CFP is blocking my wireless laptop from getting a virus signature file auto updates:-
After unpleasant experience of Trend’s latest Integrated Security Centre 2007 I installed Nod32 virus checker and CFP onto 2 computers: 1 PC is wired to the router, 1 laptop connects wirelessly (this difference seems to be pertinent).
The wired PC collects automatic virus signature updates from Nod32 with no trouble. The wireless laptop fails to collect updates.
For every failed update Nod 32 gives a log message “Update attempt failed”/“Function: gethostbyname, parameter: return value 11001” and there is a correspondingly timed CFP Log message:
Outbound Policy Violation
IGMP Outgoing
Source: 192.168.1.136 (…my router asigned IP)
Destination: 224.0.0.22 (…apparently a multicast group membership address)
I may be able to figure out how to open CFP to 224.0.0.22 IP outgoing & incoming (I’m not confident, but I have m0ng0d’s guide). The question is does any one know if it is safe to open up CFP to a Multicast IP?
Cannot find any other posts on auto updates from virus checker services - am I only one ever w/ this problem!? Weird that my PC on same network with Nod32 and CFP installed at same time has no problem.
I’m confused with this one. Multicast addresses (224.0.0.0 thru 239.255.255.255, or 224.0.0.0/4 in CIDR notation) don’t route over the Internet, at least not without some ISP support and that is really uncommon. A multicast address is only a destination address, very much like a broadcast address, and it is LAN segment limited (unless you’re running a multicast router, probably an *ix/BSD box running mrouted).
Yes, you can open up 224.0.0.0/4, as it’s LAN local. Like 192.168.1.255 is the broadcast address for the 192.168.1.0/24 address block.
What confuses me, is Nod32 trying to do multicast at all? Things like routers and time servers use multicast to broadcast their data to any and all that care to listen. That doesn’t strike me as being related.
Your message says the source is 192.168.1.136, your router. That it talks multicast is part of what a router does. It’s doing a group query for other routers (which you probably don’t have). Then your router(s) would do a data exchange over 224.0.0.9 (router multicast group).
What you’ve got sounds like a wireless connection problem, and only a wireless connection problem. If you can get your laptop to talk to the router, your problems will like clear up. Check the router for client connections to see if the laptop is actually connecting, and then check the laptop firewall for connections to the router, and also to the other machine on the same LAN.
You don’t need to create a Network rule for multicast IP addresses, in or out. Simply go to the first rule in Network Monitor (Rule ID 0), right-click and select Add/Add Before. Build it like this:
Action: Allow
Protocol: IP
Direction: Out
Source IP: Any
Destination IP: Any
IP Details: IGMP
OK, and reboot (to clear memory and set new rule). By default, CFP blocks all IGMP, so you need a rule to let it out. I don’t think you’ll need a rule to let it back in; the Stateful inspection engine should handle that.
As to why it’s happening, it’s probably related to function of the wireless setup. As pointed out, it’s internal to the LAN. If creating this rule in CFP clears up the issue, then good and well. If it does not, there may be something else going on. The simple “CFP” test is to set CFP Security Level to Allow All and see if the connection works. If it does, CFP is blocking something; if it doesn’t, it’s not CFP…
thanks for input Grue155 & Little Mac. I am put off by not understanding a Multicast. Just to add a fact, if I request a Nod32 update manually it works. It is only Nod’s auto update that isn’t happening.
Since Nod32 and CFP were installed together it’s unclear which one is causing the problem - as suggested I will switch off CFP, use Windows FW, and watch the Nod32 logs. Separately I will switch off wireless and wire the laptop to the Router.
This testing will take a few days while I wait for the Nod files to be upgraded.
All I really know for sure is Nod32 file version isn’t updating (automatically), the Nod Event log shows the (double) error messages, and at a similar time the CFP Monitor shows a block message. I will attach screenshot should you be curious - but thanks for your pointers and suggestions. Working together we’ll keep one step ahead of the cyber lowlife!