esset, posted August 2, 2017 (edited)

My current issue happened after my manual product update of Eset Internet Security, perhaps one/two/three (?) days ago. My firewall is in interactive mode. For the first time today I noticed the 'use notification service' and the 'manageability service' try to establish an outbound connection, which I permitted. At first as a one time permission. Then, since the requests continued 'till application quits'. So 'outbound', but I also got an 'inbound' alert, which I also permitted. All this happened the first time I turned the computer on and tried to browse the internet.

This is a simple home desktop computer, Windows 7 professional 64 bit. Connected by a wired router to a modem to the internet, not connected to any other computer or network. I'm not sure why the 'Intel Management and Security Suite' should be active, if I interpret this correctly. It seems highly unlikely that malware is present.

I don't like unknown services or applications phoning out or in, and there is a reason why the firewall is set to interactive. Is this a bug or other issue with the new product update? Anything I or you can do about this?

Edited August 2, 2017 by esset

Marcos (Administrators), posted August 2, 2017

Could you please clarify what is the issue? You have firewall set to interactive mode and you were correctly asked about communication for which you granted one-time permission.

cyberhash (Most Valued Members), posted August 2, 2017

> 26 minutes ago, esset said:
> My current issue happened after my manual product update of Eset Internet Security, perhaps one/two/three (?) days ago. My firewall is in interactive mode. For the first time today I noticed the 'use notification service' and the 'manageability service' try to establish an outbound connection, which I permitted. At first as a one time permission. Then, since the requests continued 'till application quits'. So 'outbound', but I also got an 'inbound' alert, which I also permitted. All this happened the first time I turned the computer on and tried to browse the internet. This is a simple home desktop computer, Windows 7 professional 64 bit. Connected by a wired router to a modem to the internet, not connected to any other computer or network. I'm not sure why the 'Intel Management and Security Suite' should be active, if I interpret this correctly. It seems highly unlikely that malware is present. I don't like unknown services or applications phoning out or in, and there is a reason why the firewall is set to interactive. Is this a bug or other issue with the new product update? Anything I or you can do about this?

It's nothing to do with updating your EIS. The "notification service" needs a new rule as there was an update for windows itself (KB4032188) that in turn prompted you to ask for access to the push notification service. It's nothing sinister and you should allow it and create the rule & remember permanently.

You will encounter this type of thing often when you run the firewall in interactive, following a windows update.

itman, posted August 2, 2017 (edited)

> 1 hour ago, esset said:
> I'm not sure why the 'Intel Management and Security Suite' should be active, if I interpret this correctly.

As far as I am aware of, this is a server based product.

As Marcos stated when you set the firewall to interactive mode, you will receive an alert for every outbound connection for which an existing Eset firewall does not exist. You will then have to make the decision as to whether to allow the connection and to manually create an allow firewall rule from the displayed alert data so no further alerts are received.

If you don't want to do this, you have two choices:

1. Set the firewall to the default allow all outbound connections.
2. Set the firewall to "training" mode for a set period of time to auto create rules for all outbound connection requests. Then, reset the firewall mode to "interactive" mode.

Edited August 2, 2017 by itman

esset (Author), posted August 2, 2017 (edited)

@Marcos, True, but it was completely out of the blue. I must admit that on rare occasions I've seen a somewhat similar alert for a DHCP thingie, I'm not sure when and how this occurs. As in, I have never seen this before and it happened relatively quickly after updating the Eset product. I did look up 'Intel Active Management Technology' and did not find that encouraging. I rarely get any requests for outbound connections unless I do something really unusual. In a way, this issue is/was 'what is going on'? Sure, I could create that permanent outbound permission.

@cyberhash, I'm running Windows 7, not 10. Most links to that KB are for Windows 10. Also, I no longer use 'Windows automatic update' but restrict myself to installing only the 'security only' updates from the windows/microsoft (?) update catalog. And IF I did check that correctly, I don't have KB4032188 installed.

@itman, 'As far as I am aware of, this is a server based product.' I'm not sure what you mean by that. The rest is crystal clear.

I often do things in a way that is not standard. I know that makes things inconvenient at rare occasions. The other side is that I don't have to bother people because of malware infections or a damaged system.

Edited August 2, 2017 by esset

itman, posted August 2, 2017 (edited)

> 6 hours ago, esset said:
> 'As far as I am aware of, this is a server based product.' I'm not sure what you mean by that. The rest is crystal clear.

For starters, you didn't state "Intel Active Management Technology" but "Intel Management and Security Suite" which is a server based product.

You can read up on Intel Active Management Technology here: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology with the following of note:

> All access to the Intel AMT features is through the Intel Management Engine in the PC's hardware and firmware.[1] AMT communication depends on the state of the Management Engine, not the state of the PC's OS.
>
> As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP firmware stack designed into system hardware.[1] Because it is based on the TCP/IP stack, remote communication with AMT occurs via the network data path before communication is passed to the OS.
>
> AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall.[1][30] In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication.[1][31] The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server or management appliance.

Note that there is an outstanding vulnerability in Intel AMT that has been only partially patched. Details about that here: https://nvd.nist.gov/vuln/detail/CVE-2017-5689#vulnDescriptionTitle

Appears in Win 7, the interface with Intel AMT is via a driver. Since I never used Intel CPUs, I'm an AMD guy, I really don't know what interfacing occurs between Win 7 and Intel AMT network connection wise.

I do know if a firewall alert is received "totally out of the blue" as you described, it is best to block the connection and then explore what caused it. More so in this case since there is an outstanding vulnerability regarding it. One possible explanation is the Win 7 driver was updated. That could be benign or malicious activity. All the Eset firewall can do is alert you of activity based on how you configured it; not to the basis of that activity.

Edited August 2, 2017 by itman

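
One way to "explore what caused it" after an alert like the ones in this thread is to see which process and service own listening sockets on the ports Intel AMT uses. The sketch below is an added example, not code from any poster or from ESET; it parses constructed samples of `netstat -ano` and `tasklist /svc /fo csv /nh` output, and the port list and the `LMS.exe`/`LMS` names in the sample are assumptions that the thread does not state.

```python
import csv

# Assumption (not stated in the thread): ports associated with Intel AMT/ASF.
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:16992          0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:16993          0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:16994     203.0.113.7:443        ESTABLISHED     3120
  TCP    [::]:16992             [::]:0                 LISTENING       2044
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Constructed sample of `tasklist /svc /fo csv /nh` output; names are illustrative.
TASKLIST_SAMPLE = '''\
"svchost.exe","812","RpcEptMapper,RpcSs"
"LMS.exe","2044","LMS"
"firefox.exe","3120","N/A"
'''

def parse_netstat(text):
    """Yield (proto, local_port, state, pid) for every socket row."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        port = int(f[1].rsplit(":", 1)[1])      # also handles [::]:16992
        state = f[3] if f[0] == "TCP" else ""   # UDP rows have no State column
        yield f[0], port, state, int(f[-1])

def parse_tasklist(text):
    """Map PID -> (image name, services) from tasklist CSV rows."""
    return {int(r[1]): (r[0], r[2])
            for r in csv.reader(text.splitlines()) if len(r) == 3}

def amt_listeners(netstat_text, tasklist_text):
    """Return sorted unique (proto, port, pid, image, services) for AMT-port listeners."""
    procs = parse_tasklist(tasklist_text)
    found = set()
    for proto, port, state, pid in parse_netstat(netstat_text):
        # An ESTABLISHED row that merely uses one of these numbers as its
        # local source port is not a listener, so it is skipped.
        if port in AMT_PORTS and state in ("LISTENING", ""):
            found.add((proto, port, pid) + procs.get(pid, ("unknown", "unknown")))
    return sorted(found)

if __name__ == "__main__":
    for row in amt_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(row)
```

This only reports OS-side listeners: as the passage quoted above says, AMT's own traffic is handled on the network data path before it reaches the OS, so it will not appear in `netstat`.
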
esset (Author), posted August 3, 2017 (edited)

@itman, Thanks. '"Intel Active Management Technology" but "Intel Management and Security Suite"' maybe I've seen both (two alerts, but I don't remember) I just tried to find out what the services were related to. Thank you for that information about the AMT. I suppose it was good that I was alerted to it.

Edited August 3, 2017 by esset

itman, posted August 4, 2017 (edited)

You might also want to read the link referenced in this thread: https://forum.eset.com/topic/12297-malware-uses-intel-amt-to-bypass-windows-firewall/

Edited August 4, 2017 by itman