Jump to content

ESET 10 firewall blocks egui.exe (itself) ::1 is detected as remotecomputer


Recommended Posts

hello in 2016 i have tried upgrade to eset 10 on windows 8.1 but i had to run av_remove.exe and downgrade to eset v9 because it was incompatible with IPv6 

 not as local address

 

now we have 2017 and i have upgraded to esetv10 with win10 same issue. removed and installed it clean same issues.

 

ESET 10 blocks itself. ::1 is detected as remotecomputer not in local address. this is wrong. version9 is working fine with same setting.esetwtf.png

 

 

i put exclusions for ::1 in firewall rules. in network block view it says. UNBLOCKED but still "no rule found" and so it is still blocked even while it says unblocked. the only way to unblock is to set interactive mode mode and start app and eset pops up asking firewall rule. than choose second option, remember until programquit. this works. if i choose to create rule and remember permanently, it is still blocked.

 

in https://support.eset.com/kb2266/?locale=en_US  no solution.eset.png

win10x64 enterprisev1607
Signaturdatenbank: 14766 (20170113)
Soforteinsatz-Modul: 9341 (20170113)
Updates: 1009 (20161205)
Viren- und Spyware-Schutz: 1508 (20170103)
Advanced Heuristik: 1175 (20161110)
Archivunterstützung: 1258 (20161117)
Säuberungstechnologie: 1128 (20161025)
Anti-Stealth-Unterstützung: 1106 (20161017)
Personal Firewall: 1328.1 (20161206)
ESET SysInspector: 1264 (20161108)
Lokalisierungsunterstützung: 1567B (20161222)
HIPS-Unterstützung: 1259 (20161213)
Internet-Schutz: 1290 (20170104)
Web-Inhaltsfilter: 1052 (20160620)
Erweiterter Spam-Schutz: 4927 (20170113)
Datenbank: 1087 (20161107)
Konfigurationsmodul (33): 1466.2 (20170104)
LiveGrid-Kommunikationsmodul: 1022 (20160401)
Spezielles Säuberungsprogramm: 1012 (20160405)
Sicheres Online-Banking und Bezahlen: 1094 (20170104)
Rootkit-Erkennungs- und Bereinigungsmodul: 1006 (20160715)
Netzwerk-Schutzmodul: 1348 (20170112)
Prüfmodul für Routerschwachstellen: 1024 (20161201)
Schutz vor skriptbasierten Angriffen: 1010 (20161205)
 
 
my hostfile have added ::1 localhost 
 
Edited by  rESET 
interactive mode
Link to comment
Share on other sites

  • Administrators

I've asked developers to look into it. In the meantime, temporarily enable advanced personal firewall logging in the advanced setup -> Tools -> Diagnostics, restart the computer and wait until the mentioned communication occurs. After allowing it, stop logging and collect logs with ELC (see my signature for instructions). When done, drop me a pm with the generated zip file attached.

Link to comment
Share on other sites

ok, i have found log collector link inside eset support tools. tried to capture this behavior. But i havent got the egui firewall dialog again. But the problem is the ::1 is detected as "unknown device" /"remote host" for every app/service connection no matter. same rule mismatching

if run cmd>nslookup eset.com ::1

this happens also for me. with eset 9 on same configuration not. perhaps can i somehow tell eset10 to know ::1 is the localadress zone? because localadress in zones cannot be edited.

 

i tried to capture it. firewall log is full of entries. if more info needed let me know.firewall_detailrulenotfound_while_adressunlockedbyrule.pngunknown_device_localhost.png

Link to comment
Share on other sites

In Eset's firewall settings, go to Connected networks. Click on Network Adapters as shown in the below screen shot. If Loopback Psuedo-Interface 1 adapter is not shown, that is why your localhost connections are failing. Eset establishes its 127.0.0.0/x and ::1/x connections based on settings in that adapter.

 

 

Eset_Network_Adapters.png

Link to comment
Share on other sites

Based on the screen shot you just posted, I see no evidence that a IPv6 connection has established via DHCP IPv6. I see no public or private IPv6 address assignment. The only thing I see is the fe80:: local link scope address.

Also the loopback adapter is showing 10.0.0.0/16 CIDR address. That is not a valid localhost loopback address as far as I am aware of. Are you using a VPC such as Amazon Cloud?

VPC and Subnet Basics

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.

-EDIT- Also the existence of the Teredo Tunneling adapter indicates that you are not connecting via IPv6 but instead are receiving IPv6 communication in a pseudo fashion; the IPv6 communication is being "tunneled" through an IPv4 connection using a Teredo server connection.

What you might try to do is create two firewall rules:

1. allow outbound TCP/UDP protocol traffic from local IP address ::1 to remote IP address 10.0.0.0 - 10.0.255.255

2. allow inbound TCP/UDP protocol traffic from remote IP address 10.0.0.0 - 10.0.255.255 to local IP address ::1

Add rule 1 first and see if that solves the issue. If not, add the second firewall rule.

Important: Move both rules to the top of all existing firewall rules.

