cfpupdat.exe blocked [resolved]

Hi, today I had the strangest thing: this came up in my logs as blocked. I don’t see an entry for it in the firewall area either. Can someone explain to me how to fix it? Thanks.

Um, also this does not appear to be a Comodo IP it is trying to connect to. Here is the whois on the source IP address 209.73.166.146. This is really strange; is it a bug I have found?

OrgName: AltaVista Company
OrgID: ALTAVI-1
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US

NetRange: 209.73.160.0 - 209.73.191.255
CIDR: 209.73.160.0/19
NetName: INTERNET-BLK-1-AV
NetHandle: NET-209-73-160-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM
Comment:
RegDate: 2000-06-08
Updated: 2004-05-21

RTechHandle: NA258-ARIN
RTechName: Netblock Admin
RTechPhone: +1-408-349-3300
RTechEmail: jluster[ at ]yahoo-inc.com

OrgAbuseHandle: NETWO857-ARIN
OrgAbuseName: Network Abuse
OrgAbusePhone: +1-408-349-3300
OrgAbuseEmail: network-abuse[ at ]cc.yahoo-inc.com

OrgTechHandle: NA258-ARIN
OrgTechName: Netblock Admin
OrgTechPhone: +1-408-349-3300
OrgTechEmail: jluster[ at ]yahoo-inc.com

ARIN WHOIS database, last updated 2008-08-24 19:10


cfpupdate is Comodo Firewall Pro Updater. Did you change things and block it?

Not that I’m aware of. I removed a couple of programs and purged them, but did nothing with Comodo other than add a program to its interprocess memory, that’s it. How would I tell if it’s blocked if I go and hit update and it works? I don’t even see an entry for it. I see Comodo in the firewall, but it’s the same as it always has been; nothing looks out of the ordinary.

Ehm, according to my “source”, a screenshot of the log entries containing the blocked cfpupdat.exe would be helpful.

Here you go, Ganda. Ignore the svchost blocks, it’s my router, lol. I hope this helps someone figure this out for me. Image attached.


SVChost is showing because I think your router is not fully stealthed. I have SVChost set to outgoing only and I get no blocking because my hardware modem covers all those. What do you have the Comodo updater set as under the firewall?

Here is the strangest thing: I don’t see it in there at all on either one of my PCs; this cfpupdat.exe does not show in there. No, my router is fully stealthed, always has been. The svchost comes from my other PC on the network. The only reference to Comodo in my firewall is Comodo Firewall Pro, and it’s on its default as outgoing only.

As per CFP default policy, the updater doesn’t need inbound connections.

Group :	[COMODO Firewall Pro] is defined as
---------------------------------------------------------------------------------------
[0] %Program Files%\COMODO\Firewall\cfp.exe
[1] %Program Files%\COMODO\Firewall\cmdagent.exe
[2] %Program Files%\COMODO\Firewall\cfpupdat.exe
[3] %Program Files%\COMODO\Firewall\cfpsbmit.exe
[4] %Program Files%\COMODO\Firewall\cfplogvw.exe
[5] %Program Files%\COMODO\Firewall\crashrep.exe


Application : Group [COMODO Firewall Pro] Treat as: [Outgoing Only]
----------------------------------------------------------------------------
The predefined rules are as follows:
[0] Allow        TCP Or UDP  Out    From  IP Any  To  IP Any  Where Source Port Is Any And Destination Port Is Any
[1] Block & Log      IP      In/Out From  IP Any  To  IP Any  Where Protocol Is Any

Please check cfpupdat.exe digital signature.

Maybe it was an attack carried out when cfpupdater was running. Ref: http://www.neowin.net/forum/lofiversion/index.php/t495665.html

OK, I checked it. Here are some pictures of its signature; I think all looks OK. Also attached is a picture of Comodo Firewall in my network policy. Maybe you’re right, maybe someone tried to attack it; that would give it a block.


I hope the pics help in figuring this out.

Well done, “destination”. Over and out.

Hey, I’ve seen that wallpaper before. I think I know where you got it ;D.

As Gibran mentions, all CFP files do not require incoming connections, so the default Outgoing Only firewall rule on CFP would be appropriate. Your log basically means something from the internet was trying to connect to the CFP Updater, but was blocked, which is good in the sense that CFP was doing its job.

As for your other question of why you don’t see a blocking rule in the firewall section, take another look. There’s a ‘Block and Log All Unmatching Requests’ rule (the 2nd one) on Comodo Firewall.
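The rule matching described in the posts above, as an added example that is not part of the original thread and not Comodo's own code. It assumes rules are checked top-down with the first match deciding; the log line format, the `Conn` type and the 203.0.113.10 update-server address are constructed for illustration.

```python
from dataclasses import dataclass

# The two predefined "Outgoing Only" rules listed in the thread.
# Each rule: (action, protocols, directions). Addresses and ports are "Any"
# in both rules, so they are not modelled here.
OUTGOING_ONLY = [
    ("Allow", {"TCP", "UDP"}, {"Out"}),
    ("Block & Log", {"ANY"}, {"In", "Out"}),
]

@dataclass(frozen=True)
class Conn:              # hypothetical record type for this example
    app: str
    proto: str           # "TCP", "UDP", "ICMP", ...
    direction: str       # "In" or "Out"
    remote_ip: str

def evaluate(conn, rules=OUTGOING_ONLY):
    """Return (rule_index, action) of the first matching rule.

    Assumption: rules are checked top-down and the first match decides.
    """
    for index, (action, protos, directions) in enumerate(rules):
        proto_ok = "ANY" in protos or conn.proto in protos
        if proto_ok and conn.direction in directions:
            return index, action
    return None, "Ask"   # constructed fallback; unreachable with this policy

def log_lines(conns):
    """Build a log entry only for connections decided by a 'Log' rule."""
    out = []
    for c in conns:
        index, action = evaluate(c)
        if "Log" in action:
            out.append(f"{c.app} Blocked {c.proto} {c.direction} {c.remote_ip} rule[{index}]")
    return out

# Constructed sample traffic for the updater.
SAMPLE = [
    Conn("cfpupdat.exe", "TCP", "Out", "203.0.113.10"),   # update check
    Conn("cfpupdat.exe", "TCP", "In", "209.73.166.146"),  # the logged IP
    Conn("cfpupdat.exe", "ICMP", "Out", "203.0.113.10"),  # not TCP/UDP
]

if __name__ == "__main__":
    for line in log_lines(SAMPLE):
        print(line)
```

The outbound update check never reaches the second rule, so it leaves no log entry; only traffic that falls through to Block & Log shows up, which is why the log names cfpupdat.exe even though no rule mentions it individually.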

Soyabeaner, you’re correct, lol, I did not see that. Glad to hear that Comodo did its job :) Case closed. Thanks all, mystery is solved.

Solved, locked. Hallelujah.
(I love this job.)
Please PM me or another mod if you want this topic reopened.