1Password has detected an unknown process (Unlock on Secure Desktop) and outbound traffic
https://i.imgur.com/mMU9JC7.png
https://i.imgur.com/guuHMzW.png
When I try "Unlock on Secure Desktop", warning message is displayed.
"1Password has detected an unknown process."
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe try to access registry key below. I opened RegEdit but there don't exist "internat.exe" value in registry key.
HKEY_USERS\S-1-5-21-xxxx...-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: internat.exe
I searched about ctfmon.exe. It seems to be relating ms office and input locale.
http://www.neuber.com/taskmanager/process/internat.exe.html
I have not ms office. I have not ever install it.
I searched for where it came from.
I extract and look into install.wim from Windows 10 10240.iso using 7-zip.
There is not ctfmon.exe.
virustotal scanning is clean. it digitally signed from MS. Maybe.. no malicious file.
I look into install.wim from Windows 10 10565 insider preview build. It exists in 10565 build install.wim file.
Therefore ctfmon.exe file seem to be include in future Windows 10 builds.
i didn't install 10565 build. I still keep 10240, because anti-virus firewall product didn't support insder preview build.
I've been using 10240 RTM since August. It suddenly appeared a few days ago.
it seems to be come from Windows Update to support pensil recognition and new functions etc.
I sometimes read Agilebits blog. I read articles about keylogging and secure desktop function.
I understand about Windows os's weak security. I will install Anti-Keylogger product soon.
Windows secutity don't protect my master password and clipboard capture. keylogger didn't detect 1P's auto-submit but not clipboard.
Anyway, I want to use "Unlock on secure Desktop" function without warning popup.
First question:
Is ctfmon.exe safe? when i met warning popup, what to do?
Second question:
Many outbound traffic.
Is safe IPs below?
i can see many outbound traffic from 1password.exe, Agile1pAgent.exe.
Whenever I create new login items, and whenever I change my password on websites, 1password processes try to connect outer server.
Such behavior seems like a leaking information. I worried about it. I didn't find agilebits documents about it.
I think, agilebits team should inform users of it
ec2-107-23-29-143.compute-1.amazonaws.com (107.23.29.143) TCP 443. (https): maybe license check?
54.204.16.18: maybe update server?
cache.agilebits.com
aws.cachefly.net
cache.agilebits.com
vip1.g.cachefly.net
a23.49.149.163.deploy.static.akamaitechnologies (23.49.149.163) TCP 80 (http)
a23.49.155.27.deploy.static.akamaitechnologies (23.49.155.27) TCP 80 (http)
a23.43.5.163.deploy.static.akamaitechnologies (23.43.5.163) TCP 80 (http)
a23.43.11.27.deploy.static.akamaitechnologies (23.43.11.27) TCP 80 (http)
108.166.23.223
54.163.256.95
204.93.150.151 TCP 443 (https)
ocsp.comodoca.com (178.255.83.1) TCP 80 (http)
crl.comodoca.com (178.255.83.2) TCP 80 (http)
// certificate? I don't know about it. anyway safe?
May I add it to allow it on my firewall program's rule set?
wow! so many outbound traffic.
I worry about it, if my system is hacked or not.
I searched agilsbits Windows forum. Not found about it. knowledge, User Guides, blog.. and not found even on Google search.
I know several Dropbox IPs. it is not dropbox ips.
204.93.150.151: my headache
Whenever I sign up on website, outbound origins. it trace all my website sign up.
I guess that it maybe is rich icon cache server. I don't know.
If the ip is Agilebits cache server, it is normal and my system still keep safe.
But, even though I already have any site's icon, whenever I change any website's password, always outbound triggered.
I doubt, someone steal my password? What is IP:204.93.150.151 ? Why always outbound, whenever i change my website passwords?
AS30081 CacheNetworks, Inc. Chicago. do Agilebits use that IP? is it Safe?
Would you like to offer proper informations to your clients about it? I want to see it on user guide, if possible.
Many outbound traffics, but No information.
regards.
1Password Version: 4.6.0.586
Extension Version: 4.4.3.90 for chrome
OS Version: Windows x64 10.0.10240
Sync Type: Dropbox
Comments
-
first, sorry my pity English.
When I try Unlock on Secure Desktop, ctfmon.exe process detect message is displayed.
"1Password has detected an known process."
C:\Windows\SysWOW64\ctfmon.exeI searched about ctfmon.exe. It seems to be relating ms office and input locale.
http://www.neuber.com/taskmanager/process/internat.exe.htmlctfmon.exe try to access registry's HKEY_USERS\S-1-5-21-....\run\internat.exe.
but there don't exist internat.exe in registry value.I have not ms office. I have not ever install it.
I had to investigate where it came from.I extract and look into install.wim from Windows 10 10240.iso using 7-zip.
There is not ctfmon.exe.virustotal scanning is clean. it digital signed from MS. Maybe.. no malicious file.
I look into install.wim from Windows 10 10565 insider preview build. It exists in 10565 build install.wim file.i didn't install 10565 build. I still keep 10240, because anti-virus firewall product didn't support insder preview build.
I've been using 10240 RTM since August. It suddenly appeared a few days ago.
it seems to be come from Windows Update to support pensil recognition and new functions etc.I sometimes read Agilebits blog. I read articles about keylogging and secure desktop function.
I understand about Windows os's weak security. I will install Anti-Keylogger product soon.Windows secutity don't protect my master password and clipboard capture. keylogger didn't detect 1P's auto-submit but not clipboard.
