Selecting "Enable Anti-ARP spoofing" Blocks Entire Internet [M1219]

airatgab · October 17, 2014, 5:42am

Find the answer in the view logs. The screenshot.

Chiron494 · November 19, 2014, 9:16pm

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.0.0.4337) and let me know if this is fixed on your computer with that version.

Thank you.

lugo_58 · November 19, 2014, 9:53pm

Hi Chiron,

I am not a user anymore. Sorry I can’t check this.

Regards,
yigido

Chiron494 · November 20, 2014, 5:06pm

I’m very sorry to hear that. If in the future you, or anyone else, is able to check this issue please respond and let me know.

Also, yigido, even though you are not a CIS user anymore, please do feel free to still ask any questions you may have.

Thanks.

lugo_58 · November 30, 2014, 3:34pm

Hi Chiron,

I installed CIS today. This problem still exist. CIS when Anti-ARP Spoofing enabling, blocks my entire connection.

What can I do now?
Thanks

qmarius · November 30, 2014, 6:43pm

I’ve updated the tracker data.
Could you post your FW logs (while you’re experimenting this issue, recommended after you cleared the logs initially)?

Thank you.

lugo_58 · November 30, 2014, 7:10pm

How can I do this? Can you explain me

SanyaIV · November 30, 2014, 7:39pm

[ol]- Open CIS, go to Tasks and choose View Logs

You may want to clear your logs and then re-do the experimenting with the ARP setting so that old irrelevant log content is removed.
Choose Firewall Events in the drop-down menu.
[Optional] Right-click anywhere and click Entire Period and then press Date two times so that it is in a order of time with the latest events at the top.
Right-Click anywhere and then click Export
Type in a name and save the file to any location you want.
Attach the file in a reply to this thread.[/ol]

lugo_58 · November 30, 2014, 8:05pm

Hi @Sanya thanks for your help
but there is nothing I saw in the firewall logs.
I will attach it anyway.

[attachment deleted by admin]

SanyaIV · November 30, 2014, 8:08pm

I just checked it and it is indeed empty. (Just wondering, did you choose “Entire Period” under the optional instructions of point #4?)

lugo_58 · November 30, 2014, 8:11pm

I did all steps, do not worry. If you wants to see which connections blocked by CFW. There is no block for the sites.
Enabling Anti-ARP spoofing is blocks my entire (whole) connection. When I disabled it, the pages automatically loaded.

qmarius · November 30, 2014, 8:13pm

We are mainly looking for FW events triggered by the operating system and relations between Source IP and Destination IP (ARP protocol).

nasion · January 1, 2015, 8:35am

yigido post:1:

1. The full product and its version:
COMODO Internet Security 8.0.332922.4281 BETA

2. Your Operating System (32 or 64 bit) and ServicePack revision. and if using a virtual machine, which one:
Windows 7 Home Premium x64 SP1 - Real Machine

3. List all the configuration changes you did. Are you using Default configuration? If no, whats the difference?:
The change to the configuration which causes this is “Enable Anti-ARP spoofing”. Other than that the configuration is default.

4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
It is a clean install

5. Other Security, Sandboxing or Utility Software Installed:
No, only CIS.

6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:
1: I installed CIS v8 Beta and rebooted
2: After reboot I select the option for “Enable Anti-ARP spoofing”.
2: After this I find that I have no internet connection available.
3: Unchecking “Enable Anti-ARP spoofing” allows my computer to communicate with the internet.
4: A video showing this issue is attached to this post.

7. What actually happened when you carried out these steps:
If “Enable Anti-ARP spoofing” is selected my internet connection is blocked.

8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
Selecting “Enable Anti-ARP spoofing” should not block my internet connection.

I am sorry for my late , and I do not reproduce your problem.
My enviroment and steps are same with you ,expect for Windows 7 Ultimate x64 . Now I am begining to download Windows 7 Home Premium with Service Pack 1 (x64) system for test ,but differences is very small between these two systems ,We will make our efforts for reproducing your problem 。
I find your network is wireless (I test on wired network and wireless network), did you test this issue using wired network or would you reproduce it on virtual machine ?
Thanks for your feedback and Looking forward to your reply。

lugo_58 · January 1, 2015, 1:41pm

This is my dormitory internet… Problem is only exist this dormitory internet.
When I am at my friend home, problem dissapeared… I think problem is not CIS, the problem is my network.
You can move the topic as resolved issue.
Thanks

nasion · January 1, 2015, 5:39pm

if the reason is your network,then your network is attacked by ARP spoofing at the time when your mac cache is timeout. Because cis donot know the mac of gateway and the attacked arp is droped .leding to that system donot know gateway mac， so there is no net package.

you can call the cmd.exe ,arp -d,and ping the ip of gateway or router to get correct mac or the mac of attacker .then arp -a ,and find who the mac come from . or you can use wireshark to filter arp .
I donot know if it is useful for your network . good luck!

qmarius · January 1, 2015, 6:49pm

There is a contradiction between these statements. Thus, the issue should not be marked as “Resolved”.

nasion · January 3, 2015, 2:47pm

if you also reproduce , you can try bind the ip of gateway with mac of gateway by follow:
1 netsh i i show in
2 find your the index of local network ,eg 12
3 netsh -c “i i” add neighbors 12 192.168.1.1 00-23-cd-a4-b3-ce , 192.168.1.1 is instead of the ip of gateway, 00-23-cd-a4-b3-ce is instead of the mac of gateway。
4 enable network card (wired network) to promiscuous mode

you repeat the steps before now to see if it also happens and capture packet by wireshark from begin to end ,then you save the packtets to a local file . check if it is same ,when turn on wireshark and turn off wireshark,because attacker maybe force network card to drop the packet,we will force network to receive the droped packet when turn on promiscuous mode.

I am looking forward to your reply and hope to get your wireshark local file .thank you !

wasgij6 · March 12, 2015, 2:05am

Hello,

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.1.0.4426) and let me know if this is fixed on your computer with that version.

Thank you.

lugo_58 · March 13, 2015, 7:45pm

Hello,

Today I tested new Beta of CIS 8.2.0.4474… and problem still exist in this beta.
Symptoms are same as the first post. You can see the problem in to the video which attached in the first post.
I attached new diagnostic report and some other needed files. I also attached “Firewall Pro” folder into ProgramData path of CIS.

Inform to you mods and devs
Regards,
yigido

[attachment deleted by admin]

lugo_58 · March 13, 2015, 7:48pm

I almost forgot…
This issue only happens when I am online on my dormitory internet connection…
While I am connected to my mobile hotspot connection the problem is not happen…

It is clear that there is a problem between my dormitory internet and CIS.

Thanks,
yigido