Windows Operating System Connecting to Internet?

Hi all! First, I wanted to say that I’ve been using Comodo for years now, and must say that I LOVE it! It’s far superior to the competition and it’s the firewall I always recommend to friends and family in need of a firewall! Thank you for making such an awesome product, and giving it away for FREE! :slight_smile:

I have a couple of questions…

Recently I reformatted my hard drive and the first thing I installed was CIS, with the maximum proactive defense (set on paranoid mode) and firewall running in custom policy mode.

Every time I log on, after some time I’ll get a message saying:

Windows Operating System is trying to connect to the internet

The IP address it’s trying to connect to is 199.66.201.28, which appears to belong to Comodo. I’m guessing it’s trying to check for updates, but I just wanted to make sure it’s normal and my CIS is configured properly.

I was also wondering about Comodo’s anti-keylogger protection. In the Defense+ settings, I see that it can monitor for accessing the keyboard directly - but what about encrypted keyloggers, can it detect those as well? Since my firewall is set to custom policy mode, I would know if a [encrypted] keylogger would be phoning home, right? Is it normal for a web browser (Chrome) to access the keyboard directly?

I probably sound super-paranoid because of these questions, but I had my email compromised a couple of weeks ago and have since been concerned that I’ve been keylogged somehow, even though none of my security apps detected anything, and I’m always careful about the sites I visit, the files I download, and the attachments I open. Heck, I browse the web with JS and plugins disabled unless I absolutely trust the website!

I even ended up reformatting my hdd last week because of this but I’m still feeling uneasy - knowing that the above issues are normal and that CIS can protect against the above threats would make me feel better!

Thanks guys!

The ‘Windows Operating System’ pseudo process really shouldn’t be trying to make outbound connections, so there’s a possibility you may have misconfiguration somewhere. Typically, CIS will make outbound connections to Comodo via cmdagent.exe and cfpupdate.exe. It might be helpful if you could post a screen shot of your application rules.

With regard to the keylogger question and the firewall, it would really depend how the keylogger makes its calls. If it’s programmed to use an existing process to make outbound connections, then unless your rules limit the endpoints to which those connections may be made and unless you have Alerts settings on very high, you may never know. Really, the detection of malware such as keyloggers is the province of Defense+ and possibly the AV.

Thanks Radaghast!

Sure, I’ll post my app rules - Are those the rules in Defense+ | Computer Security Policy | Defense+ Rules?

So a keylogger could execute another app and phone home through it? Would that be detected by Defense+ (eg BadApp.exe is trying to execute TrustedApp.exe) and alerted?

I’d need to see the firewall application rules, please. Also check and post any entries in the firewall log.

Indeed, some malware can quite happily send its information disguised as normal web traffic, perhaps through an existing connection opened by your browser. However, I would hope that any malware would be detected by the other components in CIS, before they were allowed to make use of a connection in this way.

I guess the point is, if your system is so badly compromised that a piece of malware can actually make use of the firewall, there’s not a great deal you can do. The firewall in this situation is going to have minimal impact, if any, in stopping malware from getting out, particularly if the firewall rules simply allow processes to connect to wherever they wish.

Okay, I’ve attached my current firewall app rules and log to this post - let me know if any more info is needed, and thank you for having a look at them for me!

I don’t think my machine is compromised, but it’s been in the back of my mind that it’s a possibility. I really haven’t noticed anything unusual in the logs or in the inbound/outbound traffic, but like you said, if the malware was advanced enough, Comodo wouldn’t even be able to detect it!

[attachment deleted by admin]

I wouldn’t go so far as to say Comodo wouldn’t be able to detect it, obviously, there’s no such thing as 100% guaranteed detection from any security application, however, D+ with the sandbox and the AV do a pretty good job.

With regard to the Windows Operating System alert, it’s a bit of a mystery. I don’t believe your PC has been compromised, but there’s nothing obvious in the rules or logs to suggest why this may be happening.

My initial guess is that this has something to do with cfpupdate.exe or cmdagent.exe, as the connection endpoint is the same. That said, these processes are included, by default, in the Comodo Internet security group in D+ and this group has an entry in the firewall, so there’s no obvious reason why this should not be working.

Out of interest, what happens if you manually check for updates via the CIS control panel/More tab? Likewise, if you’re running the AV and you manually update the virus definitions? Also, when checking for updates, open a command prompt and type netstat -ano and look for the entries with a PID of 0 (zero): are there any trying to make connections to the 199 address, or are they all in TIME_WAIT?

On a slightly different note, in your firewall you have two entries for the System process, one for TCP and one for UDP. These rules allow inbound communication but not outbound. You’ve also allowed only a partial subnet, by restricting the range to 192.168.0.198. Has this been done for a reason? If you’re on a LAN sharing resources, you will need to allow both outbound and inbound connections for the System process.
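Added here as an example that is not from the original thread: a small Python script that applies the netstat check described above to a constructed (not captured) sample of `netstat -ano` output, separating PID-0 rows that are merely TIME_WAIT leftovers from PID-0 rows that are actually trying to connect to the address in question. The sample lines, PIDs and the helper names are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output; not from the poster's machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.0.5:49210      199.66.201.28:80       ESTABLISHED     3120
  TCP    192.168.0.5:49211      199.66.201.28:80       TIME_WAIT       0
  TCP    192.168.0.5:49215      93.184.216.34:443      ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    1204
"""

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Parse netstat -ano text into dicts; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")  # works for '*:*' and IPv6 too
        rows.append({"proto": proto, "local": local, "foreign_host": host,
                     "foreign_port": port, "state": state or "", "pid": int(pid)})
    return rows


def connections_to(rows, host):
    """All rows whose foreign endpoint is the given host."""
    return [r for r in rows if r["foreign_host"] == host]


def states_by_pid(rows, host):
    """Map PID -> list of states for connections to host (the manual check)."""
    out = defaultdict(list)
    for r in connections_to(rows, host):
        out[r["pid"]].append(r["state"])
    return dict(out)


def pid_zero_attempts(rows, host):
    """PID-0 rows to host that are NOT just TIME_WAIT leftovers of a closed process."""
    return [r for r in connections_to(rows, host)
            if r["pid"] == 0 and r["state"] != "TIME_WAIT"]
```

An empty result from `pid_zero_attempts` means every PID-0 entry to that address is a closed-process leftover, which is the benign outcome Radaghast is asking the poster to confirm.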

The alert definitely seems to be related to Comodo somehow. When I manually check for updates, cpfupdat.exe is executed (see attached file for details) and sure enough connects to the 199 address. Immediately after the update check finishes, I get the Windows Operating System alert, again trying to connect to the 199 address. This is bizarre! Netstat shows the pid of cpfupdat.exe connecting to the 199 address too - nothing for pid 0. I’m not sure if I should block or allow it now…

I’m honestly not sure about the rules for System you’ve pointed out - I didn’t create them. We do have multiple PCs on our LAN, but we don’t really share any files or anything - I’ve actually just disabled file/printer sharing on my PC today because I don’t need it. Could Comodo have created the rules based on our network setup? I’ve removed the rules, but is it possible something malicious could have slipped through due to those rules?

[attachment deleted by admin]

It’s definitely odd and right now I can think of no logical reason for why WOS should be doing this. To give you a little background, WOS (Windows Operating System) is not a real process, in the sense something like svchost.exe is a real process. Essentially WOS is used to tidy things up, in the same way System Idle Process does in Windows.

For example, when a network connection is made by an application or process and then the application is closed, there’s no longer an endpoint for return communication, so in Windows the connection is picked up by System idle Process and it goes into a TIME_WAIT state. A similar process is happening in CIS with WOS. Incidentally, WOS and System Idle Process have the same PID.

The point is, in Windows SIP doesn’t attempt to make outbound connections, so I can’t logically understand why WOS is doing so. As far as blocking is concerned, I think it’s your choice. I don’t believe it will have any adverse effect on the system.

With regard to the System process rules, as you’re running Custom Policy mode it’s pretty certain these were created automatically by CIS. If you’ve disabled NetBIOS on your network adapter, you probably won’t need rules for this process, apart from IGMP, which you can choose to allow or not.

CIS is logging WOS making outbound connections when it cannot see the process responsible for the connection. There could be another driver blocking the view, so to speak.

What applications do you have installed that have a driver that works at networking level? See if uninstalling them one by one helps to “clear the view” for CIS.

Could Avast Internet Security be the culprit? I disabled the firewall, but the “avast! Firewall NDIS filter driver” is still installed in my network connection properties. Should I completely uninstall the driver through the properties dialog?

I am not familiar myself with Avast but it could be the culprit. Maybe an Avast user could comment on this?

Well, I went ahead and completely uninstalled the avast firewall module (since I’m not going to use it anyways, Comodo is far more powerful), rebooted and I no longer receive the WOS alerts (and boot time is a bit quicker too)! So, it definitely seems that avast firewall was not playing nice with Comodo (even when turned off), just as you suggested Eric.

Thanks so much for putting up with my paranoid questions and helping me out, Radaghast and EricJH! :slight_smile:

Also, slightly off topic, but what AV do you use, Eric? You said you’re not familiar with avast - do you use the Comodo AV or another product?

I use the Comodo AV as part of the complete suite since v3.5 I think. Before that in reverse chronological order Antivir, AVG and Norton.