Anyway, I want to use "Unlock on secure Desktop" function without warning popup.ok, my first question:
ctfmon.exe is safe? when i met warning popup, what to do?my second question:
Many outbound traffici can see many outbound traffic from 1password.exe, Agile1pAgent.exe.
Whenever I create new login items, and whenever I change my password on websites, 1password processes try to connect outer server.
Such behavior seems like a leaking information. I worried about it. I didn't find agilebits documents about it.I think, agilebits team should inform users of it
outbound traffics:
is safe IPs below?ec2-107-23-29-143.compute-1.amazonaws.com (107.23.29.143) TCP 443. (https): maybe license check?
54.204.16.18: maybe update server?cache.agilebits.com
aws.cachefly.net
cache.agilebits.com
vip1.g.cachefly.neta23.49.149.163.deploy.static.akamaitechnologies (23.49.149.163) TCP 80 (http)
a23.49.155.27.deploy.static.akamaitechnologies (23.49.155.27) TCP 80 (http)a23.43.5.163.deploy.static.akamaitechnologies (23.43.5.163) TCP 80 (http)
a23.43.11.27.deploy.static.akamaitechnologies (23.43.11.27) TCP 80 (http)108.166.23.223
54.163.256.95
204.93.150.151 TCP 443 (https)ocsp.comodoca.com (178.255.83.1) TCP 80 (http)
crl.comodoca.com (178.255.83.2) TCP 80 (http)
// certificate? I don't know about it. anyway safe?
May I add it to allow it on my firewall program's rule set?wow! so many outbound traffic.
I confused, if my system is hacked or not.I searched agilsbits forum. Not found about it. knowledge, User Guides, blog.. and not found even on Google search.
I know several Dropbox IPs. it is not dropbox ips.204.93.150.151: my headache
Whenever I sign up on website, outbound origins. it trace all my website sign up.I guess that it maybe is rich icon cache server. I don't know.
If the ip is Agilebits cache server, it is normal and my system still keep safe.But, even though I already have any site's icon, whenever I change any website's password, always outbound triggered.
I doubt, someone steal my password? What is IP:204.93.150.151 ? Why always outbound, whenever i change my website passwords?AS30081 CacheNetworks, Inc. Chicago. do Agilebits use that IP? is it Safe?
Would you like to offer proper informations to your clients about it? I want to see it on user guide, if possible.
Many outbound traffics, but No information.regards.
1Password Version: 4.6.0.586
Extension Version: Chrome 4.4.3.90
OS Version: Windows x64 10.0.10240
Sync Type: Dropbox0 -
ok, my first question: ctfmon.exe is safe?
when i met warning popup, what to do?@ILT: Indeed. That's pretty confusing, Microsoft! :lol:
In fact, the CTF (Collaborative Translation Framework) is a Microsoft Windows process which monitors active windows and provides text support for speech and handwriting recognition, keyboard, translation, and other technologies for 32-bit Windows apps. And in your case, since you're running a 64-bit version of Windows, this is part of WOW64 (Windows on Windows, supporting 32-bit software on 64-bit Windows).
So long as it's signed by Microsoft, it's perfectly safe to allow it. It's simply Microsoft's Windows Secure Desktop's job to let you know when there's another process trying to run. If it bother's you, you may simply prevent ctfmon.exe from running.
my second question: Many outbound traffic
i can see many outbound traffic from 1password.exe, Agile1pAgent.exe.That's a bit confusing too, AgileBits! Of course, we do have a couple articles in our knowledgebase that cover 1Password's network traffic, but I'll give you a brief overview: 1Password will try to download rich icons for items from our CDN (content delivery network):
Whenever I create new login items, and whenever I change my password on websites, 1password processes try to connect outer server.
Such behavior seems like a leaking information. I worried about it. I didn't find agilebits documents about it.As outlined in the article above, you can simply open 1Password for Windows and disable “Automatically download icons for new Logins“ File > Preferences > Logins to stop this from happening. We don't know or care who you are, but many users like the nice icons, so we provide that functionality. I hope this helps! :)
0 -
Thank you for ur comment.
I also like the icons like the others. So I want to turn on that option.To prepare a Windows clean install, I made a symbolic link for %AppData%\AgileBits. Not to download repeatedly.
Even after a website icon is downloaded already, it continue to attempt to access for cache server.There is not routine to check whether the icon exist or not on local icon location.
At that point, 1Password is not smart. This is what I want to say.Many Windows applications is smart than that.
If icon exist already in local location, download process may not triggered so repeatly.1password for windows need to smart a little bit.
If I turn off “Automatically download icons for new Logins“, I should download icon manually. It is quite tired routine, isn't?Also, whenever I change my password on website(old login item) having its icon, 1password attempts to download icon again and again.
What a stupid routine.I think, Disabling that option is not right solution.
I want to improve this routine in future version.0 -
@ILT: Indeed! I think that's why most of us leave the automatic option on if we care about icons. Like copying data from one place to another by hand, downloading them manually is tedious.
To be clear, 1Password will only download the icons in 3 situations:
- Item is created
- Item is updated
- You select Download Rich Icons
None of these should happen frequently, which is why we've made 1Password behave this way. For example, each item is only created once. And a password should only be changed if it is weak or you have reason to believe it has been compromised. And the menu option is just there as a failsafe in case you want to have 1Password refresh the icons.
In each case, these are opportunities for 1Password to see if there is a newer icon (or one that didn't exist before). Most people, I think expect that 1Password will make a reasonable effort to keep these current, and I think this falls under 'reasonable'. Of course, we may change this behaviour in the future, and if you have specific suggestions of the type of behaviour you'd prefer it would be appreciated. Cheers! :)
0