How to handle CPF

Ok, I think I have found out how the CPF should be handled.

  1. If you have a non-static IP address that is delivered from a DHCP server, you need to either disable ‘Do protocol analysis’ via 'Security->Advanced Attack Detection and Prevention->Miscellaneous', OR disable ‘Monitor DNS queries’ via 'Security->Application Behavior Analysis'. Both seem to do the job.

  2. Permanently allow EVERYTHING that uses explorer, svchost or services.

  3. Permanently allow everything that pops up with the word OLE in its description if it involves the files mentioned in point 2, if it involves any browser, AND any other program that needs internet access to work.

  4. You need a powerful antispyware and antivirus tool to prevent bad code exploiting point 2 and 3.

Not the best solution, but I don’t see any way around it.

  1. Depending on your scenario, you should not have to disable Protocol Analysis or DNS Queries, as long as you have the proper Network Monitor rules to allow the type of traffic necessary for DNS & DHCP. In some very odd cases (based on equipment requirements, possibly) users have found it necessary to do so, but for the majority this is not the case.

We can help you create those rules, by the way…

  2. You should only need an Application rule for svchost.exe with a Parent of services.exe. You shouldn’t have to grant explorer.exe individual internet access, nor the others. Services.exe, explorer.exe, and system will be Parents to other applications and processes (as with svchost, mentioned above), but shouldn’t have to connect on their own. Again, a proper ruleset is needed.

We can help you verify/confirm your rules…

  3. As I believe we have discussed before, if you know the applications they are safe to Allow with Remember, which will help you avoid that exact same combination of alert items again.

  4. Not really. As long as you keep Application Behavior Analysis turned on, if there is any hint that these applications/processes/services or any components thereof, have been exploited by malware, you will get a popup alert that the application has changed in some way. In that case, you will see messages from CFP like, “cryptographic signature has changed,” “such and such dll has been injected,” “application is sending special windows messages,” “has been modified in memory” and so on.

That tells you you should probably Deny (without Remember) to block the connection, and go about checking into the event to see what is going on, and why your AV, etc did not catch it…

And guess what? We’re here to help you with all that… :wink: Really.

LM

If you could help me create the right rules for my ADSL I would be happy.

I just got a Cryptographic alert about cpf.exe and cpfupdate.exe. :-\ I clicked allow.

I’ve been looking through the tutorial here on how to configure rules, but it seems to be specific to a LAN network, which I’m not using. I only have one computer. I’m a bit worried that my computer is badly protected because I had to turn off ‘Do protocol analysis’. Am I at risk? I haven’t noticed anything odd yet except for the Cryptographic warning mentioned above. Maybe someone hacked into the updating feature. :-\

If you go to Activity/Logs, you can find the entry for the cryptographic alert on CFP & the updater. Let me know what it says, verbatim (the details will show at the bottom of the screen, when you click on that alert; you may have to use the scroll bar, or just open the window to full-screen). It shouldn’t be an issue, but it’d be good to know what it says. And while turning off Protocol Analysis does decrease your security in some respects, it’s not something to panic over; there’s a lot of other security still in place.

We can sure help you set up your ADSL connection, and you’re right, you don’t need all the LAN rules, although we may use some of the same concepts, as you will see. I take it that you’ve been having trouble getting and keeping your connection, based on IP assignment from your ISP’s DNS and/or DHCP servers, correct?

To get started, if you can provide a few things:

  1. Open Network Monitor to Full-screen. Capture a screenshot, and save it as an image file (jpg, png, gif) and attach to your post. (More info on screenshots, if you need it, can be found here: https://forums.comodo.com/index.php/topic,6770.0.html or in the Tutorial Compilation)

  2. Open Application Monitor to Full-screen. Capture a screenshot… and attach to your post.

  3. What are you looking for from a firewall? That is, do you want a firewall that’s ‘set & forget’ and you don’t have to mess with it? Or, are you someone that likes to play around with it, try to break, fix, and figure it out, so you can create your own custom rules and security? (this will help with some steps to take as we get all this set up)

LM

Unfortunately the entry for the cryptographic alert has been overwritten by later alerts. Maybe next time… :frowning:

Sigh. So I have to create an account on an image host site? I tried Imageshack once, but I didn’t like how it worked. I guess I’m gonna have to do that again?

I think a set it and forget it is the best approach for me. Maximum security without breaking my connection is what I’m looking for. I’ll see if I can get my screenshots up here in a moment…

Ok, let’s see if I can upload my first image…

http://img27.picoodle.com/img/img27/8/6/13/mrsurfturf/f_Applicationm_bc7ca9e.jpg

Hurray! :BNC Here’s the next one…

http://img28.picoodle.com/img/img28/8/6/13/mrsurfturf/f_Networkmonim_2a952f5.jpg

Good job! (:CLP) No, you don’t have to do webhosting of the images; my post in that thread explains how you can use the “Additional Options” below your post’s textbox to attach images directly to the forum.

Some prefer one way, some prefer another. If you use the hosting method, you can also change the code just a little by including image tags and it will show the image instead of the link. For example, you have:

http://img28.picoodle.com/img/img28/8/6/13/mrsurfturf/f_Networkmonim_2a952f5.jpg

which only shows the link.

If you do it like this:

[img]http://img28.picoodle.com/img/img28/8/6/13/mrsurfturf/f_Networkmonim_2a952f5.jpg[/img]

it will give you this result:

http://img28.picoodle.com/img/img28/8/6/13/mrsurfturf/f_Networkmonim_2a952f5.jpg

But that’s all a side note… now on to the ‘good stuff.’ You might print this out in case you have any difficulties connecting while we’re in the process…

I see only one issue at the moment. Go to Application Monitor, open the rule for svchost.exe, and change it from TCP/UDP In to TCP/UDP In/Out. Since Outbound is not currently allowed for that application, it cannot communicate with the servers as it needs to, for your connectivity. So that should help.

Okay, Set & Forget, then.

Turn Protocol Analysis & DNS Queries back On; as I said, you shouldn’t need to have them turned off.

Then go to Security/Advanced/Miscellaneous, move the Alert Frequency slider to Low (it’s already there by default) or Very Low (Very Low gives you one alert per application; no details… this is the best for your ‘set & forget’). If you want set & forget, I really think Very Low is the way to go.

While you’re there, make sure the 2nd box from the top, “Do not show alerts for applications certified by Comodo” is checked, both “Skip Loopback…” boxes are checked, and towards the bottom, the box to update the certified safelist is checked (sorry, I don’t remember the exact wording on that one, and am not at a computer with CFP 2.4 right now). (Yes, I’m working completely from memory at this point…). OK.

Then go to Security/Tasks/Scan for Known Applications. Follow the prompts; it may suggest you reboot when finished, but you don’t have to just yet.

On your desktop, go to Start/Run, and type “cmd” (without the quotes). When the DOS window opens, type “ipconfig /all” at the prompt.

This will give you information (which you will need). Make a note of these IP addresses: Default Gateway, DHCP Server, DNS Server.

I’m guessing that your DHCP & DNS Servers will either be the same, or sequential (unless you’re behind a router, in which case you will have DHCP & DNS that are router IPs, and probably a DNS that’s your ISP’s). To set up an example, let’s just say that you use a router, and have the following:

DHCP: 192.168.0.1
DNS: 192.168.0.2, and 123.345.45.56 (which would be your ISP’s server)

In CFP, go to Security/Tasks/Create a Zone (we’ll do this twice, once for each IP address range). Name the first one (for instance) Router. For the starting IP, put 192.168.0.1; for the ending IP put 192.168.0.2.

Now Create a Zone again. Name it ISP DNS. For the first IP, put 123.345.45.56 (as per my example); for the second, put the same again.

Now go to Security/Tasks/Define a New Trusted Network (we will do this twice also; once for each Zone). Select the first zone from the dropdown menu. Then do it again, for the second zone.

Each time, it will create two rules at the top of your Network Monitor (positions Rule ID 0 & 1). The first will Allow IP Out from Any (your computer) to Zone; the second will Allow IP In from Zone to Any.

So for the case of this example, you would have four new rules at the top of your Network Monitor. These rules will allow all necessary communication to establish and maintain your internet connection. It can be done without creating trusted zones/networks, but it requires more tweaking; this way is the sure-shot no interrupts method.

Now you reboot, and you should be all set. There is only one thing that might occur; it will depend on your ISP. It is possible that they don’t have just one local server for you to access; they may have a range. If so, it is possible that at some point in time it would not be able to update your connection. The easiest thing to do would be to contact your ISP and find out the IP range for the DNS servers that you access. Go back into Security/Tasks/Modify a Zone. Open the ISP DNS zone, and change the start/finish range to match what they tell you. And that’s it. You can do this even if you don’t experience a problem, to forestall such from occurring.

I know this is a lengthy post; if you have any questions that need clarifying, please ask and I will do so.

LM

I’m sorry, I don’t understand. I don’t have a router, yet the IP for DHCP is completely different from the DNS IP’s, contrary to your example. I have 4 DNS IP’s. 3 are almost the same except for the last 3 numbers, and one has completely different numbers compared to the other 3.

Do you mean the first rule I enter I name ‘Router’ and put the DHCP IP in, then new rules for each of the DNS IP’s?

Also there are a Start Range and an End Range field. What should I type there?

Alright, after I’ve re-read your post a few times I see that maybe you mean that the Start Range is the DHCP IP and the End Range is the DNS IP. But I have 4 DNS IP’s.

Sorry, I was trying to cover all bases in one post. That’s bound to lead to confusion…

If you don’t have a router, then disregard that aspect of it. The differing numbers is not what I’m used to, but where you are things may be different; it’s not anything that is cause for concern, it just makes it a little more complex, is all (and probably why you were having problems).

Are the DNS server IPs sequential? (ie, xxx.xxx.xx.123, xxx.xxx.xx.124, and so on) or are they completely separate numbers?

Does the DHCP server start out the same (ie, the first segment of numbers, 123.xxx.xx.xxx) or is that different as well? The range for your ISP, that I looked up, was the same for the first two segments, and extended only in the third (ie, 123.456.xx.xxx), so I just want to make sure we’re not too far out in left field…

Let’s take that for the moment. I’ve already caused enough confusion, I’m afraid… My apologies.

LM

Ok, let me give you some fake IP’s just so you see what it looks like:

IP address: 90.242.73.510

Standard-Gateway: 90.242.73.5

DHCP server: 721.32.486.162

DNS servers: 950.46.211.920 (*)
18.66.217.6
950.46.211.924 (*)
950.46.211.919 (*)

The ones with the (*) are almost alike. It’s not the right numbers, but the sequence in the example is the same.

Okay, that’s certainly odd… Have you done an IP Lookup (such as WhoIs) on these to see if they are from your ISP?

Using the numbers in your example, create these two zones:

DHCP (or whatever name). Start 721.32.486.162 / Finish 721.32.486.162

DNS (or whatever name). Start 950.46.211.919 / Finish 950.46.211.924 (looks like they’re using a range, so we’ll include the missing ones)

If the oddball DNS server is confirmed to match your ISP, you can create a Zone for that as well, such as:

DNS 2 (or whatever). Start 18.66.217.6 / Finish 18.66.217.6

Then use the Zones to Create Trusted Networks.

LM

PS: If you want to PM me specific IP details, that’s fine, and we can discuss a little more in private. (As a Moderator, I can see the IP you’re posting from.)
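The procedure LM laid out earlier (run ipconfig /all, note the Default Gateway, DHCP Server and DNS Servers, create a Zone per address or range, then turn each Zone into a Trusted Network) and the range-plus-oddball advice in the post above, as an added worked example. This is not code from the thread or from Comodo, and CFP 2.4 is configured by hand in its GUI, so the script only computes what you would type into Create a Zone and what the Trusted Network wizard then puts in Network Monitor. The ipconfig text is constructed from documentation/benchmark address ranges (the thread's placeholder addresses have octets above 255 and would be rejected), and the zone names and rule ordering are assumptions.

```python
"""Turn `ipconfig /all` output into the CFP 2.4 Zones and Trusted Network rules."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ipconfig /all` (Windows XP layout) built from
# documentation/benchmark address ranges; not output from a real ISP link.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.0.2.77
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.0.2.1
        DHCP Server . . . . . . . . . . . : 198.51.100.162
        DNS Servers . . . . . . . . . . . : 203.0.113.20
                                            198.18.217.6
                                            203.0.113.24
                                            203.0.113.19
        Lease Obtained. . . . . . . . . . : Monday, 13 August 2007 10:22:15
"""

# "Field . . . : value" -- the field name never contains a colon, so the first
# colon is the separator even when the value (a timestamp) contains colons.
_FIELD = re.compile(r"^\s*([A-Za-z][^:]*?)[ .]*:\s*(.*?)\s*$")

def parse_ipconfig(text):
    """{field: [values]}; indented continuation lines (the extra DNS servers)
    are appended to the most recent field."""
    fields, current = defaultdict(list), None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            current = m.group(1).strip()
            if m.group(2):
                fields[current].append(m.group(2))
        elif current and line.strip():
            fields[current].append(line.strip())
    return dict(fields)

def _ip(value):
    """One IPv4 address, or None for anything invalid (an octet above 255)."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None

def server_addresses(fields):
    """The addresses the post tells you to note down from ipconfig /all."""
    def pick(name):
        return [a for a in map(_ip, fields.get(name, [])) if a is not None]
    return {"gateway": pick("Default Gateway"), "dhcp": pick("DHCP Server"),
            "dns": pick("DNS Servers")}

def _by_slash24(addresses):
    groups = defaultdict(list)
    for a in addresses:
        groups[ipaddress.ip_network(f"{a}/24", strict=False)].append(a)
    return list(groups.values())

def oddball_dns(servers):
    """DNS servers sharing a /24 with no other DNS server: whois these first."""
    return sorted(g[0] for g in _by_slash24(servers["dns"]) if len(g) == 1)

def build_zones(servers):
    """CFP Zones as (name, start, end). DHCP gets a single-address zone; DNS
    servers in one /24 collapse to a start/end range (the x.919-x.924 case).
    Caveat: that range also trusts the unlisted addresses in between."""
    zones = [("DHCP" if i == 0 else f"DHCP {i + 1}", str(a), str(a))
             for i, a in enumerate(servers["dhcp"])]
    groups = sorted(_by_slash24(servers["dns"]), key=lambda g: (-len(g), min(g)))
    for i, g in enumerate(groups):  # largest block first, so it is named "DNS"
        zones.append(("DNS" if i == 0 else f"DNS {i + 1}", str(min(g)), str(max(g))))
    return zones

def trusted_network_rules(zones):
    """The pair 'Define a New Trusted Network' adds per zone: Allow IP Out
    Any->Zone and Allow IP In Zone->Any. Each pair is inserted at Rule ID 0
    and 1, so the zone defined last ends up at the top of Network Monitor."""
    rules = []
    for name, start, end in reversed(zones):
        zone = f"{name} [{start}-{end}]"
        rules.append({"action": "Allow", "protocol": "IP", "direction": "Out",
                      "source": "Any", "destination": zone})
        rules.append({"action": "Allow", "protocol": "IP", "direction": "In",
                      "source": zone, "destination": "Any"})
    return [dict(r, id=i) for i, r in enumerate(rules)]

if __name__ == "__main__":
    found = server_addresses(parse_ipconfig(SAMPLE_IPCONFIG))
    zones = build_zones(found)
    for z in zones:
        print("Zone %-6s start %-15s end %s" % z)
    for r in trusted_network_rules(zones):
        print(r)
    print("verify with whois:", [str(a) for a in oddball_dns(found)])
```

On the constructed input this yields a DHCP zone of one address, a DNS zone spanning 203.0.113.19 to 203.0.113.24, a separate DNS 2 zone for 198.18.217.6, and flags 198.18.217.6 as the one to look up with whois before trusting it. The collapsed range is the part worth a second look: every address between .19 and .24 is trusted for all IP traffic in both directions, which is exactly the tradeoff LM describes as the sure-shot method, so keep the range as narrow as your ISP's answer allows.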

Ok, if you could just tell me how I do a whois exactly, I’ll get right to it. (:SHY)

Sure thing (:WIN)

http://www.iptools.com/ In the center column there’s a box for Whois Lookup (Domain). Type the IP address in there and click Go.

You think you could do it for me instead? There are all those options and drop down boxes I’m getting dizzy. I’ll PM you.

Sorry, I must be getting tired. You explained where to type the IP but I missed it. Ok, looking it up…

Ok, it looks like I got it all set. Just rebooted my computer after I turned on ‘Monitor DNS Queries’ and ‘Do protocol analysis’, which I had to have turned off earlier. In half an hour or so I will know if my ISP failed to refresh my IP.

By the way, I just got a new cryptographic warning again about cpf.exe and cpfupdate.exe, but couldn’t find any log about it.

Thanks a million for your help! :SMLR

Just one more question. What about the other rules on the Network monitor? Do I need to keep them?