Sometimes CFP permits blocked connections [RESOLVED]

Hi guys;

Sometimes, at random boots, CFP doesn’t block IPs that I have in my blocked addresses AND explicitly ruled to block in ALL apps (and, ALSO, have included in “My Blocked Network Zones”).

Let me explain: I have one computer connected to the internet by one cable-modem, no router. I have 10.0.0.0-10.255.255.255 and some other IPs included in “Network Zones” named as “blocked”. In ALL applications I have a rule to block and log all “IP - in/out” of that “blocked” zone. Sometimes this works fine, but sometimes it doesn’t. I have PG2 too, and, when it doesn’t work PG2 blocks all that incoming garbage, for example blocking all connections from 10.0.0.0-10.255.255.255, works a lot, blocking many connections that CFP seems to allow… AND SOMETIMES IT DOESN’T (when CFP seems to work ok). Looking at the logs shows the same thing.

The only way to get CFP working right is to try another boot… and so it goes on… until PG2 doesn’t block all that garbage… Sometimes I have to re-boot 3 or 4 times.

It doesn’t matter the “number” of the IP blocked. It happens with any.

I did try “Miscellaneous/Diagnostics” and a total clean re-install 3 times, and still the same.

Any idea?

Did someone else notice this?

edit: I have done a full scan of “bacterias” with online BitDefender, PANDA, and with my Ad-Aware and NOD32, AND CFP… my system seems to be clean…

Sorry; but what is PG2? You are apparently trying to block all of the noise traffic from your cable modem neighborhood, with both PG2 and with CFP3? Can you post one of your logs and your global block rules?

PG2 means Peer Guardian 2. There are a lot of known issues with PG2 and other software.

PeerGuardian isn’t working for me, or is interfering with my firewall. What can I do?

PeerGuardian is known to be incompatible with McAfee and BlackICE firewalls. Outpost is also known to cause a problem if you shut down PG2 while it is running. There is currently no way around this, so we recommend you try switching to another firewall like Sygate. If PeerGuardian still isn’t working, you can try an alpha build to see if it’s been fixed, or report a bug.

http://phoenixlabs.org/pg2/faq/

BTW I like your sig. Try never having an infection in over 6 years then we can talk.

Thank you all.

@ Sded: Yes, I’m trying to do that. I’ll make some screen-shots tonight (now is working-time…)

@ Vettetech: Oh! Try another FW? NO-WAY !!! (with respect) ARE YOU CRAZY??? CFP is just great! Only this issue, that happens with v21.329, but both PG2 and CFP seem to be working without problem (I only have to re-boot if I notice that CFP isn’t blocking the “blocked” incoming garbage and PG2 is). Older versions of CFP didn’t show that. Maybe some incompatibility with PG2-RC1-test2 in this version. I will try PG2-b6c again, if tomorrow’s new CFP version shows the same… I’ll let you know what happens.

I’m not the only one who uses this machine, and my sons are very creative and curious at their 17yr… so, 19-20 months without any infection is just great to me! This is my time with Comodo! hehehehehe… I’ve tried Outpost, ZA-Pro, Jetico and others, and now, with CFP I don’t hear that call anymore: “Dad…”

THANK YOU !!!

Have you tried running just CFP3? It has worked OK for other cable users without Peer Guardian who have posted asking what all the blocks were - they weren’t expecting the “neighborhood” behavior. :wink: Changing behavior on boot looks suspiciously like interference between the applications. One reason for the log request is that there is usually also some traffic that actually is between you and the cable network, and SPI may allow that in anyway - does anything look legitimate? Makes me glad I have DSL with a direct DHCP link. :slight_smile:

I didn’t say try another firewall. That is a quote from the PG site.

First question, is there anything in the logs? Particularly after something apparently gets thru, but before doing a boot.

Second question, have you tried running the Firewall Configuration Reporting Script (in the sticky topic at the top of the forum page)? That should confirm that what you think you’ve got CFP set to do, is what it is set to do. And, again, after something apparently comes thru but before a reboot, run the script again to see if CFP settings have been somehow changed.

If both of those questions don’t give any leads on the problem, I’ll suggest running the current version of HijackThis from http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis just as a reality check. I wouldn’t expect it to find anything, but it won’t hurt to be sure.

First of all: I’ve NEVER doubted CFP. In any way.

And I think that I’ve found something after I did the following sequence:

  1. still with CFP-v21, I’ve downgraded from PG2-RC1 to PG2-b6c => same results;
  2. full uninstall of PG2, and registry clean removing all pgfilter garbage;
  3. full uninstall of CFP (run “CFP3 File+Registry Cleaner” bat cleaning AND manual clean of all registers left);
  4. clean install CFP v21;
  5. Install PG2-vb6c => same results
  6. full uninstall of PG2 with all possible registry cleaning;
  7. upgraded to CFP v22;
  8. install of PG2-b6c => same results;
  9. changed my CFP D+ configurations according to:

a) old setting = D+/Advanced/Defense+ Settings/General Settings was with “Block all the unknown requests if app is closed” ticked only, “My Trusted Software Vendors” was including Comodo, MS, Diskeeper and ESET.

b) new setting = “Trust the app digitally signed…” and “Block all the unknown requests…” ticked ON but with “Comodo CA Limited” and “Comodo CP, Inc” ONLY, as “My Trusted Software Vendors” listed (erased all else but not Comodo) => working fine after at 12 re-boots; but it didn’t solve the issue - the problem is back.

I think that this is not the main incompatibility, but it is a start to track.

(@ Sded: sorry for not uploading some screen shots… time-saving… I’ve been trying all possibilities instead…)

edit: I’ve checked all incoming requests with WireShark in between these tests…

Have you tried running only CFPv22? With all of the reported PG2 incompatibilities and the many CFP users who are on cable and don’t use PG2, this certainly seems worth trying. But I don’t see it on your list.

@ Sded: PG2 helps me to not accept unwanted inbound/outbound connections to unwanted destinations… it blocks a lot of IPs… ~3,155 billions… and I think that CFP is not able to do that the way PG2 does… that’s my (and too many others) price to be a torrent fan… If CFP was able to accept BISS blocklists, no one would be in need of PG2…

I’ve tried to run CFP only and IT BLOCKS everything that is listed without any problem, OK SOMETIMES ONLY.

edit: updated my information after 1 day without PG2 and a lot of re-boots.

I tried everything, from clean re-install (after register cleaning, including Legacy devices) to a total uninstall of PG2, but no success.

In 4 out of every 5 boots CFP permits that incoming “garbage” from 10.xxx.xxx.xxx and from an IP of my ISP (not a DNS server nor DHCP server) explicitly listed on “My Network Zones” as Blocked Addresses and with a Global Rule blocking that zone (plus a blocking rule for every app, all of them incl. WOS, System…). Including that “Blocked Addresses” zone in “My Blocked Network Zones” doesn’t help either.

Checking on “Attack Detection Settings”/“Protect ARP Cache” and “Block Gratuitous ARP Frames”, AND checking ALL options on “Attack Detection Settings”/“Miscellaneous” didn’t help either.

After booting my PC, when I get those unwanted incoming connections, if I change my Firewall Security Level to “Block All Mode” for 3 minutes and then return to “Custom Policy Mode” ALL that garbage is blocked by CFP. This means that CFP is allowing some connections on boot-up, isn’t it?

Tried creating a simple rule on every app blocking all incoming IP protocols from 10.0.0.0 - 10.255.255.255 but, again, no success. The same results.

HijackThis didn’t catch anything wrong. Process Explorer NT too. My system is clean. Scanned by CFP, NOD32, BitDefender, Kaspersky, Ad-Aware and Counter-Spy.

Crazy, isn’t it?

Has someone else noticed this?

This is a serious issue! Everything else is great on CFP. Passed many tests (GRC, PCFlank, etc…).

Any idea?

edit: results from running “cfpv3-config.7221” script:

  1. error:

    http://img87.imageshack.us/img87/2474/errorna1.th.png

  2. full results (CFP_Report.txt file). Please, use this workaround: go to http://deviloid.6pix.net/uploads/046b87ebe8.jpg and get the file this way: Right-Click and “Save As…” and, after downloaded, CHANGE the extension from “.jpg” TO “.txt”. That’s it.

Interesting… Your Firewall Config Script report is showing 3 CFP configurations, of which one doesn’t seem to be doing anything in that it doesn’t define any network zones other than the Loopback Interface.

Two of these look to be standard Comodo configurations (“Comodo - Optimum Security” and “Comodo - Network Security”). The third is named “22.349e”, which sounds like it might be a version update gone bad. The report is showing that this “22.349e” configuration is the one in use, but there are no rules defined.

My suggestion is to delete this “22.349e” configuration, and change to use the “Comodo - Optimum Security” configuration, which does have rules defined.

To do this, click CFP → Miscellaneous → Manage My Configurations. Click “Select”, and click “Comodo - Optimum Security”. That should make this configuration your active configuration.

Then click Export, and choose “22.349e”. This will make a backup to restore later if there is any kind of problem. Then click Delete, and choose “22.349e”.

I’m guessing that you’ll need to reboot, or at least restart CFP, just to be sure the selected CFP configuration is in place and working.

Getting rid of that empty configuration likely will take care of the problem. If not, then I’ll ask that you run the Config Report Script again, so to check all the settings that are actually being used at that time.

My Firewall Config Script report may not be complete (error). 2 of those configurations are “default” created at the first boot after CFP install, and are not in use now.

I did try a new install AND new configurations from scratch, more than 4 times. The problem always persists.

Running Config Script always gives me the same error, shown above, and doesn’t report the full state of my configs.

edit: hmmm …maybe inspect.sys is being loaded too late at the boot process !

The Config Script report looks to be complete. When the script finishes, it presents the report to you in Notepad. If you got that, the script did finish.

In CFP, did you change the active configuration from the empty “22.349e” to the “Comodo - Optimum Security”? That “22.349e” isn’t doing anything, and is likely the cause of the problems you’re experiencing.

Quote :

Why Teredo blocking is important
All Windows Vista machines come with a service known as “Teredo” enabled by default. This enables you to access the IPv6 internet using IPv4. It also means that any IPv4 user can masquerade as being on IPv6 in attempt to evade IP blockers and firewalls.


Peerguardian RC1 (not Peerguardian 2.0 Beta 6b) :

Windows Vista support:
Full support for IPv4 and IPv6.
Detects IPv4 users masquerading under Teredo and 6to4 IPv6 addresses.
Connections do not need to time-out like they do in XP, which means faster browsing with ad blocking lists.
UDP “connections” are detected, meaning only the first packet of a UDP protocol will be logged. This allows for much less CPU and disk usage in new P2P projects like Rodi and Freenet.
Compatible with ALL firewalls.
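The Teredo/6to4 point quoted above, as an added example that is not part of the original thread and is not PeerGuardian's or CFP's code: an IPv4 blocklist only catches tunnelled traffic if the IPv4 address embedded in the IPv6 address is extracted and checked too. The blocked zone is the 10.0.0.0-10.255.255.255 range from the thread; the function names and sample addresses are constructed for illustration, and IPv4-mapped addresses are handled as an extra case beyond what the quote mentions.

```python
import ipaddress

# Constructed blocked zone: the 10.0.0.0-10.255.255.255 range from the thread.
BLOCKED_ZONES = [ipaddress.ip_network("10.0.0.0/8")]


def embedded_ipv4(addr):
    """Return [(kind, IPv4Address)] for every IPv4 address carried by addr."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return [("ipv4", ip)]
    found = []
    if ip.teredo is not None:
        # Teredo (2001:0::/32) carries the relay server's IPv4 address and the
        # client's IPv4 address, the latter stored bit-inverted.
        server, client = ip.teredo
        found.append(("teredo-server", server))
        found.append(("teredo-client", client))
    if ip.sixtofour is not None:
        # 6to4 (2002::/16) carries the IPv4 address in the next 32 bits.
        found.append(("6to4", ip.sixtofour))
    if ip.ipv4_mapped is not None:
        # ::ffff:a.b.c.d
        found.append(("ipv4-mapped", ip.ipv4_mapped))
    return found


def blocked_reason(addr, zones=BLOCKED_ZONES):
    """Return a string naming the first blocklist hit, or None if addr is clean."""
    for kind, v4 in embedded_ipv4(addr):
        for zone in zones:
            if v4 in zone:
                return f"{kind} {v4} in {zone}"
    return None


if __name__ == "__main__":
    # Constructed sample addresses: plain IPv4, Teredo, 6to4, native IPv6.
    for sample in ("10.1.2.3",
                   "2001:0:4136:e378:8000:63bf:f5fe:fdfc",
                   "2002:a01:203::1",
                   "2001:db8::1"):
        print(sample, "->", blocked_reason(sample) or "not blocked")
```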

Thanks guys,

Many new updates these days. XP-SP3 included.
I was using PG2-RC1, but I temporarily changed to Beta-6C to see if it helps. But nothing! Back to PG2-RC1.
Well, after all this issue still persists. Weird. Very weird.
My config-script report uploaded IS corrupted due to the script-error, AND it is NOT complete. “22.349e” has a bunch of rules and it is not empty at all. AND it is working!
Anyway… as I said before, I did try AGAIN, after all updates, a total new and clean install, and started with the default rules. After this, I just added a rule to block all unwanted IPs… 10.0.0.0-10.255.255.255, and the issue persists.
AAArrghhh… I’m going to buy/use a router (LinkSys). Even if I have only one PC connected to the cable-modem.
I’m tired of this. Very.

THANK YOU ALL.

FINALLY !!! v3.0.24.368 was released!

My issue seems to be “cured” after 12 re-boots with full success!!!

THANK YOU !!!

Glad that you finally got it all to work.

I’ll mark this topic as resolved. If you need it reopened, just PM any of the moderators, and it’ll be unlocked for you.