.exe or cmdagent.exe corrupted your configuration.

Activating an untouched configuration may either show the same or different behaviour. Either way it will tell us something about what exactly is going on. But we need your help here, otherwise we keep on running in circles.

Changing configs isn’t going to change anything. At best, Comodo’s attempts to get to the license server are no longer blocked. BUT letting Comodo reach the license server doesn’t solve the problem, as it doesn’t explain WHY Comodo is trying to get there nor what Comodo wants to do IF it can get there.

So again, we KNOW what the problem is. It is an easy couple of questions now (or should be):

[b]1. WHY IS COMODO REACHING OUT TO THE LICENSE SERVER EVERY 5 MINUTES?

2. WHAT WILL IT DO WHEN/IF IT GETS THERE?[/b]

Everyone using the free Comodo firewall should be checking to make sure that Comodo isn’t continually trying to get to (or actually getting to) the license server EVERY 5 minutes because that might be a reason why some people complain about Comodo performance issues.