Regular Contributor
nottyn
Posts: 25
Registered: ‎10-26-2011
Accepted Solution

CONSTANT GUARD BOT WARNING

Constant Guard bot warning popped up a few days ago. So I did the full scan which found nothing. Then I did the Norton whole system scan, which found nothing. I've done this several times now and it still finds nothing.

 

I uninstalled Constant Guard and the Comcast software. The next day my PC started to run very rough. Opened Task Mngr and noticed the CPU was 75% with only Task Mngr running. In the process list was "Comcast Spyware" (can't remember the exact name) running with a huge thread count. I disabled the process and the CPU went back down to 2%.  This was after the uninstall and after I rebooted several times since the removal.

 

Then I removed the Constant Guard browser helper objects and active x controls.

 

Today I was on a website submitting an important form and the big pop-up Constant Guard window came up reading, "One or more of your computers has a bot...." or whatever it says... but refusing to let me submit my form. This was being submitted on a legitimate site.

 

So I temporarily disabled all the Norton browser protection, thinking maybe Constant Guard is incorporated with that program. It still won't let me submit the form. If I don't get this submitted by today, it will cost me $30!

 

This "Comcast Guard" is haunting me and ruining my life.

How can I stop it?

 

Thanks for reading.

 

Nancy

Regular Contributor
kim0620
Posts: 36
Registered: ‎10-02-2011

Re: CONSTANT GUARD BOT WARNING

hey nancy!!! as long as you have a norton protection installed, that should suffice... constant guard does nothing anyway... :smileyhappy:

Security Expert
USAF_E-8_RET
Posts: 5,137
Registered: ‎10-28-2003

Re: CONSTANT GUARD BOT WARNING

"In the process list was "Comcast Spyware" (can't remember the exact name) running with a huge thread count. "

 

This sounds very much like the Comcast Toolbar.  Look in the Add/Remove Programs (Programs & Features) for Comcast Tool Bar and remove it.  There may also be a CA Real-time entry that will also require removal.

 

Norton should not be causing any of these problems and is in fact a separate program from Constant Guard Protective Suite.  Check your installed programs and if present, remove these: Constant Guard Protective Suite, Guided ID, ID Vault plus the two I mentioned above.

 

Please post back with results.

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'

Gold Problem Solver
BruceW
Posts: 7,554
Registered: ‎12-03-2007

Re: CONSTANT GUARD BOT WARNING


nottyn wrote: ... Today I was on a website submitting an important form and the big pop-up Constant Guard window came up reading, "One or more of your computers has a bot...." or whatever it says. ...

If the "pop-up" appeared in a browser window and looked like this:

 

[Image: CgBotBrsr.png]

 

then it was generated by Comcast's bot detection system, not by any software on your computer.

Bronze Star Contributor
Posts: 131
Registered: ‎12-12-2009

Re: CONSTANT GUARD BOT WARNING


nottyn wrote:

 

 

Today I was on a website submitting an important form and the big pop-up Constant Guard window came up reading, "One or more of your computers has a bot...." or whatever it says... but refusing to let me submit my form. This was being submitted on a legitimate site.

 

 


 

Nancy

 

It’s unfortunate that CC still allows downloads of their bugware. Looks like you may have three issues, one you can do something about, one you have no control over, the last one a maybe.

 

1) CC software, as mentioned uninstalled it, don’t know if this is the cause or not trying to submit a form.

 

2) Html injection – your bot pop-up. Can’t do anything about it but complain if it’s at fault.

 

High level overview - CC monitors everyone’s connection requests on port 80. If they think you have a bot, your ip address goes on a list in their servers. When they feel like issuing a bot notice, they re-direct the response from a website you visited, by inserting their servers address so the response comes back to them. Unfortunately they do this on legitimate sites.

 

They do deep packet inspections of the data to determine the protocol. If they think they can, they will inject the html bot notification, and return the response to your computer

 

Simplified overview, CC is free to comment if this isn’t correct.

 

That may or may not be the issue, I would call them about it, they owe you an explanation why they are injecting when you are submitting a form. If you want to read exactly what they do;

 

http://www.rfc-editor.org/rfc/pdfrfc/rfc6108.txt.pdf

 

3) Browser settings, if you never have submitted this form before, maybe some issue in your browser / or settings. You could try and call and explain your problem.

 

Good luck getting it submitted, wish I had a fix for you.

Regular Contributor
nottyn
Posts: 25
Registered: ‎10-26-2011

Re: CONSTANT GUARD BOT WARNING

Thanks everyone for the help.  Uninstalling the Xfinity Toolbar seems to be the solution to the pop-up “Bot warning” windows.

However, I still cannot submit the form from that website.  My pc was restarted after the uninstall.

I tried adding the site to Internet Explorer’s “Trusted Zone” with no luck.

Even tried Firefox with the same results.

Checked the page info to see the permissions, security and general site info….nothing blocked or anything.

If anyone knows of a fix for this, maybe a registry entry or anything that might help, please post it.

 

Very grateful for the uninstallation of Xfinity Toolbar idea.... at least this won't happen again.

Thank you.

 

 

Nancy

 

 

Gold Problem Solver
BruceW
Posts: 7,554
Registered: ‎12-03-2007

Re: CONSTANT GUARD BOT WARNING


nottyn wrote: ... I still cannot submit the form from that website.  ...

What happens when you try to submit the form? Is there an error message? If the form is public, could you provide the URL?

Regular Contributor
nottyn
Posts: 25
Registered: ‎10-26-2011

Re: CONSTANT GUARD BOT WARNING


BruceW wrote:

nottyn wrote: ... I still cannot submit the form from that website.  ...

What happens when you try to submit the form? Is there an error message? If the form is public, could you provide the URL?


I click the "Submit" button and it shows the browser "transition icon" spinning ....you know that little thing that spins on the left in the tab....and I can see the url change in the address bar...then the page stops with all the data in the form still there.  No matter how many times I submit. It happens with Internet Explorer and Firefox.  I have been at this website several times in the past with both browsers with no problems.

There are no error messages or anything at all to explain what is wrong.

 

Any ideas on this would be immensely appreciated.

 

Nancy

Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: CONSTANT GUARD BOT WARNING


davegreen wrote:

nottyn wrote:

 

 

Today I was on a website submitting an important form and the big pop-up Constant Guard window came up reading, "One or more of your computers has a bot...." or whatever it says... but refusing to let me submit my form. This was being submitted on a legitimate site.

 

 


2) Html injection – your bot pop-up. Can’t do anything about it but complain if it’s at fault.

 

High level overview - CC monitors everyone’s connection requests on port 80. If they think you have a bot, your ip address goes on a list in their servers. When they feel like issuing a bot notice, they re-direct the response from a website you visited, by inserting their servers address so the response comes back to them. Unfortunately they do this on legitimate sites.

 

They do deep packet inspections of the data to determine the protocol. If they think they can, they will inject the html bot notification, and return the response to your computer

 

Simplified overview, CC is free to comment if this isn’t correct.

 

That may or may not be the issue, I would call them about it, they owe you an explanation why they are injecting when you are submitting a form. If you want to read exactly what they do;

 


You provided a link to RFC 6108 but indicated it uses DPI, which it does not. From the abstract of the document:

 

There are other proprietary systems that can perform such notifications, but those systems utilize Deep Packet Inspection (DPI) technology.  In contrast to DPI, this document describes a system that does not rely upon DPI, and is instead based in open IETF standards and open source applications.

JL
National Engineering & Technical Operations
Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: CONSTANT GUARD BOT WARNING


nottyn wrote:

This "Comcast Guard" is haunting me and ruining my life.

How can I stop it?

 



Have you tried acknowledging the notice and clicking Close or Go to Constant Guard Center? That should make the notice disappear.

 

You have malware on your computer - seen as recently as this morning (11/1/2011). The variant most recently observed was seen active over 25,000 times in the last 30 days or so. 

JL
National Engineering & Technical Operations
Security Expert
LoPhatPhuud
Posts: 2,829
Registered: ‎11-01-2005

Re: CONSTANT GUARD BOT WARNING


Glad to see you here JL. We can always use your assistance on the bot issues.

 

 

 

 

nottyn;

 

I suggest you have your computer checked for malware. You'll find info here:

http://forums.comcast.com/t5/Security-and-Anti-Virus/Where-to-Seek-Malware-Removal-Assistance/m-p/88...



"Once I talked to the inmates of an insane asylum in Hartford. I have talked to idiots a thousand times, but only once to the insane..."
Mark Twain

Microsoft MVP, Consumer Security, 2005-2014
Regular Contributor
nottyn
Posts: 25
Registered: ‎10-26-2011

Re: CONSTANT GUARD BOT WARNING


I have clicked on the notice in the past and did the Constant Guard system scan with the latest updates.  It never finds anything.  From that kind of an alert, I was very worried about having malware on my PC, so after doing a couple scans with Constant Guard, I did the Norton scan.  Nothing was found by either program. 

I was very surprised at first when Constant Guard could not find it. 

So what else can I do?

 

Nancy

Gold Problem Solver
BruceW
Posts: 7,554
Registered: ‎12-03-2007

Re: CONSTANT GUARD BOT WARNING


nottyn wrote: ... after doing a couple scans with Constant Guard, I did the Norton scan.  Nothing was found by either program. ... So what else can I do? ...

Unfortunately for all of us, some kinds of malware (malicious software) are able to hide from, and even disable, security programs like Constant Guard and Norton.

 

If you have more than one computer, you need to scan each one.

 

If all your scans are negative, you have a couple choices:

 

  1. Ignore the bot notices. If Comcast is wrong about your system being infected, you'll save a lot of time, hassle, and/or money. But you must understand that if Comcast is right and you do have an infected computer, it is running software that is under the control of a criminal. If you ignore the bot warnings you are taking the risk that a criminal has full access to all your information and can use your computer to spam and infect other computers.
  2. Check out your system yourself. In message #11 LPP provided a link to the Security forum's malware removal guide. The first step in that guide is here: http://www.dslreports.com/faq/13616. Please read that page and decide if you feel able to follow the steps involved. It's rather technical: some will feel confident enough to proceed with the process, and some will not. Only you can decide.
  3. Ask a friend. Perhaps you know a technically-minded person who can help you.
  4. Hire someone to check out your system. There's Comcast Signature Security, Geek Squad, your neighborhood computer shop, and many others.
  5. Wipe your hard drive and reinstall your system. This is drastic, but if done correctly, will get rid of any infections. Unfortunately, it also gets rid of all your data.

Those are all the answers I can think of to the question "what can I do?".

 

Whatever you decide, if you have any other questions, please ask. We're here to help if we can.

Bronze Star Contributor
Posts: 131
Registered: ‎12-12-2009

Re: CONSTANT GUARD BOT WARNING


jlivingood wrote:

You provided a link to RFC 6108 but indicated it uses DPI, which it does not. From the abstract of the document:

 

There are other proprietary systems that can perform such notifications, but those systems utilize Deep Packet Inspection (DPI) technology.  In contrast to DPI, this document describes a system that does not rely upon DPI, and is instead based in open IETF standards and open source applications.


What I wrote,

 

“They do deep packet inspections of the data to determine the protocol. If they think they can, they will inject the html bot notification, and return the response to your computer.”

 

Based on the following, I believe you do use DPI for the HTML injection. CC clearly states it uses a "customized layer 7 inspection policy is used to differentiate between HTTP and non-HTTP traffic on TCP...."

 

I didn’t say CC used it for bot detection, but for injections. You need to clarify your documents, you can’t have it both ways. Either CC uses it or not, to me it looks like you do.

 

****************************

 

“Anderson also explained what happens at layer 7:”

 

"Layer 7 is the application layer, the actual messages sent across the internet by programs like Firefox or Skype or Azureus. By stripping off the headers, deep-packet-inspection devices can use the resulting payload to identify the program or service being used. Procera, for instance, claims to detect more than 300 application protocol signatures, including BitTorrent, HTTP, FTP, SMTP and SSH. Ellacoya reps tell Ars that their boxes can look deeper than the protocol, identifying particular HTTP traffic generated by YouTube and Flickr, for instance. Of course, the identification of these protocols can be used to generate traffic-shaping rules or restrictions."

 

Excerpt from;

 

http://www.zdnet.co.uk/news/it-strategy/2008/07/31/deep-packet-inspection-what-you-should-know-39454...

 

 

“DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the OSI model, in cases DPI can be evoked to look through Layer 2-7 of the OSI model. This includes headers and data protocol structures as well as the actual payload of the message. DPI functionality is evoked when a device looks or takes other action based on information beyond Layer 3 of the OSI model. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. End points can utilize encryption and obfuscation techniques to evade DPI actions in many cases.”

 

Excerpt from;

 

http://en.wikipedia.org/wiki/Deep_packet_inspection

 

 

“S4.1.5. Session Management Broker (SMB): A Load Balancer (LB) with a customized layer 7 inspection policy is used to differentiate between HTTP and non-HTTP traffic on TCP port 80, in order to meet the requirements documented in Section 3 above. The system uses a LB from A10 Networks. The SMB functions as a full stateful TCP proxy with the ability to forward packets from existing TCP sessions that do not exist in the internal session table (to meet the specific requirement "Must Handle Pre-Existing Active TCP Sessions Gracefully"). New HTTP sessions are load balanced to the web proxy layer either transparently or using source Network Address Translation (NAT [RFC3022]) from the SMB.”

 

“C5.2. Session Management: TCP port 80 packets are routed to a Session Management Broker (SMB) that distinguishes between HTTP or non-HTTP traffic and between new and existing sessions. HTTP packets are forwarded to the web proxy by the SMB. Non-HTTP packets such as instant messaging (IM) traffic are forwarded to a TCP proxy layer for routing to their destination, or the SMB operates as a full TCP proxy and forwards the non-HTTP packets to the destination. Pre-established TCP sessions on port 80 are identified by the SMB and forwarded with no impact.”

 

 

Excerpts from CC document;

 

 

http://www.rfc-editor.org/rfc/pdfrfc/rfc6108.txt.pdf
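
Added example, not part of the post above and not code from Comcast or RFC 6108: a simplified Python model of the routing decision described in the S4.1.5 and C5.2 excerpts, showing what a broker has to read from a new port-80 session to tell HTTP from non-HTTP. The names `Segment`, `SessionBroker` and the decision labels are hypothetical, the sample segments are constructed, and the model classifies on the first data segment only.

```python
import re
from dataclasses import dataclass

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.0|1.1 CRLF.
# Only these first bytes of the TCP payload are examined.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,16} \S+ HTTP/1\.[01]\r\n")


@dataclass(frozen=True)
class Segment:
    """Constructed stand-in for one client-to-server TCP segment on port 80."""
    src: str
    sport: int
    syn: bool = False
    payload: bytes = b""


def looks_like_http(payload: bytes) -> bool:
    """True when the payload starts with an HTTP/1.x request line."""
    return REQUEST_LINE.match(payload) is not None


class SessionBroker:
    """Toy session table keyed by (client address, client port)."""

    def __init__(self):
        # value is "pending", "web_proxy" or "tcp_proxy"
        self.sessions = {}

    def route(self, seg: Segment) -> str:
        key = (seg.src, seg.sport)
        if seg.syn:
            # New session: the protocol is unknown until data arrives.
            self.sessions[key] = "pending"
            return "accept"
        state = self.sessions.get(key)
        if state is None:
            # No SYN was seen for this flow, so it predates the broker.
            # C5.2: pre-established sessions are "forwarded with no impact".
            return "forward_untouched"
        if state == "pending":
            if not seg.payload:
                return "accept"  # bare ACK finishing the handshake
            # First data segment decides the path for the whole session.
            state = "web_proxy" if looks_like_http(seg.payload) else "tcp_proxy"
            self.sessions[key] = state
        return state


def demo():
    """Route a constructed mix of flows and return the decisions in order."""
    broker = SessionBroker()
    client = "198.51.100.7"  # documentation address, constructed
    segments = [
        Segment(client, 40001, syn=True),
        Segment(client, 40001,
                payload=b"POST /submit HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Segment(client, 40001, payload=b"name=value"),
        Segment(client, 40002, syn=True),
        Segment(client, 40002, payload=b"\x2a\x01\x00\x01\x00\x04"),  # binary, non-HTTP
        Segment(client, 40003, payload=b"mid-stream bytes"),  # flow with no SYN seen
    ]
    return [broker.route(s) for s in segments]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Only the HTTP session reaches the web proxy path; the binary flow and the flow that was already open are passed along without the proxy.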

Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: CONSTANT GUARD BOT WARNING

We'll have to agree to disagree. IMO looking at the protocol used is not deep packet inspection. 

 

 

JL
National Engineering & Technical Operations
Contributor
FrankMcLeod
Posts: 5
Registered: ‎11-07-2011

Re: CONSTANT GUARD BOT WARNING

Regardless of all the explanations from Comcast, I consider the "Comcast Service Notice" a bigger nuisance than any other malware that may be hiding on my system.  I respond to the "Go to Guard Center" notice and ran the software ... still get the message.  My complaint with the popup message: It is intrusive, sometimes it is on top of a sign in form on a site ... it has no "X" to close it ... or, you cannot even move it ... it just sits there and you cannot conduct your business.  Please give us a simple way to "Go to Constant Guard Center"  .... OR ... CLOSE THIS NOTICE ..... Please fix this intrusive problem!!!

Gold Problem Solver
BruceW
Posts: 7,554
Registered: ‎12-03-2007

Re: CONSTANT GUARD BOT WARNING


FrankMcLeod wrote: ... it has no "X" to close it ... Please give us a simple way to "Go to Constant Guard Center"  .... OR ... CLOSE THIS NOTICE ..... Please fix this intrusive problem!!!

The sample Comcast has posted (see message #4) has both a close "X" and a Close button. Does the real thing not have these?

Contributor
FrankMcLeod
Posts: 5
Registered: ‎11-07-2011

Re: CONSTANT GUARD BOT WARNING

The real thing that shows up on my screen (FireFox and IE) does not have either.  That is what makes it so intrusive.  It basically blocks me from doing anything on that portion of the screen because it seems to be positioned absolute ... i.e., I cannot get to anything beneath the annoying box.  It is somewhat transparent, probably about 15-20%, and I can see what is underneath it, but there is nothing in the popup window itself that allows me to close or move it.

 

Thanks,

Frank

Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: CONSTANT GUARD BOT WARNING


FrankMcLeod wrote:

The real thing that shows up on my screen (FireFox and IE) does not have either.  That is what makes it so intrusive.  It basically blocks me from doing anything on that portion of the screen because it seems to be positioned absolute ... i.e., I cannot get to anything beneath the annoying box.  It is somewhat transparent, probably about 15-20%, and I can see what is underneath it, but there is nothing in the popup window itself that allows me to close or move it.

 

Thanks,

Frank


We've tested it with both browsers. Perhaps you have JavaScript disabled or something like that? In any case, the malware you should be concerned with seems highly active based on my dashboard (check your PMs).

 

Jason

JL
National Engineering & Technical Operations
Regular Contributor
nottyn
Posts: 25
Registered: ‎10-26-2011

Re: CONSTANT GUARD BOT WARNING


 

We've tested it with both browsers. Perhaps you have JavaScript disabled or something like that? In any case, the malware you should be concerned with seems highly active based on my dashboard (check your PMs).

 

Jason


The same thing happens to me with both browsers, Firefox and IE, as what Frank describes....the pop-up Constant Guard window cannot be closed or moved. Trying to work on the page underneath is impossible.  My javascript is enabled.  Another irritating thing is when the link in the Constant Guard window is clicked, you will go to the Constant Guard webpage, however, if the "Back" button is clicked on either browser, the Constant Guard pop-up window is still there.

 

Nancy

Visitor
llarevo21
Posts: 3
Registered: ‎12-18-2011

Re: CONSTANT GUARD BOT WARNING


If you get a constant guard alert in your browser, don't look to Comcast for help or information.  It is obvious to me that the company has implemented this strategy without informing or educating their customer service reps. 

 

To Comcast:  At least insert a page into the script that your people read from that states the following:

 

  I am a Comcast customer service representative.  Please be put on notice that I am neither listening to you nor attempting to resolve your problem.  My primary function is to attempt to convince you that resetting your modem is the ultimate problem resolution.  If you are at all familiar with your Windows registry or Network Communications you already know more than I do, and therefore should not be wasting your time calling me.  During the course of our conversation (or chat if you choose the live chat option), I will only provide scripted answers provided by Comcast.  I will not deviate from the script, and would appreciate your doing the same.

 

This disclosure at the beginning of any call to customer service will save everyone involved a lot of time.

 

After a week of attempting to resolve the Bot Notification Issue, I was able to get a response from Comcast's security team.  They gave me the times of the "suspicious" activity, and it was a legitimate web site of a state government.....I was looking at a Sales Tax form.

 

From their point of view, it was determined that there was nothing that I can do on my end to stop the notifications.  In a nutshell, those injections are sent to my (and your) computer through port 80 (which is the host you are connected to......and multiple browser windows have multiple connections to port 80, but the connection on my (and your) end are different ports for each instance of the browser window.

 

This abstract was mentioned in a previous post:

 

http://www.rfc-editor.org/rfc/pdfrfc/rfc6108.txt.pdf

 

Paragraph R3.1.7 requires that the notification system not be disruptive.  I think that we can all attest that they failed miserably in meeting that requirement.

 

The next paragraph requires that our acknowledgement (clicking on the button that takes you to the Constant Guard Center) must stop the notification.  It does, however, it doesn't allow you to go back to what you were doing.  Comcast should review this section of code and adjust accordingly.

 

I know that this will not help with the frustration the notifications are causing, but I'm hopeful that Comcast will take seriously the disruption caused by the system, and the irritation caused by the lack of knowledge of their staff.

 

 

 

 

Security Expert
USAF_E-8_RET
Posts: 5,137
Registered: ‎10-28-2003

Re: CONSTANT GUARD BOT WARNING


llarevo21 wrote:

If you get a constant guard alert in your browser, don't look to Comcast for help or information.  It is obvious to me that the company has implemented this strategy without informing or educating their customer service reps. 

 

To Comcast:  At least insert a page into the script that your people read from that states the following:

 

  I am a Comcast customer service representative.  Please be put on notice that I am neither listening to you nor attempting to resolve your problem.  My primary function is to attempt to convince you that resetting your modem is the ultimate problem resolution.  If you are at all familiar with your Windows registry or Network Communications you already know more than I do, and therefore should not be wasting your time calling me.  During the course of our conversation (or chat if you choose the live chat option), I will only provide scripted answers provided by Comcast.  I will not deviate from the script, and would appreciate your doing the same.

 

This disclosure at the beginning of any call to customer service will save everyone involved a lot of time.

 

After a week of attempting to resolve the Bot Notification Issue, I was able to get a response from Comcast's security team.  They gave me the times of the "suspicious" activity, and it was a legitimate web site of a state government.....I was looking at a Sales Tax form.

 

From their point of view, it was determined that there was nothing that I can do on my end to stop the notifications.  In a nutshell, those injections are sent to my (and your) computer through port 80 (which is the host you are connected to......and multiple browser windows have multiple connections to port 80, but the connection on my (and your) end are different ports for each instance of the browser window.

 

This abstract was mentioned in a previous post:

 

http://www.rfc-editor.org/rfc/pdfrfc/rfc6108.txt.pdf

 

Paragraph R3.1.7 requires that the notification system not be disruptive.  I think that we can all attest that they failed miserably in meeting that requirement.

 

The next paragraph requires that our acknowledgement (clicking on the button that takes you to the Constant Guard Center) must stop the notification.  It does, however, it doesn't allow you to go back to what you were doing.  Comcast should review this section of code and adjust accordingly.

 

I know that this will not help with the frustration the notifications are causing, but I'm hopeful that Comcast will take seriously the disruption caused by the system, and the irritation caused by the lack of knowledge of their staff.

 

 

 

 


Hi llarevo21,

 

This is a customer to customer forum, so there is no one from Comcast Security Team who would normally see this, however I will try to get the Security Folks to respond in this thread. 

 

Just curious, are you talking about a Washington State Myvote form, as I answered a somewhat similar post on the Norton Forums yesterday?

 

Be advised, it may take a few days for Comcast to respond; when they do respond, their user name will be in RED.

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'

New Visitor
dak_kol
Posts: 3
Registered: ‎12-19-2011

Re: CONSTANT GUARD BOT WARNING

I've been getting these for approx 6 months now.  Ignoring them is no longer possible because Comcast now layers splash screens over the top of web pages while browsing.

 

I run Trend Micro and often run MSERT.  There are no bots on any machine I use.  However Comcast insists there is.  As a computer expert, I know what to do and check for.

 

Comcast computer technicians are totally unaware of how to deal with the alerts or splash screens.  They press to get you to sign up for the $139 technical service.

Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: CONSTANT GUARD BOT WARNING


dak_kol wrote:

I've been getting these for approx 6 months now.  Ignoring them is no longer possible because Comcast now layers splash screens over the top of web pages while browsing.

 

I run Trend Micro and often run MSERT.  There are no bots on any machine I use.  However Comcast insists there is.  As a computer expert, I know what to do and check for.

 

Comcast computer technicians are totally unaware of how to deal with the alerts or splash screens.  They press to get you to sign up for the $139 technical service.


We observe bot activity as of today in the TDL/TDSS bot networks. 

JL
National Engineering & Technical Operations
Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: CONSTANT GUARD BOT WARNING


llarevo21 wrote:

I know that this will not help with the frustration the notifications are causing, but I'm hopeful that Comcast will take seriously the disruption caused by the system, and the irritation caused by the lack of knowledge of their staff.

 


We observe 4 separate botnets active in the last 72 hours. We plan to have an 'expert' interface available for more info very soon and hope this will help address concerns you have raised.

JL
National Engineering & Technical Operations
Contributor
Posts: 6
Registered: ‎05-29-2008

Re: CONSTANT GUARD BOT WARNING

Help...I am also getting notices regarding a bot infection from Comcast. Notices on 12/1/11; 12/5/11 and even after thinking I had fixed any problems, I received another one today 12/21/11. The first notification happened the day after I had downloaded a huge program from Nuance Dragon NaturallySpeaking that is an entire program that replaces my older software. The download took nearly a half hour (1.2 GB program).  Then once I received that notification of a bot a day later; I suspected the program was the entry point. Never having had any bot infection before, I naturally took it all seriously and went around to check on the computers in the house; updating windows, making sure I had anti virus and spyware on each (I did) and then downloading malwarebytes and a couple other programs. I followed the Constant Guard installation and was immediately surprised at the url that opened up upon clicking on install: (ringo.idvaultservices.com). Why would Comcast use an outside source for this? Valid? Or is this a redirect? Anyway - Constant Guard was downloaded. Then 4 days later...I get my second notification on Dec. 5th. So I delete the Nuance program and do a restore to an earlier date. Then no more notifications for two weeks. So thinking I'm clean, but I still need this program to work, I re-install the Nuance program and voila!..Another bot notification 2 hours later. Any connection? And is this ringo site affiliated and valid for Comcast ?

Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: CONSTANT GUARD BOT WARNING



rdhpools wrote:

Help...I am also getting notices regarding a bot infection from Comcast. Notices on 12/1/11; 12/5/11 and even after thinking I had fixed any problems, I received another one today 12/21/11. The first notification happened the day after I had downloaded a huge program 


 The malware is associated with about 5 or 6 variations of different things. This includes http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=603891 and http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=732186 and http://home.mcafee.com/virusinfo/virusprofile.aspx?key=694086 and http://home.mcafee.com/virusinfo/virusprofile.aspx?key=552973 

 

All of this detail will soon be available from a beta test version of a malware infection information site in early January - stay tuned.

 

  Times Seen: 65 First Seen: 2011-09-19 02:26:15 Last Seen 2011-12-20 15:14:03
JL
National Engineering & Technical Operations
Contributor
FrankMcLeod
Posts: 5
Registered: ‎11-07-2011

Re: CONSTANT GUARD BOT WARNING

That was my nightmare exactly, Nancy.  No one at Comcast seemed to care that their warning was invasive, intrusive and downright inappropriate in the way it would not let you move it or minimize it.

 

I finally resolved it by deleting my existing Norton Internet Security and installing the free Norton Security Suite that is available to Comcast customers.  After that, the bot warning went away.

 

However, regardless of the legitimacy of a warning, it should not stop you from doing productive work.  It should allow us to acknowledge it, finish our tasks, and then take care of it. GEESH, Comcast, get it right!!

 

Frank

Contributor
FrankMcLeod
Posts: 5
Registered: ‎11-07-2011

Re: CONSTANT GUARD BOT WARNING

It did not suffice for me! I had the Norton Internet Security and Antivirus installed and running automatically every night ... yet the INVASIVE bot remained.  Only when I deleted that Norton install and used the Norton Security Suite provided through Comcast did the problem go away.

 

I kept hearing people say what you said, but did not explain that it had to be the Norton Security Suite that would solve the issue.

Security Expert
USAF_E-8_RET
Posts: 5,137
Registered: ‎10-28-2003

Re: CONSTANT GUARD BOT WARNING


FrankMcLeod wrote:

 

I finally resolved it by deleting my existing Norton Internet Security and installing the free Norton Security Suite that is available to Comcast customers.  After that, the bot warning went away.

 

Frank


Frank, did you ever consider that perhaps your installation of NIS was corrupted and had you removed NIS, run the NRT and did a fresh install of NIS, it may have corrected your problem as did removing NIS and installing NSS??

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'

Contributor
FrankMcLeod
Posts: 5
Registered: ‎11-07-2011

Re: CONSTANT GUARD BOT WARNING

Did I ever consider?  Man, I have considered everything.  I did the reinstall of NIS, I have done a safe-mode resolution of all malware using three different products plus MSMWRT.  And, what you are saying still does not answer the concern that I, and others, have expressed on here ... A pervasive, persistent, intrusive pop up box that cannot be removed or moved.  To me, that is the major issue, not trying to figure out the WHY of the warning, but figuring out WHY the warning must stay fixed in one spot over crucial areas of an internet screen.

 

Why will not Comcast address that idea?

Contributor
Posts: 6
Registered: ‎05-29-2008

Re: CONSTANT GUARD BOT WARNING

Thanks. That helps me show that the Nuance download on 12/1 wasn't the entry point. The McAfee was something offered free and I let it install figuring it couldn't hurt to have too much AV software even though I had other AV already installed (Norton on 2 and WebRoot on the other). I am trying to figure out how McAfee could be an entry point if it is supposed to do the opposite.

Also - What can you tell me about the Constant Guard download site Ringo.idvaultservices? Is this the download site that should pop up just after they click "download" on the Comcast Constant Guard (and just before they click "install")? I stopped the download after I saw this ringo site come up.

Security Expert
USAF_E-8_RET
Posts: 5,137
Registered: ‎10-28-2003

Re: CONSTANT GUARD BOT WARNING


@ FrankMcLeod

 

As a fellow customer, I can not tell you why Comcast does anything, nor can I tell you why they select different methods for displaying their popups.  I asked what I thought was a simple question, about a "fix" you wanted to share with others.

At this point I have two suggestions of ways to attempt to obtain an answer from someone who can perhaps explain the reason you are seeking.

- Contact the Customer Security Assurance folks:
Normal business hours (M-F, 9:00 am to 11:30 pm EST; S-S, 10:30 am to 6:30 pm EST) 888-565-4329

- Private Message jlivingood and ask him your specific question.

 

Just in case you need info on PM's:

Private Messages (PM’s)

At the top of each Forum page you will see a small white envelope.

This is the icon for Private Messages, referred to as ‘PM’s’. A Private Message is a way to communicate in private, to another User, Moderator, or Administrator out of public view in the Forums.

The white envelope turns to yellow when you receive a PM.

To open a PM to read it, double click on the yellow envelope. If you click on the white envelope a window will open with tabs for your Private Message Inbox, Sent Messages, Friends, Ignored Users, and Compose new Message. You can also access this area by clicking on the Username in a Thread or post. By default, Private Messages are enabled. You can disable this feature in My Settings>Preferences> Private Messenger.

A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'

Contributor
Posts: 6
Registered: ‎05-29-2008

Re: CONSTANT GUARD BOT WARNING

rdhpools wrote:

Help...I am also getting notices regarding a bot infection from Comcast. Notices on 12/1/11; 12/5/11 and even after thinking I had fixed any problems, I received another one today 12/21/11. The first notification happened the day after I had downloaded a huge program 

The malware is associated with about 5 or 6 variations of different things. This includes http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=603891 and http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=732186 and http://home.mcafee.com/virusinfo/virusprofile.aspx?key=694086 and http://home.mcafee.com/virusinfo/virusprofile.aspx?key=552973

 

 

Okay ....Sorry ---You are referencing the McAfee site's virus definitions. Stupid me.

Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: CONSTANT GUARD BOT WARNING


rdhpools wrote:
rdhpools wrote:

Help...I am also getting notices regarding a bot infection from Comcast. Notices on 12/1/11; 12/5/11 and even after thinking I had fixed any problems, I received another one today 12/21/11. The first notification happened the day after I had downloaded a huge program 

The malware is associated with about 5 or 6 variations of different things. This includes http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=603891 and http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=732186 and http://home.mcafee.com/virusinfo/virusprofile.aspx?key=694086 and http://home.mcafee.com/virusinfo/virusprofile.aspx?key=552973

 

 

Okay ....Sorry ---You are referencing the McAfee site's virus definitions. Stupid me.


Not sure what you mean. As you know there's not detail on the date/time of botnet activity or the specific malware. Based on feedback here, we'll have a beta version of a tool to provide this in early January. I looked up your malware infection and did a quick Google search on each variety. Due to SEO, McAfee happened to have the first links. You can search based on the names at other sites if you like - I was just trying to help point you in a direction to remediate. (Like everyone, I wish remediation tools were more effective and mature.)

JL
National Engineering & Technical Operations
New Visitor
dak_kol
Posts: 3
Registered: ‎12-19-2011

Re: CONSTANT GUARD BOT WARNING

COMCAST will not resolve the issue.  They want you to pay for their in-home or on-line service - usually $50 to $130 each incident.

 

The in-browser nag interrupts normal internet browsing without the option to exclude it.  This is an infringement of personal rights and security.

Everyone must register a complaint to the FCC and their State Attorney General for unfair business practices and illegal fees and charges for an issue that is a personal security concern.

 

Re: CONSTANT GUARD BOT WARNING

COMCAST is pushing out an in-browser nag that cannot be closed or disabled. This nag reports that a BOT "might" exist on "some" computer either on my network or illegally accessing my network. Multiple calls with COMCAST service results only in an offering to send out a service technician at an inflated rate or charge up to $130 for an on-line service technician. My computers are routinely checked and certified clean of all virus and malware. COMCAST push their in-browser interruption in violation of the rights of the customer to choose how to resolve internet security issues only to push charges out to customers. COMCAST are themselves unable to "clean" a computer to the satisfaction of their in-browser automated service interruption.

 

COMCAST "BOT" detection interrupts normal internet access.  COMCAST is illegally obstructing internet browsing and rendering internet access virtually useless and refuse to deal with the problem unless you pay a visiting COMCAST ONLY service technician or pay the COMCAST ONLY online service fee of $130 or more per use.

 

REPORT COMCAST TO THE FCC AND YOUR STATE ATTORNEY GENERAL - I DID.

 

http://esupport.fcc.gov/complaints.htm

Contributor
Posts: 6
Registered: ‎05-29-2008

Re: CONSTANT GUARD BOT WARNING

Thanks; I understand now. ..Just one more thing..

Any idea on the Constant Guard / ringo.idvaultservices.com connection? I'd like to get this CG program on to my computer if this download site is correct.

R

 

Not sure what you mean. As you know there's not detail on the date/time of botnet activity or the specific malware. Based on feedback here, we'll have a beta version of a tool to provide this in early January. I looked up your malware infection and did a quick Google search on each variety. Due to SEO, McAfee happened to have the first links. You can search based on the names at other sites if you like - I was just trying to help point you in a direction to remediate. (Like everyone, I wish remediation tools were more effective and mature.)

JL
National Engineering & Technical Operations
New Visitor
dak_kol
Posts: 3
Registered: ‎12-19-2011

Re: CONSTANT GUARD BOT WARNING

COMCAST "BOT" detection interrupts normal internet access.  COMCAST is illegally obstructing internet browsing and rendering internet access virtually useless and refuse to deal with the problem unless you pay a visiting COMCAST ONLY service technician or pay the COMCAST ONLY online service fee of $130 or more per use.

 

REPORT COMCAST TO THE FCC AND YOUR STATE ATTORNEY GENERAL - I DID.

 

http://esupport.fcc.gov/complaints.htm

Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: CONSTANT GUARD BOT WARNING


dak_kol wrote:

COMCAST will not resolve the issue.  They want you to pay for their in-home or on-line service - usually $50 to $130 each incident.

 

The in-browser nag interrupts normal internet browsing without the option to exclude it.  This is an infringement of personal rights and security.

Everyone must register a complaint to the FCC and their State Attorney General for unfair business practices and illegal fees and charges for an issue that is a personal security concern.

 

Re: CONSTANT GUARD BOT WARNING

COMCAST is pushing out an in-browser nag that cannot be closed or disabled. This nag reports that a BOT "might" exist on "some" computer either on my network or illegally accessing my network. Multiple calls with COMCAST service results only in an offering to send out a service technician at an inflated rate or charge up to $130 for an on-line service technician. My computers are routinely checked and certified clean of all virus and malware. COMCAST push their in-browser interruption in violation of the rights of the customer to choose how to resolve internet security issues only to push charges out to customers. COMCAST are themselves unable to "clean" a computer to the satisfaction of their in-browser automated service interruption.

 

COMCAST "BOT" detection interrupts normal internet access.  COMCAST is illegally obstructing internet browsing and rendering internet access virtually useless and refuse to deal with the problem unless you pay a visiting COMCAST ONLY service technician or pay the COMCAST ONLY online service fee of $130 or more per use.

 

REPORT COMCAST TO THE FCC AND YOUR STATE ATTORNEY GENERAL - I DID.

 

http://esupport.fcc.gov/complaints.htm


At the Constant Guard site there are do-it-yourself options. The Xfinity Signature Support site is for people that do not want to do it on their own. So you have both options - plus a community here that is willing to help. 

 

The alternative to these notifications is to put people with bots into a walled garden which results in no Internet access at all, which is what some other ISPs do (if they do anything at all). 

JL
National Engineering & Technical Operations
Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: CONSTANT GUARD BOT WARNING


rdhpools wrote:

Thanks; I understand now. ..Just one more thing..

Any idea on the Constant Guard / ringo.idvaultservices.com connection? I'd like to get this CG program on to my computer if this download site is correct.



That download location is correct (for now - we plan to move the location to our own CDN next year).

JL
National Engineering & Technical Operations