jeffshead

Everything posted by jeffshead

  1. I just tried again. Mine is still inbound only. Maybe there is an update caching issue somewhere. Is there a module version that I can check?
  2. Thanks for the suggestion but I already tried that. It made no difference so I switched back.
  3. So here is a screen cap of the default rule that comes with versions prior to ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11: Below is the default rule that comes with ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11: I had to create a "catch all" outbound rule, as a workaround, to fix several applications that were broken by this latest ESET update. Maybe there's a system process that needs outbound to Local addresses for which I'm not receiving a prompt, but simply adding Local addresses to individual outbound rules for each application does not work for me. Did ESET intentionally remove outbound from that default rule?
  4. The Veeam agent has a service and a systray exe. The systray exe has to communicate with the service. Hence, localhost traffic. Regardless of the Windows firewall, this issue is ONLY with ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11; not any other prior version of either ESET product. I also tried adding the local addresses set to individual rules and disabling that catch all outbound rule that I created. It didn't work. That catch all outbound rule is necessary.
  5. So I see that the first default rule in 10.0.2045 allows both in and out traffic for local addresses. That same rule in 10.1.2046.0 allows only inbound. I copied that rule and changed the direction to outbound and then added it. That seems to solve this issue. Why was that default rule changed in 10.1.2046.0? Is this a bug? Is my workaround safe? If not, what other way can this issue be fixed?
  6. So I took the 10.1.2046.0 update, again, to do some more testing. Being that I'm in Interactive mode, I get prompted every time there's traffic for which there's no existing rule. I noticed that all of the prompts that I'm receiving are for the broken apps and traffic is going to either 127.0.0.1 or ::1. So apparently, the default rules are not the same as they were in 10.0.2045. So what rule do I need to add to fix this issue?
  7. There is a Veeam service but there's also a Veeam Systray exe that communicates with the service. The exe is what keeps getting blocked.
  8. I worked on this issue for many hours and got tired of dealing with it. I performed a clean uninstall and reinstalled 10.1.2045 and everything works as it should. Not only that, but the new interface for editing rules from the prompt is a step backwards. You can no longer select the IP address that you are being prompted about.
  9. Both ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11 suffer from the same issue that did NOT exist prior to these updates. Everything worked until these updates were installed. No other changes were made. I use interactive mode. Several apps stopped functioning because ESET is blocking connections even though rules do exist to allow those connections. To keep this simple, I'll focus on one application: Veeam Agent for Microsoft Windows. After every system reboot, ESET prompts about traffic for which I have already added a permanent rule, from previous prompts. I currently have 8 identical rules for the same Veeam exe. After selecting Allow and adding a permanent rule, everything works until the next reboot. After each reboot, I'm prompted again… Rinse, repeat. And before anyone asks, there are no corresponding entries listed under Setup->Network->Resolve blocked Communication or Resolve temporarily blocked IP addresses. Why is 127.0.0.1 a remote site? I even created a rule and added 127.0.0.1. Shouldn't the rule depicted below allow the traffic depicted in the image above? For the sake of clarity, if I get the prompt depicted in the first image and select Remember until application quits, or if I select Create rule and remember permanently, and click the Allow button, traffic is allowed and the app works until I reboot the system even when I have selected Create rule and remember permanently. After reboot, the traffic is once again blocked and I get the same prompt. So what's going on here? I've even used the ESET Cleaner and performed fresh installs. This only happens with Interactive mode. I've even tried Learning mode but after switching back to Interactive mode, the issue comes back.
  10. It does not show up under "Resolve blocked communication". I have tried creating a manual rule to allow all. I'm going to create a separate post. This is an issue with the latest update. Everything used to work until the update. I didn't change anything other than reboot the PC after ESET applied the 16.2.11 update.
  11. This last update (16.2.11) causes the Veeam Agent for Microsoft Windows service to not run at system start when ESET is set to Interactive mode. I don't care how many times you uninstall/reinstall, ESET does not always/consistently display an action pop-up to Allow or Disallow traffic.
  12. With all due respect, I must say your statement is not correct. EIS is blocking the traffic but it is not being logged anywhere, including the Troubleshooting wizard. If I go to Setup > Network protection > Firewall and select 'Disabled permanently', the traffic is not blocked. Otherwise the traffic is blocked but not logged. This behavior was reported by others who also use Interactive mode, a couple of years ago. I managed to force EIS to log the traffic that it is blocking by utilizing the info posted in the thread I linked to in the previous paragraph. I enabled Enable Network protection advanced logging and created a general catch-all ASK firewall rule and set it to Information level logging in order to log the blocked traffic. Until I did this, the Network Protection log was completely empty. In fact, it's always empty on every PC that has EIS set to Interactive mode. I love ESET but having to spend so much time researching how to log traffic that should be logged by default is bad.
  13. I don't see a Firewall Troubleshooting Wizard. If you are referring to Setup > Network protection > Network Protection Troubleshooting, it does not show anything (relating to pre-login traffic) being blocked. Like I stated previously, EIS is set to Interactive so the Network Protection log is always empty which I think is ridiculous.
  14. How can one determine exactly what EIS blocks before a user logs on to a Windows PC? If EIS is set to Interactive mode, after a user logs on to the PC, the user will be alerted with a pop-up that tells the user that EIS is blocking specific traffic and waits for a response from the user to continue blocking or allow the traffic. This works great for traffic AFTER a login. However, the problem that I encounter is that some pre-login traffic is being blocked but ESET does not log the blocked traffic so I don't know what Allow rule(s) need to be created to allow the traffic. I found this post which states, 'The only way I know of to log blocked network connections when the firewall is set to Interactive mode is to create an Ask rule to monitor any network inbound and outbound traffic for any protocol.' Creating an Ask rule as described in that post only logs the remote IP address where the traffic was going to. How can we make EIS log all information about the blocked, pre-login traffic so that it logs the program that is generating the traffic that is being blocked and domain name if one was used instead of an IP? In other words, how can we view the same type of info, that is presented in the Interactive pop-ups, for pre-login traffic which is being blocked?
