
Firewall is not working partly. Is it a bug or a hack?



Hello.

There is the following problem with the firewall after installing ESET Internet Security 12. The firewall is configured to block all incoming connections and request all outgoing. When you first connect to the Internet, everything works fine. But after the first connection the firewall begins to allow some outgoing traffic without permission. This problem is observed immediately after the computer is turned on and disappears upon reboot. Is this a bug of ESET Internet Security or is it a sign of hacking a computer?

Operating system: Windows 10 64-Bit.

Link to comment

  • Administrators

In automatic mode (default), all outgoing communication is allowed and all non-initiated communication from outside the Trusted zone is blocked.

It is not clear how the firewall behaves after a system restart, since it should always behave the same way unless custom rules are created.

Link to comment

The firewall is in Policy-based mode, not Automatic mode. Custom rules are configured in such a way that all incoming connections are blocked and all outgoing connections are asked.

Such behavior of the firewall looks suspicious. Like hacking a computer. But maybe this is just a bug?

 

Link to comment

49 minutes ago, Kate978 said:

Custom rules are configured in such way that all incoming connections are blocked and all outgoing connections are asked.

Post a screen shot of your existing firewall rules; just one that shows the beginning of the default Eset rules.

Link to comment

  • Administrators

Some communication is allowed by default. To override default rules, you'd need to move your custom rule(s) on top of the default rules which are hidden unless you check a box to display them in the rule editor.

Link to comment

53 minutes ago, Marcos said:

Some communication is allowed by default.

And this info is posted where ??????  Somebody can pull his hair out trying to figure out what's wrong  ( see the OP: Firewall is not working partly. Is it a bug or a hack? ) when in fact is "some communication is allowed by default".....

Link to comment

  • Administrators

Please kindly stop using bold font and multiple question marks which is generally considered shouting. Shouting is forbidden by our forum rules.

Quote

And this info is posted where ?

image.png

Link to comment

These are my firewall rules.

Firewall rules
Name                                    Protocol     Direction  Local  Remote
Ask traffic for openvpn.exe             TCP and UDP  In
Deny incoming connections               Any          In
Ask traffic for ProtonVPN.exe           TCP and UDP  Out
Ask traffic for ProtonVPNService.exe    TCP and UDP  Out
Ask traffic for firefox.exe             TCP and UDP  Out
Ask traffic for tor.exe                 TCP and UDP  Out
Ask traffic for egui.exe                TCP and UDP  Out
Ask traffic for ekrn.exe/ekrn           TCP and UDP  Out
Ask traffic for dnscrypt-proxy.exe      TCP and UDP  Out
Ask traffic for svchost.exe/CryptSvc    TCP and UDP  Out
Ask traffic for svchost.exe/Dhcp        TCP and UDP  Out
Deny outgoing multicast DNS requests    UDP          Out               IP: 224.0.0.252, Port: 5355
Deny outgoing NETBIOS requests          TCP and UDP  Out               Port: 445,137-139
Deny outgoing LDAP requests             TCP and UDP  Out               Port: 389,3268,49152-49159
Ask outgoing connections                Any          Out
Deny traffic for svchost.exe/Dnscache   TCP and UDP  Out

 

custom_rules.jpg

Link to comment
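Added example (not part of any post in this thread, and not ESET code): a small Python model of rule ordering, assuming the firewall evaluates rules top-down and applies the first match, which is what the advice to move custom rules above the hidden default rules implies. The default rule, the port number and the function names are constructed for illustration; the three custom rule names come from the list posted above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow", "deny" or "ask"
    direction: str              # "in" or "out"
    app: Optional[str] = None   # None matches any application
    port: Optional[int] = None  # None matches any remote port

    def covers(self, direction, app, port):
        """True if a connection (or narrower rule) with these fields matches."""
        return (self.direction == direction
                and self.app in (None, app)
                and self.port in (None, port))

def decide(rules, direction, app, port):
    """Top-down, first match wins (assumed evaluation model)."""
    return next((r for r in rules if r.covers(direction, app, port)), None)

def shadowed(rules):
    """(rule, earlier rule) pairs where the later rule can never fire."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later.direction, later.app, later.port):
                pairs.append((later.name, earlier.name))
                break
    return pairs

DNSCACHE = "svchost.exe/Dnscache"
# Constructed stand-in for a hidden default rule; not an actual ESET rule.
DEFAULT = [Rule("Default: allow DNS (constructed)", "allow", "out", DNSCACHE, 53)]
# Three custom rules in the order they appear in the first list in the thread.
CUSTOM = [Rule("Ask traffic for firefox.exe", "ask", "out", "firefox.exe"),
          Rule("Ask outgoing connections", "ask", "out"),
          Rule("Deny traffic for svchost.exe/Dnscache", "deny", "out", DNSCACHE)]

if __name__ == "__main__":
    for label, rules in (("defaults on top", DEFAULT + CUSTOM),
                         ("custom on top", CUSTOM + DEFAULT)):
        hit = decide(rules, "out", DNSCACHE, 53)
        print(f"{label}: DNS from Dnscache -> {hit.action} ({hit.name})")
        for later, earlier in shadowed(rules):
            print(f"  never reached: {later!r}, shadowed by {earlier!r}")
```

In both orderings the catch-all "Ask outgoing connections" sits above the Dnscache deny rule, so under this model the deny rule is never evaluated.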

Hidden default rules are at the bottom of the list. Only blocking incoming connections rules are active. Others are inactive.
There is a leakage of such traffic as dns-client, dnscrypt-proxy, ekrn, part of ProtonVPN. Even forbidden protocols like MDNS, NBNS, SSDP get access to the Internet without any permission.
This initialization window with ESET logo is also missing.

 

eset_logo.jpg

Link to comment

I haven't used Eset's Policy modes for either firewall or HIPS settings. However, policy mode in other security software usually means only rule based "allow" activity and everything else is blocked by default. Or using an expanded definition, only allow and block rules are permitted. The concept of "ask" rules/activity falls in the scope of interactive monitoring. For example, an ask rule by definition will offer a user the option to manually create a rule. This by definition violates the concept of employing a fixed policy.

Link to comment

2 hours ago, Kate978 said:

This initialization window with ESET logo is also missing.

If you are using Win 10's fast startup option, the logo screen won't show at boot time. It does appear after a system restart.

Link to comment

I disabled the fast boot. I really saw the initialization window with ESET logo. Now it sometimes appears, sometimes not, but the firewall is fully working both after shutting down the computer and after rebooting. Then I turned on Interactive mode and here are my rules.

Firewall rules
Name                                    Protocol     Direction  Local  Remote
Ask traffic for openvpn.exe             TCP and UDP  In
Deny incoming connections               Any          In
Allow traffic for ProtonVPN.exe         TCP and UDP  Out
Allow traffic for ProtonVPNService.exe  TCP and UDP  Out
Ask traffic for firefox.exe             TCP and UDP  Out
Ask traffic for tor.exe                 TCP and UDP  Out
Allow traffic for egui.exe              TCP and UDP  Out
Allow traffic for ekrn.exe/ekrn         TCP and UDP  Out
Allow traffic for dnscrypt-proxy.exe    TCP and UDP  Out
Allow traffic for svchost.exe/Dnscache  TCP and UDP  Out
Allow traffic for svchost.exe/Dhcp      TCP and UDP  Out
Deny outgoing connections               Any          Out
Deny traffic for svchost.exe/CryptSvc   TCP and UDP  Out
Deny outgoing multicast DNS requests    UDP          Out               IP: 224.0.0.252, Port: 5355
Deny outgoing NETBIOS requests          TCP and UDP  Out               Port: 445,137-139
Deny outgoing LDAP requests             TCP and UDP  Out               Port: 389,3268,49152-49159


But... There is still a leakage of traffic, which is forbidden not only in the firewall rules, but in the system. These are NetBIOS, mDNS, SSDP, UDP. It seems to be the ekrn.exe file. So it is a component of ESET Internet Security. It connects to various non-ESET IP addresses (224.0.0.22, 192.168.0.1, 192.168.0.100, 65.52.98.233, etc.) using the NetBIOS protocol. But is it normal behavior?

1579248.jpg

Link to comment

2 hours ago, Kate978 said:

These are NetBIOS, mDNS, SSDP, UDP. It seems to be ekrn.exe file. So it is a component of ESET Internet Security.

Ekrn.exe performs internal proxying activities using UDP and the ports associated with the protocols you referenced. You need to allow all ekrn.exe traffic both inbound and outbound; not just outbound traffic.

As far as NetBIOS goes, I have it disabled for my IPv4 network adapter connection. I have disabled the SSDP Win service thereby eliminating all that traffic. As far as mDNS, that one is a slippery bugger. Windows has a way of using it despite your best efforts. I don't worry about it anymore. If you want to stop all mDNS traffic, just disable all default firewall rules associated with it per the below screen shot. Or disable LLMNR under Allowed Services section which will create a rule to not use sent outbound traffic to 224.0.0.252, ff02::, etc.:

Eset_mDNS.png.7beca6fcc412aaa402aa7f874cb3460b.png

Edited by itman
Link to comment

  • Most Valued Members
1 hour ago, Kate978 said:

Now the firewall is fully functional. It seems the problem was in conflict with fast boot. Very thank you.

Disabling fast boot in your BIOS has fixed the issue? That's weird. If I do remember correctly, I have Fast Boot enabled and I don't have this problem.

Link to comment

2 hours ago, Rami said:

Disabling fast boot in your BIOS has fixed the issue? That's weird. If I do remember correctly, I have Fast Boot enabled and I don't have this problem.

The OP is using a VPN as his rules obviously indicate. This might be a factor with Win 10 Fast Boot enabled.

I likewise have used Eset with and without Fast Boot enabled. What I have observed is it appears Eset's firewall initializes faster under Fast Boot which would be expected.

Link to comment

I turned off fast startup in Control Panel.
Control Panel=>Power Options=>Choose what the power buttons do=>Change settings that are currently unavailable=>Turn off fast startup=>Save changes
I can't explain this fact, but now the firewall is working fine.

 

Link to comment

  • 1 month later...
  • Administrators
50 minutes ago, boom said:

my personal firewall epfwlwf file missing.  

A nice screen shot from the prehistoric era :)

Please uninstall ESS v4 and install ESET Internet Security v12 from scratch.

Link to comment

Quote

my personal firewall epfwlwf file missing

Quote

ESET Smart Security

ESET Smart Security is not available in version 11. ESET Smart Security has been replaced with the new solution - ESET Internet Security.

Version  Release Date  Latest Build  Updated    Status         Next Status  Expected EOL
10       25-Oct-16     10.1.245.0    17-May-18  Basic Support  End of Life  Dec 2020
9        13-Oct-15     9.0.429.2     13-Jun-18  Basic Support  End of Life  Dec 2019*
8        21-Oct-14     8.0.319.0                End of Life    End of Life  Oct 2018
7        8-Oct-13      7.0.325.0                End of Life    End of Life  Dec 2017
6        15-Jan-13     6.0.316.0                End of Life    End of Life  June 2017
5        13-Sep-11     5.2.15.0                 End of Life    End of Life  Dec 2015
4        2-Mar-09      4.2.71.2                 End of Life    End of Life  Dec 2015
3        5-Nov-07      3.0.695.0                End of Life    End of Life  Dec 2015
https://support.eset.com/kb3678/?segment=home
 
Edited by itman
Link to comment

On 2/2/2019 at 6:33 PM, itman said:

Post a screen shot of your existing Vidmate iTunes Notepad++ firewall rules; just one that shows the beginning of the default Eset rules.

This problem is observed immediately after the computer is turned on and disappears upon reboot. Is this a bug of ESET Internet Security or is it a sign of hacking a computer?

Operating system: Windows 10 64-Bit.

Edited by fuliyatsi
Link to comment

  • Administrators
Just now, fuliyatsi said:

This problem is observed immediately after the computer is turned on and disappears upon reboot. Is this a bug of ESET Internet Security or is it a sign of hacking a computer?

Operating system: Windows 10 64-Bit.

What problem do you mean? Please post a screen shot of a warning or error message that you are getting.

Link to comment

25 minutes ago, fuliyatsi said:

This problem is observed immediately after the computer is turned on and disappears upon reboot. Is this a bug of ESET Internet Security or is it a sign of hacking a computer? 

Operating system: Windows 10 64-Bit.

Since this thread has been twice hijacked, the second time by you, it is impossible to determine exactly what issue you are referring to. Proper forum etiquette is not to hijack existing threads but to post a new one about your specific issue.

Link to comment

This topic is now closed to further replies.