It's hard to tell. I've often wondered if transferring files via FTP might be a trigger, too.

For now, though, I think the only verifiable trigger is simply being a Comcast customer.

I posted this back on July 19th and I think I should post it again:

---

I wrote:

I have a theory.  The one thing that can raise a red flag that a computer has been compromised by a bot is above average bandwidth use.  I received a warning email this morning.  Routinely, for a VERY long time, I've run scans by AVG AntiVirus, SuperAntiSpyware, and Spybot ... at least once a month.  When I received this morning's email, I re-ran the same scans I did on July 1st.  It found the usual tracking cookies everyone picks up.  But other than that, nothing.

 

However, I do maintain a mirror website (phase2trek.com) that often requires heavy uploading and/or downloding to maintain.  And, I suspect this may "trigger" a ConstantGuard bot warning.  FWIW, beyond those three scans, I use a "hosts" file that screens out connections with known "toxic" sites.  For more info on setting up and implementing "hosts" file protection, see this site:

 

http://winhelp2002.mvps.org/hosts.htm



---

Since July 19th, I haven't gotten a warning email.  But over the last week, I did some significant uploading to one of my mirror sites:

http://farragut.novelhost.net

Then bingo, less than an hour ago, I get the warning email again.  I'm beginning to think my theory is correct.

Regards,

J. Alec West

Interesting. 

I do frequently work from home and part of my job is qa testing and escalation support with proprietary hd video conferencing software that averages upload and download rates of 1.5 mbps. Perhaps I'll start tracking when I have lengthy calls going and see if a bot alert appears within a few hours after that.

I am pretty sure I know what triggered mine in late July/ early August. I was live streaming a sporting competition for several days. My usage was very high. When the competition ended on the 6th my usage dropped significantly for the rest of the month. In ended up nowhere near 250g, I had 147g. So I guess a high usage for several days is a trigger point.

I'm now getting the warning messages from Comcast again. Attached is the log from my Netgear WGR614v10 router. (Comcast was out, so the logs aren't long.) Unlike last time I posted, I can't see anything out of the ordinary, do you? Thanks for your help -- matt

