CPF Block Outgoing DNS Lookups

Hi everybody!

I installed CPF v2.4.16.174 on my Windows Server 2003 SP1 system.

All seemed to be fine until I noticed that the internet didn’t work right.
After exploring, I found out that the problem is in DNS lookups.
I unchecked Application Behavior Analysis → Monitor DNS queries, but it still doesn’t work.
I also set the cmdagent.exe service to run manually… so after the next restart the firewall was completely OFF, and it still doesn’t work!!
I need to uninstall CPF to get the internet to work normally :frowning:

Anyone with the same problems?

Solution?

Greetings

Greetings, damjan!

DNS issue is likely caused by an inadvertent block of svchost.exe. If you check your Application Monitor you’ll probably see that in there. It must be allowed, or DNS cannot be updated.

Anytime you have issues with CPF, you should have an entry in the Activity Logs, which will give you some clues as to what/why is being blocked.

And no, you can’t set CPF to start manually; it’s part of the program’s defense mechanism, to keep it from being terminated/controlled by malware. The service has to run Automatically, as do the system drivers for it.

LM

Yes. I found out that svchost.exe is the process that hosts the DNS Client service, which does the lookups.
I set traffic to allow TCP/UDP in and out, and also Allow invisible connection attempts and Skip advanced security checks.

I really don’t know why the traffic is blocked or where the traffic is lost :frowning:

I know… but there were no logs… that bothers me too! :frowning:

Yes, you can. I found some kind of workaround:

  1. Uncheck Advanced → Miscellaneous → Protect own registry keys and files from unauthorized modifications
  2. Go to Windows Administrative Tools → Services
  3. Double-click Comodo Application Agent to see its settings
  4. Set Startup type to Manual
  5. Reboot
  6. The agent (cmdagent.exe) doesn’t run, only the GUI (cpf.exe)

Greetings
Damjan

But then what happens when you open up the application (GUI) and try to make any changes? I have done that, and turned off the two drivers as well. Once I started the application (GUI) manually, everything is locked. All Monitors are set to Off and cannot be changed. Traffic is not allowed. System-wide hang occurred. Egemen (head of the firewall development team) stated that you cannot manually run the firewall; it will not work properly.

So, did that fix the problem? Or are you still blocked?

LM

True. All monitors are off. You can’t make any changes. I didn’t say that I’m 100% sure that this method completely turns off CPF; I only showed how to turn off the agent.
If the firewall is off (for example: the cmdagent service crashed), is ALL traffic then blocked by default?

No. :frowning:
I even changed the number of packages per second (default: 50 packages / 20 seconds), in case CPF was blocking traffic that way. But still nothing.

The funny thing here is that when I open FF (v2.0.0.1) or IE (v6) for the first time, CPF asks me nicely about incoming traffic - click allow, about outgoing traffic - click allow, and when I type for example www.google.com it asks me whether to allow the DNS lookup through svchost.exe - click allow. OK. But if I then close FF or IE and reopen it, or try to open another page, then all DNS lookup traffic is blocked :-[
So… not only FF and IE had problems; all programs that do lookups through svchost.exe didn’t work.

I even tried uninstalling NOD32; still no change :-[

Greetings
Damjan

In the Network Monitor, make sure the Block All In & Out rule is at the bottom, and is set for logging - the box checked saying, “Create an Alert if this rule is fired.”

Then go to Security/Advanced/Miscellaneous, and make sure the top box is checked, Enable Alerts.

If you changed either of these, reboot. Then check Activity/Logs when your DNS stops. There absolutely should be something in the Logs, even if it’s not immediately clear where the block is. Whatever you have for Logs, right-click on an entry, select “Export to HTML.” Save the file and reopen it; copy/paste as text into your post. We’ll look at it and see what we see…

LM

I did everything you said to do, but still… no log, and the first page opens while all the following ones are blocked.
I will paste here what happened on the TCP protocol…

Greetings

Hmm, something’s going on; it’s just unclear at this point what that is…

If you will go to Activity/Logs, right-click an entry and select Export to HTML, save the file. Then reopen the file, copy and paste that into your post here; there should be some clues there.

You can also try creating a new rule in the Network Monitor, as follows:

Action: Allow
Protocol: UDP
Direction: Out
Source: Any
Destination: Any (or the specific IP of your DNS server)
Source Port: Any
Destination Port: 53

Make sure this rule is above your bottom Block & Log All rule. That might help.

As a last-ditch effort, you can go to Security/Advanced/Application Behavior Analysis, and uncheck the box, “Monitor DNS Queries.” Click OK, and reboot.

This disables part of CFP’s security, but some systems work in such a way that sometimes it is the only way…

LM
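An added example, not part of the thread: a small Python probe that sends the same A-record query several times over UDP port 53, the traffic the suggested Allow rule covers, and reports for each round whether a reply came back or the query timed out. The DNS server IP and hostname are supplied by the user, and the function names are this example's own.

```python
import socket
import struct
import sys

def build_query(name, txid):
    """Encode a minimal DNS A-record query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(packet, txid):
    """Return (rcode, answer_count); raise ValueError if the reply does not match."""
    if len(packet) < 12:
        raise ValueError("short packet")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set in a response
        raise ValueError("not a response to our query")
    return flags & 0x000F, ancount

def probe(server, name, txid, timeout=3.0):
    """Send one query to UDP/53. 'timeout' means nothing came back,
    which is how a silently dropped packet appears to the client."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
        except OSError as exc:
            return "send/recv error: %s" % exc
    try:
        rcode, ancount = parse_header(data, txid)
    except ValueError as exc:
        return "bad reply: %s" % exc
    return "rcode=%d answers=%d" % (rcode, ancount)

def repeat_probe(server, name, rounds=5):
    """Repeat the lookup to see whether only the first query gets through."""
    return [probe(server, name, 0x1000 + i) for i in range(rounds)]

if __name__ == "__main__":
    # Usage: python dnsprobe.py <dns-server-ip> <hostname>
    for i, result in enumerate(repeat_probe(sys.argv[1], sys.argv[2]), 1):
        print(i, result)
```

This talks to the DNS server directly rather than through the DNS Client service in svchost.exe, so comparing its results with a normal lookup helps separate a port 53 block from a block tied to that process.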

I tried and wrote a rule to allow all in and all out; I also completely turned OFF Network Monitor, and it doesn’t work :frowning:

I tried that also of course, but nothing :frowning:

Here is what happened on the TCP protocol: [see attachment]

Thanks for all your time trying to help me!

Damjan

[attachment deleted by admin]

Looks to me like there’s something else going on…

That message, 0xC0000240 is for Request Aborted; that being the case, it’s not going to update.

I have two suggestions at this point:

  1. Uninstall and reinstall CFP (using a registry cleaner in between to clear out any clutter remaining behind). Sometimes something small goes wrong with an installation, and strange problems arise. If you do this, be sure to turn off all other security products (AV, antispy, HIPS, etc) before installing CFP; they frequently cause install conflicts.

  2. Submit a ticket to Support - http://support.comodo.com/. Be sure to provide them a link to this topic, so that they will have the steps taken thus far as a reference. They will be able to provide more specific info and tests to help isolate and fix the problem.

Sorry I can’t give you more to work with on that; but the things that should work are obviously not, which tells me something else is going on…

LM

Maybe the OS? It is Windows Server 2003.
And I tested on 2 different PCs; both have the server system and gave the same results :frowning:

Thanks anyway!

Damjan

I need “Order Number OR Domain Name” to send a ticket.
Where can I get that?

Thanks!

Damjan

I’ve never seen that before; not sure what it means…

Can you post a screenshot of the message?

LM

Greetings

[attachment deleted by admin]

I think you may have selected the incorrect areas. Make sure the department is: PC Security Software, then the Problem Description should be: Personal Firewall.

You are right. I did that and it works!

Thanks!

Greetings
Damjan