HELP! - 2.0.0.1 Stopping ActiveSync & Email from working

Hi,

I have been using Comodo PFW for some time now. I only got round to upgrading to v2 (and auto-upgrading to 2.0.0.1) a few days back. I am now having BIG problems with it. >:(

1 - Microsoft ActiveSync 4.1 - This will not connect to a device if Comodo PFW is running. If an attempt is made to connect to a device while it is running, then before it will work I have to re-start the PC and close Comodo PFW AND the launchpad.

I have tried adding all the ActiveSync programs as trusted applications with FULL trust & invisibility and still no joy. It just won’t have it and I am getting REALLY frustrated with it now!

2 - Email - MS Outlook 2002 & AVG Anti-virus email scanner - I cannot get a connection to my POP3 mail servers if Comodo PFW or launchpad is running. Again, if an attempt is made while Comodo is running, then simply exiting Comodo and retrying isn’t enough. I have to restart the PC, exit Comodo THEN retrieve my emails. Again, I have added all necessary programs as fully trusted apps, but with no joy.

I am getting really annoyed with this, and am on the verge of doing away with Comodo and simply start using the Windows Firewall.

Can anyone help me? Anyone else experienced similar problems? Anyone able to advise how to fix these problems?

??? :cry: >:(

If you are behind a router add a trusted zone. Go to “Security → Tasks → Add a Trusted Zone” the wizard will help you with the procedure :smiley:

No router. I simply have a USB ADSL modem. No hardware based firewall, etc.

I’ve been reading through this forum, and apparently the AVG email scanner was a problem in CPFW 2.0.0.0, but was supposedly fixed in 2.0.0.1.

I am definitely running CPFW 2.0.0.1 and definitely still having the problem. When the email scanner appears with a message saying it is connecting to the POP3 server it then just hangs.

Anyone else still having this problem with 2.0.0.1?

Any idea on how to solve it? Or is it being dealt with in the next update?

I suppose one way around it would be to stop using AVG, and to start using the Comodo AV. :-\ Any comments as to what the Comodo AV is like? Is it a good product? Reliable?

Still mythed with the ActiveSync problem too? ???

G’day SilentBob,

Re. AVG email scanning, I’m in the same boat - the AVG email scanner will just sit there ad infinitum, even after upgrading CPF to the latest version. Others have reported that it works, though, so it may be a system specific issue.

I’ve installed Comodo’s anti virus and have found it to be quite nice so far, and the developers are working flat out on improving it. I still run AVG but have reinstalled it using CUSTOM install and not selecting the email scanner. Once AVG was reinstalled, I disabled the resident component and am just using it for on demand scanning and for verification against Comodo’s scan results.

To date, AVG hasn’t detected anything that Comodo didn’t also find. This isn’t to say that Comodo is quite ready for prime time, their AV database is still growing but doesn’t have all definitions (but which AV does? ;)) and their (Comodo’s) ability to react to zero day threats and new outbreaks is still to be tested. The AV app is still a bit on the bulky side for my liking, but this is being worked on, hopefully for the next release.

I’ll ■■■■■ my thinking cap on a bit tighter about the ActiveSync issue, 'cause my wife uses an iPaq and I’ll be running down this road myself sooner or later.

Hope this helps,
ewen :slight_smile:

G’day again,

Re. Active Sync, and please bear in mind this is just off the top of my head - does ActiveSync establish the connection between the external device and the host app. by means of the 127.X.X.X local loopback?

I’m only thinking along these lines because CPF monitors IP based traffic, so I assume it’s picking up an IP connection related to the syncing process.

This could be checked by disabling CPF, connecting the external device and, in a CMD window, running “IPCONFIG /ALL” and seeing if there are any connections pertaining to the ActiveSync connection.

Please post back here and let us know the results.

Hope this helps,
ewen :slight_smile:

OK, I have run the IPCONFIG /ALL command with the device connected. The results returned were as follows:

Ethernet adapter Local Area Connection 3:

	Connection-specific DNS Suffix:
	Description: Windows Mobile-based Device #3
	Physical Address: 80-00-60-0F-E8-00
	Dhcp Enabled: Yes
	Autoconfiguration Enabled: Yes
	IP Address: 169.254.2.2
	Subnet Mask: 255.255.255.0
	Default Gateway:
	DHCP Server: 169.254.2.1
	Lease Obtained: 21 May 2006 14:46:27
	Lease Expires: 20 June 2006 14:46:27

Does this help?

Ta,
Simon

Hi Simon,

Can you please have a look at my post at https://forums.comodo.com/index.php/topic,220.msg1407.html#msg1407

and try to follow the steps to be able to paste some logs here?
After we review your traffic log, we can have an idea about what is happening.

Thx,
Egemen

OK, here we go.

When I connect my mobile device and ActiveSync tries to make a connection, I get the following:

Date/Time :2006-05-21 20:00:21
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = 5721)
Protocol: TCP Incoming
Source: 169.254.2.1:listen(1025) 
Remote: 169.254.2.2:5721 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 20:00:21
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 20:00:16
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 20:00:11
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = 5721)
Protocol: TCP Incoming
Source: 169.254.2.1:listen(1025) 
Remote: 169.254.2.2:5721 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 20:00:11
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 20:00:06
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = 5721)
Protocol: TCP Incoming
Source: 169.254.2.1:listen(1025) 
Remote: 169.254.2.2:5721 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 20:00:06
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 20:00:01
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = 5721)
Protocol: TCP Incoming
Source: 169.254.2.1:listen(1025) 
Remote: 169.254.2.2:5721 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 20:00:01
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:56
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:51
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = ftp-ssl(990))
Protocol: TCP Incoming
Source: 169.254.2.1:1026 
Remote: 169.254.2.2:ftp-ssl(990) 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:51
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:46
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:41
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = ftp-ssl(990))
Protocol: TCP Incoming
Source: 169.254.2.1:1026 
Remote: 169.254.2.2:ftp-ssl(990) 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:41
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:36
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = 5721)
Protocol: TCP Incoming
Source: 169.254.2.1:listen(1025) 
Remote: 169.254.2.2:5721 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:36
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = ftp-ssl(990))
Protocol: TCP Incoming
Source: 169.254.2.1:1026 
Remote: 169.254.2.2:ftp-ssl(990) 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:36
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:31
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1 
Remote: 169.254.2.2 
Message: PORT UNREACHABLE 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 19:59:31
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = ftp-ssl(990))
Protocol: TCP Incoming
Source: 169.254.2.1:1026 
Remote: 169.254.2.2:ftp-ssl(990) 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1

When I try to send/receive email via Outlook, the AVG email scanner appears and advises that it is trying to connect to the POP3 server. I get the following log:

Date/Time :2006-05-21 20:06:19
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 86.29.255.96, Port = 43206)
Protocol: TCP Incoming
Source: 62.85.75.97:3780 
Remote: 86.29.255.96:43206 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 20:06:08
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 86.29.255.96, Port = 43206)
Protocol: TCP Incoming
Source: 62.85.75.97:3780 
Remote: 86.29.255.96:43206 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1


Date/Time :2006-05-21 20:06:03
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 86.29.255.96, Port = 10000)
Protocol: TCP Incoming
Source: 82.182.77.192:63675 
Remote: 86.29.255.96:10000 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1
In the attackers' world, this port is usually used by Trojan.W32.dumaru.ad(10000)


Date/Time :2006-05-21 20:05:58
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 86.29.255.96, Port = 10000)
Protocol: TCP Incoming
Source: 82.182.77.192:63675 
Remote: 86.29.255.96:10000 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1
In the attackers' world, this port is usually used by Trojan.W32.dumaru.ad(10000)


Date/Time :2006-05-21 20:05:53
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 86.29.255.96, Port = 10000)
Protocol: TCP Incoming
Source: 82.182.77.192:63675 
Remote: 86.29.255.96:10000 
TCP Flags: SYN 
Reason: Network Control Rule ID = 1
In the attackers' world, this port is usually used by Trojan.W32.dumaru.ad(10000)

Hi SilentBob, pls open the Comodo GUI, go to Security > click Tasks > New Network Rule >
General: Allow > Protocol: IP > Direction: In
Source IP 169.254.2.2
Remote IP Any, click OK. Now go to Network Monitor and move this rule above “rule block ip in”. Try this for ActiveSync. Hope this helps, tim

Hi,

Thanks for that. However, I have applied that change but ActiveSync still just sits on “connecting”. :frowning:

Hi, if you change protocol to “any” does this change anything?

The protocol in the top section doesn’t have an “any” option…? The IP protocol on the “IP Details” tab is already set to “any”.

Sorry, my mistake.

It seems ActiveSync needs some local ports (5721/990) to be allowed.

What you need to do is:

1- Go to “Security->Network Monitor”,
2- Right click on the first rule(Rule Id = 0)
3- Select Add Rule->Add Before
4- Action “Allow”, Protocol “TCP”, Direction “In”
5- Source IP : “Single IP” = “169.254.2.1”,
6- Remote IP : “Any”
7- Source Port : “Any”
8- Remote Port : “Any”
9- Click Ok button.

Now your first network control rule must be : Allow TCP IN FROM IP 169.254.2.1 to IP ANY WHERE SOURCE PORT IS ANY AND REMOTE PORT IS ANY

This should solve your ActiveSync problem. If not, please paste your logs and a screenshot of the network control rules screen again.

For AVG issue, we need better logs.
What you can do is:
1- clear all logs
2- For all of your network control rules, Select “Generate an alert when this rule is fired” option. i.e. double click on each rule, select the checkbox and press OK.
3- Retry receiving your email and paste the new logs. You can always send your logs as a PM to me.

Thx,
Egemen
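
How the denied entries in the logs posted above reduce to the local ports 5721 and 990, as an added example that is not part of the original thread and not Comodo's own tooling. It assumes, from the IPCONFIG output and the Description lines in those logs, that for an incoming entry Source is the sender and Remote is the local PC; `parse_entries`, `endpoint` and `denied_inbound` are names made up for the example.

```python
import re
from collections import Counter

# Constructed sample in this thread's log layout (Severity/Reporter lines omitted).
SAMPLE_LOG = """\
Date/Time :2006-05-21 20:00:21
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = 5721)
Protocol: TCP Incoming
Source: 169.254.2.1:listen(1025)
Remote: 169.254.2.2:5721
TCP Flags: SYN
Reason: Network Control Rule ID = 1

Date/Time :2006-05-21 20:00:21
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 169.254.2.1
Remote: 169.254.2.2
Reason: Network Control Rule ID = 1

Date/Time :2006-05-21 19:59:51
Description: Inbound Policy Violation (Access Denied, IP = 169.254.2.2, Port = ftp-ssl(990))
Protocol: TCP Incoming
Source: 169.254.2.1:1026
Remote: 169.254.2.2:ftp-ssl(990)
TCP Flags: SYN
Reason: Network Control Rule ID = 1
"""

def parse_entries(text):
    """Split on blank lines; each entry becomes a dict of its 'Key: value' lines."""
    return [
        {k.strip(): v.strip() for k, v in
         (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)}
        for block in re.split(r"\n\s*\n", text.strip())
    ]

def endpoint(value):
    """'169.254.2.2:ftp-ssl(990)' -> ('169.254.2.2', 990); ICMP entries have no port."""
    ip, _, port = value.partition(":")
    digits = re.search(r"(\d+)\)?$", port)
    return ip, int(digits.group(1)) if digits else None

def denied_inbound(text):
    """Count denied entries per (protocol, sender IP, local port, blocking rule ID)."""
    flows = Counter()
    for e in parse_entries(text):
        if "Access Denied" not in e.get("Description", ""):
            continue
        proto = e["Protocol"].split()[0]
        rule = int(e["Reason"].rsplit("=", 1)[1])
        flows[(proto, endpoint(e["Source"])[0], endpoint(e["Remote"])[1], rule)] += 1
    return flows
```

Run over a full export, the counter shows which sender, local port and rule ID account for the blocks, which is the information needed to write an allow rule no wider than the traffic actually seen.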

OK, thanks. I will try this when I get home tonight. I will post any results back here.

Thanks again,
Simon

Ok, I applied that change. I was then able to connect to ActiveSync, but only once. Upon trying a second time both the PC version & my mobile device locked up. I tried a few times between restarts. However, I then removed the relationship to my device and setup a new relationship. Now all seems fine.

So to recap, I added the following rules:

Security > Network Monitor > Add:

	a) to be added as first rule (ID = 0)

	Action: Allow
	Protocol: TCP
	Direction: In
	Source IP: Single IP -> 169.254.2.1
	Remote IP: Any
	Source Port: Any
	Remote Port: Any

	b) To be added above the "Block IP In Any" rule (ID = 2)

	Action: Allow
	Protocol: IP
	Direction: In
	Source IP: Single IP -> 169.254.2.2
	Remote IP: Any
	IP Details: Any

I have attached a screen print of “all” my network rules.

I can’t go any further with the email problem at the moment. I am having very strange problems indeed tonight. Can’t update my antivirus, and can’t view several websites that you really wouldn’t expect to be a problem, such as MSN, EBay, Amazon. Others, including this one are fine…?!? ??? ???

I will leave it for tonight and see how it behaves tomorrow, 'cos I really haven’t got a clue what’s going on!

[attachment deleted by admin]

OK, AVG Email Scanner…

The only changes that I have made to Comodo PFW are those detailed above in order to get ActiveSync working. However, I am no longer getting the same errors. (BTW, I will post my results, as I don’t have a fixed IP address, so should pose no threats).

Instead, I get several instances of the following:

Date/Time :2006-05-23 20:29:43
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 194.168.4.100, Port = dns(53))
Protocol: UDP Outgoing
Source: 86.29.255.126:1061 
Remote: 194.168.4.100:dns(53) 
Reason: Network Control Rule ID = 1

Then I get an Outlook error while the AVG email scanner hangs (see attached image).

Finally I get the following:

Date/Time :2006-05-23 20:39:37
Severity :High
Reporter :Application Monitor
Description: Suspicious Behaviour (avgemc.exe)
Application: C:\Program Files\Grisoft\AVG Free\avgemc.exe
Parent: C:\Program Files\Grisoft\AVG Free\avgupdln.exe
Protocol: TCP In
Remote: 0.0.0.0:10110
Details: C:\Program Files\Grisoft\AVG Free\avgemc.exe is an invisible application

Any ideas?

Also, I have noticed that I am regularly getting the following entered into the logs:

Date/Time :2006-05-22 21:45:56
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 86.29.247.207, Port = 16274)
Protocol: UDP Incoming
Source: 81.1.98.32:18968 
Remote: 86.29.247.207:16274 
Reason: Network Control Rule ID = 3


Date/Time :2006-05-22 21:45:56
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 86.29.247.207, Port = 16274)
Protocol: TCP Incoming
Source: 71.127.198.219:50368 
Remote: 86.29.247.207:16274 
TCP Flags: SYN 
Reason: Network Control Rule ID = 3


Date/Time :2006-05-22 21:45:41
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 86.29.247.207, Port = 16274)
Protocol: TCP Incoming
Source: 67.161.107.18:63562 
Remote: 86.29.247.207:16274 
TCP Flags: SYN 
Reason: Network Control Rule ID = 3

Always with varying source. I have no idea what these constant connection attempts are?

However, most importantly, do the above logs shed any light on the email problem?

Many Thanks,
Simon

[attachment deleted by admin]

Hi Simon, the 2nd log down you have shown, do you not get a prompt from cpf?

Description: avgemc.exe is a part of the AVG Anti-Virus suite. The process scans e-mails for viruses. This process should not be removed to ensure that your system security is not breached.
I noticed from your post it says this process is invisible, so maybe go to Security > Advanced > untick "basic popup logic" and see if it prompts for access. Hope this helps, tim

Nope. No pop up. I will try your suggestion when I get home tonight.

Thanks.