  15. Under URL management -- What is the difference between List of allowed addresses and List of addresses excluded from content scan? Let's say there is a website that ESET is blocking but I want to access it anyway. If I add it to List of allowed addresses, will ESET then let me access that page but still scan for malware whereas adding it to List of addresses excluded from content scan will let me access the site and not scan it for malware? Is my assumption correct? If so, then if I add a URL to List of allowed addresses and ESET lets me access the page but finds malware, ESET will still block the page? So if the malware is a false positive, the only way to access that page is to then add it to List of addresses excluded from content scan? Is all of the above correct? If not, please elaborate.
  16. I am trying to rule out ESET as being the cause of an issue. How can I totally disable all protections without uninstalling the product? I know simply right-clicking the systray icon and selecting "Pause" for the firewall and Protection does not remove all protections. I remember being able to do this, years ago. It required booting to Safe Mode, disabling something and rebooting. The problem I'm encountering is that I cannot delete or move some folders/exe's after viewing them. I get the following error: If I wait for about a minute, I can move/delete them. I'm wondering if ESET is locking the file/folders.
  17. Can Endpoint be installed on Windows Server in order to get the ESET firewall on a server? I know the ESET product that is designed for Windows Servers does not come with a firewall.
  18. I cannot find a setting that tells ESS to quarantine suspected email attachments rather than delete them. I see that you can set it (Email client protection) to not clean but that means it won't quarantine, doesn't it? I had someone email a JavaScript file to me in a zip container but ESS deleted the file (false positive) and I don't see any way to recover the file. It would make more sense to quarantine email attachments rather than delete them so you can recover safe files.
  19. Thank you. That makes sense, now. I'm just used to going into routers' firewall logs where everything is logged and easier to find. Since the VPN subnet is not automatically added to ESET's "Known networks", what is the best approach to allowing VPN connections as if they were just another PC on the same subnet as the PC on which ESET is installed? Is that a bad idea? What are the differences between adding 10.1.1.0/24 to the Trusted zone versus manually adding 10.1.1.0/24 to the Known networks? EDIT: I did what another user suggested (https://forum.eset.com/topic/8274-endpoint-security-homework-network-not-being-treated-as-trusted-zone/?tab=comments#comment-43989) and added the VPN subnet to the already existing Known network and it seems to work just fine.
  20. 10.1.1.0/24 is not in the known networks setup. Only 192.168.1.0/24. The firewall troubleshooting wizard is what I was looking for. It does not make sense to me why the Personal Firewall log does not show all blocked communications. Why must users have to hunt for blocked communications in different locations of the GUI?
  21. I have ESS 10 on a PC on my local network. I have an SSL VPN set up on my router so I can access my local network when abroad. My LAN IPs are 192.168.1.xxx. My VPN IPs are 10.1.1.xxx. I have tried every setting I could find but I cannot access this PC over the VPN. I am in interactive mode but have never gotten an alert when I try to connect. I have tried disabling IDS, adding the VPN IP to IDS exclusions and disabling HIPS. I have also set HIPS to log all events but I see nothing about my connection attempts in the logs. The only way I can connect via VPN is to "Pause firewall (allow all traffic)". How can I find out exactly why ESS is blocking my VPN connection? Why is it not being logged?
  22. I must concede to some of your points and apologize for getting off topic. I still hold firm on the fact that there should be an option to opt-out of the nag screen or at least being able to turn it off until two weeks before EOF of the version that is currently installed.
  23. Because ESET wants to sell annual upgrades, every year. ESET is getting more bloated, with useless cr@p, with each release. ESET is marketing to the less savvy. Half of this isn't needed if you are behind a good gateway and know what you should and shouldn't be doing. It's really sad when companies think it's perfectly fine to spam their paying customers with ads that they cannot opt out of. If the main reason for the nag is safety, then why are you still supporting v8.x until 12/18? The annoying nags shouldn't start until the installed version is close to EOF. Not 2+ years before EOF. That's spam being generated by the same company that you are doing business with and they are telling you that they don't care. We (ESET) are going to continue annoying you whether you like it or not because we already have your money and we don't care what you want because we know better than you. Now click on the upgrade button to stop the annoying nag screen and send more money.
  24. I decided to leave Home Network Protection enabled and see if the added network traffic is worth it. I added a firewall rule to not log the dropped packets so my logs are not so cluttered. One annoyance is the fact that the types of devices to select from are very limited. There's no option to add a custom device type, either. I'm referring to identifying "Unknown" device types as indicated below: ESET should add the following device types:
      • Wireless access points
      • UPS's
      • Media players
      • A custom type so you can add whatever text you want to describe the type of device. The ability to add your own image would be really nice.
  25. Thanks for the replies. 192.168.0.1 is the router and 148 is the PC. Exactly what protection does Home Network Protection provide? I use a business class gateway/router that allows only explicit traffic so it's always going to drop the Home Network Protection packets. I could create a rule to stop logging that traffic but I don't need ESET to "test your home router for vulnerabilities". If the only other action it performs is to tell me what other devices are on the network, then I will keep it disabled. So does Home Network Protection do anything else?