why does SAS pro often connect to the internet even when I have auto updates disabled?

[LMHmedchem]

I use the comodo ISP firewall and internet access on my system is whitelist only. If there is something that needs access, I create a specific rule for protocol, IP, and port to allow it to connect. I have all auto updates turned off, so I see no reason why SAS should ever try to connect to the internet on its own.

Is there an explanation for this behaviour?

LMHmedchem

[nighthawkext]

How often is it attempting to connect to the internet on your machine?

Only when SAS starts?

Every minute?

[LMHmedchem]

Last night it made about 100 attempted connections over a three hour period, untill the computer was shutdown. That attempted conection was blocked, and it kept trying to connect. It seems to attempt to connect occasionally, I'm not sure how often. It doesn't seem to try to connect at every startup.

LMHmedchem

[nighthawkext]

SUPERAntiSpyware is a subscription based product. As such, it needs access to the internet to verify the product status. Running normally it would rarely attempt to access the SAS servers. Since you have the product blocked from accessing the internet it will keep trying until it can validate it's status.

[LMHmedchem]

SUPERAntiSpyware is a subscription based product. As such, it needs access to the internet to verify the product status. Running normally it would rarely attempt to access the SAS servers. Since you have the product blocked from accessing the internet it will keep trying until it can validate it's status.

I fully understand the concepts of software copy protection, as I use a similar system for the software I write. It is important, however, to fully notify users of the connection requirements for such a system. Many users, like myself, work behind both hardware and software firewall and are in situations where it is necessary to keep a system that is well locked down. Software documentation should specify the firewall settings that will need to be created in order for the software to function properly and ideally this is included in the license so user agrees to allow the connection when they accept the license.

In this case, the documentation should state that superantispyware.exe will need to make periodic outbound TCP connections to IP address 216.35.15.152, destination port 80, for the purpose of license authentication. If a proxy server or specific DNS is used, the user may need to make a rule to allow UDP connections to the DNS at port 53, etc. Security minded users don't like surprises and unanticipated traffic. When connection requirements are specified, then the user can create rules to allow those connections. As long as the digital signature of the connecting application has not changed, the firewall can allow the specified connections.. When updates are made to the software, the user can anticipate a notification from the firewall that this has occurred and that the firewall is now blocking the connection. Since this notification follows a manual update, the user can generally allow the connection safely. If the change to the application digital signature occurs at a time other than following a manual update, it is a red flag that the application may have been compromised. The user can then check a digital signature from the provided, or just un-install and start over with a known good installer.

This may sound like overkill, but the worst infection I ever had on a computer was to the Norton update app. My packet sniffer found it was connecting hundreds of times per day to IP addresses in places like Brazil, China, Russia, Ukraine, S. Korea, and Thailand, and was sending literally gigabytes of data to these locations. Attackers are most likely to attempt to compromise software that they expect will have unlimited and unmonitored internet access, like email, messenger, svchost, etc. That makes it even more important for applications the need to connect to the internet to be specific about where they are connecting to, why, and how, and it also is good to give the user an approximate idea of the size of the data that will be transferred. This makes is easy to discriminate between normal and suspicious behavior.

LMHmedchem