At the start of my business meeting I was working away with nary a care in the world, and then ESET Antivirus starts freaking out and I can’t reach any website or service: Teams is broken, Outlook stops delivering and receiving and soon I have hundreds of alerts from ESET that might be hosting a Potentially Unwanted Application…
I mean, Bing is a PUA, but having everything suddenly break looks an awful lot like a malware infection.  Fortunately for me it wasn’t, but unfortunately for me it was because Comcast silently enabled Web Filter Protection.  ESET was alerting to the fact that every website I was going to was being proxied by Comcast as a Man in the Middle.
This article is about what this means, detection and what you can do to protect your privacy.

First things first: ESET NOD32 rocks!

I’m not one to preach one antivirus vendor over another but ESET’s suite of antivirus products is the best I’ve ever seen in my IT career, effectively stopping some of the worst malware there is.  In the worst case, it will self-sacrifice and fall on its sword before it lets your computer suffer.

ESET also doesn’t tolerate adware or business-endorsed junk that pays other vendors like Symantec or McAfee to look the other way.  I refuse to pay for anything on my computer, but I buy ESET.

ESET’s website filter is what caught this whole event in the first place, detecting that websites were NOT from the original website server but from a third party.  This is called a Man in the Middle attack, and it can be hard to spot.

When it comes time to buy ESET, you don’t need anything more expensive than their bottom-tier NOD32 product. It’s cheap and affective.

Man in the Middle / MitM Attacks

A Man in the Middle is just that: someone between you and your website.  Consider online banking or getting your email: if someone else is rendering your website, that someone is able to see everything on it.  This situation is otherwise known as “bad”, and web browsers and service providers go to great lengths to prevent it from happening.

For example, pull up another web browser tab and go to Google ( – see the little lock icon?

The little padlock – sometimes a green icon, it can look different per browser – is supposed to mean that the page you’re on really is Google, and that someone else can’t see what you’re typing and can’t see what you’re getting back. They can’t see your bank account balance, the email from your mistress, or your business emails either, it’s private.

A Man in the Middle defeats this security, and if carefully executed that padlock icon will still be there while it’s happening.

It’s not an attack, it’s a FEATURE!

Now we’re getting into the heart of the matter: Comcast Business and XFinity Fi have security products called Web Filter Protection, Malware, Phishing and Botnet Protection and XFi Advanced Security that are intended to protect you from phishing emails, hostile websites and other scary places on the Internet, including sites about sex education and greeting cards (not kidding, screenshots follow). 

Question: how do these products know you’re going someplace scary?

Answer: they monitor every site you visit and decide whether you should see it.

Comcast isn’t the only company that does this, just about everyone else wants to protect you too:

  • Microsoft SmartScreen is a cloud-based “feature” that uploads every site you go to for review
  • Mozilla Firefox has “Deceptive Content and Dangerous Software Protection” and “Enable DNS over HTTPS” to a specified provider (not itself evil, but you should know what it does before you turn it on).
  • Google Chrome has SafeBrowsing that will “protect [you]from dangerous websites”.

There are three ways these protection systems can work:

  • Review the encryption certificate and see if it matches: if you hit but the certificate is from, then you have a problem. This is what ESET does, it’s non-invasive.
  • Voluntarily send your website information to a business for review. This is what Microsoft, Mozilla and Google are doing.
  • Don’t mess around and intercept absolutely everything going across the wire while still pretending to be the original site: this is what I discovered Comcast’s security products do, and since they’re the Internet Service Provider, it’ll spy on not only your browsers, but every smartphone in your house and even your TV. It’s quietly enabled by default and you’d never otherwise know it’s happening.

You need to be aware of these features being automatically and silently enabled on just about every product you use, from iPhone and Android to all browsers, and even your Internet Service Provider!  When there’s an upgrade or a new “feature” of its kind available, it will be automatically installed, or re-enabled if you’ve previously disabled it.  You need software that can detect this for you, or you’ll never catch it.

Technical Details – How It Started

This is an example of the alerts I received by the hundreds. Nowadays “thick” apps (such as Steam, Outlook, etc) are really just mini browsers. In this case I was running Steam in the background and this website URL alert came up.

