Windows and Comodo Firewall

Message date: 09/03/2013 02:35:35
In reply to: Al Doman (Online), M3 Enterprises Inc., North Vancouver, British Columbia, Canada, 08/03/2013 15:14:06

Forum: Windows
Category: Other / Miscellaneous
Thread ID: 01567836
Message ID: 01567910
Views: 47
>>>>A mystery ... this will be of interest to Windows 8 users particularly...
>>>>
>>>>I've noticed some funny behavior going on since installing Windows 8 on a new laptop. This was a clean Windows 8 install. I have Comodo firewall running (latest release, 64 bit) and it is set to custom rule set and alerts - I want to know whenever any application wants to connect to the internet.
>>>>
>>>>So Comodo pops up and says that an application, TBO_WS_Downloader.exe, wants to connect to the internet. But this is one of my own programs and I didn't start it and I'm not running it. A review of task manager confirms that it is not running. Furthermore, this program (that I wrote) only connects to a single IP address - our own company web server - and that is not the IP address Comodo reports this application wants to connect to! So what's going on?
>>>>
>>>>Well I can think of these explanations:
>>>>
>>>>1) Comodo is making a mistake - the application is not running but it thinks it is.
>>>>
>>>>2) Another application, perhaps malware, is pretending to be this application and reporting itself with this name.
>>>>
>>>>3) Another application is trying to access the internet but Comodo is reading/reporting the application name incorrectly.
>>>>
>>>>So the next question is where is this application trying to connect to, IP address 213.199.148.155? Well, that leads to Microsoft London Internet Data Center.
>>>>
>>>>What do you make of that?
>>>
>>>Hmm, a bit of a poser.
>>>
>>>I can only think of some SWAGs:
>>>
>>>1. Could there be a time delay in Comodo's reporting? Is it possible your app was running but Comodo didn't generate the report until some time later, when it was no longer running?
>>>
>>>2. Did you build your app using any 3rd party libraries or components that might "phone home"?
>>>
>>>3. I don't know if it's present in Windows 8, but Windows 7 has a so-called "Microsoft Customer Experience Improvement Program" ( http://www.microsoft.com/products/ceip/EN-US/default.mspx ). Maybe it's enabled on your computer?
>>
>>
>>Reply to 1) The last time I ran it was yesterday. Computer has been in sleep mode for 8 hours since then. Comodo is quick to alert and blocks the app until you say yes/no. I have never seen it not alert and block the app waiting for user-reply within seconds of the app requesting internet access.
>>
>>Reply to 2) This particular app uses no 3rd party tools. But even so, the IP address is Microsoft Internet Data Center ...
>>
>>Reply to 3) I will have to check but still - wrong app name -> implies Comodo doesn't know what it's doing - I doubt this as it is rated as the #1 personal firewall system.
>

>Sleep mode - did you get the warning immediately after the computer "woke up"?

No, I had been working on the computer awhile.


>3rd party tools - OK, expand that to include MS libraries/components. Any of those? What language did you use to create your app?

This particular one is WinDev, no 3rd party tools, not VFP.


>Malware with same name as your app: there are at least 3 ways that could happen:
>
>- separate malware EXE with same name as your app
>- malware directly patching your EXE
>- malware hooking your shell (explorer.exe or cmd.exe) so any EXEs that are run are wrapped e.g. instead of the shell running "yourapp.exe [optional params]", it's running "malware.exe yourapp.exe [optional params]"
>
>Still, it's a very good point that malware or 3rd party processes are unlikely to want to talk to MS.

This really is the key point of this discussion. It's not malware because they don't contact Microsoft London Internet Data Center.


>This may be a wild goose chase but ISTR someone in a thread here reporting VFP "phoning home" to MS unexpectedly. Might have been during product installation (which as you know doesn't require activation, but does require a valid product key), or during first use (?) Can someone search UT?
>
>To see if the Comodo warning is a false positive there are a couple of things you could try:
>
>1. Briefly disconnect your Internet connection at your computer or router just before telling Comodo to allow the access. When the connection attempt fails there are 3 possible outcomes:
>
>a. You get a nice informative error message on-screen
>b. Some legitimate background processes like CEIP will log error messages to the Application or System Event Log
>c. Silent failure would indicate a low importance/low priority task or stealth/malware
>
>2. Many routers, even consumer devices, are able to log traffic, both incoming and outgoing. You could tell Comodo to allow the access attempt, with or without your Internet access temporarily disconnected at your router. Then review the logs to see what, if anything, happened.

I have now cleared Comodo's rule-set and set it to alert on every connection and not remember any connection/application. I took a screencap the last time it happened and will watch it. The bottom line is that an app masquerading as another app tried to connect to MS. I don't suspect malware as I run a very tight environment using multiple tools. But in any case, even if it's malware, why connect to MS ...

To anyone else running Windows 8, I recommend setting up an outbound firewall, checking all connection attempts, and setting it not to remember prior permissions given. Do it for a week or two and see what happens. I find this all very weird.

In the End, we will remember not the words of our enemies, but the silence of our friends - Martin Luther King, Jr.
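As an added example (not from the thread, Comodo or WinDev), the following PowerShell script triages an alert like the one described: it covers the three masquerade routes Al lists (a same-name EXE elsewhere on disk, a patched EXE, a wrapper launching the EXE from an unexpected parent), shows which process really owns a connection to the reported address, and pulls the event-log errors his step 1b refers to. The install path and build-time hash are hypothetical placeholders you would replace with your own; the exe name and IP address are the ones in the thread; it assumes PowerShell 4 or later (Get-FileHash, Get-NetTCPConnection), i.e. Windows 8.1 or a Windows 8 box with WMF 4 installed.

```powershell
param(
    [string]$ExeName     = 'TBO_WS_Downloader',
    [string]$TrustedPath = 'C:\Apps\TBO\TBO_WS_Downloader.exe',  # hypothetical install path
    [string]$KnownHash   = 'PLACEHOLDER_SHA256_FROM_BUILD'          # not a real value
)

# a) Every running image with that name, wherever it lives on disk.
$procs = Get-CimInstance Win32_Process -Filter "Name = '$ExeName.exe'"
if (-not $procs) { Write-Output "No process named $ExeName.exe is running right now." }
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath
        PathOK      = ($p.ExecutablePath -eq $TrustedPath)       # wrong folder => separate impostor EXE
        Parent      = "$($parent.Name) ($($p.ParentProcessId))"  # unexpected parent => wrapper/shell hook
        CommandLine = $p.CommandLine
    }
}

# b) Has the file you built been altered? Compare hash and signature of the on-disk image.
$hash = (Get-FileHash -Algorithm SHA256 -Path $TrustedPath).Hash
[pscustomobject]@{
    File      = $TrustedPath
    HashMatch = ($hash -eq $KnownHash)                            # $false => patched or replaced
    Signature = (Get-AuthenticodeSignature -FilePath $TrustedPath).Status
}

# Which process actually owns a connection to the address the firewall reported?
Get-NetTCPConnection -RemoteAddress 213.199.148.155 -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemotePort, State, OwningProcess,
        @{ n = 'Owner'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path } }

# Background components that fail when the network is pulled (step 1b of the quoted reply)
# usually leave a trace here: errors and warnings from the last hour of both logs.
Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; Level = 2, 3;
                                 StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message
```

Run it from an elevated prompt at the moment the alert is on screen (before answering it), since the process table and connection list are only informative while the attempt is pending.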