Didn't capture it this time E8. But will try next time, I'm sure I'll be seeng it again

wandajhall,

You can set the notification e-mails as spam, but I don’t think there is any way to stop the html injection notices. It appears once your identified as having a bot, all your traffic is monitored and sent through a proxy server where they do deep packet inspections and inject the notices on your normal browsing when they decide to inform you.

Looks like they are experimenting again, some others have had issues / questions, see threads below.

http://forums.comcast.com/t5/Security-and-Anti-Virus/Constant-Guard-Questions/m-p/970741#M81352

http://forums.comcast.com/t5/Security-and-Anti-Virus/Computer-May-Be-Infected-With-A-quot-Bot-quot-N...

http://forums.comcast.com/t5/Security-and-Anti-Virus/Bot-message-support-line-worthless/m-p/941291#M...

http://forums.comcast.com/t5/Connectivity-and-Modem-Help/Usage-Meter/m-p/976235#M135161

davegreen,

Thanks, for the reminder links.  I knew I'd seen a reference elsewhere to the RFC (that link is a 404, now, from the original announcement of Constant Guard, which is also linked in your "reminders").

Glad that some of the other posts contained the still usable RFC link.  As you said, the RFC doesn't give an indication of what the injection would look like.  But those that are being driven nuts will at least have a bit more insight to the machinations, if they are interested.  Most probably would just prefer Comcast be more upfront.

(Where have I seen someone else calling for much the same?  )

Bartleby, your welcome. I would agree CC needs to be more upfront with these injections. I don’t have much confidence in CC’s programming abilities, seen too many errors that have no defensible excuse.

The results are becoming more evident. People are considering these injections as too invasive, especially after they do due diligence in testing for bots and can’t find anything.

I think objective evidence in the form of times / urls / and suspicious activity needs to be available to people who want it, otherwise it will be viewed as bogus information. Trust us doesn’t cut it.

Thank you for the links Davegreen!  And I agree wholeheartedly with your observation, couldn't have said it better!

Wandajhall, your welcome. I would call their security number and see what they say. From what I remember on the other threads, no bots found by OP, a CC employee posts, and the problem fades away. At least no further problems posted from the OP. Don’t know what goes on behind the scenes, since I haven’t gotten an e-mail or injection notification. Seems suspicious to me.

Hi folks  So, I came here to look around because I got my first one of these yesterday, though I only saw it this morning.  Granted, I have to go check the desktop that I do not use, but the laptop and netbook I check regularly (with Ad Aware, Spybot and Malwarebytes), and as far as I know are still clean.  But the thing is, yesterday I was having a horrible day with the internet connection, for most of the day.  And that has been happening (though not that long of a period), on and off for the past, well, I guess few weeks.  More times than not, it kind of seemed like at what could be called peak times the connection would crawl or grind to a halt.  Last week was fine, but the weekend for an hour  one day, couple hours the other same thing, then fine until yesterday.  Yes, did call them when it started, and they said, after 45 minutes of wire switching and pinging and whatever, they said it was us.  Here, most are convinced it's them since if it were us, it would be all the time.  

So anyway, my point/question is, given the timing of the email and the incredibly lousy connection yesterday, is there a potential connection between the two, or probably not? 

---

OV_099 wrote:...So anyway, my point/question is, given the timing of the email and the incredibly lousy connection yesterday, is there a potential connection between the two, or probably not?

---

Since Comcast doesn't give you any information about the supposed bot, it's impossible to say. You have no idea whether the supposed activity happened this morning, yesterday, last week, or a month ago.

Ah, okay.  Well, I'm doing the longer scans of the programs now and will finish tomorrow for all the computers (though since I"ve been having problems with my Win7 laptop, don't think I'll be able to do the longer versions, given it froze when I was doing the Ad Aware one, but that's my problem, not related to this).  And if nothing shows up from those, guess that's all I can do, right?

OV-099,

If you use a wireless router, is it locked down?  Always good to make sure somebody isn't siphoning, so to speak.

Not that an uninvited "guest" on your connection would account for a bot notice, necessarily.  But if someone's borrowing your connection, who knows what they are doing with it, or what state their system might be in.

And whenever someone states they are having unspecified "problems" with a system freezing, my eyebrows arch at least a little.

Just got another Comcast Spam. Same bs. Activity sugesting a bot. No evidence. Just a link to install Norton (no way that's gonna happen) or pay for Comcast's service. Comcast gets enough of my money as it is.

Let's get back to what's possibly triggering these spam mails. Is it, as others suggest, sudden increases in traffic? If so, that's a pretty low, and easily triggered bar. Normally, it's just my iMac online all day. In the evenings, though, it's not unusual for my wife's MacBook to get online. When she's on, she keeps a live connection going to her office's Network Solutions webmail account. And, when she's home from college, my daughter's MacBook will often join the network (and stay on alllll night). Then, there are times when my wife's iPhone jumps on.

