Problem with Internet Security 11.1.54

[txhawkeye 0]

I've used Eset Internet Security on Windows 7 together with Symantec Workspace Virtualization (SWV) for a long time with no problems until upgrading Internet Security to 11.1.54 and now firewall rules no longer work for applications under the control of SWV.

SWV allows me to virtualize applications into an SWV 'layers'.   It uses a filter driver to redirect I/O for each virtualized application.  So, an application like SyncBackPro appears to other applications to be located at C:\Program Files (x86)\2BrightSparks\SyncBackPro.exe, but is actually located at C:\fslrdr\43\[_B_]PROGRAMFILES[_E_]\2BrightSparks\SyncBackPro\SyncBackPro.exe.  Internet Security sees the location as C:\fslrdr\43\[_B_]PROGRAMFILES[_E_]\2BrightSparks\SyncBackPro\SyncBackPro.exe when creating a firewall rules.

I run Internet Security in interactive mode.  After upgrading to 11.1.54 all the permanent firewall rules I've created for SWV virtualized applications are essentially ignored.  Internet Security prompts me every time for what action to take for outbound traffic every time I start an SWV virtualized application that has rules defining the action that should be taken. I tried creating new permanent rules from the prompts, but the next time I run the application Internet Security generates a new prompt (as if I'd specified that the rule is to apply only for the current instantiation of the application).  I've checked the firewall rules list and the new rules have been added, but Internet Security still prompts me every time the is run.

I had no problems before 11.1.54; I could create a permanent rule for any SWV virtualized application using the redirected location and it would work as expected.  After 11.1.54, the permanent rules for SWV virtualized applications no longer work and I cannot find a way to stop getting a prompt every time the virtualized applications run, so I've reverted to 11.0.151.9.

I don’t know what changed in 11.1.54, but I can’t upgrade to it until this is fixed.  Let me know if you need any further information to help resolve this.

Thank you in advance.

[anton83 110]

Did you tried to reset to default firewall in EIS?

[txhawkeye 0]

No, I did not attempt to reset anything before restoring the prior version.

I'm willing to try, but I need to know what you mean by "reset to default firewall in EIS".  Please let me know what steps I need to perform in order to do what you're asking.

[itman 1,659]

2 hours ago, anton83 said:

I run Internet Security in interactive mode.  After upgrading to 11.1.54 all the permanent firewall rules I've created for SWV virtualized applications are essentially ignored.  Internet Security prompts me every time for what action to take for outbound traffic every time I start an SWV virtualized application that has rules defining the action that should be taken.

Post a screen shot of the Eset alert you are receiving. I want to verify that it is a firewall alert and not an application modification alert which I assume you have enabled.

[txhawkeye 0]

It was a firewall alert, not an application modification alert; I'm familiar with both.  The SWV virtualized applications hadn't changed.  The firewall alert popped every time I started one of the virtualized apps - even after telling Eset to create a permanent rule to allow (and I verified the rules were created by looking at the firewall rules after Eset created them).

I have reverted to 11.0.159.9 because it was too much of a hassle to have to continually interact with Eset to run the multiple SWV virtualized apps I have.  The problems do not occur in 11.0.159.9.

If you need me to re-install and send you a screenshot, I can do that, but I'm certain Eset was throwing firewall alerts.

Please advise.

[itman 1,659]

As best as I can determine, there were no changes to the firewall in ver. 11.1.54. Eset a few vers. back removed the individual service ref. for svchost.exe for the default firewall rules. Personally, I don't see how your existing rules for SWV in the prior versions.

[txhawkeye 0]

Hmmm.  I've been using Eset going back to at least version 7.  The firewall rules for SWV virtualized applications have always worked without any issue for all versions until 11.1.54.

Perhaps something happened during the upgrade to 11.1.54.  I upgraded via a prompt from the Eset software.  I'll try upgrading again and see what happens and report back (it may be a day of so before I can, though).

[anton83 110]

7 hours ago, txhawkeye said:

No, I did not attempt to reset anything before restoring the prior version.

I'm willing to try, but I need to know what you mean by "reset to default firewall in EIS".  Please let me know what steps I need to perform in order to do what you're asking.

There was a such error for some users. You need to enter EIS firewall settings and click to reset to default. There wa a post here how to do it.

