arp cache protection enabled but still poisoned [Confirmed & Fixed]

i am new here
any idea why my arp is still poisoned by netcut 2.08 after i enable both of the arp protection options under the attack detection settings?

i have this probem too.
my ARP is poisoned by “ARPBuilder” (ARP Builder 0.1)

Can you both please explain a bit more about how you have tested this?

My Settings
OS: Win7+ all patches
CIS: 4.0.138377.779
AV: Kaspersky Antivirus 9.0.0736

  1. Local network is marked as work (in CIS installing process). ARP defender settings is turned on.
  2. Ping local another network PC (examp.: and look MAC (command: arp -a)
  3. Run on third machine ARPBuilder and process atack on my PC for ARP table poison on IP with random MAC.
  4. Attack is successful. have new (random) MAC in ARP table on my PC.

Did you happen to test this on CIS 3.14 also? and did it block it there?
Can you make a packet capture of the “attack” is it using ARP updates or ICMP tricks?

all images in attach.

  1. My PC (IP:, MAC: 00-1B-FC-75-AA-6F) (attach - “0.png”)
  2. Second PC (IP:, MAC: 00-24-1D-9B-17-84). I ping this PC (attach - “1.png”) and his MAC was added to my ARP table as dynamic record (attach - “2.png”). This record is target for poisoning from third (hacker) PC
  3. After poisoning (attach - “3.png”), my ARP record was changed to MAC 1-2-3-4-5-6 (attach - “4.png”).

[attachment deleted by admin]

Okay thanks, do you know if this does also work on V3.14 ?

CIS 4.0 is my first Comodo firewall.

Okay I’ll move this post to the BUG report section and see if i can draw some Dev’s attention.

Can you verify if you have “Block gratuitous arp frames” also ticked?
This tool is using Gratuitous ARP instead of ARP reply spoofing…

I can’t reproduce this against a Win7 host, did you test on XP as the attacked host?

I also tried with CAIN and that also can’t poison my host, unless i untick “protect ARP cache” then i get a full-routed spoof.

My (attacked) Settings:
OS: Win7 x86 + all updates
Antivirus: Kaspersky AntiVirus
Firewall: CIS 4.0.138377.779, settings in attach…

Hacker Settings:
OS: XP x86

Block gratuitous arp frames is turned on!
Did you use ARPBuilder (ARP Builder 0.1) ?

[attachment deleted by admin]

Today I tested this bug without Kaspersky Antivirus (uninstall it from PC). And it’s repeated, so Antivirus is not cause of accident.

We have proved it is a bug, We will fix it ASAP!

Thanks RickWang :-TU

Thanks, we are waiting…

Hello everyone.

Something to update us?

Also, if I block all incoming requests including ICMP packets it should prevent this kind of attack, does it?


I don’t think so ARP is Layer 2 traffic, IP is layer 3 so you need these.

ohh understood, I hope it will be fixed soon.


CIS is the best!!
This bug is fixed in new version 4.0.141842.828, available from update. I check it an all works ok!

Comodo Team, Thank you for good work.