So, it's possible that, on a given night, my usage can jump from one Mac to three, plus an iPhone.

It should be noted that all three Macs have tested clean, including a Nessus scan. And, in any case, there are no bots out there that run on a Mac. None. Which is why these emails are so very frustrating. It's obvious that whatever metrics ConstantGuard is using to determine bot activity, they're horribly flawed. Sadly, I'm seeing nothing to indicate Comcast really cares about whether their system is accurate or not.

Thanks for the spam, Comcast!

Actually, I'm beginning to think it's the Mac's that are triggering the notices.  It appears that they can't handle Mac devices so anyone who is using a Mac is being tagged.   My daugher has a Mac laptop and I started noticing whenever she's home and uses her Mac, I get a bot email warning.   I checked her Mac for bots/viruses/malware...anything and it comes up clean.  I had her not use the Mac to see if the emails stopped and they did... yesterday, she used it and bam, I got another bot email.

I don't know what it would be about a Mac that would trigger anything, though. They use standard industry protocols.

The claim that there are no Mac bots is simply false.  iService comes to mind, though that was first observed a couple of years ago, and was never seen to be a large botnet.  But it can be and has been done.  And in the malware world, it's never a long stretch from proof of concept to continuing to push it along, and Macs aren't impervious.

Regarding the daughter who comes home and trips the notices.  Does she do P2P?  Is she downloading possibly infected torrents?  There's a chance that the P2P services in play are hitting the very honeypots that trip the notices.  Activity against honeypot IPs is at least part of what's going on to trigger the notices as I understand it.

For the average user, even if the detail behind the notice was made available, it would be greek at best to them.  Even for the intermediate user, that's probably the case.  I'm not denying Comcast should be more willing to share, particularly for a new approach to looking for malware activity, and notifying users.

IService came and went quietly and never amounted to more than an interesting experiment. In order to get it, the user had to specifically download illegal copies of either iWork '09 or Photoshop CS4. And then, the user had to purposely install these illegal copies and run them. That was the ONLY manner in which iService could make it onto a user's Mac. It does not propogate itself across networks. iService was found on a tiny handful of computers and, today, simply doesn't exist as a threat.

No, my daughter doesn't do torrents. She doesn't even know what a torrent is. And no P2P.

Who cares if the details would be gibberish? The emails from Comcast are less helpful than gibberish. Once again, if these warnings are legitimate, Comcast should prove it. It should be easy for them.

My daughter's Mac does not have any P2P software on it or torrents nor is there any evidence that she's ever visited any site that could trigger these warnings.  

No matter what the technical savvy of the user is, details as to exactly what computer is suspect and exactly what activity is causing the notice NEEDS to be given or no one is going to take them seriously.    It appears that my daughter's Mac is what is triggering the alerts, and after going back through a lot of these posts, that seems to be the case for a lot.    Since none of the Mac's that have been listed appear to have any bots on them...  seems to be obvious that the problem is with Comcast, not the users.   

I get these constantly and have never had a MAC attached to my comcast connection, so not the situation for me.  My router is locked down as well.

As far as I know, my router is all nice and locked down... you guys are talking about Apple related products, of which I have none... I haven't gotten a new email (yet), so I don't know if that's fixed or what.  I did do the longer checks on the two out of three computers, and I'm no expert at this type of thing, but the stuff that came up seemed your normal cookies and junk, nothing that sounded vastly different or utterly more terrifying.  

As for the Win7 laptop with freezing and crashing, I've been on another forum where I've done plenty of info gathering with dump files and whatever else the program gathers.  I've uninstalled one program, vaccummed the vent areas, and whatever else.  I haven't done the latest suggestions yet, which is using these programs that seem to take a really long time to check out the memory and whatnot.  I would think that it's not going to be a bot or whatever if when I get the blue screens, that part of the time instead of one that gives me lot of different numbers, it just gives me a two sentence one where it mentions hardware failure.  But who knows.  But with all that, plus a crazy at times internet connection, I sure don't need the idea of something else like a computer virus or bot that I can't pick up.  Sure better not get another one of those emails.... sigh.

Just when I thought I was in the clear , another email shows up.  I'm getting them about every 2-3 days. No issues found on any of my systems.  Running 4 different AV programs. Nothing showing up.

running bot checker etc...I've done pretty much everything that has been suggested in this forum, have found no traces of anything.Even completely shut down some of my machines.

Still getting them.... I hope for comcasts sake, they are doing something to improve their detection system!

The silence from Comcast is disheartening.  I would hope, if nothing else, that they would reach out to apparently conscientious users, who are ticked off by the lack of response.

Even if it was done behind the scenes, to deal with individual cases.  Eliminating as many false positives as possible should be a priority, and here are some folks that need convincing that isn't what they are experiencing.

