Herein I shall attempt to help myself solve the following problem:
Starting Sunday, 3/11/07, I am unable to connect my email client, TBird, to the internet to check my mail accounts. CFP is blocking the connection attempt by Network Rule ID 6 (the block all rule) because of SYN on the outbound from TBird.
Here’s how/when I noticed it.
Late Saturday, I decided to crank down my TB app rules as I have done my browser rules, and limit the ports (I just hadn’t done it b4). So I did that, limiting it to Ports 25, 110. Then on Sunday CAVS did a sizable update (took a few minutes), but didn’t require a reboot. TB also upgraded (the application, not extensions/themes), no reboot required. Later I checked email, to see how CavEmlSvr.exe did on CPU usage. I couldn’t connect; they all failed.
I removed the Application Rules for TB and CES. Exited CFP, restarted. Allowed with remember, for any alert that came up; same result (didn’t realize at that point it had gone into lockdown). Watched connections, saw TB connection drop. Checked logs, see the blocks for SYN.
Disabled CAVS email scan entirely. Reboot. Same thing, SYN block on TB. Still blocked, for SYN. Here’s something odd, tho… it still allowed browser to connect. Increased flood values, exited CFP, restarted, still blocked for SYN. Rebooted. Still blocked for SYN. Disabled Protocol Anlysis; exited, restarted, still blocked for SYN. Disabled Block fragmented IP datagrams, exited, restarted, still blocked for SYN. Rebooted.
This morning b4 coming to work, with Flood values increased, & Advanced Attack Detection off, tried to check again. Same thing, TB blocked because of SYN. Change to Allow All, it connected no problem.
I thought at first it was related to CAVS, since that’s a Beta. But with email scan disabled it’s still doing it, so that’s not it. Thought it might’ve been related to the rule change, but that has been reverted to the previous settings (and a reboot), so it’s not that. It’s either related to the TB update, or some CFP update (if it did one over the weekend; I have not previously filtered cpfupdat.exe’s access to the internet from home, so it could have without me knowing).
So the next questions are:
What version of TB?
What version of CFP?
answer: Don’t know. I didnt’ check; have to do that tonight, and post some relevant logs.