
ESET Internet Security 11 interactive firewall pop-ups missing, SSL/TLS protocol filtering seems to not work



Hello,

as a long-time customer of ESET Internet Security (formerly Smart Security) I finally have to use the forums to get some help/awareness for a new bug I have encountered after upgrading from Internet Security 10 to 11.

I am currently using a clean installation (ESET Uninstaller Tool) of ESET Internet Security version 11.0.131.0 on a 64-bit Windows 10 system with the new 1709 update, but the problems with ESET have been there before the Windows Fall Creator update as well.

1. Problem: Interactive firewall pop-ups missing

The interactive firewall doesn't ask for new or recently changed/updated programs for internet access - it just blocks them. This bug occurs seemingly at random, but after manually setting the gamer-mode on and off the pop-ups are missing completely, as if it were still on. I have to restart the computer to restore the pop-ups and give those applications access to the internet. Of course I have the automatic gamer-mode for fullscreen applications disabled. This problem started after upgrading from version 10 to 11 and several clean installations didn't fix it. I don't want to reinstall my whole operating system to have a chance of fixing this error, especially when it got introduced after upgrading to a new version of Internet Security.

2. Problem: SSL/TLS protocol filtering doesn't seem to work

For this one I am not 100% sure, but it seems to me that it is not working correctly. I am not sure how to test it so feel free to give me a proper way if you have one. I tried to download the eicar test-file on their website first through the download area using the standard protocol http - ESET Internet Security blocked it as expected and the log said "HTTP inspection", so that one worked. When I try to download the eicar test-file from the area using the secure, SSL enabled protocol https then the download pops up, but the "realtime file protection" takes it out of the temp. Shouldn't there be "HTTPS inspection" so that the file doesn't get into my temp files at all?

The second reason why I think that the SSL/TLS protocol filtering doesn't work is when I switch the mode of SSL/TLS protocol filtering from automatic to interactive mode then not a single one of the expected applications asks for the type of scanning and they still have access. Back on Windows 7 almost every internet-based application triggered a pop-up when setting the mode to interactive. This goes for policy-mode as well. Back on Windows 7 no application without imported certificate worked, they just had no internet access - as you would expect. On Windows 10 now, when using the policy-mode nothing changes, every application has internet access.

Those 2 things together give me the impression that SSL/TLS protocol filtering seems to not work - especially because the policy mode on Windows 7 was really aggressive, and the interactive mode did give pop-ups.

Edit: After some testing I found out that the gamer-mode really keeps suppressing any kind of notification including pop-ups from the interactive firewall even after turning it off. This wasn't the case in v10.

Thanks for any help!

Edited by fabbel

  • ESET Moderators

Hello Fabbel,

we are sorry for the inconvenience caused.

The Gamer mode behavior is a bug and will have to be fixed on our side. When you enable the automatic Gamer mode detection as a workaround, it should work correctly until we fix it.

When it comes to the SSL/TLS inspection, which browser do you use? Does the issue persist after system reboot?

Regards, P.R.


On ‎10‎/‎19‎/‎2017 at 6:22 PM, fabbel said:

2. Problem: SSL/TLS protocol filtering doesn't seem to work

Go here: http://www.eicar.org/85-0-Download.html and download the various https: files. I had no detection issues w/ver. 11.

Also you can perform all the test here: http://amtso.org/feature-settings-check-for-desktop-solutions/ . Ver. 11 passed every one of the tests.

As far as the test files reaching the disk, it depends on your browser and how you respond to the download request. For example in IE11, the standard Run/Save/Cancel info box appears at the bottom of the web page. If Eset alerts but you click on the "Save" button, the test malware file will be saved to your default download location. This allows you to manually override Eset's detection if so desired.

Note: If the file was actually malicious, Eset's realtime scanner will alert when file creation is attempted on the disk.

On 25.10.2017 at 11:35 AM, Peter Randziak said:

Hello Fabbel,

we are sorry for the inconvenience caused.

The Gamer mode behavior is a bug and will have to be fixed on our side. When you enable the automatic Gamer mode detection as a workaround, it should work correctly until we fix it.

When it comes to the SSL/TLS inspection, which browser do you use? Does the issue persist after system reboot?

Regards, P.R.

Hello Peter Randziak,

I'm glad that you are aware of this bug and thank you for mentioning this workaround, which I will use until this issue has been fixed.

In regards to the SSL/TLS inspection: I am using Firefox (56.0.2, 64-Bit) and the issue persists after system reboot as well as a clean install using the ESET Uninstaller Tool. I will write more on this in my response to itman down below.

Thank you again for the fast response and the workaround!

On 25.10.2017 at 4:25 PM, itman said:

Go here: hxxp://www.eicar.org/85-0-Download.html and download the various https: files. I had no detection issues w/ver. 11.

Also you can perform all the test here: hxxp://amtso.org/feature-settings-check-for-desktop-solutions/ . Ver. 11 passed every one of the tests.

As far as the test files reaching the disk, it depends on your browser and how you respond to the download request. For example in IE11, the standard Run/Save/Cancel info box appears at the bottom of the web page. If Eset alerts but you click on the "Save" button, the test malware file will be saved to your default download location. This allows you to manually override Eset's detection if so desired.

Note: If the file was actually malicious, Eset's realtime scanner will alert when file creation is attempted on the disk.

Hello itman,

the download page for the eicar test-file which you have mentioned is the same one which I used prior to my initial post. I had and still have no detection issues with version 10 and 11 of ESET Internet Security in general. I will try to explain again what bothers me:

For clarification: I am using Firefox (56.0.2, 64-Bit) on a 64-Bit Windows 10 machine.

Downloads using the standard protocol http get blocked instantly, without "save as"-prompt and therefore no type of file creation in the %temp% folder and the download page turning into an "error: connection closed". The log states "HTTP-Inspection" as the type of inspection which found the threat. This works as expected, no problems.

Downloads using the secure, SSL enabled protocol https get blocked after a short delay, with "save as"-prompt and a .part file creation in the %temp% folder and the download page remains the same. If I try to save the file it fails and the .part file gets deleted out of the %temp% automatically in the meantime - so the detection works and I am safe. BUT should there be such a difference between http and https file downloads? In addition to this: Why does the log state "realtime scanner" as the type of inspection? Should there not be "HTTPS-Inspection" as the type of inspection which found the threat?

For me this looks like the realtime scanner found it, but not the SSL/TLS inspection. That is what I tried to describe with my initial post. Feel free to correct me if this is the intended behavior, but I hope you see why I am curious.

The "feature settings check for desktop solutions" from amtso was also done by me prior to my initial post and I can confirm that ver. 10 and ver. 11 passed every one of the tests, 100%!

The second reason why I question the functioning of the SSL/TLS protocol filtering is the fact that when I set the mode to "interactive" or "policy" everything functions normally, whereas back on Windows 7 (I'm currently using Windows 10, 64-Bit, ver. 1709) almost every application which needs access to the internet resulted in a prompt-window from the interactive mode or didn't get access at all when I used the "policy mode" and didn't import the certificate. The interactive mode doesn't trigger any kind of prompts even though the list of affected applications doesn't contain those applications. Of course I have tried restarts between a change of the mode of the SSL/TLS protocol filtering and didn't start mentioned applications before that.

This boils down to one question: How can I test if the SSL/TLS protocol filtering works? Remember, the eicar https test-file got caught by the realtime-scanner, as stated by the log. I feel like I'm lacking one shell of protection.

Thank you for your response and your time!

Sincerely, fabbel


  • Administrators

I'd suggest uninstalling ESET and installing the latest version right after the operating system starts to ensure that no email client or browser is running which would prevent the root certificate from being imported. Also the fresh install with default settings will ensure that SSL filtering will be enabled, ports will be set up correctly and no applications or addresses will be excluded from filtering.


11 hours ago, fabbel said:

Downloads using the secure, SSL enabled protocol https get blocked after a short delay, with "save as"-prompt and a .part file creation in the %temp% folder and the download page remains the same. If I try to save the file it fails and the .part file gets deleted out of the %temp% automatically in the meantime - so the detection works and I am safe. BUT should there be such a difference between http and https file downloads? In addition to this: Why does the log state "realtime scanner" as the type of inspection? Should there not be "HTTPS-Inspection" as the type of inspection which found the threat?

Go here: http://www.eicar.org/85-0-Download.html and download the test https eicar file and see if the file stub .part extension still exists when Eset detects. If the .part file exists, then repeat the same eicar download using IE11. If the .part extension file does not exist using IE11, the issue is Firefox. It is creating the .part extension file. I believe that file is just a "stub" and in no way should be interpreted that Eset's web filtering is not detecting malware downloads using https.


On 30.10.2017 at 7:18 AM, Marcos said:

I'd suggest uninstalling ESET and installing the latest version right after the operating system starts to ensure that no email client or browser is running which would prevent the root certificate from being imported. Also the fresh install with default settings will ensure that SSL filtering will be enabled, ports will be set up correctly and no applications or addresses will be excluded from filtering.

I finally found some time to go through a clean install using ESET Uninstaller in safe mode and paid attention to not start any application prior to the re-installation after restarting the system. After several reboots with de- and re-activating SSL/TLS protocol filtering in ESET IS so far only MS Edge has been automatically added into the list of affected applications. For some reason Firefox 56.0.2 (64-Bit) won't get the root certificate from ESET IS imported automatically. As already said, I tried restarting the system and then turning SSL/TLS protocol filtering off/on with a few seconds waiting time before launching Firefox as well as turning SSL/TLS protocol filtering off, restart the system and turn it on again before launching Firefox.

Adding the root certificate through the button within ESET IS didn't work either. I know that I can add the certificate manually, but from my understanding when I would set SSL/TLS protocol filtering now to policy Firefox should NOT get internet access at all, right? At least under Windows 7 this was the case. Now using Windows 10 Firefox keeps having access to the internet without the root cert imported and ESET IS set to policy (scanning every SSL-secure connection).

On 30.10.2017 at 2:35 PM, itman said:

Go here: hxxp://www.eicar.org/85-0-Download.html and download the test https eicar file and see if the file stub .part extension still exists when Eset detects. If the .part file exists, then repeat the same eicar download using IE11. If the .part extension file does not exist using IE11, the issue is Firefox. It is creating the .part extension file. I believe that file is just a "stub" and in no way should be interpreted that Eset's web filtering is not detecting malware downloads using https.

After the detection of ESET IS the .part file does get deleted. Interestingly attempting to download the file in MS Edge doesn't create such a .part file, at least not in the %temp% folder, but the ESET IS log states for both MS Edge and Firefox that the malicious file has been detected by the real-time scanner (https download). I have tried turning the web filtering off in ESET, restarted the system and the detections have stayed the same with one exception: The http downloads now state "real-time scanner" as well as type of inspection through which the threat was found. Remember it stated http-inspection before that, as I would expect and stated in my post above.

So for me it still looks like the SSL/TLS filtering of ESET Internet Security 11.0.144.0 does not work under my installation of Windows 10, 64-Bit, v.1709, because

1. Firefox and other internet based applications still work (have access) without having the root certificate imported and ESET IS web filtering set to policy. Under Windows 7 ESET IS blocked the internet access for such applications entirely as it was not able to scan those connections.

2. Downloads using https trigger real-time scanner as type of inspection for threat-detection and there is no difference if web-filtering is turned off completely in ESET IS.

I don't want to waste any more of your time. I will install ESET IS on my Windows 10 Laptop in the coming weeks and see if I can see the same behavior or if it is a system specific issue with my desktop machine. Since I am really careful of not having a messy system I expect the same behavior of ESET IS on my laptop. I will see how the next updates turn out until my license expires early next year.

Thanks again for your time and help!


  • Administrators
5 hours ago, fabbel said:

For some reason Firefox 56.0.2 (64-Bit) won't get the root certificate from ESET IS imported automatically.

Automatic import of the ESET root certificate is supported only for browsers that are installed, not for portable versions of browsers. If that's not the case, try the following:
- reboot the computer
- without launching any application, disable SSL/TLS filtering and click OK
- re-enable SSL/TLS filtering and click OK
- launch a browser and check if eicar is detected upon download: https://secure.eicar.org/eicar_com.zip

If it's not detected, exit the browser and disable SSL/TLS filtering. Start logging with Procmon as per the instructions at https://support.eset.com/kb6308/. Then re-enable SSL/TLS filtering. After approximately 5 seconds stop logging, save the pml log (unfiltered) and compress it. Upload the archive to a safe location (e.g. Dropbox, OneDrive, etc.) as well as logs collected by ELC and pm me download links.
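For the question raised in this thread of how to test whether SSL/TLS filtering is actually in the path of a connection, one check that does not depend on the detection log is to look at the issuer of the certificate a client on that machine is served: a filtered connection carries a certificate issued by the product's own root instead of the site's public CA. The following is an added example, not code from the thread or from ESET; the marker string "ESET", the name "ESET SSL Filter CA" and both sample certificates are assumptions, and the result only describes a process the product is configured to filter.

```python
import socket
import ssl

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_DIRECT = {"issuer": ((("organizationName", "Example Trust Services"),),
                            (("commonName", "Example Public CA"),))}
# Assumption: the filtering root's name contains "ESET"; confirm the exact
# name in the product's certificate settings before relying on it.
SAMPLE_FILTERED = {"issuer": ((("commonName", "ESET SSL Filter CA"),),)}


def issuer_fields(cert):
    """Flatten the issuer RDN tuples of a getpeercert() dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify(cert, marker="ESET"):
    """Return (verdict, issuer name) for a decoded leaf certificate."""
    fields = issuer_fields(cert)
    if not fields:
        return ("unknown", "")
    name = fields.get("commonName") or fields.get("organizationName", "")
    hit = any(marker.lower() in value.lower() for value in fields.values())
    return ("filtered" if hit else "direct", name)


def probe(host, port=443, timeout=10):
    """Live check: classify the leaf certificate this process is served."""
    ctx = ssl.create_default_context()  # verifies against the system store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        # The chain served to this process is not trusted by its store,
        # e.g. an interception root that was never imported.
        return ("untrusted", err.verify_message)


if __name__ == "__main__":
    for label, cert in (("direct", SAMPLE_DIRECT), ("filtered", SAMPLE_FILTERED)):
        print(label, "->", classify(cert))
    # On the machine under test: print(probe("secure.eicar.org"))
```

A "direct" verdict for a process that policy mode is supposed to cover means its TLS session is not being inspected, which is the condition described in the posts above; the same issuer can be read in a browser's certificate viewer for the page being loaded.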