[nimBuS65 1]

Change in support options Eset IS with Eset antivirus and use windows FW it will help.

[itman 1,659]

21 hours ago, txhawkeye said:

Internet Security sees the location as C:\fslrdr\43\[_B_]PROGRAMFILES[_E_]\2BrightSparks\SyncBackPro\SyncBackPro.exe when creating a firewall rules.

Next time you create a new firewall rule from above process Eset alert, pay close attention to the full path name inserted into the firewall rule. I suspect there is some "subtle" change in the path name.

Also it might be the firewall rule processor can no handle those "[_B_]" bracket characters; BTW do those correspond to any known keyboard character?

[txhawkeye 0]

The path C:\fslrdr\43\[_B_]PROGRAMFILES[_E_]\2BrightSparks\SyncBackPro\SyncBackPro.exe is what I have copied directly from the path name a firewall rule that worked before 11.1.54 and has problems starting with 11.1.54.  The substrings '[_B_]' are literally those characters on the keyboard.

I did another test after my last update.  I had reverted to 11.0.159.9 after having problems with 11.1.54.  For this test, I uninstalled 11.0.159.9 and installed a full copy of 11.1.54 downloaded from the Eset website.  Same results.

However, I did find that the rules for some of the SWV virtual apps did work properly and some did not (I hadn't tested all SWV virtual apps the first time).  Some limited testing hints that the problem MAY be with virtualized 32-bit apps; I have one virtualized 64-bit app and its rules were recognized and handled as expected.  I need more testing to determine whether this is a problem with virtualized 32-bit vs 64-bit apps.

Unfortunately, I have two virtualized 32-bit apps that run frequently on a scheduled basis, so it isn't feasible to stay on 11.1.54 for extended periods of time because 11.1.54 Eset pops firewall alerts every time a scheduled execution takes place.  Therefore, I have again reverted to 11.0.159.9 for now.  When I get some more time, I will do some more testing and report back.

[itman 1,659]

2 hours ago, txhawkeye said:

Some limited testing hints that the problem MAY be with virtualized 32-bit apps

That's interesting. There have been reported issues with Win 10 x(86) 1803  and Eset ver. 11.1.54; mostly on NOD32. I haven't heard of any with Win 7 however. 

[txhawkeye 0]

2 hours ago, itman said:

That's interesting. There have been reported issues with Win 10 x(86) 1803  and Eset ver. 11.1.54; mostly on NOD32. I haven't heard of any with Win 7 however. 

Just to be clear, I'm running 64-bit Win 7.  Some of the SWV virtualized apps are 32-bit apps; others are 64-bit.  I'm working on an approach to determine whether  or not the problem I've encountered on 11.1.54 is related to just the 32-bit apps when I run another test.

[txhawkeye 0]

I did more extensive testing today on EIS 11.1.54.  The problem with EIS 'remembering' firewall rules created for applications that have been virtualized by Symantec Workspace Virtualization (SWV) occurs for both 32-bit and 64-bit virtualized applications.  EIS generates alerts every time an SWV virtualized application attempts to communicate over the network.

As suggested by anton83, I also tried resetting all firewall settings to default.  I can't use the default firewall mode, so I set the firewall to interactive mode after the reset - the problem was still there.  I reset settings again and tried learning mode ... EIS still generated firewall alerts every time an SWV application attempted to communicate over the network. 

I've attached two screenshots of EIS firewalls rules from the tests.  The first show rules generated during the test in interactive mode; the second shows rules generated in learning mode.  Both show multiple copies of the same rules generated when running a program called DxO Photo Lab.  EIS creates the rules correctly, but it doesn't apply them when the application is started again and instead generates a new alert as if no rule exists.

This never happened before 11.4.54.

I have once again reverted to 11.0.159.9 until this problem can be fixed.

Edited June 15, 2018 by txhawkeye

[txhawkeye 0]

Can anybody comment on and/or assist with my preceding post?

[itman 1,659]

12 hours ago, txhawkeye said:

Can anybody comment on and/or assist with my preceding post?

Appears to me Eset firewall in ver. 11.1.54 is having an issue parsing path names with "[" and "]" characters in them. I assume these are the only firewall rules that have like characters in their path names.

