Appendix 2 - Agent Firewall Ports, IPs and Domains
We can capture DNS queries from network packets with Wireshark, and extract domain information.
| Domain | IPs and Ports | Purpose | Miscellaneous |
|---|---|---|---|
| Valkyrie.comodo.com | 52.60.56.170:443, 52.60.198.77:443 | Valkyrie query and upload | Valkyrie server domain hardcoded |
| p10.fls.security.comodo.com | 45.77.153.162:4448 | FLS query | FLS server domain hardcoded |
| licensing.security.comodo.com | 178.255.87.18:443 | Register and security logs | Hardcoded in the code; seen in Wireshark capture traces during the installation phase |
| cmc.comodo.com | 178.255.85.135:443 | Acquire Valkyrie encrypted key from server | Hardcoded in the code; seen in Wireshark capture traces during the installation phase |
| oscp.comodoca.com, ocsp.comodoca.com.edgesuite.net | 184.50.87.41:443, 184.50.87.75:443 | Encrypted communications (optional) | Seen in Wireshark capture traces during the installation phase; not defined in the solution code |
| wtfibam2s5.execute-api.us-west-2.amazonaws.com | 13.33.231.28:443, 13.33.231.89:443, 13.33.231.27:443, 13.33.231.45:443 (variable) | Policy, settings and heartbeat | EDR production server domain hardcoded in solution |
| 6ynhsugqeg.execute-api.us-west-2.amazonaws.com | 13.33.231.65:443, 13.33.231.105:443, 13.33.231.109:443, 13.33.231.39:443 (variable) | Policy, settings and heartbeat | EDR development server domain from edragentsettings.conf |
| h7tsgu3aej.execute-api.us-west-2.amazonaws.com | 13.33.231.80:443, 13.33.231.90:443, 13.33.231.52:443, 13.33.231.25:443 (variable) | Policy, settings and heartbeat | EDR staging server domain from edragentsettings.conf |
| firehose.us-west-2.amazonaws.com | 52.119.165.138:443, 52.119.162.196:443, 52.119.162.43:443, 52.119.169.95:443, 52.119.168.237:443 (variable) | Upload event logs to AWS | The SDK encapsulates the domain information; the domain was extracted from Wireshark monitoring |

The EDR agent uses port 443 to communicate over HTTPS with all servers except the Comodo FLS server, which uses port 4448.
There are only three server communications during installation: licensing.security.comodo.com, cmc.comodo.com, oscp.comodoca.com (ocsp.comodoca.com.edgesuite.net). The oscp.comodoca.com server domain is optional.
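
The DNS-based extraction mentioned at the top of this appendix can be scripted once the DNS payloads are exported from a capture. The following is an added example, not code from the EDR project: it reads the query name from raw DNS messages and reports any queried domain that is missing from the table. The function names and the sample packets are assumptions constructed for illustration.

```python
import struct

# Domains from the table above, lower-cased, spelled as they appear on the page.
KNOWN = {
    "valkyrie.comodo.com", "p10.fls.security.comodo.com",
    "licensing.security.comodo.com", "cmc.comodo.com",
    "oscp.comodoca.com", "ocsp.comodoca.com.edgesuite.net",
    "wtfibam2s5.execute-api.us-west-2.amazonaws.com",
    "6ynhsugqeg.execute-api.us-west-2.amazonaws.com",
    "h7tsgu3aej.execute-api.us-west-2.amazonaws.com",
    "firehose.us-west-2.amazonaws.com",
}

def query_name(payload: bytes):
    """Return the first QNAME of a DNS query, or None for responses/malformed data."""
    if len(payload) < 12:                      # shorter than the DNS header
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:         # QR bit set means a response
        return None
    labels, off = [], 12
    while off < len(payload):
        n = payload[off]
        if n == 0:                             # root label ends the name
            return ".".join(labels).lower()
        if n > 63 or off + 1 + n > len(payload):   # pointer or truncated label
            return None
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return None

def unlisted_domains(payloads):
    """Queried names that are not in the appendix table, sorted and de-duplicated."""
    names = {query_name(p) for p in payloads}
    return sorted(n for n in names if n and n not in KNOWN)

def make_query(name: str, txid: int = 1) -> bytes:
    """Build a DNS A query; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

# Constructed sample: two table domains, one unlisted name, one truncated packet.
SAMPLE = [make_query("Valkyrie.comodo.com"), make_query("cmc.comodo.com"),
          make_query("updates.example.net"), make_query("cmc.comodo.com")[:15]]

if __name__ == "__main__":
    print(unlisted_domains(SAMPLE))
```

Because several rows in the table mark their IPs as variable, comparing by queried domain rather than by resolved address keeps the check stable across captures.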