4U, Tech:
that's what he wrote.
Message 1
By the way, I found a VERY interesting leak in COMODO yesterday. I was downloading CureIt! and it needs port 21 (FTP) and a very high port (somewhere around 64,000). I had it set to VERY HIGH security, which means it is supposed to let you know about EVERY connection to EVERY remote port. It didn't recognize and/or warn me about the 64,000 range! So it's either a bug, or COMODO itself is calling home through that range, which wouldn't surprise me. Too much 'snake oil' around this product if you ask me...
Paul
Message 2
Hi, Nick!
I got some BS letter as a reply today from the COMODO dev guys. They are trying to say that this is not a remote address issue. The remote address 'just spawns the ftp' or something. According to them, this is not a remote connection issue. My logs show SYN flags from my computer to the addresses below on high ports, but this is not a remote connection issue... :=)
Here are the addresses that have to be allowed to download Dr.Web's CureIt! Port 21 (ftp), of course, but also:
* us.drweb.com (209.160.33.73) port range 64000-65535
* msk+msk2+msk3.drweb.com (81.176.67.170-81.176.67.172) port range 64000-65535
* msk1.drweb.com (192.168.255.255) port range 64000-65535
* msk4.drweb.com (83.102.130.174-83.102.130.178) port range 64000-65535
* If you allow ALL TCP Out to Any address, Any port you can download CureIt, but you won't get an alert about high ports in COMODO.
* If you restrict remote ports (21, 80, 90, 443, 5190), then you cannot download CureIt and you will see an Outbound Policy Violation log. No alerts, however.
* If you allow the addresses above, you can download CureIt, but you won't get an alert about high ports in COMODO.
It's also very strange that there are no application logs, only Netmonitor (packet logs).
I think I've witnessed a very bad case of 'snake oil' here and I will never again recommend COMODO to anyone. And the lesson is clear: packet rules should be VERY rigid, whatever firewall you are using.
Paul
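The three configurations Paul lists (allow all TCP out, restrict remote ports, allow-list the Dr.Web hosts on 64000-65535) can be checked mechanically with a first-match rule evaluator. The block below is an added example, not part of the original thread and not COMODO's rule engine: it models each configuration as an ordered rule list, runs constructed SYN log lines through it, and reports per connection whether the result is allow, block, or alert (no rule matched, so the firewall should ask). The address list and port range come from the message above; the sample log lines, the 198.51.100.7 "unlisted host", and the assumption that an unmatched packet yields an alert while an explicit block rule only logs are mine.

```python
"""Outbound packet-rule evaluator (hypothetical example, not COMODO's engine).

A policy is an ordered list of Rule objects evaluated first-match. A packet
that matches no rule returns "alert" (the firewall should ask the user);
an explicit block rule returns "block" (logged, no prompt). Both are
modelling assumptions, not documented COMODO behaviour.
"""
import ipaddress

ANY_PORT = (0, 65535)
HIGH_PORTS = (64000, 65535)      # range the message says CureIt! needs


class Rule:
    """Match when dst IP is in any of `nets` and dst port is within `ports` (inclusive)."""

    def __init__(self, action, nets, ports):
        assert action in ("allow", "block")
        self.action = action
        self.nets = [ipaddress.ip_network(n, strict=False) for n in nets]
        self.ports = ports

    def matches(self, ip, port):
        lo, hi = self.ports
        if not lo <= port <= hi:
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)


def ip_range(first, last):
    """Expand an inclusive IPv4 range (e.g. x.x.x.170-x.x.x.172) into CIDR strings."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def evaluate(rules, ip, port):
    """First matching rule wins; no match means the user should be prompted."""
    for rule in rules:
        if rule.matches(ip, port):
            return rule.action
    return "alert"


# Destination hosts from the message (192.168.255.255 is reproduced as listed there).
DRWEB_NETS = (["209.160.33.73/32"]
              + ip_range("81.176.67.170", "81.176.67.172")
              + ["192.168.255.255/32"]
              + ip_range("83.102.130.174", "83.102.130.178"))

# Configuration 1: allow ALL TCP out. Every SYN matches rule 1, so nothing ever alerts.
POLICY_ALLOW_ALL = [Rule("allow", ["0.0.0.0/0"], ANY_PORT)]

# Configuration 2: only a fixed set of remote ports, explicit block for the rest.
POLICY_RESTRICTED = ([Rule("allow", ["0.0.0.0/0"], (p, p)) for p in (21, 80, 90, 443, 5190)]
                     + [Rule("block", ["0.0.0.0/0"], ANY_PORT)])

# Configuration 3: ftp control anywhere, high ports only to the listed hosts,
# everything else falls through to an alert (assumption).
POLICY_ALLOWLIST = [Rule("allow", ["0.0.0.0/0"], (21, 21)),
                    Rule("allow", DRWEB_NETS, HIGH_PORTS)]

# Constructed SYN log lines in a Netmonitor-like shape (not real COMODO output).
SAMPLE_SYNS = [
    "TCP SYN 192.168.1.10:49152 -> 209.160.33.73:21",
    "TCP SYN 192.168.1.10:49153 -> 209.160.33.73:64512",
    "TCP SYN 192.168.1.10:49154 -> 81.176.67.171:65000",
    "TCP SYN 192.168.1.10:49155 -> 83.102.130.176:64000",
    "TCP SYN 192.168.1.10:49156 -> 198.51.100.7:64000",   # unlisted host, high port
    "TCP SYN 192.168.1.10:49157 -> 198.51.100.7:443",
]


def parse_syn(line):
    """Return (dst_ip, dst_port) from a 'src -> dst' log line."""
    dst = line.split("-> ", 1)[1].strip()
    ip, port = dst.rsplit(":", 1)
    return ip, int(port)


def apply_policy(rules, lines):
    """Map 'ip:port' of each logged SYN to the policy's verdict."""
    verdicts = {}
    for line in lines:
        ip, port = parse_syn(line)
        verdicts[f"{ip}:{port}"] = evaluate(rules, ip, port)
    return verdicts


if __name__ == "__main__":
    for name, policy in (("allow-all", POLICY_ALLOW_ALL),
                         ("restricted", POLICY_RESTRICTED),
                         ("allow-list", POLICY_ALLOWLIST)):
        print(name)
        for conn, verdict in apply_policy(policy, SAMPLE_SYNS).items():
            print(f"  {conn:<24} {verdict}")
```

The allow-all policy shows why a broad "any address, any port" rule silences every prompt: it is the first match for every packet, so the engine never reaches the "ask the user" default. Keeping the allow rules narrow (specific hosts, specific port ranges) and leaving unlisted traffic to fall through is the rigid packet-rule posture the message ends on.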