====

[Admin login] from source 192.168.1.3, Sunday, Sep 11,2011 12:47:41
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Sunday, Sep 11,2011 12:27:59
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Sunday, Sep 11,2011 11:06:52
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Sunday, Sep 11,2011 11:01:37
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Sunday, Sep 11,2011 10:50:54
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Sunday, Sep 11,2011 10:38:52
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Sunday, Sep 11,2011 09:38:56
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Sunday, Sep 11,2011 09:28:57
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Sunday, Sep 11,2011 09:28:11
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Sunday, Sep 11,2011 09:20:38
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Sunday, Sep 11,2011 09:12:16
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Sunday, Sep 11,2011 09:08:50
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Sunday, Sep 11,2011 09:05:28
[DHCP IP: (192.168.1.6)] to MAC address 00:1F:F3:C5:1F:83, Sunday, Sep 11,2011 09:04:13
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Sunday, Sep 11,2011 09:01:16
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Sunday, Sep 11,2011 08:59:31
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Sunday, Sep 11,2011 08:58:32
[Time synchronized with NTP server] Sunday, Sep 11,2011 08:12:35
[Internet connected] IP address: 24.34.21.191, Sunday, Sep 11,2011 08:13:40
[DHCP IP: (192.168.1.12)] to MAC address 00:21:00:6F:B0:E4, Sunday, Sep 11,2011 07:20:10
[DHCP IP: (192.168.1.12)] to MAC address 00:21:00:6F:B0:E4, Sunday, Sep 11,2011 07:17:41
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Sunday, Sep 11,2011 07:11:57
[DHCP IP: (192.168.1.8)] to MAC address 1C:65:9D:97:E6:50, Sunday, Sep 11,2011 07:05:57
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Sunday, Sep 11,2011 07:02:57
[DHCP IP: (192.168.1.12)] to MAC address 00:21:00:6F:B0:E4, Sunday, Sep 11,2011 07:00:23
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Sunday, Sep 11,2011 06:03:40
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Sunday, Sep 11,2011 05:47:23
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Sunday, Sep 11,2011 05:22:54
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Sunday, Sep 11,2011 04:54:14
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Sunday, Sep 11,2011 04:27:11
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Sunday, Sep 11,2011 04:17:18
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Sunday, Sep 11,2011 03:09:33
[DHCP IP: (192.168.1.2)] to MAC address 00:1E:8F:52:7E:4A, Sunday, Sep 11,2011 01:57:28
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 23:07:49
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 23:04:55
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:33:31
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:29:32
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:29:11
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:26:54
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:26:02
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:21:16
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:15:56
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:14:14
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:13:08
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:11:13
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:07:06
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 22:00:05
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 21:59:33
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 21:48:17
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 21:43:29
[DoS attack: Smurf] attack packets in last 20 sec from ip [71.21.10.255], Saturday, Sep 10,2011 21:32:16
[DoS attack: Smurf] attack packets in last 20 sec from ip [71.21.10.255], Saturday, Sep 10,2011 21:07:42
[DoS attack: Smurf] attack packets in last 20 sec from ip [71.21.10.255], Saturday, Sep 10,2011 20:45:12
[DHCP IP: (192.168.1.12)] to MAC address 00:21:00:6F:B0:E4, Saturday, Sep 10,2011 20:26:16
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:36:07
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:34:50
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Saturday, Sep 10,2011 19:25:34
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:25:06
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:24:05
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:22:48
[DoS attack: Smurf] attack packets in last 20 sec from ip [71.21.10.255], Saturday, Sep 10,2011 19:22:13
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:21:26
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:21:00
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:19:58
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:18:39
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:18:00
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:16:59
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:15:57
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:14:55
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:13:54
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:12:54
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:11:57
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:09:40
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Saturday, Sep 10,2011 19:08:45
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 19:07:39
[DoS attack: Smurf] attack packets in last 20 sec from ip [71.21.10.255], Saturday, Sep 10,2011 19:01:57
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:56:09
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:55:07
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:54:06
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:53:07
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:52:07
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:51:12
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:50:16
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:49:24
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:48:22
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:47:54
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:46:50
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:45:59
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:45:08
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:44:06
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Saturday, Sep 10,2011 18:43:44
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:43:16
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:42:14
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:41:18
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 18:40:22
[DoS attack: Smurf] attack packets in last 20 sec from ip [71.21.10.255], Saturday, Sep 10,2011 18:39:33
[DoS attack: STORM] attack packets in last 20 sec from ip [93.113.9.44], Saturday, Sep 10,2011 18:39:27
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Saturday, Sep 10,2011 18:37:41
[DoS attack: Smurf] attack packets in last 20 sec from ip [71.21.10.255], Saturday, Sep 10,2011 18:15:58
[DHCP IP: (192.168.1.12)] to MAC address 00:21:00:6F:B0:E4, Saturday, Sep 10,2011 17:59:18
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Saturday, Sep 10,2011 17:57:58
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Saturday, Sep 10,2011 17:46:14
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 16:20:23
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 16:15:10
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Saturday, Sep 10,2011 16:14:19
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Saturday, Sep 10,2011 16:14:06
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 16:13:46
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 16:09:47
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 16:05:06
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 15:52:44
[DHCP IP: (192.168.1.15)] to MAC address E0:F8:47:BA5:8E, Saturday, Sep 10,2011 15:34:11
[DHCP IP: (192.168.1.15)] to MAC address E0:F8:47:BA5:8E, Saturday, Sep 10,2011 15:21:46
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Saturday, Sep 10,2011 15:17:11
[DHCP IP: (192.168.1.15)] to MAC address E0:F8:47:BA5:8E, Saturday, Sep 10,2011 15:03:25
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 15:01:00
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 15:00:03
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:55:21
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Saturday, Sep 10,2011 14:52:37
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:48:55
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:42:15
[DHCP IP: (192.168.1.15)] to MAC address E0:F8:47:BA5:8E, Saturday, Sep 10,2011 14:39:29
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:35:10
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:32:02
[DHCP IP: (192.168.1.7)] to MAC address 38:E78:7B:3B:AA, Saturday, Sep 10,2011 14:31:16
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:29:41
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:28:14
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:24:56
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:21:14
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:14:20
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:07:14
[DHCP IP: (192.168.1.15)] to MAC address E0:F8:47:BA5:8E, Saturday, Sep 10,2011 14:06:01
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 14:03:40
