McAfee firewall exception in CPD.exe

Guest
Archived from groups: comp.security.firewalls

Hello Group:

System One
Win2K SP4, IE6SP1
Scan Eng 4.3.20
DAT 4.0.4359
AV 6.02.3000.1
FW 3.03.1000.0
All Windows updates applied to OS and browser
Dial Up

System Two
NT4-Sp6 IE5.5-SP2
Scan Eng 4.3.20
DAT 4.0.4359
AV 6.02.3000.1
FW 3.03.1000.0
All Windows updates applied to OS and browser
Dial Up

Both systems shared the same settings
Allow ARP and DHCP
Other protocols: Allow other than IP, ARP, RARP- Block incoming fragments.
IPX-in-IP Allow other than IP, ARP, RARP- Allow incoming fragments.
Allow Identification
Manual update

AV scans from command window and/or safe mode do not show virus present.

I have noticed that whenever Firewall starts, three services rush out for
internet access. The services are services.exe, svchost.exe and Isass.exe.
If you deny access to services.exe the firewall will report the following
error and the browser will report a DNS error (will not load the page).
Denying access to the other two services will not cause the error if access
to services.exe was previously given:

"McAfee Firewall caused an exception c0000005 at offset 4017c3 in CPD.EXE
(FwMon_SocketClosed). If this condition is repeatable and prevents McAfee
Firewall from operating properly, please report the details of the exception
to McAfee Technical Support."

I know, thanks to Kelly, what this error means already.

The fix given to uninstall and reinstall may fix the symptoms for some users
but not all. If it does work for some users, why?

I have followed the instructions on other posts at www.mcafeehelp.com and I
have used the regular and the forced (manual) uninstall and also have
removed ALL occurrences of McAfee from the registry, have removed all temp,
cookies etc. Looked for VPN, etc.
I have loaded the virus scanner, let it finish loading and then started the
firewall.
I have uninstalled the FW only and reinstalled it following the instructions
given.
Please, this error is getting annoying. Have you any good suggestion other
than reinstall or upgrade?

I did not have this error in 2002-2003

Even if manual update (VSMain.exe) is not allowed access to the internet it
will show the exception. This did not happen when I purchased this
software.

The FW seems at the same time to be able to hold TCP and UDP packets, I can
see it on the violations window, but I have no way of knowing if a packet
passed. www.GRC.com and www.scan.sygate.com show all ports blocked.

I used to do most of my work on NT4 SP6.
NT4.0 SP6 is on another disk and that is where I became aware of this error.
It motivated me to install the antivirus and Win2K and move all my working
files to another hard drive, but I found the error there as well, once I
finished.

I think it is related to a software update but whose: Windows or McAfee?
Could it be that McAfee introduced this to "induce" people to upgrade?

Please help, thank you
 
Guest

Mate, answered your post in the McAfee forums. I read from the files you are
viruses: Isass is a virus file, as is Scvhost, and services can be as well.

Scan with the online scanners I posted for you and see what happens.
At least that's my reading of your issue: the virus is messing up the firewall
as well.
 
Guest

Thank you peacekeeper for answering right away, I appreciate it.

> I am a tad confused ... are you getting this error when and only when you
> block the services request to access net?

The only way I get the error is if I deny access to services.exe

If allow all three services = no error.
If allow services.exe and disallow Isass.exe = no error and connection to net
If allow Isass.exe and disallow services = error and no connection to net

I have concluded that services.exe must be allowed
1-to get access to internet and
2-to avoid the error, but why?

> Do you mean Isass or Lsass? The former is a worm.

Sorry I misspelled.
F:\WINNT\system32\lsass.exe
LSA Executable and Server DLL (Export Version) v5.00

Last night I downloaded some updates for Office, today the latest DAT 4360.

I scanned all drives with Stinger and with McAfee, both on Safe Mode,
Command with prompt and also as a regular scan from within Windows.
Nothing found.

I did not do those online scans since I am not at ease with lowering my
firewall for them to do their thing.

The exception in CPD.EXE when denying access to VSMain.exe has not happened
today.

I had one more instance of the error today in the afternoon at either
closing the browser or disconnecting from the net.

Do you or any other reader know why services.exe must access the internet to
avoid CPD.exe errors and for the browser to load a page?

I would like to know if users of other versions of MFW 3.03 have this or any
other error when not allowing services.exe to the net.

I will toss out the installation of NT and in its place create a new W2k
with McAfee alone without service packs first, later will add service packs
and windows updates, to compare with the present one and will later post.

I answered at McAfee forums as well

thanks again
 
Guest

Hello Group:

I tossed out my old NT4 installation. I installed W2K in its place. This is on
a separate hard drive in my PC.

As soon as I finished installing the OS I installed the AV and FW. The first
thing I received was a reminder to purchase a new copy, then services.exe
requested access to the net. I denied it. When I looked in the firewall
activity there it was the infamous:

"McAfee Firewall caused an exception c0000005 at offset 4017c3 in CPD.EXE
(FwMon_SocketClosed). If this condition is repeatable and prevents McAfee
firewall from operating properly, please report the details of the exception
to McAfee Technical Support."

There was no other software installed, not even a service pack or any
Windows update, so it must not be related to that.

What is it?

Run a test for me on your FW4:
First empty your filter window. It is called "Remove this program from the
list" in my version.

1- Unplug net. Stop your firewall and then start it again. Connect Net.
Allow only the browser, check for internet access and the exception.

2- Unplug net. Stop and Start firewall. Connect Net. Allow any other service
that requests access, make sure you exclude services.exe and allow the
browser, check for internet access and the exception.

3- Unplug net. Stop and Start firewall. Connect Net. Allow services.exe and
browser. Check for net access and error.

You must stop/start the firewall to begin each test. Please post results.

thank you.