Why is the Comodo firewall still trying to access the Comodo CA Ltd IP?! [MERGED TOPIC]

I can think of a way to block it, but there should be a more elegant way. Adding the Comodo addresses as a network zone and then blocking that zone in the general rules should do the trick. But in the end we come to the fact that a lot of people, by people I mean admins on this site, tried to convince me that a firewall should have OCSP, and it shouldn't. The component inside the firewall uses it even after it has been disabled. If we put conspiracy theories aside, I am still not sure that Comodo is only downloading harmless data and not reporting the current position of my home-built nuclear sub ;D ;D ;D


I think OnlineArmor is just as good a firewall as Comodo is. But you should see the interface on that one!!! It looks like something from a fairytale about how something went wrong in the making of an interface. I think the main problems with Comodo are the fact that they bundle useless software with a great firewall, and the fact that they do keep an eye on the users. GMER & RootkitRevealer as well as Avast will identify the Comodo agent as malware, but I think we can thank Comodo Internet Security and the bundled antivirus for that. I am still not sure how anonymous Comodo is, but you should check out the other discussions currently going on on this forum.

OCSP (Online Certificate Status Protocol) is one of two common schemes for maintaining the security of a server and other network resources. The other, older method, which OCSP has superseded in some scenarios, is known as a Certificate Revocation List (CRL).

OCSP overcomes the chief limitation of CRLs: the fact that updates must be frequently downloaded to keep the list current at the client end. When a user attempts to access a server, OCSP sends a request for certificate status information (meaning to the Comodo home server). The server sends back a response of "current", "expired" or "unknown". The protocol specifies the syntax for communication between the server (which contains the certificate status) and the client application (which is informed of that status). OCSP allows users with expired certificates a grace period, so they can access servers for a limited time before renewing.
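As an added example (not part of the post above, and not Comodo's code), the following stdlib-only Python builds and parses the unsigned OCSPRequest structure from RFC 6960. It shows everything an OCSP client puts on the wire when it checks a certificate: a hash algorithm, a hash of the issuer's DER-encoded Name, a hash of the issuer's public key, and the serial number of the certificate being checked. RFC 6960 names the statuses in the reply good, revoked and unknown. ISSUER_NAME_DER and ISSUER_KEY_BYTES are constructed placeholders, not values from any real CA.

```python
"""Build and parse an RFC 6960 OCSPRequest with nothing but the standard library.

Added example. ISSUER_NAME_DER and ISSUER_KEY_BYTES below are constructed
placeholders; a real client takes them from the issuing CA's certificate.
"""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")            # 1.3.14.3.2.26
SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1
CN_OID = bytes.fromhex("550403")                  # 2.5.4.3 (commonName)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def seq(*items):
    return tlv(0x30, b"".join(items))


def integer(n):
    # One extra bit of headroom so a set high bit never reads as a negative number.
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed issuer Name: SEQUENCE { SET { SEQUENCE { CN, UTF8String } } }.
ISSUER_NAME_DER = seq(tlv(0x31, seq(tlv(0x06, CN_OID), tlv(0x0C, b"Example Issuing CA"))))
# Constructed stand-in for the issuer's subjectPublicKey BIT STRING contents.
ISSUER_KEY_BYTES = b"\x04" + bytes(range(64))


def cert_id_hashes(issuer_name_der, issuer_key_bytes, use_sha256=False):
    """Hex digests that go into CertID: hash(issuer Name), hash(issuer public key)."""
    h = hashlib.sha256 if use_sha256 else hashlib.sha1
    return h(issuer_name_der).hexdigest(), h(issuer_key_bytes).hexdigest()


def build_ocsp_request(issuer_name_der, issuer_key_bytes, serial, use_sha256=False):
    """OCSPRequest { TBSRequest { requestList SEQUENCE OF Request { CertID } } }."""
    name_hash, key_hash = cert_id_hashes(issuer_name_der, issuer_key_bytes, use_sha256)
    alg = seq(tlv(0x06, SHA256_OID if use_sha256 else SHA1_OID), b"\x05\x00")
    cert_id = seq(alg, tlv(0x04, bytes.fromhex(name_hash)),
                  tlv(0x04, bytes.fromhex(key_hash)), integer(serial))
    request_list = seq(seq(cert_id))  # one Request, no singleRequestExtensions
    tbs_request = seq(request_list)   # version (DEFAULT v1) and requestorName omitted
    return seq(tbs_request)           # optionalSignature omitted: an unsigned request


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def read_children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        items.append((tag, inner))
    return items


def parse_ocsp_request(der):
    """Return one dict per Request with the four CertID fields, skipping tagged optionals."""
    _, ocsp_body, _ = read_tlv(der)
    tbs = read_children(ocsp_body)[0][1]
    request_list = next(body for tag, body in read_children(tbs) if tag == 0x30)
    parsed = []
    for _, request in read_children(request_list):
        cert_id = read_children(request)[0][1]
        alg, name_hash, key_hash, serial = read_children(cert_id)[:4]
        alg_oid = read_children(alg[1])[0][1]
        parsed.append({
            "hash": "sha256" if alg_oid == SHA256_OID else "sha1",
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big"),
        })
    return parsed


if __name__ == "__main__":
    req = build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BYTES, 0x1234)
    print(len(req), "bytes on the wire:", req.hex())
    print(parse_ocsp_request(req))
```

The parsed output is the complete set of fields a responder receives in the protocol itself: two hashes and a serial number, nothing about the client machine. What the responder can still learn is outside the message, namely the client's IP address, the timing of the queries, and which certificates (and therefore which sites or signed binaries) the client is validating; that last point is the privacy cost of OCSP that a firewall zone block trades against losing revocation checking.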

Comodo firewall is a trojan and is data mining/spying, it's that simple.
Next time make your intention clear, Comodo, and have the option to 100% disable that junk, and give the server admin the ability to do offline updates only on this topic.

You can pull this trick once, then you're done in my mind, then it's over for life.
That's why, for the same reasons, I won't touch Avira and AVG antivirus for installing a downloader trojan askstub.exe without asking the end user. Same old, same old.

If I start seeing your app/exe hammering my firewalls and/or their ports listening and blowing in the wind for no reason, just waiting for the firewall to ■■■■ out, I have a very short fuse on this topic if there is no way to turn that kind of behavior off.

The delete key is coming fast at that point, and IMHO that's a DoS attack and network hammering.
Anyway, I'm done with this topic.

http://oi46.tinypic.com/3xyps.jpg
http://oi45.tinypic.com/k3iqd.jpg
http://oi49.tinypic.com/2ntwm8o.jpg
http://oi48.tinypic.com/2cnv8s4.jpg
http://oi45.tinypic.com/16bc77o.jpg
http://oi47.tinypic.com/nfkvq1.jpg
http://oi46.tinypic.com/kn9t3.jpg

Prove it or stop trying to spread FUD, because that is all it is currently. It’s actually that simple.

Something else is fairly simple, if you cannot trust a software vendor (especially a security software vendor) then you really shouldn’t be running their software in the first place.

Is that this topic or the other topic you posted the same stuff in? But, never mind I’m just about to merge them together as they are now about the same thing.

Actually I started the other topic, but you have a point, both topics are pretty much talking about the same thing. Like bagelman7 said, there is no evidence that can prove our claims; without access to Comodo servers or reverse engineering the software we won't be able to prove anything. But if it smells like chicken, tastes like chicken, and looks like chicken, then it should be chicken. I wrote a letter to matousec.com, because they are the unquestionable authority in the field of firewall security; the letter pretty much consists of my original post in the topic "comodo firewall phones home". Their answer is:

Hello,
thank you for your message.
This is really more a question for Comodo support rather than for us.
Still, there are a few comments we can share with you on this topic.

Switching the ports is natural behavior that is actually provided by the operating
system, not the application itself, usually. Nothing suspicious here.

Comodo CA is a certification authority. It should be noted that the certificate business
is the very core business of Comodo. Their certificates are used world wide. According
to Certificate authority - Wikipedia, Comodo currently has about 27%
of this market share. This is why it is natural that by using your computer commonly,
browsing the Internet, using various applications, from time to time you work with
certificates that are signed by Comodo CA. The whole system of certificates relies
on updates and hence it is expected that there will be some communication from your
computer to Comodo CA servers. Some features of Comodo Firewall may rely on this too.
What exactly Comodo Firewall is trying to do there is unknown but it is more likely
than not that these connection attempts are legitimate rather than unwanted.

However, the only correct and detailed answers could come from the vendor itself.
Our research is not focused this way and we do analyze communication of products
with their vendors’ servers. We can thus just guess what is going on there and our
answers may be inaccurate.

Kind Regards,

www.matousec.com Research

Well, there’s always the CIS Help Documentation for an indication of what the CIS Firewall might be doing with digital signature authentication in regards to such things as Safe Mode and what is actually involved in that.

Chicken? Should, indeed.

https://dl.dropbox.com/u/53401400/Trust%20Me.jpg

:slight_smile:

On a more serious note, claims are usually presented as such… but, these claims have been presented as something else entirely (read them yourself carefully). In the absence of any evidence to the contrary, the assertion (claim) must be fact?

The absence of something does not make it fact and under these circumstances I strongly doubt that “correct and detailed answers” … “from the vendor itself” would make any difference to those making such assertions.

I'm not saying that any claim is a fact, but I would like the opinion of a third party that has done some testing in this field. That is the reason I asked matousec.com for their opinion, and that is the reason I am posting my concerns on this forum. The fact that you haven't shut this topic down is a good indicator that you are willing to talk about the issue, and that by itself tells me a great deal. On one hand I am really worried that none of you gave me conclusive evidence that contradicts my "foolish" claims. I expected backed-up answers or at least some kind of resistance to my claims; I got neither, which tells me that there is nobody on this forum that can answer my questions. Is there an email address to which I could direct my concerns?

Register at Comodo Support and raise a ticket on this or failing any satisfaction from that you may, if you wish, direct your concerns at Comodo’s CEO via a PM (Personal Message). He’s called Melih.

And on a final note…

Based on what has been presented so far, it seems that your claims have no real basis in fact and are, at best, considered somewhat fanciful currently.

I do hope this meets your criteria of resistance and clarifies said absent position. :slight_smile:

You have not shown any proof for this other than your belief that the information obtained by the OCSP server is being used for data mining.

> GMER & RootkitRevealer as well as Avast will identify the Comodo agent as malware, but I think we can thank Comodo Internet Security and the bundled antivirus for that. I am still not sure how anonymous Comodo is, but you should check out the other discussions currently going on on this forum.

This asks for proof. The ball is now in your field.

I just ran GMER and, like the other times I have used it, I have not seen the Comodo agent being reported as a rootkit. Can you show a screenshot? I am using v6 beta on Win 7 SP1.

It has been a while since I ran Rootkit Revealer, but it never reported the Comodo agent as a rootkit.

Not running Avast, I am certain that is a false positive by Avast.

The latter really has me wonder… 88)

> On one hand I am really worried that none of you gave me conclusive evidence that contradicts my "foolish" claims.

How can I prove that Comodo is not doing such a thing with no access to their servers? I operate in good faith that this is not happening, as it has never been reported that any CA was practicing this.

Philosophically it is not possible to prove that something does not exist. That's why conspiracy theories are so hard to fight; the paranoid folks always come up with something new that is hidden... :smiley:

> I expected backed-up answers or at least some kind of resistance to my claims; I got neither, which tells me that there is nobody on this forum that can answer my questions. Is there an email address to which I could direct my concerns?

As kail instructed, you can send a PM to the CEO and hear his stance on this.

You are right, but then again, you haven't proven that it isn't. One of us is right. Which one, it's impossible to tell with this level of information.

The dude I was corresponding with said that GMER and RootkitRevealer detected Comodo as spyware. I do not agree with that one bit! I should've said "Then GMER & RootkitRevealer, as well as Avast, will identify the Comodo agent as malware", because I only know for a fact that Avast identifies Comodo Agent as a trojan, and that is a mistake (already cleared up with the Avast guys). I will upload a screenshot.
When I said "The fact that you haven't shut this topic down is a good indicator that you are willing to talk about the issue, and that by itself tells me a great deal." I meant that in the most positive way possible. If you knew for sure I was right, there would be no discussion about the topic, would there?

> How can I prove that Comodo is not doing such a thing with no access to their servers? I operate in good faith that this is not happening, as it has never been reported that any CA was practicing this.

I understand that, and I appreciate the help you are providing me with. You guys are awesome, and I truly appreciate forums like this one. I would just like to hear a "more technical" explanation. If there is a bug in the software, then it should be cleared out, because a firewall that doesn't use Defense+ should not connect to Comodo CA servers. I think we all agree on that. I just want to know why this is happening. I am not claiming that Comodo is spyware or a virus. But if the firewall is connecting to servers, and there is no bug in the software, and no apparent reason why, something is wrong.

With regards to the apparent Avast Malware detection. It seems to me, based on Avast’s message, that it is raising a threat alert because it cannot gain access to CIS’s memory. This is no surprise, as by default Avast (or any other non-CIS process) will be denied access to CIS’s memory for abundantly obvious reasons.

It seems that Avast made the named trojan determination based on the memory access block type and this should probably be reported to Avast as False Positive.

Nope, the burden of proof is with you. The world would not be functioning properly if we were to believe every statement made without proof.

> The dude I was corresponding with said that GMER and RootkitRevealer detected Comodo as spyware. I do not agree with that one bit! I should've said "Then GMER & RootkitRevealer, as well as Avast, will identify the Comodo agent as malware", because I only know for a fact that Avast identifies Comodo Agent as a trojan, and that is a mistake (already cleared up with the Avast guys). I will upload a screenshot.

As kail suggested, please submit the detection by Avast as a false positive to Avast.

I don't know why this third party thinks Rootkit Revealer or GMER think cmdagent.exe is spyware. I think his reasoning is flawed.

> When I said "The fact that you haven't shut this topic down is a good indicator that you are willing to talk about the issue, and that by itself tells me a great deal." I meant that in the most positive way possible. If you knew for sure I was right, there would be no discussion about the topic, would there?
>
> I understand that, and I appreciate the help you are providing me with. You guys are awesome, and I truly appreciate forums like this one. I would just like to hear a "more technical" explanation. If there is a bug in the software, then it should be cleared out, because a firewall that doesn't use Defense+ should not connect to Comodo CA servers. I think we all agree on that. I just want to know why this is happening. I am not claiming that Comodo is spyware or a virus. But if the firewall is connecting to servers, and there is no bug in the software, and no apparent reason why, something is wrong.

CIS relies on signatures, and hash checks, to verify a file's integrity, and that makes checking certificate authorities' OCSP servers a necessity. It is one of the cornerstones of CIS and as such not a bug nor something that will change.

I'm not sure about Rootkit Revealer, but I suspect it probably reports something similar to GMER...

https://dl.dropbox.com/u/53401400/GMER.png

… and given how some people, at least, seem to interpret such data…

… I can easily see where this type of misinformed (dis-informed?) nonsense starts. :slight_smile:

“It seems that Avast made the named trojan determination based on the memory access block type and this should probably be reported to Avast as False Positive.”

This is true, it already has been reported. More than a year ago!!!

Provided that you don't use Defense+, the sandbox or auto updates, which I don't, is it safe to put all the Comodo CA addresses in one zone and then block that zone?

Comodo zone
178.255.83.0-178.255.83.255
91.199.212.0-91.199.212.255
91.209.196.0-91.209.196.255
91.212.12.0-91.212.12.255

Global rules
Block TCP/UDP in/out from MAC any to Comodo Zone where ports are any
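As an added example (not part of the post above, and not anything from CIS itself), the stdlib-only Python below turns the proposed zone and global rule into something that can be tested before it is applied: it collapses the four start-end ranges into CIDR networks and evaluates the "block TCP/UDP in/out, any MAC, to the zone, any port" rule against a few connection records. The records in SAMPLE_CONNECTIONS are constructed for illustration, not real firewall log lines, and the record format is an assumption of this example. One caveat a practitioner should weigh before applying such a rule: a later reply in this thread states that CIS checks OCSP as part of verifying file signatures, so blocking the responders changes what those checks can conclude.

```python
"""Evaluate the proposed 'Comodo zone' global rule against constructed connection records.

Added example, stdlib only. Zone ranges are copied from the post; the records
and their "process direction proto ip:port" layout are constructed here.
"""
import ipaddress

# Zone exactly as listed in the post (start-end ranges).
COMODO_ZONE_RANGES = [
    ("178.255.83.0", "178.255.83.255"),
    ("91.199.212.0", "91.199.212.255"),
    ("91.209.196.0", "91.209.196.255"),
    ("91.212.12.0", "91.212.12.255"),
]

# Constructed sample records; the non-zone addresses are documentation ranges (RFC 5737).
SAMPLE_CONNECTIONS = """
cmdagent.exe out tcp 91.199.212.52:80
cmdagent.exe out tcp 178.255.83.1:80
firefox.exe out tcp 203.0.113.10:443
firefox.exe out udp 198.51.100.53:53
svchost.exe in tcp 91.212.12.9:445
""".strip().splitlines()


def zone_to_networks(ranges):
    """Collapse start-end ranges into the minimal list of CIDR networks."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return list(ipaddress.collapse_addresses(nets))


def make_block_zone_rule(networks):
    """The global rule from the post: block TCP/UDP, in and out, any MAC, to the zone, any port."""
    return {"action": "block", "protocols": {"tcp", "udp"},
            "directions": {"in", "out"}, "remote": networks, "ports": None}


def rule_matches(rule, direction, proto, remote_ip, port):
    ip = ipaddress.ip_address(remote_ip)
    return (proto in rule["protocols"] and direction in rule["directions"]
            and any(ip in net for net in rule["remote"])
            and (rule["ports"] is None or port in rule["ports"]))


def parse_record(line):
    process, direction, proto, endpoint = line.split()
    ip, port = endpoint.rsplit(":", 1)
    return process, direction, proto, ip, int(port)


def evaluate(rules, records, default="allow"):
    """Return {record: verdict}; the first matching rule wins, otherwise the default applies."""
    verdicts = {}
    for line in records:
        _, direction, proto, ip, port = parse_record(line)
        verdict = default
        for rule in rules:
            if rule_matches(rule, direction, proto, ip, port):
                verdict = rule["action"]
                break
        verdicts[line] = verdict
    return verdicts


if __name__ == "__main__":
    rules = [make_block_zone_rule(zone_to_networks(COMODO_ZONE_RANGES))]
    for line, verdict in evaluate(rules, SAMPLE_CONNECTIONS).items():
        print(f"{verdict:5s}  {line}")
```

Because the rule has no port restriction, the inbound record to 91.212.12.9:445 is blocked as well; that is what "ports are any" in both directions means once written out, and it is worth deciding whether that breadth is intended.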

No answers? ???

Very interesting read, this. As a newcomer to Comodo firewall I too was wondering why Comodo kept connecting to the net every few minutes. Before I came to this forum I did a bit of surfing; this is a nice piece about this subject:
Comodo Group Issues Bogus SSL Certificates - Schneier on Security. An interesting read, and some might find it useful.

Just curious, what was the purpose of posting a link to an article posted on March 31, 2011 in a 2012 topic?

I can think of one :frowning:

Please note we may not lock old topics, but this does not entitle you to post in them without good reason.

Dennis

The bottom line is, my security is exactly that, "my security." Not Comodo's or anyone else's. I'd rather be the fool than be fooled. Do you know how many companies try and tell me that their background phoning here and there is for my benefit? The truth is it's my computer, and I say when it can and can't phone anywhere. That way, if in fact I'm compromised, I can only blame myself. Do you really want to put your security completely in my hands? Neither do I want to do likewise.

Don't get me wrong, I truly appreciate your firewall, and have ever since I only believed in Zone Alarm, thanks to Steve Gibson of GRC.com. And I recommend your product to everyone, because I like how it watches all programs accessing whatever they try to access. But I'm nobody's fool, as I've been doing internet computing since its inception. Actually before its inception, via ARPANET. Everyone has reasons for background phoning, and there are none. At least none that make any real sense. My computer, my rules.

Why did Comodo remove the "cancel" option when something is trying to access the net? So it can keep bugging someone until they allow it? If I select "block" then all traffic is blocked, penalizing me, the computer owner and operator, until I restart my browser; that's not right. This all "seems" like Comodo is attempting to make me comply with its wishes, to allow background net access. Also, why not have an option that Comodo "doesn't" remember, then default to the last chosen solution (either block or allow), instead allowing one to choose their own default, as "block" would in fact be my default, in other words, to err on the side of caution. Then I never need worry about making a mistake on the fly, when I'm really busy, allowing something I didn't intend to allow. Again it would "seem" Comodo is trying to force my hand at allowing background phoning. Until an upstart firewall company does otherwise, of course.

Look, I want to trust Comodo, like I wanted to trust Zone Alarm, but when businesses/corporations care more about their bottom line than their customers, there is a serious problem, because a business's customers are in fact the totality of their business. What if there was a product, and no one bought it? Not that I'm pointing my finger at any particular entity. I'm just generalizing, as it "seems" to be the status quo of the day.

No, my security is "only ever" my business. No one else's!

Sincerely,

a man on an island, in my home, the castle! :wink:

A philosopher wanna be!

‘I only know that I know nothing’
-Socrates-

I have a couple of questions, because not all of what you are trying to say is clear to me.

Do you mean the Block All Traffic in the main screen? When you are referring to Firewall alerts, they never had a cancel option.

> So it can keep bugging someone until they allow it?

How can blocked traffic be bugging the user?

> If I select "block" then all traffic is blocked, penalizing me, the computer owner and operator, until I restart my browser; that's not right.

In the button which says Blocked there is an arrow. Push it and get more options. If you want even more control, go to Firewall Settings and change the alert frequency, or for even more control enable Custom Policy Mode and remove the application rules you want to control.

> This all "seems" like Comodo is attempting to make me comply with its wishes, to allow background net access.

You have not really looked into the capabilities of the firewall. Also you are jumping from controlling a browser to background traffic.

For me it is not clear what you are complaining about. This topic is about CIS connecting to Comodo CA, where your contribution seems to be about other concerns.

> Also, why not have an option that Comodo "doesn't" remember, then default to the last chosen solution (either block or allow), instead allowing one to choose their own default, as "block" would in fact be my default, in other words, to err on the side of caution. Then I never need worry about making a mistake on the fly, when I'm really busy, allowing something I didn't intend to allow. Again it would "seem" Comodo is trying to force my hand at allowing background phoning. Until an upstart firewall company does otherwise, of course.

You are speaking about the situation where you disabled the function to show alerts. In that case, when you don't answer an alert, CIS will block.

For more control over background phoning, set the Firewall to Custom Policy Mode and remove all application rules of the applications you want control over.

In fact they did, in version 3.x. I've been using Comodo since 2.x; you?

You failed to understand the problem. Apparently you either started using Comodo after 3.x or you've forgotten what it included; of course "other" reasons could apply.

When a popup alert advised of outgoing traffic in 3.x, the user had 3 options, unlike the current version which only has 2 options. They were "Allow," "Block," or "Cancel." Of course "Allow" would allow the traffic, and depending upon your selection would either do it and remember it as a rule, or do it that one time, causing future reoccurrences.

Choosing “Block” of course, blocked the traffic, and likewise was either remembered or otherwise.

"Cancel" of course is what is missing in today's version, and is the subject of this particular part of my complaint. It allowed the user to turn off the alert for that particular instance of outgoing traffic; basically it was the same as "ignore, do nothing and don't remind me again." The coders should put that option back, because it was a valuable tool, a smart way to proceed. It gave the user more power of choice, instead of being nagged to choose one of "two" choices, like it does now.

Yeah, I both know of and use all that, which has nothing to do with the problem; see my comment above and reread this last bit to understand.

Not at all. The OP was talking of Comodo accessing Comodo CA in the background, as I was, and additionally all background traffic, no matter the destination or by which program. I'm sure you'll not argue that a firewall's mission is to control traffic, right? Especially "background" traffic!

Yeah, I've already done that; actually I wouldn't run it online until such settings were set.