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:57:28
[DHCP IP: (192.168.1.2)] to MAC address 00:1E:8F:52:7E:4A, Saturday, Sep 10,2011 13:56:53
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:52:59
[DHCP IP: (192.168.1.6)] to MAC address 00:1F:F3:C5:1F:83, Saturday, Sep 10,2011 13:50:46
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:49:23
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:44:12
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Saturday, Sep 10,2011 13:42:30
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:40:51
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:39:09
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:38:43
[DHCP IP: (192.168.1.14)] to MAC address 00:1E:35:EC:15:A3, Saturday, Sep 10,2011 13:34:05
[DHCP IP: (192.168.1.14)] to MAC address 00:1E:35:EC:15:A3, Saturday, Sep 10,2011 13:32:49
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:31:43
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Saturday, Sep 10,2011 13:30:21
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:23:50
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Saturday, Sep 10,2011 13:23:35
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:22:19
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 13:21:59
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Saturday, Sep 10,2011 11:40:49
[DHCP IP: (192.168.1.6)] to MAC address 00:1F:F3:C5:1F:83, Saturday, Sep 10,2011 11:36:29
[DHCP IP: (192.168.1.8)] to MAC address 1C:65:9D:97:E6:50, Saturday, Sep 10,2011 11:16:12
[DHCP IP: (192.168.1.7)] to MAC address 38:E78:7B:3B:AA, Saturday, Sep 10,2011 11:13:53
[DHCP IP: (192.168.1.6)] to MAC address 00:1F:F3:C5:1F:83, Saturday, Sep 10,2011 11:10:01
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Saturday, Sep 10,2011 10:32:39
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Saturday, Sep 10,2011 10:31:10
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Saturday, Sep 10,2011 09:56:28
[DHCP IP: (192.168.1.6)] to MAC address 00:1F:F3:C5:1F:83, Saturday, Sep 10,2011 09:55:41
[DHCP IP: (192.168.1.6)] to MAC address 00:1F:F3:C5:1F:83, Saturday, Sep 10,2011 09:25:26
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Saturday, Sep 10,2011 09:25:21
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 09:22:34
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 09:21:49
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 09:21:22
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 09:20:49
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 09:16:58
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 09:13:12
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 09:09:32
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 09:05:47
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 09:02:02
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:58:16
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:54:35
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:52:51
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:51:00
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:48:48
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:47:40
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:47:15
[DHCP IP: (192.168.1.14)] to MAC address 00:1E:35:EC:15:A3, Saturday, Sep 10,2011 08:45:57
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:43:44
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:39:52
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:36:19
[DHCP IP: (192.168.1.8)] to MAC address 1C:65:9D:97:E6:50, Saturday, Sep 10,2011 08:26:55
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:26:19
[DHCP IP: (192.168.1.7)] to MAC address 38:E78:7B:3B:AA, Saturday, Sep 10,2011 08:24:11
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:21:58
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:21:17
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:20:31
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:19:44
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:19:04
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:18:18
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:17:27
[DHCP IP: (192.168.1.9)] to MAC address 8C:58:77:236:E5, Saturday, Sep 10,2011 08:14:44
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Saturday, Sep 10,2011 08:14:03
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Saturday, Sep 10,2011 08:13:36
[DHCP IP: (192.168.1.12)] to MAC address 00:21:00:6F:B0:E4, Saturday, Sep 10,2011 08:12:09
[DHCP IP: (192.168.1.14)] to MAC address 00:1E:35:EC:15:A3, Saturday, Sep 10,2011 07:56:44
[DHCP IP: (192.168.1.14)] to MAC address 00:1E:35:EC:15:A3, Saturday, Sep 10,2011 07:37:52
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Saturday, Sep 10,2011 07:13:24
[DHCP IP: (192.168.1.14)] to MAC address 00:1E:35:EC:15:A3, Saturday, Sep 10,2011 07:08:32
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Saturday, Sep 10,2011 06:14:39
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Saturday, Sep 10,2011 05:55:12
[DHCP IP: (192.168.1.6)] to MAC address 00:1F:F3:C5:1F:83, Saturday, Sep 10,2011 05:40:30
[DHCP IP: (192.168.1.14)] to MAC address 00:1E:35:EC:15:A3, Saturday, Sep 10,2011 05:36:16
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Saturday, Sep 10,2011 05:27:07
[DHCP IP: (192.168.1.12)] to MAC address 00:21:00:6F:B0:E4, Saturday, Sep 10,2011 04:54:40
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Saturday, Sep 10,2011 04:30:00
[DHCP IP: (192.168.1.8)] to MAC address 1C:65:9D:97:E6:50, Saturday, Sep 10,2011 04:02:58
[DHCP IP: (192.168.1.12)] to MAC address 00:21:00:6F:B0:E4, Saturday, Sep 10,2011 03:58:51
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Saturday, Sep 10,2011 03:42:37
[DHCP IP: (192.168.1.13)] to MAC address 00:1F:3B:A1:C9:E3, Saturday, Sep 10,2011 02:38:57
[DHCP IP: (192.168.1.2)] to MAC address 00:1E:8F:52:7E:4A, Saturday, Sep 10,2011 01:57:25
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Friday, Sep 09,2011 20:52:59
[DHCP IP: (192.168.1.8)] to MAC address 1C:65:9D:97:E6:50, Friday, Sep 09,2011 20:12:23
[DHCP IP: (192.168.1.8)] to MAC address 1C:65:9D:97:E6:50, Friday, Sep 09,2011 20:06:57
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Friday, Sep 09,2011 19:35:04
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [221.195.6.66], Friday, Sep 09,2011 19:01:46
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [221.195.6.66], Friday, Sep 09,2011 19:01:24
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [221.195.6.66], Friday, Sep 09,2011 19:01:02
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [221.195.6.66], Friday, Sep 09,2011 19:00:37
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 18:38:45
[DHCP IP: (192.168.1.6)] to MAC address 00:1F:F3:C5:1F:83, Friday, Sep 09,2011 18:34:50
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Friday, Sep 09,2011 18:26:07
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Friday, Sep 09,2011 18:06:21
[DHCP IP: (192.168.1.12)] to MAC address 00:21:00:6F:B0:E4, Friday, Sep 09,2011 17:48:35
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Friday, Sep 09,2011 17:36:29
[DHCP IP: (192.168.1.6)] to MAC address 00:1F:F3:C5:1F:83, Friday, Sep 09,2011 17:03:18
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 16:00:38
[DHCP IP: (192.168.1.6)] to MAC address 00:1F:F3:C5:1F:83, Friday, Sep 09,2011 15:38:16
[DHCP IP: (192.168.1.8)] to MAC address 1C:65:9D:97:E6:50, Friday, Sep 09,2011 15:20:42
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Friday, Sep 09,2011 15:20:14
[DHCP IP: (192.168.1.11)] to MAC address 10:9AD:C1:4A:7B, Friday, Sep 09,2011 15:14:35
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Friday, Sep 09,2011 15:00:30
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Friday, Sep 09,2011 14:34:30
[DHCP IP: (192.168.1.8)] to MAC address 1C:65:9D:97:E6:50, Friday, Sep 09,2011 14:31:04
[DHCP IP: (192.168.1.7)] to MAC address 38:E78:7B:3B:AA, Friday, Sep 09,2011 14:29:00
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Friday, Sep 09,2011 14:24:09
[DHCP IP: (192.168.1.2)] to MAC address 00:1E:8F:52:7E:4A, Friday, Sep 09,2011 13:56:51
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Friday, Sep 09,2011 13:48:19
[DHCP IP: (192.168.1.13)] to MAC address 00:1F:3B:A1:C9:E3, Friday, Sep 09,2011 13:31:28
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 12:25:48
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 12:19:43
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 12:18:47
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 12:08:27
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 12:03:58
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Friday, Sep 09,2011 11:57:20
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Friday, Sep 09,2011 11:57:09
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 11:46:18
[DHCP IP: (192.168.1.10)] to MAC address E0:F8:47:00:FD:2C, Friday, Sep 09,2011 11:45:58
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 11:36:02
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 11:35:34
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 11:34:53
[DHCP IP: (192.168.1.5)] to MAC address 00:23:12:CC:CD:B3, Friday, Sep 09,2011 11:33:35
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Friday, Sep 09,2011 11:16:30
[DHCP IP: (192.168.1.4)] to MAC address 00:25:BC:70:EB:04, Friday, Sep 09,2011 10:50:31
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Friday, Sep 09,2011 10:44:08
[DHCP IP: (192.168.1.3)] to MAC address 00:1E:52:74:EC:81, Friday, Sep 09,2011 10:42:20

