Everything posted by Enrico

  1. I've started the logging with HTTP3 scan enabled, tried to reach a network share, disabled the scan, restarted the network, opened a shared folder, quit the logging. essp_logs.zip
  2. After manually checking for updates the auto-type is working again. (tested only with FF 115.5.0 ESR)
  3. KeePass has an auto-type function; generally it's the most used since it requires only two clicks: one on the open URL icon and the other on the auto-type icon. Auto-type has another useful option, the obfuscation. Since Safe Banking controls the secured browser clipboard and memory, KeePass is unable to perform the auto-type function (as expected); only the manual copy-paste works. I didn't test the KP auto-type after disabling "clipboard protection" under browser protection setup.
  4. Safe Banking breaks KeePass auto-type functionality; instead use Copy User Name (ctrl-B) and paste the value in the browser, then Copy Password (ctrl-C) and paste the value in the browser. Sincerely, I wouldn't use Safe Banking: it opens the browser with a default clean profile, and default FF settings are not the best from a privacy/security perspective.
  5. Unfortunately, I can't open a ticket because of the captcha (I don't accept Google's privacy policy). At this point I will opt for the solution I wanted to avoid: create allow and block rules for every software and remove the ask rules.
  6. I've noticed this strange behaviour. Steps to reproduce:
     1- Create a higher priority Block firewall rule for any application, both directions, any protocol, insert all IP ranges to monitor.
     2- Create a lower priority Ask firewall rule for any application, both directions, any protocol, insert all IP ranges to monitor.
     3- Start a browser (or any kind of software that connects to both IP ranges).
     4- Visit a website that uses the Ask rule IP ranges and select "Remember until application quits".
     5- Visit a website that uses the Block rule IP ranges: all traffic is allowed!
     OR:
     3- Start a browser (or any kind of software that connects to both IP ranges).
     4- Visit a website that uses the Block rule IP ranges: all traffic is blocked.
     5- Visit a website that uses the Ask rule IP ranges and select "Remember until application quits".
     6- Visit again a website that uses the Block rule IP ranges: all traffic is allowed!
     The same happens even without an Ask rule: every software requesting network traffic, without an existing dedicated firewall rule, once allowed, can bypass the block rule. IP filtering is my first layer of defence against threats and data theft, and I'm really worried about this behaviour. Do you have any advice or suggestions?
  7. From a clean ESSP installation:
     01- set: Advanced setup - protections - SSL/TLS - SSL/TLS mode - Interactive.
     02- start a browser and visit a website, in the Encrypted network traffic popup window select "Remember action for this application" and click on "Scan" button.
     03- open: Advanced setup - protections - SSL/TLS - Application scan rules - Edit.
     04- select the rule created for the browser and click "Edit"...
  8. V17.0.10.0 same issue: the only way to edit a rule is to first delete the existing one, start the application requesting an ssl/tls connection and then save a new auto/allow/ignore/ask rule. btw: just out of curiosity I'm also testing Grid and Browser protection; network traffic is less than I expected and no browsing errors so far, so probably I'll leave them active.
  9. As I previously said, when I took the screenshot it was with a clean installation, only that rule was created, then the logs were built with my old settings, needed for a safe internet access. The problem is not a new rule creation, it's the warning when I open (edit) an existing rule. With the pre-azure signature version everything was OK. Default settings don't offer the protection I need, for example if I do not add performance exclusions for my professional CAD/CAM software, and relative file extensions, it slows down or crashes, since Eset is scanning the constant read/writes of temporary and backup files (1-10GB size); the same can be said for flight simulators or audio/video editors. Scanning of removable media is disabled because no one has access to my computers and only my removable media is used. I'm not interested in Live Grids, Clouds or software that requires constant network traffic, my PCs are offline most of the time. Every Banking protection I've tried only caused issues with my restrictive browser configuration. 2003-2023 without infections.