EDIT:  Fixed a typo, and wanted to add that people posting here are exhibiting due diligence.  Time for Comcast to exhibit same.

I agree completely, Bartleby. Comcast are only doing harm to their security efforts with their silence.

My great fear is what Comcast might do to a customer, like myself, who has a clean system yet continues to trip their bot warning. I can easily see Comcast suddenly disconnecting the customer without recourse.

---

Bartleby wrote:

The silence from Comcast is disheartening.  I would hope, if nothing else, that they would reach out to apparently conscientious users, who are ticked off by the lack of response.

 

Even if it was done behind the scenes, to deal with individual cases.  Eliminating as many false positives as possible should be a priority, and here are some folks that need convincing that isn't what they are experiencing.

 

EDIT:  Fixed a typo, and wanted to add that people posting here are exhibiting due diligence.  Time for Comcast to exhibit same.

---

Bartleby...  you're absolutely correct!

---

JimC wrote:

Just got another Comcast Spam. Same bs. Activity sugesting a bot. No evidence. Just a link to install Norton (no way that's gonna happen) or pay for Comcast's service. Comcast gets enough of my money as it is.

 

Let's get back to what's possibly triggering these spam mails. Is it, as others suggest, sudden increases in traffic? If so, that's a pretty low, and easily triggered bar. Normally, it's just my iMac online all day. In the evenings, though, it's not unusual for my wife's MacBook to get online. When she's on, she keeps a live connection going to her office's Network Solutions webmail account. And, when she's home from college, my daughter's MacBook will often join the network (and stay on alllll night). Then, there are times when my wife's iPhone jumps on.

 

So, it's possible that, on a given night, my usage can jump from one Mac to three, plus an iPhone.

 

It should be noted that all three Macs have tested clean, including a Nessus scan. And, in any case, there are no bots out there that run on a Mac. None. Which is why these emails are so very frustrating. It's obvious that whatever metrics ConstantGuard is using to determine bot activity, they're horribly flawed. Sadly, I'm seeing nothing to indicate Comcast really cares about whether their system is accurate or not.

 

Thanks for the spam, Comcast!

---

I think you are correct about higher usage than normal is one of the triggers.

I got the email on 8-2. On the 30th I had a very high usage total. I am betting that is what triggered the email. I went to the CG section on the website and was stunned that they basically want alot of money to tell that I have no bots...I already knew this.

It would be nice if they let you know what triggered the warning. If the email had said "because you had an abnormally high usage total on 7-30" I would have gone about my business and been happy they are "watching out" for activities like this.

I got this e-mail as well. I found the UPnP was set to automatic. I stopped it and disabled it on my Vista laptop. Is there a way a Comcast tech on the fourms can see if all activity is stopped?

Thank you for letting me know.... this and the other dozen or so times....  now it's time to STOP letting me know since there isn't now, nor has there ever been, a bot on my computer.   Thank you.

Jordan,

Thank you for your response. However...

---

This program is intended to educate and inform in an effort to make our corner of the Internet a little safer.

---

Where is this education and information? An email declaring bot activity is NOT education or information. It's a scare tactic. Once again, specifically identifying the activity your system thinks is bot activity would be education and information. I simply do not understand why Comcast steadfastly refuses to take this one simple step to help customers who, like them, are serious about security.

As for trusting a "trained professional"...Can you imagine how that analogy sounds to those of us who keep our systems secure and absolutely know our systems are not infected, yet continue to get these emails and no useful information from Comcast beyond "trust us"?

---

JimC wrote:

Jordan,

Thank you for your response. However...

 

---

This program is intended to educate and inform in an effort to make our corner of the Internet a little safer.

---

Where is this education and information? An email declaring bot activity is NOT education or information. It's a scare tactic. Once again, specifically identifying the activity your system thinks is bot activity would be education and information. I simply do not understand why Comcast steadfastly refuses to take this one simple step to help customers who, like them, are serious about security.

 

As for trusting a "trained professional"...Can you imagine how that analogy sounds to those of us who keep our systems secure and absolutely know our systems are not infected, yet continue to get these emails and no useful information from Comcast beyond "trust us"?

---

AMEN!

Jim,

You make a very good point and I can answer that simply.  We are going off of network patterns.  We do not perform DPI, which means we can't tell you specifically which machine behind your modem and we can't tell you the specifics of what occured.  What we can tell you is that we saw some traffic that that appears indicative of bot-like behavior. 

We're not trying to scare anyone.  There is only so much we can put in an email.  That's why the email points people towards http://constantguard.comcast.net, where they can learn more.  You'll notice all the FAQs and free software (aside from Norton) that can help someone diagnose the issue.