====

Got another one this evening.

Comcast Security Assurance...You're now on my spam filter.

Just picked up another one of these at 1:58 AM PST. Been over a month since I received the last one. I'll be calling first thing in the morning to deal with the situation, hopefully I'll actually get some real information that I can investigate myself this time around.

As for conclusions that I've been able to make just from the email...assuming the notices come within a couple hours of the detection (Comcast reps stated this in this thread, so I'll go ahead and go with it, although this didn't appear to be the case for my first notification), this would mean that the activity must be coming from 1) my "main" computer, 2) my iPad, 3) my laptop, or 4) an outside connection. From here I'll be breaking these down with as much information as I can:

1) When the first notification came, I ran everything back to back on the entire system, and a couple times over the next couple days. This includes Microsoft Security Essentials, SpyBot Search & Destroy, ESET's Online Scanner, Malwarebytes' Anti-Malware, and Norton (had an old subscription that was on it's last week so I figured why not). ESET's Online Scanner discovered one file that I had received from a client, which was contained in a file archive of his website contents. I had opened this archive and extracted the contents so that I could work on his site about two months before. To my knowledge, this was just a remnant file in the archive I received, and it does not appear to have ever executed on my system. Needless to say, it was cleared up and removed by ESET's Online Scanner and all archive files pertaining to the issue were deleted. I never happened to write the name down, but I did do a little bit of digging on the name of the infected item, and it appeared to be just a variant of a common virus. Scanned again with everything just to be safe, absolutely nothing picked up.

Since then I've regularly scanned using the aforementioned tools, encrypted my entire computer using the Whirlpool hash function, and changed every halfway important and above password to lengthy, complex sequences using a different system on a different internet connection. Additionally, I purchased ESET's package since their software appeared to be relatively non-bloated and perform regular scans with it as well.

I automatically prevent all traffic-related requests on my computer until I manually approve them. I stay up-to-date with everything from Microsoft since this system runs Windows 7. I use the most recent version of Firefox with NoScript (w/everything disabled including CSS-related @fontface requests due to the way it's implemented in FF currently) and AdBlock (everything blocked). If I need to view something on a website that requires JavaScript/Flash/etc., I carefully pick through the list of blocked sites and only allow the bare minimum. The only time I run other browsers (i.e. Internet Explorer, Google Chrome, etc.) are to view my own websites to ensure cross-browser compatibility during the front-end phases of development, all of which is my own code, so nothing malicious getting through there.

When the notification came through, I was working on a couple web-related projects and had been for a couple hours before that, putting me within the time frame of notification. The only online activity I personally was doing was uploading files. Assuming that the messages are coming within a couple hour period, usage spikes are not what's triggering these, at least on my end.

2) iPad is really only used for reading and again checking cross-browser compatibility on websites that I develop. I will mention that I was using the device more often when the first notification came, but had not really used it much until a few days before this recent message. I had not used it in the supposed notification period, but it was idling and should have had an active wireless connection.

3) Laptop has been without a hard-wired connection and power for the last 20ish hours as of this post. I've used it in between the two notifications I've received on a regular basis. It also receives scans using SpyBot S&D, the ESET Online Scanner, and Malwarebyte's Anti-Malware on a fairly regular basis. Rarely detects a couple tracking cookies. Firefox + NoScript + AdBlock also used, although I'm more liberal about allowing sites via NoScript on it. Assuming the timeframe for notification is correct, it doesn't qualify as a candidate for the detection notice.

4) Since the first notification, I've had wireless access to my router turned off. About a week ago I re-enabled it to connect my iPad. It provides a decent range, about out to the residential street, meaning that neighbors or someone parked outside in a car could have access. I've checked my router logs, nothing out of the ordinary to my knowledge, just communication between the router, connected devices, and the Comcast hub. Encrypted with WPA2, so I'm going to guess it's not getting broken into based on laptop battery life.

TLDR: All of my systems are regularly scanned and highly protected. Nothing of significance is ever detected.

I'd like to think my systems are pretty well secured from the possibility of infection. Unless I get some real information regarding the issue tomorrow via the support line that can confirm the bot detection was legitimate/false positive, I will be cancelling my service with Comcast. It was the only high-speed service in my area, but this has since changed. Although I've only received two notices, these messages really waste my time since I take them seriously, even though I'm almost positive they're a marketing scare tactic.

EDIT: Forgot to mention I'm recording all my traffic tonight using two different programs so that I can cross-reference any information obtained from the phone call.

@ Tayne,

Thanks for your feedback and please do keep us appraised of what you find out when you contact support.

Just got off the phone with the representative, got more information this time around, but not anything that's super helpful. I'm not saying that this is the rep's fault, it seems like they don't really have much available, but the information and data should be there if the customer wants it.

As for what I did get and how the call went...

1) The trigger was four "somethings." I'd assume this refers to four connections within a short period, but I can't say 100% since no more information was available.

