
Eset Internet Security 12.0.27.0 Firewall Blocks access to my School Account Sign-in



  • ESET Insiders

Eset Internet Security version 12.0.27.0 Firewall blocks my school's sign-in screen from loading when in Interactive Mode. I receive no prompts, it blocks it silently.

It also blocks me from downloading documents on Blackboard when logged into my account in Interactive Mode. This blocking occurs silently also.  The only way to avoid the problem is to switch to Automatic Mode.

 

Here is the sign-in page. Click on the "use the single sign-on Mypath" link as shown in the screenshot. https://hazard.kctcs.edu/current-students/student-resources/mypath.aspx

I'm using Windows 10 X64 Pro Version 1709.


It is "slowly unfolding" that there might be issues with ver. 12.0.27 Interactive firewall mode.

Temporarily disable Eset's SSL protocol scanning and see if that stops the blocking. If so, report back that it did.


  • ESET Insiders

Disabling SSL protocol Scanning seems to have fixed the problem (not really a fix, but a work around).

It did not work at first, but after clearing the browser cache I was able to load the sign-in page, and sign in with Eset's Firewall in Interactive Mode. 

I was able to sign in with Internet Explorer, and Firefox.

Edited by cutting_edgetech

  • ESET Insiders

Only, with my school website, AFAIK. I have problems signing in, and also accessing resources once I have signed in. When using blackboard I can't download documents (.pdf, .doc) without switching to Automatic Mode.


  • Administrators

In this case the issue doesn't appear to be related to the firewall. I was able to reproduce it and merely disabling SSL/TLS filtering helped. Switching the firewall to automatic mode didn't make any difference.

I'll report it to devs and provide them with logs. We'll keep you posted.


In the meantime, you could just try to exclude your school's IP address which appears to be, 67.208.145.191, from SSL/TLS protocol scanning. This would prevent you from always having to toggle SSL/TLS protocol scanning off and on.


  • ESET Insiders
1 hour ago, Marcos said:

In this case the issue doesn't appear to be related to the firewall. I was able to reproduce it and merely disabling SSL/TLS filtering helped. Switching the firewall to automatic mode didn't make any difference.

I'll report it to devs and provide them with logs. We'll keep you posted.

I also have logs I collected with Eset Log Collector. If you need them I can send them by email, or pm if possible.


  • ESET Insiders
23 minutes ago, itman said:

In the meantime, you could just try to exclude your school's IP address which appears to be, 67.208.145.191, from SSL/TLS protocol scanning. This would prevent you from always having to toggle SSL/TLS protocol scanning off and on.

Where can I add the IP exception at? I'm not seeing it in the UI.


Click on Edit as shown in the below screen shot.

[Screenshot: Eset_Exclud_IP]

Also if this doesn't work, the real "culprit" is that there is a redirect to login.microsoftonline.com going on prior to the school sign on web page appearing.

[Screenshot: Eset_SSL_1]

Edited by itman

  • ESET Insiders
2 minutes ago, itman said:

Click on Edit as shown in the below screen shot.

[Screenshot: Eset_Exclud_IP]

Also if this doesn't work, the real "culprit" is that there is a redirect to login.microsoftonline.com going on prior to the school sign on web page appearing.

[Screenshot: Eset_SSL_1]

Ok, Thank you for all your help!


  • ESET Insiders
1 hour ago, Marcos said:

In this case the issue doesn't appear to be related to the firewall. I was able to reproduce it and merely disabling SSL/TLS filtering helped. Switching the firewall to automatic mode didn't make any difference.

I'll report it to devs and provide them with logs. We'll keep you posted.

I still can't log in with Interactive Mode, and I still can't download documents in Interactive Mode. Switching the Firewall to Automatic Mode is a temporary fix for me. Switching to Automatic Mode allows me to login, and access all resources on Blackboard.

Eset appears to be treating SSL/TLS filtering differently in Automatic Mode than in Interactive Mode.

I just thought I would let you know so you can pass the word on to the developers.

Thank you for all your help!

cutting_edgetech

Michael


Have an idea of what's going on.

When this link,  "use the single sign-on Mypath", which equates to this URL, https://mypath.kctcs.edu/ , is clicked, a redirect to login.microsoftonline.com is done. Immediately thereafter a RuntimeBroker.exe task is started. I believe this task is what the Eset firewall in Interactive mode is blocking. Why this only occurs with SSL protocol scanning enabled is a mystery.

What I do know is there is inconsistent behavior when the firewall is in Automatic mode. Using IE11, the first attempt hangs on the redirect to login.microsoftonline.com. Immediately repeating the connection process again in the browser results in the school's logon page being displayed. Note that I am not logged on to Win 10 via Microsoft mail account.

What is going on here might also be related to if you are logged onto Win 10 via Microsoft mail logon account. It appears to me that is how the school assumes you are logged on and is attempting some verification process based on your device id or the like?

Edited by itman

  • ESET Insiders

I'm not using my own Microsoft On-line ID (Windows is a pain to deal with if you authenticate Windows OS login using that method due to privacy issues), but it appears that the school is creating an Online-ID for me to use with Microsoft Sharepoint platform.

The domain switches twice during the login process. Take note that Eset blocks even getting to the login screen, but also blocks the login itself most of the time. I don't remember the domain switches that take place before arriving at the logon page. You can see that yourself though without having logon credentials.

The domain starts at  https://sts.kctcs.edu/......then switches to https://login.microsoftonline.com/login.srf?client-request-id....., and then to https://kctcs.sharepoint.com/sites/mypath

That's about as detailed as I can get for now. I'm typing one handed here due to crazy doctor paralyzing my hand with botox shots for writer's cramp. It will be at least 2 more months before I can type again. I was supposed to graduate this semester in InfoSec, and transfer to another University. That's all on hold now. I will provide what info I can, but it takes me forever to type anything now.

Edited by cutting_edgetech
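
Added example (not part of any post in this thread, and not ESET code): a way to see on which hops of the sign-in chain described above SSL/TLS filtering is actually active, for instance after adding an exclusion. It assumes the filter's root certificate carries the name `ESET SSL Filter CA`; the sample certificates are constructed.

```python
import socket
import ssl

# Assumption: issuer name of the root certificate the local ESET install
# uses to re-sign filtered TLS connections. Adjust if yours differs.
ESET_FILTER_CA = "ESET SSL Filter CA"

# The three hosts of the sign-in redirect chain named in the thread.
SSO_CHAIN = ["sts.kctcs.edu", "login.microsoftonline.com", "kctcs.sharepoint.com"]

def issuer_field(cert, field="commonName"):
    """Pull one field out of the nested issuer tuple returned by getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return ""

def classify(cert):
    """'filtered' if the leaf was re-signed by the local filter CA, else 'direct'."""
    names = (issuer_field(cert, "commonName"), issuer_field(cert, "organizationName"))
    hit = any(ESET_FILTER_CA.lower() in n.lower() for n in names)
    return "filtered" if hit else "direct"

def fetch_cert(host, port=443, timeout=5.0):
    """Live probe: the validated peer certificate as this machine sees it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(certs_by_host):
    """Map each host of the chain to 'filtered', 'direct' or 'missing'."""
    return {h: classify(certs_by_host[h]) if h in certs_by_host else "missing"
            for h in SSO_CHAIN}

# Constructed sample certificates (issuer values are illustrative, not captured).
SAMPLE = {
    "sts.kctcs.edu": {"issuer": ((("organizationName", "Example Public CA"),),
                                 (("commonName", "Example Public CA G2"),))},
    "login.microsoftonline.com": {"issuer": ((("commonName", "ESET SSL Filter CA"),),)},
}

if __name__ == "__main__":
    print("sample:", audit(SAMPLE))
    # On the affected machine: audit({h: fetch_cert(h) for h in SSO_CHAIN})
```

A hop that still reports `filtered` after an exclusion was added means the exclusion did not match that host.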

@Marcos, below is a screen shot of all the URLs used by SharePoint. My guess at this point is SSL protocol scanning doesn't like one or more of those URLs:

Quote

Sharepoint Online Firewall Ports

Below are the list of SharePoint Online firewall ports:

The only ports required are HTTP/S on 80 & 443.

The URL’s required for internet filtering (proxies) are:

*.streaming.mediaservices.windows.net
ajax.aspnetcdn.com – Office Video
r3.res.outlook.com – Office Video and Delve
Spoprod-a.akamaihd.net – Office Video and OneDrive for Business
*.onenote.com
cdn.onenote.net
crl.microsoft.com
evsecure-ocsp.verisign.com
evsecure-aia.verisign.com
evsecure-crl.verisign.com
sa.symcb.com
sd.symcb.com
*.omniroot.com
*.verisign.com
*.symcb.com
*.symcd.com
*.verisign.net
*.geotrust.com
*.entrust.net
*.public-trust.com

Edited by itman

  • ESET Insiders

Eset is no longer blocking my school's login screen, or the login itself when using Interactive Mode. Also, I'm able to download resources on Blackboard again.

I have made no changes. I don't know if Eset made any changes/fixes or not.


  • Most Valued Members
11 minutes ago, cutting_edgetech said:

Eset is no longer blocking my school's login screen, or the login itself when using Interactive Mode. Also, I'm able to download resources on Blackboard again.

I have made no changes. I don't know if Eset made any changes/fixes or not.

It could have been ESET because Marcos said that he will report it to the developers, and also, as he said, it's not related to the firewall, it's related to the SSL/TLS scanning, so setting the firewall as Automatic or Interactive won't make any difference.


3 hours ago, cutting_edgetech said:

Eset is no longer blocking my school's login screen, or the login itself when using Interactive Mode. Also, I'm able to download resources on Blackboard again.

I have made no changes. I don't know if Eset made any changes/fixes or not.

Good to hear the problem has been resolved.


  • ESET Insiders
4 hours ago, Rami said:

It could have been ESET because Marcos said that he will report it to the developers, and also, as he said, it's not related to the firewall, it's related to the SSL/TLS scanning, so setting the firewall as Automatic or Interactive won't make any difference.

It did make a difference on my machine. Setting the Firewall to Automatic Mode always resolved the problem. That's why I was saying that Eset must be enforcing different SSL/TLS policy in Automatic Mode than Interactive Mode, or the problem is not only SSL/TLS. I could reproduce this 100 percent of the time. This was the case since at least version 11.


  • ESET Insiders
32 minutes ago, itman said:

Good to hear the problem has been resolved.

Yes, I hope they were able to identify the problem and fix it. If not, then the Eset client was able to add some policy on its own from me disabling SSL/TLS that allowed the page to load, and also allowed the login. If that's the case then maybe the problem will reappear once I roll my machine back, or reformat. Hopefully they fixed the problem though.