Edited June 21, 2018 by itman

[txhawkeye 0]

10 hours ago, itman said:

Appears to me Eset firewall in ver. 11.1.54 is having an issue parsing path names with "[" and "]" characters in them. I assume these are the only firewall rules that have like characters in their path names.

Interesting thought.  Yes, the only firewall rules with "[" and "]" characters in the path are rules associated with Symantec Workspace Virtualization. 

I will try an experiment where I create a path with those characters and put an executable in the path and see what happens.  I'll try this in a virtual machine rather than upgrade/downgrade my physical/host machine again.

[itman 1,659]

15 hours ago, txhawkeye said:

Yes, the only firewall rules with "[" and "]" characters in the path are rules associated with Symantec Workspace Virtualization. 

I will also note that the bracket like characters shown your screen shot don't look right. Notice the top vertical line is not the same length as bottom one. This leads me to believe some type of special characters are being used. For reference, compare my above posted left and right bracket characters to those shown in your screen shot.

[Marcos 5,074]

9 minutes ago, itman said:

I will also note that the bracket like characters shown your screen shot don't look right. Notice the top vertical line is not the same length as bottom one. This leads me to believe some type of special characters are being used. For reference, compare my above posted left and right bracket characters to those shown in your screen shot.

That's because "[" is followed by an underscore "_" so it looks like "[_" then.

[itman 1,659]

16 minutes ago, Marcos said:

That's because "[" is followed by an underscore "_" so it looks like "[_" then.

And that in itself might be what is causing the firewall rule directory path parsing to "hiccup."

[itman 1,659]

18 hours ago, txhawkeye said:

I will try an experiment where I create a path with those characters and put an executable in the path and see what happens.

I decided to "get to the bottom of this."

Did my own testing on Win 10 1803 w/ver. 11.1.54. As the below screen shots show, I could not duplicate the problem using iexplore.exe as the blocked or allowed executable in Interactive mode. Someone needs to test likewise on Win 7 for verification purposes:

[txhawkeye 0]

OK, I just finished testing with Win 7 in a VMware Workstation virtual machine (ie, 'guest' in VMware terminology).  The VM was a clean Win 7 install.

The problem IS NOT with the characters in the path.  I installed Calibre (ebook management software) in the VM with the install path C:\fslrdr\23\[_B_]PROGRAMFILES64[_E_]\Calibre2\ This is the same path where Calibre is located on the host/physical machine under Symantec Workspace Virtualization (SWV) control.  Note that SWV was out of the picture for this test. The problem with 11.1.54 EIS I've been experiencing DID NOT OCCUR on the VM when Calibre was installed in this path.

I then ran another test on the VM.  This test had both SWV and EIS 11.1.54 installed.  When Calibre was installed and ran under SWV control in this test, the problem DID occur.

So, it looks like 11.1.54 introduces a conflict between SWV and IES as it pertains to using properly handling existing firewall rules that have been created for applications that are under the virtualized control of SWV.  Prior versions of Eset Internet Security as well as Eset Smart Security never had this problem.

Thoughts?

[itman 1,659]

11 minutes ago, txhawkeye said:

I then ran another test on the VM.  This test had both SWV and EIS 11.1.54 installed.  When Calibre was installed and ran under SWV control in this test, the problem DID occur.

Well, your test clearly established the issue is with SWV.

My best guess is Eset's firewall in ver. 11.1.54 is "blind" to process startup from SWV. Why that is I am clueless.

[txhawkeye 0]

On 6/22/2018 at 4:28 PM, itman said:

My best guess is Eset's firewall in ver. 11.1.54 is "blind" to process startup from SWV. Why that is I am clueless.

I've been away for a several days and haven't been online.

How do I proceed from here?  I don't know if Eset monitors these forums.  Do I need to submit a bug report?  If so, how?

Thanks in advance.

[TomFace 539]

43 minutes ago, txhawkeye said:

I've been away for a several days and haven't been online.

How do I proceed from here?  I don't know if Eset monitors these forums.  Do I need to submit a bug report?  If so, how?

Thanks in advance.

If you need to open a trouble ticket, if you are North America see https://www.eset.com/us/support/contact/s3/?seg=home

If you are in other parts of the globe, you should probably contact the ESET office in your country  https://www.eset.com/int/about/contact/ or your local  distributor/reseller.

Edited July 6, 2018 by TomFace