Comodo firewall molesting my CPU

Hello, first of all, my hat goes off to you fellows here. This firewall is very good compared to some of those top-price ones and it does what they do and even more … for free. I recently downloaded it because one of my paid AV/FW solutions’ license has expired and I was unimpressed with the memory usage.

I’m running an AMD 4200+ with 1 GB of RAM, dual-channeled at 430 MHz, and a WD Raptor.
Windows XP Home w/ SP2 and all current updates.

My problem: when I have Application Monitor enabled within the firewall, my CPU starts blasting to 100%++. My programs currently running are:

AVG Virus Scanner
Ad Aware (norman)
Bit Comet
Daemon Tools
Diskeeper (background)
Gigabyte overclocker utility
Style Xp (background task)
Winamp (tray)

I have Windows Firewall enabled and Data Execution Prevention enabled; it was recommended to disable Windows Firewall when I installed. Are they clashing, and is that what’s causing this CPU usage to peak?

Thanks in advance.

Hi Wobbly, welcome to the forums.

Despite the recommendation to disable Windows Firewall, I do believe that CFP & Windows Firewall peacefully coexist without any issue.

Assuming the CPU is being consumed by CFP’s cmdagent.exe (is it?), then this is more likely to be caused by BitComet. Obviously, temporarily disabling BitComet to confirm this would be the first step. It is also worth checking CFP’s Log (under the Activity tab) to see if there are any corresponding Log entries.

There is a work-around for P2P programs causing high CPU in cmdagent.exe: turn off CFP’s Monitor DLL Injections (Application Behavior Analysis).

Yeah, cmdagent.exe. I assumed it was Comet as well because of the active connections. But I contradicted myself when I saw others posting about using torrent and other P2P apps just fine.
With DLL monitor turned off it halves the CPU usage to 50%, but it still peaks and bottlenecks it for a second.
With Comet turned off, everything is fine. In the log it seems to be repeating “Inbound Policy Violation” with the same IP address over and over; it’s adding a new line every half second.

Sorry about this, I should have stated more about the problem in my original post, I’m extremely tired right now.


Having posting issues atm. Sorry for late reply.

That’s OK, it’s your topic & you can take as long as you like… there is no hurry. :slight_smile:

When you’re feeling less tired please post some examples of these repeated Inbound Policy Violations, they might give us a clue as to what is happening.

The source IPs seem to be different now, in fact all of them. I wouldn’t doubt how many are RIAA and such, but I have PeerGuardian disabled until I can get this sorted lol.

As for the same recurring IP I stated before, it’s no longer in the log. Here is a snippet of the log output.

Comodo Firewall Logs
Date Created: 10:40:29 03-01-2007
Log Scope: Today

Date/Time: 2007-01-03 10:40:25  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 60003)
Protocol: UDP Incoming  Source: 66.117.5.83:4679  Destination: 70.48.34.191:60003
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 10:40:25  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 31663)
Protocol: TCP Incoming  Source: 218.111.65.155:4519  Destination: 70.48.34.191:31663  TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 10:40:20  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 31663)
Protocol: TCP Incoming  Source: 218.111.65.155:4519  Destination: 70.48.34.191:31663  TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 10:40:20  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 31663)
Protocol: TCP Incoming  Source: 125.99.133.92:4227  Destination: 70.48.34.191:31663  TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 10:40:15  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 31663)
Protocol: TCP Incoming  Source: 125.99.133.92:4227  Destination: 70.48.34.191:31663  TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 10:40:10  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 31663)
Protocol: TCP Incoming  Source: 125.99.133.92:4227  Destination: 70.48.34.191:31663  TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 10:40:00  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 31663)
Protocol: TCP Incoming  Source: 200.79.239.137:4275  Destination: 70.48.34.191:31663  TCP Flags: SYN
Reason: Network Control Rule ID = 5

Skip a few recurring results and here are a few different ones …

Date/Time: 2007-01-03 10:39:34  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, ICMP = PROTOCOL UNREACHABLE / PORT UNREACHABLE)
Protocol: ICMP Incoming  Source: 192.168.1.1  Destination: 192.168.2.1  Message: PROTOCOL UNREACHABLE / PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 10:39:34  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol: IGMP Incoming  Source: 192.168.2.1  Destination: 224.0.0.1
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 10:39:34  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 26008)
Protocol: TCP Incoming  Source: 87.7.39.143:32669  Destination: 70.48.34.191:26008  TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 10:39:34  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 26008)
Protocol: UDP Incoming  Source: 218.170.112.232:10877  Destination: 70.48.34.191:26008
Reason: Network Control Rule ID = 5

There are too many to list; if I were to copy the entire log this thread would be massive, unless you want me to upload the log to RapidShare or something.

Thanks again.

Right, I guess most of this lot are unsolicited calls coming from Bit Comet users/hubs/whatever, probably trying to either list or get what you have (assuming you’re the 70.x.x.x IP). They are all bouncing off CFP’s final Network Monitor block & log rule (rule number 5). I note there are a couple of different local ports they’re aiming for… 26008, 31663 & 60003. I’m fairly ignorant of Bit Comet… so are these the ports you’re expecting? Is Bit Comet meant to be listening on these ports, or do you expect inbound Bit Comet traffic to appear on lots of different ports? We might both need to read the FAQs on this P2P stuff. LOL. Or someone will jump in & help us.

The later ones are a couple of different things…

Some of what looks like LAN traffic (or perhaps a router?) between 192.168.1.1 & 192.168.2.1 was blocked. 224.0.0.1 indicates multicast. Might need to sort this out. What set-up do you have… LAN, router, etc.?
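The questions above (which local ports are being hit, which of the blocked traffic is LAN/router chatter rather than Internet peers, and how fast rule 5 is filling the log) are easier to answer from a summary than from scrolling the raw paste. The following is an added example, not code from the thread, from Comodo or from any poster: a small Python parser for entries in the layout pasted above, which also copes with several entries run together on one line (as in the later paste in this thread), plus a summary by rule, destination port, source and per-second rate. The sample entries are a constructed copy of entries shown in the thread, and the `expected_listen_port` argument (set to 26008 in the example, the listening port mentioned later in the thread) is an assumption used to flag hits on other local ports.

```python
"""Parse and summarise Comodo Firewall Pro (CFP) Network Monitor log entries.

Added example for this thread, not code from Comodo or from any poster. It
assumes the field layout of the entries pasted in the thread and also copes
with entries run together on one line. SAMPLE_LOG is a constructed sample
built from entries shown in the thread, not a real log file.
"""
import ipaddress
import re
from collections import Counter

# Label spacing in the paste is inconsistent ("Severity :Medium", "Protocol:ICMP",
# "IncomingSource:"), so every separator is matched with \s*. Anchoring on
# "Date/Time" lets finditer() split entries pasted without any line break.
ENTRY_RE = re.compile(
    r"Date/Time\s*:\s*(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
    r"\s*Severity\s*:\s*(?P<severity>\w+)"
    r"\s*Reporter\s*:\s*(?P<reporter>[\w ]+?)"
    r"\s*Description\s*:\s*(?P<desc>.*?)"
    r"\s*Protocol\s*:\s*(?P<proto>\w+)\s+(?P<direction>Incoming|Outgoing)"
    r"\s*Source\s*:\s*(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s*Destination\s*:\s*(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?:\s*TCP Flags\s*:\s*(?P<flags>\w+))?"
    r"(?:\s*Message\s*:\s*(?P<msg>.*?))?"
    r"\s*Reason\s*:\s*Network\s+Control Rule ID\s*=\s*(?P<rule>\d+)",
    re.DOTALL,
)

# Constructed sample in the run-together form the log was pasted in.
SAMPLE_LOG = (
    "Comodo Firewall Logs\nDate Created: 10:40:29 03-01-2007\nLog Scope: Today "
    "Date/Time :2007-01-03 10:40:25Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 60003)"
    "Protocol: UDP IncomingSource: 66.117.5.83:4679 Destination: 70.48.34.191:60003 "
    "Reason: Network Control Rule ID = 5\n\n"
    "Date/Time :2007-01-03 10:40:25Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 31663)"
    "Protocol: TCP IncomingSource: 218.111.65.155:4519 Destination: 70.48.34.191:31663 "
    "TCP Flags: SYN Reason: Network Control Rule ID = 5\n\n"
    "Date/Time :2007-01-03 10:40:20Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 31663)"
    "Protocol: TCP IncomingSource: 218.111.65.155:4519 Destination: 70.48.34.191:31663 "
    "TCP Flags: SYN Reason: Network Control Rule ID = 5\n\n"
    "Date/Time :2007-01-03 10:40:20Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 31663)"
    "Protocol: TCP IncomingSource: 125.99.133.92:4227 Destination: 70.48.34.191:31663 "
    "TCP Flags: SYN Reason: Network Control Rule ID = 5\n\n"
    "Date/Time :2007-01-03 10:39:34Severity :MediumReporter :Network MonitorDescription:"
    "Inbound Policy Violation (Access Denied, ICMP = PROTOCOL UNREACHABLEPORT UNREACHABLE)"
    "Protocol:ICMP IncomingSource: 192.168.1.1 Destination: 192.168.2.1 "
    "Message: PROTOCOL UNREACHABLEPORT UNREACHABLE Reason: Network Control Rule ID = 5\n\n"
    "Date/Time :2007-01-03 10:39:34Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, Protocol = IGMP)Protocol:IGMP IncomingSource: "
    "192.168.2.1 Destination: 224.0.0.1 Reason: Network Control Rule ID = 5\n\n"
    # Two entries run together on one line, as in the later paste.
    "Date/Time :2007-01-03 10:39:34Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 26008)"
    "Protocol: TCP IncomingSource: 87.7.39.143:32669 Destination: 70.48.34.191:26008 "
    "TCP Flags: SYN Reason: Network Control Rule ID = 5"
    "Date/Time :2007-01-03 10:39:34Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, IP = 70.48.34.191, Port = 26008)"
    "Protocol: UDP IncomingSource: 218.170.112.232:10877 Destination: 70.48.34.191:26008 "
    "Reason: Network Control Rule ID = 5\n"
)


def parse_entries(text):
    """Return one dict per entry; fields absent from an entry are None."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def summarise(entries, expected_listen_port=None):
    """Aggregate blocked traffic the way you would before deciding which
    rules to add above CFP's final Block & Log rule."""
    by_rule = Counter(e["rule"] for e in entries)
    by_port = Counter(f"{e['proto']}/{e['dport']}" for e in entries if e["dport"])
    by_src = Counter(e["src"] for e in entries)
    # Private (RFC 1918) sources are LAN/router chatter, not Internet peers;
    # that is the traffic a Trusted Zone would normally cover.
    lan = sum(ipaddress.ip_address(e["src"]).is_private for e in entries)
    multicast = sum(ipaddress.ip_address(e["dst"]).is_multicast for e in entries)
    # Peak entries per second: how fast the log is filling.
    peak = max(Counter(e["ts"] for e in entries).values(), default=0)
    # Internet traffic aimed at local ports other than the assumed P2P listen port.
    unexpected = sorted({
        int(e["dport"]) for e in entries
        if e["dport"] and int(e["dport"]) != expected_listen_port
        and not ipaddress.ip_address(e["src"]).is_private
    }) if expected_listen_port is not None else []
    return {
        "total": len(entries),
        "by_rule": dict(by_rule),
        "by_port": dict(by_port),
        "top_sources": by_src.most_common(3),
        "lan_entries": lan,
        "multicast_entries": multicast,
        "peak_per_second": peak,
        "unexpected_ports": unexpected,
    }


if __name__ == "__main__":
    for key, value in summarise(parse_entries(SAMPLE_LOG), 26008).items():
        print(f"{key}: {value}")
```

Run against a full export, the `unexpected_ports` list is the answer to "are these the ports you're expecting?", `lan_entries` and `multicast_entries` show how much of the noise is the two routers talking to each other rather than peers, and `peak_per_second` puts a number on the log-flooding rate rather than eyeballing it.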

Yeah, 70.48 is me all right. Just had to reboot so my IP changed once again lol.

My setup is somewhat strange: my modem is a router in its own right with almost all ports forwarded, then a Linksys connected by WAN to that with its own hardware firewall. Currently on “this” PC I only have one Ethernet card and it is directly hooked up to my modem; the modem is a Siemens SpeedStream 6520. It’s also doing wireless out to my gaming consoles in the household. (None are on currently, just auxiliary download functions that wouldn’t be sending anything outbound.)

My other PC has 2 Ethernet cards, with LAN traffic going through one of them and Internet out of the other, at least that is what I think lol. One Ethernet card goes directly to the modem like this PC does; the other goes into the Linksys router attached by WAN, for secure FTP purposes etc.

I turned the other PC off for a bit and the problem seemed to subside, “I think”. But it looked like it returned even before I turned the other PC back on anyway. Should I go through both my modem and router options and detail them in here?

192.168.1.1 = Linksys and 192.168.2.1 = SpeedStream modem

For the ports bit with Comet, UPnP is on anyway; with Comet and the listening port 26008, there’s always going to be a mish-mash of other people using different ports to connect. So I’m unsure of what here is innocent and which are the evil government trolls/hackers :stuck_out_tongue:

Woah! Was that set-up… erm… intentional? :wink:

Have you set-up a Trusted Zone in CFP between these components?

For Bit Comet I think that you will probably need to open up some ports in the Network Monitor. Otherwise nothing is going to get past that Network Monitor Block rule 5. Is Bit Comet actually working at the moment?

I know that in reference to P2P issues, AOwl states you need to turn UPnP off in the app, and also to set a specific port for it to use, rather than automatic. That seems to be a key issue in that respect, based on user responses.

With your LAN setup/configuration, I’m uncertain if you’re doing any ICS with Windows, since you said you have LAN traffic going through your second computer… If you are, I have read that you need ICMP allowed in order for ICS to function properly.

Hope some of this may help.

LM

All intentional. I banned a few kids that hacked the FTP server a few weeks ago; possibly it’s them still trying to get into my private network and grab the files. The FTP was meant to be over the network only, but they somehow bypassed that. I doubt it was a trojan or anything serious because I didn’t notice traffic coming from any specific application; this is all on the other computer though.

Yeah, I just set up like 10 torrents for porn with over 200 seeds/leechers across them, and strangely enough my CPU is down to 7-10% now. But the log is still filling up quite fast with the #5 rule. I just turned on DLL monitor and CPU is still at 7-10% for cmdagent. A lot better of an improvement than doing nothing really lol.

I do have one curious block that I don’t recall adding to the Network Control Rules list; it follows:

Block & Log IP In/Out Any Destination Any IP Rules Any

I dunno what to do now; I guess we consider this solved, or does the flooding of the log with the #5 rule pose a possible threat to me :S


Sorry, didn’t see the other post there. I’ll try turning UPnP off and see how it reacts.

See above, LM’s jumped in to help (I said someone would). ;D

But, you need that final block & log rule… without it you’re wide open. You can always add some block rules just above the final block & log rule that block the common Bit Comet rubbish silently if you want.

With UPnP off and a restart of Comet, the #5 occurs more often than before. Before it was perhaps 5-6 a second; now it’s about 12-14 a second. But it did just ask me to allow or block an svchost that it was trying to access. Of course I allowed it lol.

Strange about the message protocol though, because nothing is being shared between the 2 computers at the moment. ICMP messages would be off by default in this case, wouldn’t they? The only time the 2 communicate is when I have the FTP server running; it currently isn’t right now, and my computer with the #5 rule isn’t trying to access it atm either. I’ll try force-changing the local IPs and switching them around some more.

This is what the log reads currently anyway:

Log Scope: Today

Date/Time: 2007-01-03 12:50:42  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 69.158.171.142, Port = 26008)
Protocol: UDP Incoming  Source: 85.186.126.99:10265  Destination: 69.158.171.142:26008
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 12:50:42  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 69.158.171.142, Port = 26008)
Protocol: UDP Incoming  Source: 82.159.114.240:8957  Destination: 69.158.171.142:26008
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 12:50:42  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 69.158.171.142, Port = 26008)
Protocol: UDP Incoming  Source: 210.246.144.137:7502  Destination: 69.158.171.142:26008
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 12:50:42  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 69.158.171.142, Port = 26008)
Protocol: UDP Incoming  Source: 81.154.209.132:21888  Destination: 69.158.171.142:26008
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 12:50:42  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 69.158.171.142, Port = 26008)
Protocol: TCP Incoming  Source: 213.167.96.221:16396  Destination: 69.158.171.142:26008  TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 12:50:42  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 69.158.171.142, Port = 26008)
Protocol: TCP Incoming  Source: 80.212.111.240:50858  Destination: 69.158.171.142:26008  TCP Flags: SYN
Reason: Network Control Rule ID = 5

Date/Time: 2007-01-03 12:50:42  Severity: Medium  Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 69.158.171.142, Port = 26008)
Protocol: TCP Incoming  Source: 83.12.176.202:59316  Destination: 69.158.171.142:26008  TCP Flags: SYN
Reason: Network Control Rule ID = 5

I’ll try messing about with my router settings some more and post back again. Thanks and sorry for the trouble so far lol

Based on what LM said, it looks like you need to set-up the listening port for Bit Comet to 26008… assuming it is not working on whatever you currently have it set to.

Your Internet IP changing is not a problem, since you don’t need to specify it anywhere.

All, I, too, was experiencing high CPU usage (averaging 18%) from the cmdagent.exe executable. I modified the Application Behavior Analysis setting and unchecked Monitor DLL Injections. Yeehaw! All is well again.

Thanks Comodo!
Glenn