If this doesn't solve the problem, make sure you delete both firewall rules.

Note: I can't vouch for the security of the above since Teredo tunnels are inherently insecure. 

 

Edited by itman
Link to comment
Share on other sites

17 hours ago, itman said:

Based on the screen shot you just posted, I see no evidence that a IPv6 connection has established via DHCP IPv6. I see no public or private IPv6 address assignment. The only thing I see is the fe80:: local link scope address.

 

 

yes, because i disabled ipv6 connection in router as long eset firewall does not protect this.

 

17 hours ago, itman said:

 

Also the loopback adapter is showing 10.0.0.0/16 CIDR address. That is not a valid localhost loopback address as far as I am aware of. Are you using a VPC such as Amazon Cloud?

 

this is not a adress, that is the configured "eset trusted zone" that i manually have added recently for hopefully allowing local traffic. i removed this. i have no vpc connection.

 

17 hours ago, itman said:

 

-EDIT- Also the existence of the Teredo Tunneling adapter indicates that you are not connecting via IPv6 but instead are receiving IPv6 communication in a pseudo fashion; the IPv6 communication is being "tunneled" through an IPv4 connection using a Teredo server connection.

Teredo is ok, but i have disabled now. now my eset adapter view looks same as yours.. with the problem persist. instead my isp gives me ipv6 only. ipv4 is pseudo because dslite tunnel. that is why i need working ipv6 firewall.

 

17 hours ago, itman said:

 

1. allow outbound TCP/UDP protocol traffic from local IP address ::1 to remote IP address 10.0.0.0 - 10.0.255.255

2. allow inbound TCP/UDP protocol traffic from remote IP address 10.0.0.0 - 10.0.255.255 to local IP address ::1

Add rule 1 first and see if that solves the issue. If not, add the second firewall rule.

Important: Move both rules to the top of all existing firewall rules.

If this doesn't solve the problem, make sure you delete both firewall rules.

Note: I can't vouch for the security of the above since Teredo tunnels are inherently insecure. 

 

i have added both rules for testing. see eset ignorance:

esetignorance.png

as i have used eset firewall rules before, i understand that both should work as same if selected direction BOTH. only one rule must be needed. But this didnt solve anything. since the problem is localhost connection is being blocked. and firewall rules are ignored. eset does not apply it set firewall rule. Only if in interactive mode i set allow temporaly for processID.

i would say. teredo or any other tunnel mechanism is fine if you have a WORKING firewall with ipv6 support as eset is supposed to as advertised. it is only insecure if you believe your NAT makes you secure, tunnel passes forwarding through.

 

 

eset does block any local connection i cannot even reach my local webserver Environment, it's blocked. cannot browse to from chrome. see screenshot.

 

eset does interpret ::1 as unknown device. see "firewallproblem window" right bottom corner. it reads "unblocked" in the same time it says in detail, that no rule was applied. if i remove exclusion rule, the "unblock button" is back enabled ... eset 10 is very buggy. will this be patched or i have to only solution downgrade back to eset 9?

 

please note, i did a mistake in error report translation, i said training mode instead interactive mode. interactive mode gives the dialog box to allow remember connections.

Edited by  rESET 
interactive mode
Link to comment
Share on other sites

For starters, the screen shots you post are to small to read. And, I have a 25" monitor.

I am beginning to believe your problems are not related to the Eset firewall but perhaps the Windows firewall. Do this as a test. Set the Eset firewall to "Automatic mode" but uncheck the option "Evaluate also rules from Windows firewall." If your localhost issues disappear, the problem lies in the application of existing Win firewall inbound rules and/or the Windows profile in effect.

Link to comment
Share on other sites

it is not small, forum resize seems small on your screen because it is to large. feel free to klick on it to open screen in full size. or right click, open image in new tab.

 

https://content.invisioncic.com/Meset/monthly_2017_01/esetignorance.png.6e2c1ebfde92493509ab8fc39f71e97c.png

 

out of luck, windows firewall rule evaluation is disabled already. i believe it is not windows problem. it must be eset10 firewall driver. since eset9 works with same setting just fine. back in eset9 have windowsfirewall rule disabled also. would like to use "rule based mode" as i configured a whitelist ruleset in eset. but the problem is not my rules. before reporting this i use fresh and clean eset10. 

Edited by  rESET 
Link to comment
Share on other sites

Try this.

Eset has a default firewall rule named "Allow all traffic within the computer." Enable logging for that rule as shown in the below screen shot. The log entries should show connections to/from both ::1 and 127.0.0.x. In other words, this is the Eset firewall rule that allows localhost connections.

-EDIT- Also your last screen shot shows attempted browser connections from a localhost address. That is a no-no. Are you using a VPN? Do you have a proxy server setup?

Eset_FRule.png

Edited by itman
Link to comment
Share on other sites

Following up on the last posting, appears you have software on your PC that has established a localhost proxy. Software could be legit or malware. This proxy is filtering all inbound and outbound traffic from your PC and that it what the Eset firewall is detecting.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...