Why Comodo firewall still trying to access Comodo CA Ltd IP ?! [MERGED TOPIC]

Hi,

I’m running Comodo firewall 5.10, for which I’ve disabled automatic updates, but Comodo still tried to access the internet, so I created a program rule that blocks all requests from cmdagent.exe.

And still, I can see my computer trying to access port 80 at IP 178.255.83.1, which belongs to Comodo CA Ltd. I assume Comodo firewall is the program trying to do so.

It does so every day, several times a day.

Is there any good reason for that?

Thanks in advance for the answers.

I noticed the same issue with PeerBlock.

The IP address resolves to ocsp.comodoca.com. OCSP is short for Online Certificate Status Protocol. OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

CIS is checking whether Comodo certificates have been revoked when it checks a file signed by Comodo. Please allow this traffic.
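
The exchange described in this answer, as an added example that is not part of the original post or of Comodo's software: a minimal, stdlib-only Python encoder and decoder for the OCSPRequest structure from RFC 6960, plus the HTTP framing from its Appendix A that is the reason the traffic goes to port 80. The issuer name, issuer public key bits and serial number below are constructed stand-ins, not data from any real Comodo certificate. Decoding a captured request this way shows what the client actually discloses to the responder: a SHA-1 hash of the issuer's name and key and the serial number of the certificate being checked, nothing about the file or the user.

```python
"""Minimal OCSP request encoder/decoder (RFC 6960), pure stdlib.

Added example, not Comodo's code. It shows what an HTTP request to an
OCSP responder such as ocsp.comodoca.com:80 carries: a DER-encoded
OCSPRequest naming the certificate being checked (issuer name hash,
issuer key hash, serial number). All sample inputs are constructed.
"""
import base64
import hashlib
import urllib.parse

SHA1_OID = bytes.fromhex("2b0e03021a")   # 1.3.14.3.2.26 (sha1)


# ---- tiny DER helpers ---------------------------------------------------
def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(n):
    """Non-negative INTEGER; an extra leading 0x00 keeps high-bit values positive."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_children(body):
    """All (tag, value) pairs inside a constructed element."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        items.append((tag, val))
    return items


# ---- OCSPRequest --------------------------------------------------------
def cert_id(issuer_name_der, issuer_public_key_bits, serial):
    """CertID: everything the client reveals about the certificate it checks.
    issuerNameHash = sha1(issuer DER Name), issuerKeyHash = sha1(subjectPublicKey bits)."""
    alg = tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))   # sha1 + NULL params
    return tlv(0x30, alg
               + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
               + tlv(0x04, hashlib.sha1(issuer_public_key_bits).digest())
               + der_integer(serial))


def build_ocsp_request(cert_ids):
    """OCSPRequest { tbsRequest { requestList SEQUENCE OF Request { reqCert } } }.
    version is omitted (DEFAULT v1) and the request is unsigned, as most clients send it."""
    request_list = tlv(0x30, b"".join(tlv(0x30, cid) for cid in cert_ids))
    return tlv(0x30, tlv(0x30, request_list))


def parse_ocsp_request(der):
    """Decode an OCSPRequest, e.g. the body of a captured HTTP POST."""
    _, tbs, _ = parse_tlv(parse_tlv(der)[1])
    # skip optional [0] version and [1] requestorName; requestList is the SEQUENCE
    request_list = next(v for t, v in parse_children(tbs) if t == 0x30)
    out = []
    for _, request in parse_children(request_list):
        _, cid = parse_children(request)[0]
        alg, name_hash, key_hash, serial = parse_children(cid)[:4]
        oid = parse_children(alg[1])[0][1]
        out.append({
            "hash_alg": "sha1" if oid == SHA1_OID else oid.hex(),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big", signed=True),
        })
    return out


def ocsp_http_message(host, path, der, method="POST"):
    """RFC 6960 A.1 transport: POST with an application/ocsp-request body,
    or GET with the base64 DER URL-encoded into the path (cache friendly)."""
    if method == "POST":
        head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
                f"Content-Type: application/ocsp-request\r\n"
                f"Content-Length: {len(der)}\r\n\r\n")
        return head.encode() + der
    token = urllib.parse.quote(base64.b64encode(der).decode(), safe="")
    return f"GET {path.rstrip('/')}/{token} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


# Constructed sample inputs (not a real CA): a DER Name "CN=Example Signing CA",
# 64 arbitrary bytes standing in for the issuer's subjectPublicKey, and a serial.
SAMPLE_ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                             + tlv(0x13, b"Example Signing CA"))))
SAMPLE_ISSUER_KEY_BITS = bytes(range(64))
SAMPLE_SERIAL = 0xA1B2C3D4E5F60718

if __name__ == "__main__":
    req = build_ocsp_request([cert_id(SAMPLE_ISSUER_NAME, SAMPLE_ISSUER_KEY_BITS, SAMPLE_SERIAL)])
    print(ocsp_http_message("ocsp.comodoca.com", "/", req).split(b"\r\n\r\n")[0].decode())
    for entry in parse_ocsp_request(req):
        print(entry)
```

OCSP is specified over plain HTTP; the integrity of the answer comes from the responder's signature on the OCSPResponse, not from the transport, which is why a cleartext port-80 flow to an OCSP host is expected rather than suspicious. To inspect real traffic, save the POST body from a Wireshark capture and feed it to `parse_ocsp_request`.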

Let me begin by saying that I have used Comodo firewall for more than 5 years. When I installed the newest version I imported the last profile that I had used on an old Windows installation, and that profile had Comodo Agent blocked. Then I started to notice that Comodo tried to connect to a certain IP address registered to Comodo CA Ltd. PeerBlock blocked those connections because HTTP blocking was on. Comodo firewall tried to connect every 5 minutes to those IP addresses, and it changed the ports from which it tried to make a connection. In every try it used 5 ports. Since all the ports were blocked by PeerBlock, Comodo first tried to connect from ports 52001 to 52005, and then 5 minutes later it tried ports 52006 to 52010. The ports I am using are just an example! I thought Comodo was trying to phone home, but I searched for a solution to this problem and found the answer. All I needed to do was to let Comodo access that address once it is installed, and it won’t be making those TCP requests again. I allowed Comodo and it stopped. I just want to say that I don’t use Sandbox or Defense+, and everything that is not connected to the firewall is disabled. A couple of days ago I again noticed that Comodo is trying to connect to one of the addresses connected to Comodo CA Ltd. (the list of which is here: https://ipdb.at/org/Comodo_CA_Ltd ), but this time the interval between the connection attempts is 8 hours. Why is my firewall trying to connect home? Updates are turned off, I only use the firewall, it has no reason to connect to Comodo CA. Why is it trying to?

How can I disable that checking? There is no reason for a firewall to check online security certificates!

Yes, there is. For security reasons, when working with digitally signed files, it is necessary to make sure that the underlying certificates are not revoked.

When you don’t allow it you are undermining your system’s security. It is my belief that your concern and caution about the traffic from your system to the web is counterproductive for your security.

“Yes, there is. For security reasons, when working with digitally signed files, it is necessary to make sure that the underlying certificates are not revoked.”
Why does it have to work with digitally signed files? I’m not trying to be a smartass here, but I would really like to know why my firewall (and I have to stress that I use Comodo only as my firewall; I do not use, and I don’t want or need to use, Defense+ or Sandbox) needs digital certification capability. Firefox already uses OCSP, so my firewall doesn’t need to check for certificates. I agree that it enhances security (+1 for the extra security it will bring), but only in the case of internet browsing. Maybe I don’t browse at all, so I don’t need the extra layer of security. In Comodo CA, CA stands for Certificate Authority, and incorporating OCSP can truly enhance security, but there are privacy concerns with OCSP, and I think it is crucial for software developers to stop bundling software solutions into one package. Do I need crummy Defense+ and Sandbox? Hell no! I appreciate the fact that Comodo Internet Security has them both, but I just want the firewall.
I did some reading about OCSP, and I see no reason to incorporate it in a firewall. EricJH, thank you for your answer! I will do some more reading, and I truly hope that then I will be able to ask more meaningful questions.

I beg to differ. Even when not connected to the web, one needs to check the certificates of installed signed programs. A check by a browser of web sites’ security credentials is not enough. Recently Adobe had to withdraw some of its certificates after they had become compromised. That means you may have installed something that seemed trustworthy at first sight but turned out to be malicious.

“In Comodo CA, CA stands for Certificate Authority, and incorporating OCSP can truly enhance security, but there are privacy concerns with OCSP, and I think it is crucial for software developers to stop bundling software solutions into one package.”
What privacy concerns do you see? Are you not comfortable with sending any information to organisations, or with the fact that these organisations can be obligated by governments to show their logs?
“Do I need crummy Defense+ and Sandbox? Hell no! I appreciate the fact that Comodo Internet Security has them both, but I just want the firewall. I did some reading about OCSP, and I see no reason to incorporate it in a firewall.”
File integrity supersedes the firewall with HIPS. Even with a firewall only, you need an additional solution to make sure you are not getting infected. You may be using an on-access antivirus solution for this. I think checking the file integrity of digitally signed executables is a very useful and needed solution.
“EricJH, thank you for your answer! I will do some more reading, and I truly hope that then I will be able to ask more meaningful questions.”
Please keep us posted on your findings, questions and remarks.

“Even when not connected to the web one needs to check the certificates of installed signed programs.”
I do get that, but I have antivirus software that does that; I don’t need my firewall doing that! Let’s leave Adobe out of this discussion; God knows they have more than enough updates that deal with security flaws. If I have that sort of malware on my computer, a digital certificate won’t help me.
You asked me what privacy concerns I see. “OCSP checking creates a privacy concern for some users, since it requires the client to contact a third party (albeit a party trusted by the client software) to confirm certificate validity. OCSP Stapling is a way to verify validity without disclosing browsing behavior.” Although this may be harmless, it can be used for tracking purposes. One could easily say that cookies are as dangerous as this flaw of OCSP, and one would be right. Why is the company that works on certificate authority so eager to put it in their firewall? There is no point in it being in this product. But then again, there is no point in the Sandbox or Defense+ module if you look at things that way. And I do look at things that way. I can find justification for Sandbox and Defense+, but OCSP should not be there, or there should be a way to turn it off. You ask me “Are you not comfortable with sending any information to organisations or with the fact these organisations can be obligated by governments to show their logs?” I am not comfortable with any of it, but I do see the necessity for control of the organizations, and I am all for the showing of the logs if the person in question has done any criminal activity. But digital certificates are not used for flushing out criminals; they sure can be used for tracking purposes and analysis of consumer habits, though. And it can be used for selling more certificates. I do not feel comfortable with a product that does something that I didn’t ask it to. Comodo is a CA company that pushes its certificate solutions with its firewall. I do not feel comfortable with that. How come there is no process that can be blocked in application rules, so that the firewall wouldn’t behave this way? Even if I block everything, the firewall will still connect to Comodo CA IP addresses. It just doesn’t show the application that is used for connecting. The only way to block it is to use global rules.

Once more I have to say… The company that sells certificates embeds its certificate checking solution in its firewall. What is the idea behind this? It sounds as useful as having image viewing software inside the antivirus solution. I think the real idea behind this is consumer research and data mining. There is no other answer than that. If I don’t use Comodo Antivirus, Comodo Defense+ or Comodo Dragon, my firewall doesn’t need the capability to check for certificate authenticity. And still it does, without the ability to control it. And I am being called a criminal because I think that kind of behavior is unacceptable. I seek anonymity because I am a criminal?!? You could’ve offered a tech-savvy explanation of the problem, something along the lines of… when the firewall checks the traffic it needs to check certificates, or something like that. I would totally buy it. But you are saying that certificate checking is used for flushing out criminals. Statistics and research are more credible reasons.

As you’ve been previously advised, security is the idea behind this.

You’d buy an implausible explanation, but not the truth? That’s an unusual stance.

BTW, nobody, aside from your good self, called you a criminal. In fact, I don’t believe it was even inferred.

The question I was asked was “What privacy concerns do you see? Are you not comfortable with sending any information to organisations or with the fact these organisations can be obligated by governments to show their logs?” Who besides criminals would be concerned about organizations having to show their logs to the government?
“You’d buy an implausible explanation, but not the truth?”
An implausible explanation would be more logical than the truth I was offered. A firewall that doesn’t check the files, because Defense+ has been disabled, still needs digital certificates to check the files, and a firewall that is not used to make connections to web sites (I use Firefox for that) still needs to check digital certificates and OCSP. Is the firewall acting as a browser in any way? Does it make any connections to web sites? Does it need those digital certificates to verify connections or something like that?

Well, there are other posts on this topic on this forum and out there on the net, and from what I can tell Comodo is claiming that it’s for SSL certificates.

I’m not buying it, and not that long ago I got hacked something bad, so you could say that when it comes to network security I’m in paranoid mode, meaning I’m packing 5 firewalls back to back, all manually set up (“full manual network setup”), so if one firewall is exploited or fails or tries to pull off what Comodo is doing, then the other one takes over.

This whole topic reminds me of the whole Comodo + Ask spyware topic from some years ago.

As far as I’m concerned it is spyware and does phone home, though not on the ports you’re talking about.
From what I can tell it just pumps the pile over port 80, yay. I should have Wiresharked what was going on but didn’t.

The minute I saw it doing that junk I was like, SOOOO that’s why it’s free (“not”). Sadly this kind of thing seems to be going on all over the place on the net, on the privacy-invasion topic.

Seeing as a picture is better than words… here are some links to what I’m talking about.

Off topic: nice firewall, though, overall; the only gripe I have with it is the GUI, and the menu system is really bad.

Here are some pics of Comodo in action; note all web browsers were closed, it was 100% cmdagent.exe phoning home.

Tip: use Alt and + or - to zoom in most browsers.

http://oi46.tinypic.com/3xyps.jpg
http://oi45.tinypic.com/k3iqd.jpg
http://oi49.tinypic.com/2ntwm8o.jpg
http://oi48.tinypic.com/2cnv8s4.jpg
http://oi45.tinypic.com/16bc77o.jpg
http://oi47.tinypic.com/nfkvq1.jpg
http://oi46.tinypic.com/kn9t3.jpg

CIS uninstalled. “Good thing there’s a custom uninstaller; it almost killed my OS install.” :-TD

Based on what you posted, I see some potential confusion here. Sorry, I thought you had read up on X.509 digital certificates.

Right, this isn’t exactly my area: X.509 is the international standard for digital certificates used to authenticate digital signatures. This doesn’t just mean digital certificates for web sites; it actually means digital signatures for lots of things, including files (applications). In effect, it is checking that the digital authentication is still valid… not the certificate.

“Right, this isn’t exactly my area: X.509 is the international standard for digital certificates used to authenticate digital signatures. This doesn’t just mean digital certificates for web sites; it actually means digital signatures for lots of things, including files (applications). In effect, it is checking that the digital authentication is still valid… not the certificate.”

I get that, but why is the firewall using it?! Is it normal for a firewall to check for digital authentication, even though I do not use Sandbox, Defense+ and so on? I don’t need checking of digital signatures for applications; my antivirus does that. What I am asking is this… does a regular firewall need that sort of capability, or is it connected with Defense+ and therefore Comodo uses it? If it is a part of Defense+, and after installation of the firewall it cannot be disabled even though you don’t use Defense+, I get that and that is cool by me. But you are telling me that a firewall needs OCSP. Is that true?

I believe it is tied in with Defense+.
And that is, AFAIK, always installed.
Comodo is Default Deny, so you will always be protected no matter.

Now we are getting somewhere. So Defense+ uses OCSP; the firewall has no need for it, but it still downloads a “list of banned certificates”. How can I stop this behavior?

As I am being told, the sandbox is connecting to download a new list of certificates. I am running Wireshark as we speak.

At this time I am not sure that is possible.
Maybe someone else might have this answer?

Doubt you’ll see much with that in any case; probably why, in the back of my mind, I didn’t bother to go there.

SSL, after all, stands for Secure Sockets Layer: 128-bit or better encryption.

I just don’t like the idea that the firewall is permanently connected to the master servers at Comodo and does whatever it wants on that topic, and if I haven’t missed my guess, seeing as I did a 3x once-over on all the settings I’m allowed to play with, there seems to be no way to turn this off as far as I can tell. That, and the GUI for the app makes no sense; I mean, is it really that hard to tell this app just to do a port-range block?

Apparently it is >:( seeing as a lot of the option pages are contradictory and in conflict with themselves as to what they’re trying to say and do at times, but don’t worry, be happy!

If you can’t figure it out, just click on “Comodo’s GeekBuddy” and commit privacy-invasion suicide.

So really what it comes down to is you have to use the Force, because without the source code and the ability to audit the master servers at Comodo, who knows for sure what’s going on but Comodo, right?

And as a bonus, Mr OCPirat O_o, you might as well check for rootkits with 3rd-party apps; if I haven’t missed my guess, the firewall in question installs a superuser rootkit. Picked up on that too, my friends.

GMER & RootkitRevealer are your friends. Anyway…

!ot!

http://oi46.tinypic.com/xvdvr.jpg

In the meantime I’ll try and track this garbage down.
Allow JavaScript to connect your remote desktop port to Google servers over port 80, WTF??? I think not… I see this every so often and it’s really starting to get on my nerves. That, and I have an antivirus on a different computer that, like Comodo, regardless of settings hammers the network like mad on the DNS port.
Yesss, one more app for the pile that doesn’t get the idea of
“■■■■ PLZ & DO NOT CONNECT TO MASTER SERVER.”