It wasn’t an encrypted page (https), but ESET still knew that the data intended for the Steam app wasn’t really coming from

At this point every application was broken and stopped, I couldn’t work.

I pulled up a command prompt and issued “ping” and I got an IP address.  I then pinged “” and got the exact same IP address…!  Ping, same IP, ping, get the same IP…!  This isn’t supposed to be happening.

I pulled up the command prompt and used nslookup to troubleshoot. 


nslookup is a command line tool that instructs a named server to return an IP address for a specific domain.  For testing, I used, which is Cloudflare’s DNS provider.  It makes things easy because the IP for is!

– First query to shows that one-dot’s IP address starts with 104, which is impossible.

– Second query goes straight to itself, and even it came back with the same result starting with 104!

– I then used my internal PiHole server, which does all DNS queries over VPN. It correctly returned .


These results prove that Comcast was executing a Man in the Middle attack and pretending to be Quad9 or Cloudflare, transparently returning their proxy page instead of the other providers’ real responses.

Just for the extra confirmation, I pulled up Wireshark and reviewed every packet to prove the same thing.

The above shows the raw DNS packets.  Notice that my .local domain name (redacted) is appended to every query so it has to run it twice, this is normal behavior for every Windows machine.  It confirms resolution of to, which is obsurd.

The above shows the DNS query through my PiHole server, which does all queries over Spread Spectrum VPN. It returned the correct result for .

Fixing the Problem

I researched the IP address to find that it’s often related to website errors and specifically errors by Comcast customers. Further research finally provided a name: Web Filter Protection.
I logged into the Comcast Business administration portal and found that this “feature” had been quietly re-enabled.  I started service many years ago and turned it off on the first day: there was no call for it to be back on.  After I turned it off, ESET stopped alerting and my computer resumed normal operation.

Notice that while you can turn Web Filters off, they tell you that Malware, Phishing and Botnet Protection remains on and that you cannot turn it off! This is because Comcast monitors what goes out your Internet connection, and if they detect a mail flood, malicious/viral payloads or your computers reaching out to thousands of computers per second, they’ll shut your account off until you resolve the situation.

This, ladies and gentlemen, is why you need a VPN at all times.  The intent is good and will indeed protect your average Jack and Jill, but they do achieve this protection at the cost of your privacy. There is no recourse because Comcast will say it’s protecting other subscribers from you if you get infected, and protecting their circuits from malicious floods, preserving your bandwidth and keeping your costs down.

What you can do

First, run ESET – nobody does it better.  News articles about “Is antivirus software dead?” are just incredibly ignorant and not worth the time to read, yes, you need it, go get it.  If you have McAfee, you still don’t have antivirus protection even though their marketing team says you do, it’s a lie.
Second, turn Web Filters off but enable all categories to block absolutely everything!  This way if you don’t have ESET or your phone stops working, you know Comcast quietly turned this “feature” back on again.
Notice in the screenshots below, Web Filters is off but Protection Level is custom and all categories are blocked.

Some things to notice here are the categories of sites to be filtered – there is no context that any household should ever block these things.  If you can’t allow Art because you don’t want your children to see Venus DeMilo’s dirty boobies, you have problems other than security.  If you can’t handle Greeting Cards or don’t want to get infected with other people’s Politics and be bothered with how laws are passed in your own country, I can’t help you.    Sports is violence!  Scary!  Sex Ed, can’t have that…

Do you think articles about Trump would be categorized under cults? That’s a matter of opinion – form your own.

When you allow someone else to set your Internet filters, you relegate control of your own education and exposure to what’s happening in the world to someone else. You stop really parenting, and can’t even speak intelligently to your children about what they learn in school when they get home.

Lastly: log into the service portal (business or home) and watch what websites they see you visiting:

This is valuable because a) it reminds you that you have no privacy with any website you visit unless you use a VPN, and b) demonstrates whether your VPN is working because if it were, they shouldn’t have any websites listed.

Reminder: when you visit this portal, keep checking that Web Filters are OFF because ON is the default, and they’ll flip it back on just because you logged in to ensure it’s off!

I hope you found this article helpful.  Keeping an eye on your ISP, browsers, cell phone settings and other defaults takes time – hours – and they make it complicated on purpose. Fight the good fight.

Leave A Reply