10-08-2009 01:52 PM - last edited on 10-08-2009 01:55 PM by jlivingood
We have continued to work on innovative solutions to the bot/malware problem. Since then we have updated our earlier IETF draft, a new version of which is available at http://tools.ietf.org/html/draft-oreirdan-mody-bot
Today, we announced the Constant Guard(tm) security program. This program is a comprehensive approach to protecting customers from increasingly sophisticated online security threats. A feature of the Constant Guard security program, called “Service Notice” goes into trial today in the Denver area. The purpose of Service Notice is to let customers know whether their computer is infected with a bot (virus). Bots are the leading cause of spam, are responsible for identity theft, information theft, and distributed denial of service (DDOS) attacks.
We believe the Service Notice benefits both Comcast customers as well as the Internet community. The Service Notice helps inform customers that there is a high probability that something may be wrong with their computer and that they could be susceptible to any of the malicious activity listed above. Once customers receive the Service Notice, they will have an option to take steps to fix the problem or close the Service Notice without further action. By taking the steps to fix the problem, customers can clean their computers, which in turn may help reduce the risk of information and/or identity theft. Fixing the problem also helps the Internet community because it means less spam and fewer DDOS related service outages.
How will the Service Notice work?
Customers may receive a Service Notice informing them that one or more computers in their house may be infected with a bot. The Service Notice appears as a message layered in front of the page content as shown here:

Comcast Cable Communications
National Engineering and Technical Operations
10-08-2009 02:06 PM
10-08-2009 03:18 PM
10-08-2009 03:28 PM
10-08-2009 03:55 PM
Baric wrote:
Oh, boy. What sort of false positive rate are we looking at here?
To avoid false positives we aggregate the data from various sources.
10-08-2009 05:44 PM
NSM998 wrote: The Service Notice appears as a message layered in front of the page content as shown here:
NSM998, looking at the above snipped image from your initial post, it appears that the notice is covering the comcast home page..
I, along with other internet users DO NOT use that portal..
Will this notice be geared to show up on ALL entrances to comcast services? i.e. Help Forums, Smartzone, community...
ciao, bj
10-08-2009 07:44 PM
BlueJay wrote:
NSM998 wrote: The Service Notice appears as a message layered in front of the page content as shown here:
NSM998, looking at the above snipped image from your initial post, it appears that the notice is covering the comcast home page..
I, along with other internet users DO NOT use that portal..
Will this notice be geared to show up on ALL entrances to comcast services? i.e. Help Forums, Smartzone, community...
ciao, bj
A customer that is notified will see the Service Notice on any web site.
10-08-2009 08:20 PM
10-08-2009 09:11 PM
NSM998 wrote:
The purpose of Service Notice is to let customers know whether their computer is infected with a bot (virus). Bots are the leading cause of spam, are responsible for identity theft, information theft, and distributed denial of service (DDOS) attacks.
What will the “Service Notice” be used for?
Service Notice may be used for messaging time sensitive critical information to you about your Comcast High-Speed Internet service such as computer security.
I get the part about bots.
But what kind of information does "critical information to you about your Comcast High-Speed Internet service" include?
Comcast employees must be authorized to post in the forum. Employees posting here have their names in red and are designated as employees. Names not in red are customers.
10-09-2009 12:25 AM
Queen-Evie wrote: I get the part about bots.
But what kind of information does "critical information to you about your Comcast High-Speed Internet service" include?
"You haven't paid your bill yet this month, please do so immediately so we can turn off this notification."
10-09-2009 12:45 AM
Barmar wrote:
Read the technical description above, bj. When they've determined that you're infected, all your web traffic is routed through a proxy, and it adds the notification to the returned web page.
Thanks Barmar, I guess I'm just not astute enough to understand any of the technical descriptions above...
Give me a complex recipe and I can interpret, understand and complete to the desired objective..
I was just asking a simple question based on the visual supplied..
There would have been no need for such if the statement had read something along the lines of once a browser is opened this notification would pop up.. Or am I again making an incorrect assumption??
ciao, bj
10-09-2009 01:55 AM
10-09-2009 10:50 AM
slouke wrote:
Queen-Evie wrote: I get the part about bots.
But what kind of information does "critical information to you about your Comcast High-Speed Internet service" include?
"You haven't paid your bill yet this month, please do so immediately so we can turn off this notification."
I suspect that the temptation to use this mechanism to deliver ads will soon prove irresistible.
10-09-2009 11:45 AM - edited 10-09-2009 12:16 PM
Please read my post HERE,
I do not know when Change Password screen changed.
However, coming on the heels of the announcement here, along with some of the
things I read at recaptcha, I tend to think the password issue is somehow related
to Constant Guard.
Someone in-the-know at Comcast please confirm or deny my theory.
Whether it does or does not have anything to do with it, someone needs to get
the change password function to work correctly.
It does no good to recommend a password change if it doesn't work.
10-09-2009 12:23 PM
QE wondered if "the password issue is somehow related to Constant Guard."
I'd think not.
10-09-2009 12:32 PM
It is most likely coincidental, but I had to ask.
We all know that in the past, Comcast has "broken" one thing when fixing things or adding an "improvement".
10-09-2009 12:38 PM
Amen!! to that QE, Amen!!...
ciao, bj
10-10-2009 11:29 AM - edited 10-10-2009 12:29 PM
SANS NewsBites October 09, 2009 Vol. 11, Num. 80 includes this reference
to Comcast Constant Guard.
"TOP OF THE NEWS --Comcast Testing Malware Alert Service (October 8, 2009)
.
On Thursday, October 8, Comcast began testing a service that alerts its
broadband subscribers with pop-ups if their computers appear to be
infected with malware.
.
Among the indicative behaviors that trigger alerts are spikes in overnight
traffic, suggesting the machine has been compromised and is being used
to send spam. Comcast also uses information supplied by research groups
about IP addresses that appear to have been infected with malware.
.
The Comcast test program appears to be the first in which a major
Internet service provider (ISP) is taking measures to alert customers
to potential security issues.
.
Comcast Constant Guard is being piloted in Denver. The alerts will
direct users to Comcast's antivirus center where they can receive help
cleaning their machines of malware.
.
http://news.cnet.com/8301-27080_3-10370996-245.htm
http://www.pcmag.com/article2/0,2817,2354001,00.as
.
[Editor's Note (Schultz): Comcast has taken a big step forward. The
question now is whether users who are warned about having virus
infections will do anything given that over the years they have been
bombarded by pop-up ads, Windows Vista User Access Control warnings, and
more.]"
10-12-2009 10:47 PM
[Editor's Note (Schultz): Comcast has taken a big step forward. The
question now is whether users who are warned about having virus
infections will do anything given that over the years they have been
bombarded by pop-up ads, Windows Vista User Access Control warnings, and
more.]"
That's what worries me, too. Most of the time, if you get a security warning from a program other than the security programs you've installed, it's a fake. And users have been warned not to click on the links in these programs; rather than cleaning your system, they usually take you to malware sites masquerading as security applications.
The image above shows a link "How do I know this notice is from Comcast"? What stops a bogus site from using a link like that? And how do you know it's safe to click on that link?
Then again, the people who are infected are probably not the ones who have learned to be suspicious of these things. That's presumably how they got infected in the first place.
10-14-2009 01:35 AM
10-14-2009 09:26 AM
The idea of an unsolicited browser "Pop Up" that describes an event requiring time sensitive personal action and also contains an actionable Link for remedy can not be tolerated.
This modus operandi is a known infection vector. No knowledgeable browser user would respond other than by terminating the browser session using an operating system task killer function, such as TaskManager in XP.
I'd suggest that the Comcast Constant Guard pop-up UI must not include a clickable link, but instead provide text direction for using a Constant Guard function on the Comcast Home page that the user navigates to using vetted URL or shortcuts in the user's environment.
The Comcast Constant Guard pop-up message could also include a unique user-identifier that could be copied and pasted into the Comcast Home page Constant Guard function if unique identification is in fact necessary or useful.
10-14-2009 09:57 AM
MelvinTheGrate wrote:
I suspect that the temptation to use this mechanism to deliver ads will soon prove irresistible.
Then you must have missed Section 4.1, requirement 11, at http://tools.ietf.org/html/draft-livingood-web-not
REQ11: No Advertising Replacement or Insertion: The system must not
be used to replace any advertising provided by a website, or
insert advertising into websites where none was intended by
the owner of a given website.
10-14-2009 09:58 AM
Queen-Evie wrote: It is most likely coincidental, but I had to ask.
We all know that in the past, Comcast has "broken" one thing when fixing things or adding an "improvement".
These systems have nothing to do with one another and are independent.
10-14-2009 09:59 AM
Moms_hooked wrote:
Perhaps an email to customers letting them know about this program before it actually will be used would be a good idea.
Customers in the trial area all received such an email. Whenever this goes beyond a trial market, we would similarly notify other customers.
10-14-2009 10:01 AM
CWH803 wrote: The idea of an unsolicited browser "Pop Up" that describes an event requiring time sensitive personal action and also contains an actionable Link for remedy can not be tolerated.
This modus operandi is a known infection vector. No knowledgeable browser user would respond other than by terminating the browser session using an operating system task killer function, such as TaskManager in XP.
I'd suggest that the Comcast Constant Guard pop-up UI must not include a clickable link, but instead provide text direction for using a Constant Guard function on the Comcast Home page that the user navigates to using vetted URL or shortcuts in the user's environment.
The Comcast Constant Guard pop-up message could also include a unique user-identifier that could be copied and pasted into the Comcast Home page Constant Guard function if unique identification is in fact necessary or useful.
We've received similar feedback from a few other people and we're taking it into consideration during the trial.
10-14-2009 12:31 PM
jlivingood wrote:
MelvinTheGrate wrote: I suspect that the temptation to use this mechanism to deliver ads will soon prove irresistible.
Then you must have missed Section 4.1, requirement 11, at http://tools.ietf.org/html/draft-livingood-web-notification-00
REQ11: No Advertising Replacement or Insertion: The system must not
be used to replace any advertising provided by a website, or
insert advertising into websites where none was intended by
the owner of a given website.
No I didn't miss that at all. Since a violation of that restriction would carry no penalty other than people shaking their fingers and calling you "naughty," I still feel it's just a matter of time. Recommendations for anti-malware products will probably come first. Besides, the way that requirement is worded permits unrestricted insertion of ads into any web page that already contains at least one ad.
10-14-2009 01:02 PM
Mels points out "Besides, the way that requirement is worded it permits unrestricted insertion of ads into any web page that already contains at least one ad."
Sure 'nuff.
10-15-2009 05:34 PM
Besides, the way that requirement is worded permits unrestricted insertion of ads into any web page that already contains at least one ad.
Well, I wrote the requirement and that was not my intent (and I still don't see how that would be the case). If you were to re-write that requirement, what would it look like?
J
10-15-2009 08:32 PM
jlivingood wrote: Besides, the way that requirement is worded permits unrestricted insertion of ads into any web page that already contains at least one ad.
Well, I wrote the requirement and that was not my intent (and I still don't see how that would be the case). If you were to re-write that requirement, what would it look like?
J
How about simply deleting the qualifier, "where none was intended by the owner of a given website." What could the intent of that qualifier possibly be except to allow for the insertion of ads in some cases?
10-16-2009 10:31 AM
I'd suggest Requirement 11 be in the following form:
REQ11: No Advertising Replacement or Insertion: The system must not be used to replace any advertising or to insert any advertising into any webpage.
10-17-2009 02:43 AM
10-17-2009 10:13 AM
Barmar wrote:
I think the intent of the wording was to allow for cases where they have an agreement with the web site that allows them to insert ads.
And thus would begin the fulfillment of my prediction that this mechanism will one day be used to deliver ads. Furthermore, since the user is forced to click on something in the pop-up in order to get to the original web page, this will train users to click on any pop-up that appears. This will greatly increase the incidence of infected machines, further justifying use of the mechanism. Lovely vicious circle. Advertisers and vendors of anti-malware products will no doubt benefit greatly.
11-30-2009 11:54 PM
It's been well over a month and a half since Constant Guard was put into trial service in Denver...
Do you have any results to share? Customers' response to this trial?
ciao, bj
12-01-2009 08:43 AM
BlueJay wrote:
It's been well over a month and a half since Constant Guard was put into trial service in Denver...
Do you have any results to share? Customers' response to this trial?
ciao, bj
Going really well so far and customer response seems very positive (they are very happy to be advised of a problem). Work continues...
02-26-2010 12:00 AM
What does this mean?
"The Service Notice helps inform customers that there is a high probability that something may be wrong with their computer and that they could be susceptible to any of the malicious activity listed above."
Is that going to be the basic "you don't have an anti-virus installed and therefore you're in serious danger..." type of thing?
I mean, how does it determine "there is a high probability that something may be wrong with their computer..." without simply guessing?
Because I get pretty sick of that Windows and McAfee stuff insisting I'm going to die horribly within the next few seconds and every computer I own is going to explode if I don't immediately update or install something, and this is what that sounds like to me.
02-26-2010 09:08 AM
MJ 41865 asked "How does [Constant Guard security program] determine [if] there is a high probability that something may be wrong with [a] computer... without simply guessing?"
The methodology used is described in the first post of this thread.
02-26-2010 11:40 AM - edited 02-26-2010 11:44 AM
"The methodology used is described in the first post of this thread."
Not really. That doesn't say anything, unless it's in the screenshot that you're talking about, but that's extremely low resolution (as well as over-compressed) and so small on my 24" monitor at 1920x1200 that I can't even read what it says.
It does say in the text, however:
"How did Comcast determine that I may have a virus-bot on a computer in my home?
We identify infected computers in several ways. First, we get data from reputable Internet research groups that specialize in bot identification. The data we get includes a list of Internet Protocol (IP) addresses that are infected and those that belong to bot command and control channels. Second, we look for malicious behavior exhibited by bots such as spam, distributed denial of service attacks and repeated connection requests to known command and control channels. We then aggregate this data to confirm whether one or more of your computers has been infected."
Okay, if that's it, I can see a whole lot of false positives on the horizon, many people worrying for no good reason, much of the time. Just like the way the anti-virus programs figure that OVER protection and undue paranoia are better ideas than playing it realistically. There will be many reports of "infected" IP addresses and such, simply due to their realm or genre, for lack of a better way to say it.
Oh well, forgive me for being skeptical. I mean, Comcast can't even get the "Message has been deleted" thing fixed for the forums, where you're told the message you are trying to access has been deleted, if you're not logged in when you click the email link (And I've been bringing that one up for almost two years and have even been told it's being worked on).... so I'm not real confident.
But it's all good. It might be useful for some people, although I personally feel that all this nannyware creates a false sense of security, as well as countless technical user issues, and the best thing is for people to just be careful where they're going and what they're installing and clicking.
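As an added illustration of the aggregation step quoted in the post above (not Comcast's implementation and not written by anyone in this thread), the sketch below notifies a subscriber only when independent kinds of evidence agree. The thresholds, the `Observation` record, the feed names and the sample data are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Evidence categories taken from the FAQ text quoted in the thread.
THIRD_PARTY_FEED = "third_party_feed"   # research-group list of infected IPs
SPAM = "spam"
DDOS = "ddos"
C2_CONTACT = "c2_contact"               # connection request to a known C&C address

# Assumed thresholds (not from Comcast): tune against real false-positive data.
MIN_CATEGORIES = 2    # independent kinds of evidence required before notifying
MIN_C2_REPEATS = 3    # "repeated" connection requests; a single hit is ignored


@dataclass(frozen=True)
class Observation:
    subscriber_ip: str
    category: str
    source: str        # hypothetical name of the feed or sensor that reported it


def evaluate(observations):
    """Return {ip: {"notify": bool, "evidence": [categories]}}."""
    evidence = defaultdict(set)
    c2_hits = defaultdict(int)
    for ob in observations:
        cats = evidence[ob.subscriber_ip]   # every IP seen gets a verdict
        if ob.category == C2_CONTACT:
            c2_hits[ob.subscriber_ip] += 1
            if c2_hits[ob.subscriber_ip] >= MIN_C2_REPEATS:
                cats.add(C2_CONTACT)
        else:
            # Two feeds reporting the same category still count as one kind
            # of evidence, so a stale listing copied between feeds is not
            # treated as corroboration.
            cats.add(ob.category)
    return {
        ip: {"notify": len(cats) >= MIN_CATEGORIES, "evidence": sorted(cats)}
        for ip, cats in evidence.items()
    }


# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE = [
    # Listed by a feed and repeatedly contacting a C&C address: notify.
    Observation("192.0.2.10", THIRD_PARTY_FEED, "feed-a"),
    Observation("192.0.2.10", C2_CONTACT, "netflow"),
    Observation("192.0.2.10", C2_CONTACT, "netflow"),
    Observation("192.0.2.10", C2_CONTACT, "netflow"),
    # Listed by two feeds but no observed behavior: one category, no notice.
    Observation("192.0.2.20", THIRD_PARTY_FEED, "feed-a"),
    Observation("192.0.2.20", THIRD_PARTY_FEED, "feed-b"),
    # One C&C hit (not repeated) plus spam: only spam counts, no notice.
    Observation("192.0.2.30", C2_CONTACT, "netflow"),
    Observation("192.0.2.30", SPAM, "mail-gateway"),
    # Spam and DDoS behavior both observed: notify.
    Observation("192.0.2.40", SPAM, "mail-gateway"),
    Observation("192.0.2.40", DDOS, "netflow"),
]

if __name__ == "__main__":
    for ip, verdict in sorted(evaluate(SAMPLE).items()):
        print(ip, verdict)
```

Raising `MIN_CATEGORIES` trades missed infections for fewer false notices, which is the balance the posts here are arguing about.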
02-26-2010 12:00 PM
It's a difficult balancing act, indeed. But infected computers are a serious problem, and ISPs are in the best position to intercede.
Hopefully they'll be relatively conservative in this system, because of how intrusive the results are. It would be less troublesome if they just sent email rather than intercepting web client traffic, but I think it's well known from past experience that customers often ignore these emails. In fact, emails like that are often used by phishers and malware spreaders themselves (when Comcast sends email to notify customers that their port 25 has been blocked, they frequently post here asking if it's legit).
03-23-2010 12:02 PM
First of all the initial post by NSM998, needs to be edited to take out McAfee and reflect Comcast Norton Security Suite (CNSS). I'd imagine the resulting paid "tech support" would also have to be with Norton.
I am very curious with how the Constant Guard in the test area is working out with folks who have already made the switch from McAfee to CNSS. Any conflicts?
One last question, will there be a way for an individual user to disable this function?
A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'
05-06-2010 06:54 AM
USAF_E-8_RET wrote:
First of all the initial post by NSM998, needs to be edited to take out McAfee and reflect Comcast Norton Security Suite (CNSS). I'd imagine the resulting paid "tech support" would also have to be with Norton.
I am very curious with how the Constant Guard in the test area is working out with folks who have already made the switch from McAfee to CNSS. Any conflicts?
One last question, will there be a way for an individual user to disable this function?
USAF_E-8_RET,
We have seen no issues prior or after the switch to Norton.
05-12-2010 09:58 PM - edited 05-12-2010 09:59 PM
Sarge and I ask....
One last question, will there be a way for an individual user to disable this function?
05-13-2010 02:14 PM - edited 05-13-2010 02:16 PM
1offive wrote:
Sarge and I ask....
One last question, will there be a way for an individual user to disable this function?
Hi iofffive,
You might want to go to this link from there: http://security.comcast.net/get-help/solutions-to-
This is the latest we have from Comcastgeorge:
Please refer customers with concerns about Constant Guard to the below URL.
http://security.comcast.net/get-help/contact-comcast-security.aspx
Specifically:
The Customer Security Assurance organization has been established to ensure a safe and secure online experience for Comcast customers. This team is a dedicated group of security professionals who respond to issues pertaining to phishing, spam, infected PCs (commonly referred to as "bots"), online fraud and other security issues.
Normal business hours (M-F, 9:00 am to 11:30 pm EST
S-S, 10:30 am to 6:30 pm EST)
888-565-4329
George Lunski
Comcast Help Forums Administrator
george_lunski@comcast.com
Need Email Help? Please post the following information in your post.
Do you use XfinityConnect? The Full or Lite version?
Do you use an email client? Which one? (Eg; Windows Live mail, Outlook, a smartphone etc.)
Which browser/version do you use? And- have you cleared your browser cache?
Which operating system? XP, Vista, Windows 7, Mac OS X
Details of the problem you are having.
05-13-2010 10:19 PM
Hey there, CCC. So, I'm taking that as a definite NO!
Well, alrighty then! :/ Thanks CCC.
06-15-2010 05:01 PM
So why don't the call center staff know about this "new wonderful feature"? Why did they several times last night tell me I have a virus, the pop up is not from comcast, the email is not from comcast?
06-15-2010 05:07 PM
Well this new feature hit Colorado yesterday. My pc got the splash pop up at 3:00 pm. I called Comcast they said it is not them. Comcast did not want a fax of the printscreen, did not want an email of the printscreen. All they told me to do was use their norton and malwarebytes.org to get rid of it.
Then I went to my comcast email to send an email to them anyway and there was an email they sent me at 1:15 pm yesterday. I called comcast again, they said the email is spam it is not from them.
I ran my regular Webroot Security essentials tools, computer associates software, malwarebytes.org, and even downloaded the "comcastic norton." I spent nearly 6 hours running these programs and still the pop up would not go away.
I then went to chat. I should post the chat here. Amazing for it to be documented that Oh, the email is from us but the pop up is not.
06-15-2010 05:35 PM
Unfortunately, it's all too common that Comcast's support reps are unfamiliar with new and trial features of the service. This seems to happen whenever they roll out something new.
06-15-2010 11:03 PM
Can you paste a picture of your pop up here or tell us what it says.
06-18-2010 04:44 AM
DoubleG, there's a screen shot in the first message in the thread.
06-18-2010 09:09 PM
Hello Barmar
Nice to hear from you. I did see the screen print for the constant guard but was wondering what gk77 pop up was saying as 77 said comcast stated pop up and email he got was not from them.
06-19-2010 02:08 AM
Apologies for going off-topic, but am I the only person who has noticed that something about this thread causes IE8 to switch to compatibility mode for the site?
(If anyone else noticed this and commented, I apologize for the echo--didn't read the whole thread.)