  10. @itman: while I was trying to debug the firewall I've checked all my settings, one by one, just to be sure that everything was OK; I know that the ssl/tls is not related to the firewall module. I use ssl/tls interactive, so adding or editing rules is a must: some applications need scanning for better protection (browsers, downloaders), while other applications may have connection issues, so they must be ignored (often applications that use CEF for DRM or other needs, or browsers when websites require card reader device encrypted connection). @Marcos: the screenshot was taken with a clean installation and that was the only thing I've modified; now I've imported the previous Eset settings. Logs attached. Best regards. essp_logs.zip
  11. While trying to debug the firewall interactive rules issue I've encountered another problem: after creating a new ssl/tls application scan rule, when I edit the rule I receive a "Duplicate item. The value is in conflict with another intem in the set." warning, even if there are no other rules. If I edit the path of the executable the warning goes away; maybe Eset is treating "edit" a rule like "add" a rule and this causes the "duplicate item" warning? This problem also seems related to Eset updates: some weeks ago there were no warnings, but a month ago it was like today. Anyone with the same problem? Is it a known bug? Best regards.
  12. Probably I've found a temporary solution for firewall rules not working in interactive mode, bug started when executable signature was introduced. I've added the full path to the .exe and set "application signature" to "any or none", now, when the program starts, there are no more prompts.
  13. It causes no issues at all, but you have to remove other useless files in order to stop unwanted network traffic...
  14. Not crashing but it generates an "Edit <0w>" locked folder inside archives; meanwhile I'll keep client plugins disabled. essp_logs.zip Diagnostics.zip
  15. That screenshot was taken after enabling antispam and doing a send/receive; without antispam no queries to Google were made. Look at this: I was in pause and left the workstation unattended (antispam disabled), at 13:34:22 there was a Google DNS query for setting.e5.sk, at 14:can't:remember Eset used my DNS when searching for updates... So ESET has Google DNS hard coded and it's used for some purpose. From my point of view, this is a severe security/privacy issue. If a backup DNS is needed for some reason, then the user should be able to choose which one.
  16. (In Win10 and Linux I've set DNSWatch servers, the router uses the provider DNS servers, DoH is forced disabled with GPs) I did some more testing and I can confirm that Eset antispam module is using Google DNS servers to resolve *.e5.sk; it bypasses the custom firewall rule to block connections to 8.0.0.0/9 and no log entry is created. This is why I've disabled the antispam module a long time ago, but at least with the older EIS/ESS versions the firewall rule was respected (connection blocked + entries in the log). I've disabled unused ESS features, so I can't check if Eset engine uses Google DNS servers for other modules.
  17. Thanks for the suggestion, I did a factory reset and then realized that I was using Marcos's suggestion for the logs: https://forum.eset.com/topic/32651-web-access-protection-the-url-address-is-too-broad/?do=findComment&comment=152084 So it was a false alarm (after diggin' I discovered that the IPs were from website tracking and imaps).
  18. Since yesterday I've been having the following inbound blocked traffic logs:
      Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;Hash;User
      30/06/2022 10:47:33;No application listening on the port;Blocked;92.245.188.58:443;192.168.1.191:49718;TCP;;;0000000000000000000000000000000000000000;
      Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;Hash;User
      30/06/2022 13:17:28;No application listening on the port;Blocked;81.4.100.200:443;192.168.1.191:50315;TCP;;;0000000000000000000000000000000000000000;
      Could it be that my router has been infected with ZuoRAT?
  19. Connections to Google DNS were also made by the antispam module, try disabling it. (email client protection-antispam protection)
  20. Usually I manually clean the logs every day, so it's not an issue. That solution in some way can be useful, allowed URLs are logged too so I can use that setting when I try new software, but for broken websites debug now it's easier to rely on browser console (although not so immediate). Thank you.
  21. Since the last SSP release I've been having empty filtered websites logs, so I noticed that with my filtered websites list I can't set logging severity to "information". I see that the question was also asked in the products for Windows servers subforum; I would like to ask you if it's possible to add the functionality back to the home users products, since it has become less immediate to know if the filtering was made by ESET, the browser settings or the browser addons. Best regards. Enrico
  22. Never had similar issues, but you can safely disable or delete all the scheduled tasks and set group policies referring to the "useless" compattelrunner. https://www.thewindowsclub.com/what-is-compattelrunner-exe-on-windows-10 https://superuser.com/questions/1613932/how-to-disable-compattelrunner-exe-microsoft-compatibility-telemetry etc...
  23. There have been no more popups, thank you very much. Best regards. Enrico