2) Apparently single incidents were noticed on my IP address occasionally between September 1st and now. If the malicious activity is so well known, why are emails not being sent for these single incidents as well? There shouldn't be some magic number (i.e. 4) of incidents that must be reached before getting a notice. Referencing the rep I spoke with for the first notification, they typically see thousands of incidents when someone is infected.

3) The time of occurrence in their system was apparently 6:58. Didn't say if that was AM/PM or what time zone, but I live in a PST region and my email notice arrived at 1:58 AM. Based on the minute marking, I'd say the activity notification is coming near-instantly, or at least it did in my case. It's possible that it's off by an hour or something since I don't have any information relating to what time zone the system detecting the activity is set to.

4) Apparently the name of whatever caused the notification was "Northglobe Crasher" or "Northglobe Crusher," couldn't really hear correctly over the phone. Apparently they "don't give that information out usually since searching for that on your computer won't do any good." Really? Never would have guessed that. I surfed around online, didn't find -anything- referencing this. There's mention of a Crusher virus online, but I'm doubting this is related. Maybe I'm wrong. Regardless, Northglobe Crasher/Crusher must be completely new or have a different name since there's no mention of it on my initial search. Out of curiosity, if they don't have any information regarding IPs, connections, etc., why would they have the name of what's causing the issue? Really makes no sense and the rep hesitated when he mentioned the name. I'll leave that up to the reader for interpretation.

5) Asked if he could check back to the previous notice to see what was causing it then, he said that my IP had changed and that he couldn't. My IP has been the same for at least six months, putting both incidents on this IP. Additionally, having access to my account should give a list of the IPs I've had since becoming a customer, allowing them to reference the incident if my IP had actually changed.

6) I kept asking for more information and eventually the rep just stopped talking on the phone. Urged me to either use Norton, Constant Guard, or another free alternative, even though I had already told him multiple times what I've been using, then said "Thanks for calling Comcast, have a nice day."

I've scanned using everything again, all results say my system is clean. Unfortunately nothing to cross-reference with my activity logs, though. I'll do a complete scan on my laptop today just to cover all the bases.

Conclusion: False positive or marketing scheme. I'm leaning toward the latter. If more information were available, I'd at least reconsider, but there wasn't anything given to me over the phone to justify the notification.

Well, I see Comcast has revamped their scare-spam-email, judging by the one I got this afternoon. It's just slightly more ominous in its warnings against phishing, identity theft and keystroke logging. Even the link supplied in the email now send you to Bot Assistance! So, what the heck, I need a good chuckle...I click and head to Bot Assistance!

Spiffy! Let's see...I have two options...DIY or "affordable bot and virus removal support". Hmmm...well, I'm pretty handy, and Comcast already gets enough of my hard-earned money, so, let's DIY. I click "Get Started" and....

Ooooops. Er...Windows? Guys...I'm on a Mac. Your site isn't smart enough to sniff that out and give me the appropriate screen? K. Let's click "Next". Maybe there's Mac stuff on the next popup...

Nope. Guess not. Maybe clicking that Download button will take me to the right place...Hmmmm...Neither the button or the "How can I tell..." seem to work in Firefox/Mac. Nice.

Onward...Next!

More Windows stuff. Oh well...obviously this is a canned sales page. Dropping out from the popup, I did manage to finally find a Mac area of Bot Assistance Center. And what do I find? Well, of course, there's the free Norton. But, now, there's more!

Identity Guard!!! The essentials are free, but there's the up-sell for paid services.

Secure Backup and Share!!! You, of course already get 2G of storage as a Comcast customer anyway. Hey...Another upsell!!! 50G for a mere $50/yr!!!

Now, last but not least, my favorite...

Xfinity Toolbar!!! Seriously? A toolbar. On a Mac? Dudes...Toolbars are a Windows thing. Does your marketing department do any actual research on this stuff?

So, all-in-all, a very educational stop at Bot Assistance. One that merely served to reinforce my belief that 1) The warning emails are a marketing campaign, and 2) Comcast is clueless about the Macs on their network. Once again...Comcast...There are no bots that run on Macs.

But, hey...If you're so darned sure I have a bot...Scan my network for free. If you're going to keep sending me these bogus emails, I think it's time for you to put-up. Scan my system at no charge to me. Just as long as I don't have to install any of your or Norton's junkware, that is.

I don't disagree that most of the messages people receive are likely marketing or false positives, but you're mistaken when you say there "are no bots that run on Macs." There definitely are viruses, malware, bots, etc. that are designed with the current versions of Mac OS in mind. This was less prevalent in the past, but these malicious programs absolutely exist today. If you don't believe me, google "mac botnet" and you'll find pages of results. Most links will point you to a 2009 incident, but there are other cases if you look around.

Based on your previous posts, it seems like you've scanned all of your systems, but if you're leaving the ones running Mac OS out of the loop with the idea that they're not susceptible, I'd be willing to bet those systems are infected. The fact that you're receiving these notices so frequently suggests to me (a fellow Comcast customer who has received the notices) there's definitely something triggering it, whether that's a website you're visiting, some program you're running, or malicious software operating without your knowledge.

"Can't handle Macs on the Network" makes absolutely no sense. The internet service Comcast offers works perfectly with Apple products, Macbook, iPhone, iPad, or otherwise. They wouldn't exclude roughly 10% of internet-ready device users from their service. If you were meaning that the bot notifications are a result of using a Mac OS-based system, it still doesn't make sense. Multiple users report they only have Windows operating systems active in their household, yet they still receive these emails.

