Ever since F-PROT AV upgraded to version 6 I’ve had to turn OFF the Comodo Firewall to be able to update F-PROT. Once it is updated I can turn on the firewall again, and until the next time I log off and on, or reboot, it will check for and download updates, but the minute I restart the computer, or log off and on, or use Standby, I can no longer update or get automatic updates for the anti-virus product IF Comodo Firewall is running. I have tried every variation on the applications F-PROT is shown using in the Applications list, and I cannot do anything with the components from F-PROT shown in the components list.
HELP!!! Is there any easy way to make these two programs work together, or do I have to junk the Firewall. I will NOT give up F-PROT AV…
If you’re having a connection issue, the first place to head is for the firwewall logs. These are found under ACTIVITY - LOGS. If you scroll through this listing, you should be able to spot the line where the F-Prot update is being blocked. From the info in tis log, you can create a network monitor or application monitor rule that will allow F-Prot to update.
If yoou can’t figure it out, you can always export the logs to a HTML file and post them here for someone to go through. The log can be exported by right-clicking inside the logs window and selecting “Export HTML”. The resulting HTML file can be attached to a posting.
I’ve looked in the logs, and checked each IP address that is reported in the logs using Sam Spade to see who owns the IP address. I’ve done that for everything that is resulting in any alert or any block. None of them are from F-Prot or from/to the F-Prot web site. The only blocks are to Microsoft, MS Hotmail, Akamai Tech and Rogers, my ISP. I checked the logs before I posted the message about the problem I am having. To update F-Prot or check to see if there is an update, I need to END the Comodo Firewall, run the update check from F-Prot and then turn on the firewall again. As long as I do not reboot, restart or go to stand-by it will continue to permit me to check, but if I reboot, restart or come out of stand-by I am one again unable to check for updates until I play this game of turning off the firewall and turning it on again. I suspect that the two security applications are having a bad case of indigestion at start-up with the boot protection or other security in F-Prot being the main source of the problem, as turning Comodo Firewall off and back on permits the updates, but I have no way of tracing or proving this. I’ll keep watching the logs, but the updates for F-Prot are at http://updates.f-prot.com/cgi-bin/get_randomly?fp-def and http://updates.f-prot.com/cgi-bin/get_randomly?macrdef2 OR at Home Page – 2023 TIS updates - DATA443-Cyren
The domain servers for F-PROT are at 213.220.100.1 to .3 and 213.220.100.xxx are NOT showing up in the log at all.
You might contact FProt to find out what executable drives the udpate; it may be something different than what you have in the Application Monitor. Then you can create a rule to allow it.
Might also run the Application Wizard (Security/Tasks/Scan for Known Applications); follow the prompts; reboot. Might work…
Also, since you know the FProt IP range, you could Add that as a Trusted Zone, and then put that in your Network Monitor as such, to specifically allow traffic to/from that Zone.
All was fine doing updates until I rebooted the Notebook. The problem that shows up in the log is as follows…
Severity: Medium
Reporter: Application Monitor
Description: Application Access Denied (svchost.exe:24.153.22.195:dns(53))
Application: F:\WINDOWS\system32\svchost.exe
Parent: F:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 24.153.22.195:dns(53)
Date and time are the date and time I ask F-PROT to do its check for an update and get, from F-PROT, “unable to connect to server”
If I turn off Comodo Firewall and turn it on again without trying the update of F-PROT it continues to report this same action and does NOT allow F-PROT to update or check for an update.
If I turn off Comodo Firewall and try the update with Comodo Firewall turned off the update check works and F-PROT connects to the server. Then when I turn Comodo Firewall back on, after that one successful connection, it continues to connect and check successfully until the next restart or reboot of Windows.
The medium severity message only comes when F-PROT tries the update AND it is being stopped. There is NO message in the log when it succeeds in updating.
Any ideas? It seems that it is svchost.exe that is causing the issue. I have already tried permitting all activity from my computer to 24.153.22.195: 53, which happens to be one of my ISP’s DNS servers [Rogers].
