I’ve just had my first BSOD caused by cmdmon.sys :o. Minidump included. I thought it may be usefull to the developers…
[attachment deleted by admin]
Hi Bubu74
Yes, that is useful… thanks. I’ve emailed Egemen to tell him it is waiting for him.
Thanks!
But it appears that the BSOD was just the begining of the troubles. After a reboot, CFP logs huge amounts of Outbound policy violatation (ICMP=PORT UNREACHABLE) entries, about 10 per second! Destinations seems to be random IP addresses, even though I’m not trying to connect to any of those.
And the sys tray icon constantly shows in traffic (the red arrow), although there is none ???.
Everything worked fine untill about half an hour ago…
Any suggestions?
Loads of ICMP Port Unreachable’s to different destinations sounds like a P2P thing… torrent. Do have something like that running?
I think Egemen’s got the minidump already, so he’ll probably post back on that after he’s had a chance to analyse it.
No, it happens imediatly after reboot.
I’ve temporarily disabled logging, as it causes constant disk activity.
I’ll try another reboot, maybe it helps. ;D
That’s good news… 
Is your IP address dynamic or static? Also how do you connect to the Net?
I have a DSL connection, through a NAT router, my private IP address is static. THe connection between the router and my machine is wireless. My computer is the only one connected to the router (at least I hope so ;D)
BTW, the reboot didn’t help.
Sorry, I meant your Internet IP… if it’s dynamic then it is possible to pick up an IP address that was previously being used by a P2P user & get lots of hits because of that… But, after 2 reboots that is most odd. Since these ICMPs are outbound, then some application that you’d previously authorised must be connected with them. You’d better check the Task Manager & confirm that nothing odd is running.
My Internet IP address is dynamic, sorry I didn’t mention it in my earlier reply. And when the BSOD happened, I was running utorrent and DC++ ;D, so, what you’re saying may be true.
I don’t see anything unusual in the Task manager (in fact, I use Process explorer ;D), and I did a partial virus check of my system. Everything seems to be fine. Except for those log entries…
It may have been random, don’t know. I wouldn’t do anything unusual or anything, simply whatever site I was on and yes, the red arrow. Same here. Just constant and I never thought to check my logs but this was happening right before I got the BSOD. Curious.
Kail, think this may be pinpointing the problem? Do you like coffee or tea, do you drink pepsi or coke, do you…lolll. <sorry had to do that. 
Paul
I hope you don’t have those problems anymore…
Actually I did and right now have 2.3 , egemen took a memdump and some info. I did a mem test and all was peachy. I know them, they will find it and cure it in no time. That’s one thing for sure I can say is no one works faster at fixing a bug than CFP team. (:CLP)
Paul
It looks like my problems are solved :BNC
I just rebooted my router and reconnected to the internet, and I haven’t seen any of those ICMP outbound violations after that :). Everything works just fine…
Before that, I disabled my wireless connection, and connected with my ethernet adaptor (wired). The problems dissapeared. When I connected with my wireless adaptor, problems started again. That’s when I decided to reboot a router, and it worked.
Thank you very much for help, I appreciate it.
P.S. I’m looking forward to hear Egemen’s expert opinion on this… (V)
Hey, that’s great to hear! Yes, egemen will figure it out. Using 2.3 and no BSOD so i’m fairly sure it’s 2.4 in my case. I don’t mind really, 2.3 still works better than other firewalls by far so i’m not at any loss which is great.
Paul
And you still have that Close connection button… ;D
Seriously now, I’ m sure Egemen will figure it out, and I hope they will release another version to fix those issues left in 2.4, before the new major release.
After solving my problem yesterday, I did some testing to see if I can reproduce this strange behaviour…
I used utorrent for a few hours (my ISP will be happy ;D), and after closing it, CFP started to log Outbound policy violatation (ICMP=PORT UNREACHABLE), just like yesterday. I didn’t get the BSOD, though. Reboot of my router helped, again, just like yesterday. I guess the change of my IP address after reconnecting did the trick.
After that, I’ve done another test: I run utorent and closed it. again those Outbound policy violatations… Then I opened utorrent again, and the Outbound policy violatations stopped ???.
It looks like something on my system thinks that utorent (after being closed) still sends data, and since its port is now closed, CFP tries to block it. But I don’t know how can this be even after a few reboots. ???
I finally tried another thing - I changed the way how a router opens a port for utorent. I swithced from Port Forwarding to Port Triggering (this requires to check “enable uPnP” option in utorent).
And guess what - it worked! No more Outbound policy violatation entries in the logs.
That all makes sense to me. If you suddenly stop uTorrent, then since the application is gone CFP has no Network Monitor rules to cover the traffic, thus it hits the default block & log rule. Run uTorrent again, CFP has the application for its rules & is happy.
uPnP? That’s a system service… once running, it will not stop willingly. So, in effect, your never stopping this application. CFP always has the Application Monitor rules for uPnP & doesn’t log any default block errors in the Network Monitor.
But why run the vulnerable uPnP service? Why don’t you stop that service and create a block rule with no logging (a silent block) in the Network Monitor for outbound ICMP PORT UNREACHABLEs, just before the final block & log rule. Save on resources and is safer.
The only thing that doesn’t make sense is why did I have those ICMP=PORT UNREACHABLEs even after a reboot?
You are right about UPnP, and I didn’t use it before all of this happend. I’ve just enable it to see how will utorrent (and CFP) behave with it turned on.
Since it’s outbound, I could only guess. You’ll need to run something like SysInternal’s Process Explorer to see what is generating that traffic.