The notifications are an alert to inform customers of a potential issue and that is all. The emails report problems that absolutely exist, and plague numerous individuals who use the internet on a daily basis. The trigger and infection validity are in question.

JimC,

Thank you for going through the site as detailed as you did.  We did design the site to provide a DIY wizard that fit the OS.  Apparently that is not working correctly.  I'll look into it and report back.

Tayne, it absolutely makes sense.  The only time I get any notifications is when my daughter uses her MacBook Pro which is verified as completely clean.  My neighbor, the same.. he gets notifications when he uses a Mac laptop.   

"The notifications are an alert to inform customers of a potential issue and that is all. The emails report problems that absolutely exist, and plague numerous individuals who use the internet on a daily basis. The trigger and infection validity are in question."

Report problems that exist?  What planet are you on.... Comcast's entire system is flawed and so far, I've seen not a single incident that has been valid... the only thing that is seen is an attempt by Comcast to get a user to pay for additional services.

---

ComcastJordan wrote:

JimC,

Thank you for going through the site as detailed as you did.  We did design the site to provide a DIY wizard that fit the OS.  Apparently that is not working correctly.  I'll look into it and report back.

---

ComcastJordon, while you are at it, check out this thread:

http://forums.comcast.com/t5/Security-and-Anti-Virus/Repeated-Comcast-Security-Guard-Notices/m-p/105...

On Seot 15th I reported it to the Forum Admin using the "Report Inappropriate Content" labeled as Not Abuse as follows:

"Not abuse - the information for MAC users uner the "Do it Yourself" no longer exsists on this link: http://xfinity.comcast.net/constantguard/botassistance/ Once again the CG team or Security folks are changing information in links and leaving information out. Is there anyway you can wake them up and have them double check what they change for ommissions"

Are you saying that MAC DIY info would pop up if I were running a MAC or that in fact there is supposed to be an option for MAC users in addition to Windows users, as it had been before it was changed?

The notifications are an alert to inform customers of a potential issue and that is all. The emails report problems that absolutely exist, and plague numerous individuals who use the internet on a daily basis. The trigger and infection validity are in question.



I'm question your point about problems absoultely existing if we get an email. For example, though no one replied, above I included my router's log file, which to me looks completely innocuous. But I got the scary email (again). Thanks in advance.

There are a number of posts on here where customers have received the notifications, been instructed on how to scan for problems, and then found issues with their systems. At least browse around on here before you start throwing around false information.

As for you and your neighbor's situation, you're discussing an isolated case. I have friends with Comcast's internet service who only have Mac OS-based systems, and they don't receive the notifications. Again, as mentioned in my first response to you, there are numerous reports on here from non-Mac OS users who receive the notices as well, so it's not a operating system related issue.

Are you arguing that malicious software doesn't exist? That's all that Comcast is alerting its customers to, and that their system(s), based on interpretation of the information on their end, may be infected. It's as simple as that. The messages are 100% valid, but I'm not saying that everyone who gets one is infected. Instead, Comcast's filter is probably set to error on the side of caution, meaning that when something is detected, it's likely, but not always, a false positive.

Is Comcast trying to get you to pay for additional services? Absolutely, Comcast is a business, and businesses sell products, so what do you expect. Are the detection settings designed to alert customers at even the slightest possibility of infection, promoting their products as much as possible? Probably. In reality this is for the best, since the majority of users won't have the slightest clue that they're potentially installing malicious software (knowingly or unknowingly). Erring on the side of caution here benefits all customers since it provides at least a little more integrity to the system as a whole.

Comcast isn't just going to send out notifications that actually say your system may be infected without justification, however. There's a trigger, otherwise numerous customers wouldn't be receiving multiple notifications in a short period. No, this trigger isn't your when your daughter uses her MacBook Pro. If this were a direct marketing campaign, you'd see a lot more people reporting emails at the same time, and they wouldn't send them daily to some customers.

Correct, Mac DIY information should pop-up for Mac users.  For some reason the site is currently detecting everyone as a Windows machine (it's not a conspiracy... just messed up code).  We're working on fixing it.

---

wandajhall wrote:

Report problems that exist?  What planet are you on.... Comcast's entire system is flawed and so far, I've seen not a single incident that has been valid... the only thing that is seen is an attempt by Comcast to get a user to pay for additional services.

---

Why would a customer who had an issue, was alerted by our system, and was able to fix the issue come to the forums to report it? 

Sure ok...  clearly you can't be wrong, so no point in arguing with you.   Her laptop must be the problem and Comcast is only trying to help her realize it.  So every time she comes home and hooks up the laptop and I get the "email"... we'll assume it's an invisible virus/bot that apparently only Comcast can see.  I'll tell everyone else who's getting the same thing that you said that they can't be wrong and Mac's do not trigger any warnings so they must also be infected with the invisible virus or bot.

I was referring to those who continually get emails and there are no viruses found... no one comes back and says, oops... there is one, I just didn't see it.

In response to your router log, matthewcornell, I browsed through it and here's what I've noticed in my initial look through:

You're receiving Denial of Service attempts (doesn't look like they're getting through, but who knows) from three different IPs. Although this information may not be 100% accurate, a quick Google search yields the locations of these IPs as Kirkland, Washington, China, and Romania. These might be random, they might not be. Could be related to gaming consoles, as they've been targeted in the past.