SMALL UPDATE at 3PM… I was still able to connect and check for an update. There was one available but it could not be downloaded, and the message in the log was identical to the one reported above. I had to turn off the Comodo Firewall and then the same action brought down the update and installed it. Then I turned the firewall back on. So whatever it is seems to relate to something in between the firewall and F-Prot but is NOT F-Prot itself, and I cannot give the F-PROT DLL files any special privileges, if it is one of those and NOT the executable itself.
The problem isn’t FProt per se; it’s that at some point you have created a block for svchost. Without it, you’re stuck like chuck.
Find and remove any rules for Svchost.exe in your Application Monitor.
Then go to Security/Advanced/Miscellaneous, and uncheck the box for “Do not show alerts for Applications certified by Comodo,” and move the Alert Frequency slider to High or Very High. Click OK.
Reboot your computer. (This will create a lot of alerts; the point is we want to specifically allow svchost.exe to get it back in the system; then you can reverse these changes to bring your alerts down - provided you want to at that point.)
Very quickly after you log into Windows, you’ll start getting alerts; probably several for svchost.exe with itself as a Parent, or with services.exe as the parent (even explorer.exe, etc), on different ports, and possibly to different IPs (although probably all will be your localhost, router, gateway, etc). You will need to check to “Remember” and Allow the connections.
Once the initial flurry is over, then run FProt’s updater. Make sure you Remember and Allow.
Run the Application Wizard (Security/Tasks/Scan for Known Applications); follow the prompts. Reboot when finished.
Did all of the above, and also removed the special IP address and FP executable rules that I had added, so it is basically back to were it was. There were 2 svchost items removed, and after the reboot there are now 9 of them showing up.
F-PROT now goes to the server and checks successfully for any update. However until there actually IS an update there for me to download, I will not know if all is really well. That likely is a day or two down the road. However it IS going to the site now, which is a vast improvement. I’ll let you know down the road if that has indeed solved the problem.
For the record, I have no good idea of how I or anyone else with this sort of problem can tie it down to the solution you suggested… deleting the scvhost executables and the rest of the instructions. It is NOT specifically obvious, at least to me, that this is the way to cure the problem.
There is another issue, which is simply the load on my CPU that comes from Comodo Firewall. It was running at about 30-35% of the CPU’s cycles, but now it is down at about 3%… I’ll keep watch on that too, as I try using Flight Simulator 2004, which really tests a CPU…
Good news there, at least. I’m glad that has helped so far. Please keep us posted…
For the record, I have no good idea of how I or anyone else with this sort of problem can tie it down to the solution you suggested... deleting the scvhost executables and the rest of the instructions.
Good point. I will bring this up to the powers that be… In the meantime, just know that’s a part of why the forum is here, and why users volunteer their time and efforts to help other users resolve problems (in addition to all the input from Comodo staff).
There is another issue, which is simply the load on my CPU that comes from Comodo Firewall. It was running at about 30-35% of the CPU's cycles, but now it is down at about 3%... I'll keep watch on that too, as I try using Flight Simulator 2004, which really tests a CPU...
Comodo Firewall version 2.3.6.81… which I believe is the latest. Database was just recently updated too.
[For the record, years ago I managed computer operational and program testing at one of the Canadian Financial Institutions, and taught staff how to do the work… I’ve also spent 20 years in Information and Computer Security R&D…]
F-PROT had a signature update today, and it worked fine when I asked F-PROT to check and install the update. No problem with the Firewall…
As for the load on the CPU, I’ve observed that during certain events, when running FS9, Comodo Firewall [cpf.exe], when observed via the Windows Task Manager, will jump up to over 30-40% load but will then drop back down again so to 0-3% quickly. I assume this is related to using Real Time Weather or other activities that call on Windows system resources, rather than Flight Simulator resources. Not an issue, on its own, but a curious result that is repeatable. I have told Comodo to permit ALL activity for FS9.EXE as otherwise the result IS far more of a slowdown, from past observations.
For the CPU load, if you use a program like Process Explorer, you may get a better view of programs opening and closing (or calling on resources) to be able to tie CPF’s spike directly to a specific application. Then you could create an Allow All rule for that application (such as you have for FS9), or simply check to “Skip Advanced checks” under the Miscellaneous tab for that App Rule; should help to reduce the CPU load.
