CPF gives me grief!

Installed CPF 2.3.1.20 BETA on XP SP2.
Let the wizard allow everything on the local segment.
It seemed to be working correctly for half a day, when all of a sudden CPF started blocking everything.
I cannot even access my router on 192.168.1.1.
Reboots do not help.
Setting the firewall to “Allow Everything” does not help.

What now?

Strange. Are you sure that it isn’t a router problem? Try to reboot your router first and then post again.

The other computer, which uses XP’s native firewall, connects to the router (and to the internet) just fine.

Have you added your LAN to the trusted zone?

As stated in the original post:
“Let the wizard allow everything on the local segment.”

Try to disable “secure the host while booting” and “monitor DNS queries”, and reboot.
If it does not solve it then consider installing the latest beta :wink:

I’ll try that.

I believe I am running the latest beta.

Check your logs and see if you’re getting flooded / attacked. This condition could arise if your IP was being constantly probed and CPF would detect this and put itself into emergency mode by shutting down all comms for a set period and then retesting. If the attack is continuing, emergency mode stays on.

A possibility?

Check it out and let us know.

Hope this helps,
Ewen :slight_smile:

Also please activate “Create an alert when this rule is fired” option for “BLOCK IP IN FROM ANY TO ANY…” rule and check your logs.

Egemen

OK, noticed something weird.

Once in a while CPF will say that some application tried to use IE to access the net. If I then block it, nothing else will be able to access the net until I reboot.

Ideas?

It should be the following:

“iexplore.exe has tried to use svchost.exe through OLE Automation”. If this is the case, you don’t need to block this attempt because both applications are safe.

But if CPF asked you some unsafe application tried to use iexplore.exe and you blocked it, only that particular instance of IE will be blocked. This should not persist if you close and start another IE instance.

Blocking svchost.exe can cause such symptoms. Make sure you don’t have a blocking rule for svchost.exe in your application rules. And if CPF reports OLE Automation for svchost.exe, unless there is no unsafe application in the security considerations, you can safely allow.

Egemen

Actually, I think it said that IZarc (http://www.izarc.org) was trying to use IE.

Was your CPF message something like this…

C:.…\IZArc.exe has tried to use C:.…\iexplorer.exe through OLE Automation, which can be used to hijack other applications?

Yes, that’s it

Well, if you had just installed IZarc, updated it or changed its configuration then it would have messed with explorer.exe via OLE. CPF is just warning you of that fact. It’s like this… IE’s parent is explorer and something just OLEed explorer, since you tried to use IE (or even something else that uses IE)… hence the warning.

I raised this issue in another topic, CPF Confused?. Different program… But I think you’ll agree it’s the same thing.

Why would CPF care about the parent application of the task?

Because the parent can control the child. Specifically, explorer.exe (the parent) can pass messages and instructions to iexplorer.exe (the child).

This parent-child process relationship has previously been exploited to circumvent firewalls by… unfriendly applications.

Interesting. Please elaborate.

It’s been some time since I did low-level Win32 programming but I don’t remember anything special about the parent-child relationship (except inheriting some handles when the child process starts, but I think that it would take a really flaky application to exploit that).

Also, as I recall, SendMessage(), PostMessage() and friends do not care about parent/child relationship.

It gives me grief too. The firewall is as good as a chocolate fan (S) I doubt it!

Hi Alexo

As it’s the same issue, you might find this topic informative. If not, then please post back & I’ll do my best to elaborate.