You have 15 different clients connected to your router. Clients is just the word most routers use for any type of connected device (wired or wireless) such as a computer, XBOX, laptop, cell phones, iPad, etc. Does this sound correct to you? Sometimes you'll pick up extra entries if a system somehow changes, so this is a possibility. Router encryption is really pretty pathetic, anyone who even has the slightest idea of what to do to gain access to a network can do it. If you must have wireless access, make sure it's limited to a range bounded by your house, and ensure that you change the password regularly. The safest bet is to avoid wireless all together, although this is sometimes difficult to do.

---

wandajhall wrote:

Sure ok...  clearly you can't be wrong, so no point in arguing with you.   Her laptop must be the problem and Comcast is only trying to help her realize it.  So every time she comes home and hooks up the laptop and I get the "email"... we'll assume it's an invisible virus/bot that apparently only Comcast can see.  I'll tell everyone else who's getting the same thing that you said that they can't be wrong and Mac's do not trigger any warnings so they must also be infected with the invisible virus or bot.

---

You completely missed the point of my post since you're convinced that Comcast is trying to scam you. To turn what I'm saying into a statement specific to your situation, your daughter's laptop probably isn't infected with anything if it came up clean. In this case, Comcast is reporting a false positive to you. This means they found something that could be considered a problem, but it actually isn't anything malicious.

Macs are not triggering the warnings, it makes zero sense why they would. They use the same technology to connect to the internet that virtually every other mainstream system does. Seriously, read more than a handful of posts on here, you'll see that they're not all Mac-related. Why would Comcast try to cause problems for 10%, give or take, of their HSI customers?

Comcast will be able to detect certain things better than any antivirus software available. Any ISP will be able to since they have access to all the information being sent and received by your router. Most AV programs are concerned with the files on your computer, not what they're connecting to. Firewalls that come with most AV software are designed to prevent unwanted traffic, although it's not foolproof. Just because your AV says nothing is present, doesn't mean that it's the truth. New malicious software is being developed constantly, meaning that you'll never be 100% immune. Being intelligent about what you do on the computer to begin with and having redundant forms of protection is the only way you can be relatively confident that you're not infected.

I know you said your daughter's laptop is completely free of infection, but it's pretty obvious, based on your description of the situation, that something present on the system or something she's doing while connected is triggering the notifications. If you're relying on one program alone, try a couple other free ones. SpyBot, MBAM, and the ESET online scan are good starts.

Oh my... please, just stop replying.  

---

wandajhall wrote:

Oh my... please, just stop replying.  

---

Sorry you're mad and in denial =(.

"The messages are 100% valid, but I'm not saying that everyone who gets one is infected. Instead, Comcast's filter is probably set to error on the side of caution, meaning that when something is detected, it's likely, but not always, a false positive."

Make up your mind. Either the messages are 100% valid, or it's likely a false positive. Your words. It can't be both. Get your script right.

"Comcast will be able to detect certain things better than any antivirus software available. Any ISP will be able to since they have access to all the information being sent and received by your router."

And yet, Comcast is unable to provide any specifics about these supposed infections to help their paying customers eliminate them. Instead, we're left to a "Do it yourself or pay us to do it for you" choice. This is serious security?

"Hey...You have an infected computer. No, sorry, we can't tell you how we know, or what the infection is. That's up to you to figure out. Orrrr...you can pay us to take care of the problem we claim you definitely have." That's a scam in any other neighborhood.

It's simple. If Comcast were serious about security, they would provide details about the infection they've detected, and definitely NOT leave it up to the customer to hopefully find it. And do it without the marketing upsells.

---

JimC wrote:

"The messages are 100% valid, but I'm not saying that everyone who gets one is infected. Instead, Comcast's filter is probably set to error on the side of caution, meaning that when something is detected, it's likely, but not always, a false positive."

 

Make up your mind. Either the messages are 100% valid, or it's likely a false positive. Your words. It can't be both. Get your script right.

 

"Comcast will be able to detect certain things better than any antivirus software available. Any ISP will be able to since they have access to all the information being sent and received by your router."

And yet, Comcast is unable to provide any specifics about these supposed infections to help their paying customers eliminate them. Instead, we're left to a "Do it yourself or pay us to do it for you" choice. This is serious security?

"Hey...You have an infected computer. No, sorry, we can't tell you how we know, or what the infection is. That's up to you to figure out. Orrrr...you can pay us to take care of the problem we claim you definitely have." That's a scam in any other neighborhood.

 

It's simple. If Comcast were serious about security, they would provide details about the infection they've detected, and definitely NOT leave it up to the customer to hopefully find it. And do it without the marketing upsells.

---

The messages are valid, Comcast detects something, they send you a message. Simple as that. In the first line of the quote, read after the comma and it should clear it up for you. It's whether or not the emails actually represent malicious software that's in question. In my case, it's visiting a website that triggers it. The email states that bot-like activity was detected on one or more systems. This doesn't guarantee it is bot activity, though. Instead, something you've done on your network has produced traffic that behaves (where data is being sent, how it's being sent, and/or the amount) similarly to previously detected bots.

And yea, unfortunately I'm not sure why they don't provide more specifics. I gave the rundown on my conversation with the "tech" above, so you can see how far I got with them. I'm sure they can provide more information, but I think they're trying to keep the illusion of privacy. If Comcast is monitoring and capturing specific details from our traffic about potentially malicious software, then it becomes a question of what else they're keeping track of.

ComcastJordan wrote:

Correct, Mac DIY information should pop-up for Mac users.  For some reason the site is currently detecting everyone as a Windows machine (it's not a conspiracy... just messed up code).  We're working on fixing it.

---

Thanks for the info Jordan - that does make it a bit more difficult for us volunteers to see if it is working correctly - luckily we had a customer point out that they could not get what they thought they should be getting.  In the past, the customer got the choice. 