While I appreciate your point, and comcast's position, you really need to give a little more info if you want to educate or solve the problem. The current warnings are too superficial to be of any use. Especially if you've received them 5 or 6 times. I would hope that you would also  tell us that comcast is also learning from this and working to adapt and improve this program to make it more useful. You might also consider some apologies to your customers and admit it if it is spitting out false positives from time to time rather than just assuming we are all guilty of something. 

---

Jordan_RO wrote:

  You'll notice all the FAQs and free software (aside from Norton) that can help someone diagnose the issue.

 

 

---

I'd like a complete explanation (or retraction) of what you mean by that comment!  Are you saying Norton is not free or that Norton can not help?  

---

We are going off of network patterns.  We do not perform DPI, which means we can't tell you specifically which machine behind your modem and we can't tell you the specifics of what occured.  What we can tell you is that we saw some traffic that that appears indicative of bot-like behavior.

---

Jordan,

Wait...Are you saying you have enough data to trigger a bot warning, but, bizarrely, not enough data to provide any specifics? That seems like quite a disconnect in logic.

What kind of traffic pattern? What time did that traffic occur? How long did it last? These are important data points that Comcast should share with their customers. Are you saying you don't have any data that specific??? And, yet, it's specific enough to trigger these bot warnings?

---

There is only so much we can put in an email.  That's why the email points people towards http://constantguard.comcast.net, where they can learn more.  You'll notice all the FAQs and free software (aside from Norton) that can help someone diagnose the issue.

---

Actually, you can put a ton of stuff in an email. You can also link to the information (the same way you link to Constant Guard) And, frankly, being a Mac user, there's really nothing at that ConstantGuard site for me beyond the link to download Norton. As far as the FAQs go, I pass all the "signs you may have a bot" warnings with flying colors, Windows-specific though they may be.

---

USAF_E-8_RET wrote:

---

Jordan_RO wrote:

  You'll notice all the FAQs and free software (aside from Norton) that can help someone diagnose the issue.

 

 

---

I'd like a complete explanation (or retraction) of what you mean by that comment!  Are you saying Norton is not free or that Norton can not help?  

---

E-8,

FWIW, I think Jordan was referring to the fact that there are free tools other than (or besides) Norton that links are provided for.  (And hope Jordan will correct me if I'm wrong.)

OK. I have not received the warning for sometime and thought I was finally done. Tonight I have been streaming radio again and boom. Heres the message. I haven't even had a computer turned on, just radio!

Its becoming very clear that the "bot" detection has serious issues.

That is exactly what I meant, Bartleby.  I've edited my post above to properly reflect the intent of my post.

pzoo,

The warning message is not in real-time.  It may have been an hour or two since we detected anything before you see an alert.  We're trying to narrow that window down more and more.

OK, this is good to know. Now we're getting somewhere. A little information can help all of us here.

In reality, the only thing on was radio and it was on for multiple hours. So it still could be the culprit. Unless the window is a day or more long.

The delay is close to real-time, but not instantaneous.  It will never be more than 24 hours (it should never even come close).

And, once again, a Comcast Spam has found its way to my inbox. And, of course, no information. Just a link to download Norton or pay for a Constant Guard scan.

I'll throw this gauntlet down to Comcast...

Prove it.

1. List all bots that are currently known to operate on Mac OS X 10.6.

2. Provide exact information as to time and nature of the activity that provoked the email.

this is why i did not install this service at all. i get my pc profesionaly scaned once a month from my local Computer tech whome is my best friend. all i can say is i would do they same with yor computers take it in have it scanned best buy offers this as well as other computer shops for a small price. if it pulls up clean send the clean bill of health to comcast. then maybe they will start looking at there data more. not saying to do this but i would and i do every month except i dont pay i know them. 

what service? is there something you can turn off or uninstall to get comcast to stop the notifications?

No, there isn't. I was confused by that, too. Maybe they're mistakenly thinking the Norton junk is what causes the emails?

sorry about that i ment the constant guard crapware software. and norton i would never install it on my pc ever. but i see they send out those e-mails even without the software i just read that so sorry about that. 

I got two bot notices (a real ones) from Comcast even though:

• My new cable modem and router were turned off.
• My computers were turned off.

I called Constant Guard (the sales people).  Once I explained the situation, they couldn't get me off the phone fast enough.  I chatted with Comcast and they said my computers were fine and could not tell me why I got the bot notice.

When Comcast can expain to me how bot activity can happen on equipment with no power, I will start to take this seriously.

@ LAJOE,

This is the third time I have read this same post from you - we got your point, now please say something different if you have something worthwhile to say!

It's not rude dude. It's factual...

Self appointed "forum nannies" always crack me up.  But I do wholeheartedly apologize for committing the unforgivable error of posting the same replay in three different threads in my effort to inform others of some information that I wish to share. 

"Ignorance is bliss"...