Is there any thing else that was changed - like the download on CGPS or NSS ??  I mean it "automatically detecting you OS and giving you the correct download" - which has been proven to be ineffective until it is fixed? 

Speaking of CGPS - any idea when the FF crashing will be fixed?

is the constant guard and norton sweet any good from comcast ? 

I installed Norton on all my Windows PCs and use to as an additional protection measure. As a free option, it's definitely worth using unless you install it on a serverly under powered or very old computer. In that case, you might see some performance issues.

I also installed Norton on my iMac and Macbook Pro but found it to be laborous to deal with. It always interfered with the QA testing I do for my companies products when I work from home. It also seemed to produce significantly more alert messages that required acknowledgement than Norton on Windows did.

For the casual Mac user, Norton may work out just fine.

I installed Constant Guard, but removed it. I wasn't interested in the options it provided.

Norton has a long and not very good history on the Mac. It's reputation is that it causes many more problems than it ever solves. In general, Mac users avoid installing Norton.

Is it possible to opt-out of the bot e-mails and browser pop-ups? I am also getting false positives and I would like to disable these notifications.

Sorry, there is no way to opt out.

I doubt if there is a way to "opt out" of these notifications.  However, you may be able to configure spam protection to forward them to a spam folder before you see them.  In my case, I use a private mail server to receive mail (non-Comcast).  I could, if I wished to, set up my spam filters to scan the message bodies of incoming email for the string "constantguard" ... and send such emails to my "blackhole" address unread.  This string shows up in these notifications as part of a web address recipients are asked to visit:

https://constantguard.comcast.net/email

Doing this, I'd still be able to receive any other email from Comcast - as long as the string was not part of the message body.  But, so far, I've only received 2 of them - about 2 months apart.  So, they're not that much of a nuisance ... yet.

From the FAQ's on the link that AlecWest provided in his last response and verification of what LPP stated:

Can I opt out of receiving future Service Notices?

USAF_E-8_RET wrote:

ComcastJordan wrote:

Correct, Mac DIY information should pop-up for Mac users.  For some reason the site is currently detecting everyone as a Windows machine (it's not a conspiracy... just messed up code).  We're working on fixing it.

---

Thanks for the info Jordan - that does make it a bit more difficult for us volunteers to see if it is working correctly - luckily we had a customer point out that they could not get what they thought they should be getting.  In the past, the customer got the choice. 

 

Is there any thing else that was changed - like the download on CGPS or NSS ??  I mean it "automatically detecting you OS and giving you the correct download" - which has been proven to be ineffective until it is fixed? 

 

Speaking of CGPS - any idea when the FF crashing will be fixed?

---

Sorry, I missed this post from quite a while ago.  I don't have any update on the crash issue.  The site is undergoing changes to make it a) nicer to look at, and b) easier to use.  I'll get the latest word on Suite updates and post them shortly.

I also got this warning from Comcast just yesterday 10-5-11, but I also received a voice mail on my cell phone from them with the same message.  I did follow the instructions and downloaded Constant guard but now today I got an email saying my first and secondary accounts are scheduled to be deleted.  They gave me an address to email to cancel the removal of my accounts but low and behold when I click on web site they say they are sorry but they can not find the site.  So now I AM as skeptical as you.  Please, SOMEONE, ANYONE, that can shed some light or tell me what to do, please get a hold of me.  I am really not real good with the computer and I don't want to add more chance of virus since I really don't know how to get rid of it.  Like I said, I did download Constant Guard and I already have Norton Antivirus installed.  Do you think I am safe? And I am hopeful that the call from Comcast was legitimate.

I made my Constant Guard warnings disappear: by uninstalling Google Chrome

---

Steveonovitch wrote:

I made my Constant Guard warnings disappear: by uninstalling Google Chrome

---

So are you saying that Constant Guard does not play nicely with Chrome?  The saga continues!

Can you clarify what you mean by that? How did uninstalling Chrome make your notifications stop?

Browser notifications? Email Notifications?

Did you uninstall it a week ago and have not gotten any since? Or did you uninstall it today andthe notification went away?

I use Chrome and have not noticed any notices because of it.  The only time I receive any notificiation is when my daughter uses her MacBook Pro on the home network (yes, it has been verified clean multiple times).

After a refreshingly long drought, I got the Comcast email again yesterday. If I am to believe that the emails are generated very shortly after "activity" is detected, I suspect I know what triggered it.

The evening before, my system experienced a rather large spike in activity when both my wife and daughter hit my network with their Macbooks at the same time, both doing a lot of heavy surfing. This would have resulted in at least a sudden tripling of our normal network activity. For all I know, my wife's iPhone may have joined-in, too. FWIW, both Macbooks run ClamXav and test clean. No bots. No trojans.

I got another email yesterday... after many months of not getting one.

I don't have a Mac.     Went through all the conversations here months ago... blah blah blah.

I am pretty sure it's a false positive, again.

And, another one today. Marketing must really need to hit their fulfillment numbers on the ConstantGuard up-sell.

Here's an interesting development...

Today, my wife got the same Constant Guard bot scare spam, sent to her comcast.net email account. Why would Comcast send this to her address? Her email is not the primary account email. It's just an additional address. Is Comcast now going to spam all non-primary email addresses on an account?

This is out of control, Comcast. Cease and desist.

Jim,

Can you PM me with the email address?  These notifications should only be going to primary email accounts.  If it went to a secondary, I'd like to investigate further.

I got the warning in all 5 email accounts, not just the primary.