Kate978, posted February 2, 2019:

Hello. There is the following problem with the firewall after installing ESET Internet Security 12. The firewall is configured to block all incoming connections and request all outgoing. When you first connect to the Internet, everything works fine. But after the first connection the firewall begins to allow some outgoing traffic without permission. This problem is observed immediately after the computer is turned on and disappears upon reboot. Is this a bug of ESET Internet Security or is it a sign of hacking a computer? Operating system: Windows 10 64-Bit.

Marcos (Administrators), posted February 2, 2019:

In automatic mode (default), all outgoing communication is allowed and all non-initiated communication from outside the Trusted zone is blocked. It is not clear how the firewall behaves after a system restart since it should always behave the same way unless custom rules are created.

Kate978 (Author), posted February 2, 2019:

The firewall is in Policy-based mode, not Automatic mode. Custom rules are configured in such a way that all incoming connections are blocked and all outgoing connections are asked. Such behavior of the firewall looks suspicious. Like hacking a computer. But maybe this is just a bug?

itman, posted February 2, 2019:

49 minutes ago, Kate978 said:
> Custom rules are configured in such way that all incoming connections are blocked and all outgoing connections are asked.

Post a screen shot of your existing firewall rules; just one that shows the beginning of the default Eset rules.

Marcos (Administrators), posted February 2, 2019:

Some communication is allowed by default. To override default rules, you'd need to move your custom rule(s) on top of the default rules which are hidden unless you check a box to display them in the rule editor.

novice, posted February 2, 2019:

53 minutes ago, Marcos said:
> Some communication is allowed by default.

And this info is posted where ?????? Somebody can pull his hair out trying to figure out what's wrong (see the OP: Firewall is not working partly. Is it a bug or a hack?) when in fact it is "some communication is allowed by default".....

Marcos (Administrators), posted February 2, 2019:

Please kindly stop using bold font and multiple question marks which is generally considered shouting. Shouting is forbidden by our forum rules.

Quote:
> And this info is posted where ?

Kate978 (Author), posted February 3, 2019:

These are my firewall rules.

Firewall rules
Name  Protocol  Direction  Local  Remote
Ask traffic for openvpn.exe  TCP and UDP  In
Deny incoming connections  Any  In
Ask traffic for ProtonVPN.exe  TCP and UDP  Out
Ask traffic for ProtonVPNService.exe  TCP and UDP  Out
Ask traffic for firefox.exe  TCP and UDP  Out
Ask traffic for tor.exe  TCP and UDP  Out
Ask traffic for egui.exe  TCP and UDP  Out
Ask traffic for ekrn.exe/ekrn  TCP and UDP  Out
Ask traffic for dnscrypt-proxy.exe  TCP and UDP  Out
Ask traffic for svchost.exe/CryptSvc  TCP and UDP  Out
Ask traffic for svchost.exe/Dhcp  TCP and UDP  Out
Deny outgoing multicast DNS requests  UDP  Out  IP: 224.0.0.252 Port: 5355
Deny outgoing NETBIOS requests  TCP and UDP  Out  Port: 445,137-139
Deny outgoing LDAP requests  TCP and UDP  Out  Port: 389,3268,49152-49159
Ask outgoing connections  Any  Out
Deny traffic for svchost.exe/Dnscache  TCP and UDP  Out

Kate978 (Author), posted February 3, 2019:

Hidden default rules are at the bottom of the list. Only blocking incoming connections rules are active. Others are inactive. There is a leakage of such traffic as dns-client, dnscrypt-proxy, ekrn, part of ProtonVPN. Even forbidden protocols like MDNS, NBNS, SSDP get access to the Internet without any permission. This initialization window with ESET logo is also missing.

itman, posted February 3, 2019:

I haven't used Eset's Policy modes for either firewall or HIPS settings. However, policy mode in other security software usually means only rule based "allow" activity and everything else is blocked by default. Or using an expanded definition, only allow and block rules are permitted.

The concept of "ask" rules/activity falls in the scope of interactive monitoring. For example, an ask rule by definition will offer a user the option to manually create a rule. This by definition violates the concept of employing a fixed policy.

itman, posted February 3, 2019:

2 hours ago, Kate978 said:
> This initialization window with ESET logo is also missing.

If you are using Win 10's fast startup option, the logo screen won't show at boot time. It does appear after a system restart.

itman, posted February 3, 2019 (edited February 3, 2019):

As far as DNS leakage is concerned, you should perform one of the web leak tests such as: http://dnsleak.com/ to ensure your VPN provider is not the source of the leak.

Kate978 (Author), posted February 4, 2019:

I disabled the fast boot. I really saw the initialization window with ESET logo. Now it sometimes appears, sometimes not, but the firewall is fully working both after shutting down the computer and after rebooting. Then I turned on Interactive mode and here are my rules.

Firewall rules
Name  Protocol  Direction  Local  Remote
Ask traffic for openvpn.exe  TCP and UDP  In
Deny incoming connections  Any  In
Allow traffic for ProtonVPN.exe  TCP and UDP  Out
Allow traffic for ProtonVPNService.exe  TCP and UDP  Out
Ask traffic for firefox.exe  TCP and UDP  Out
Ask traffic for tor.exe  TCP and UDP  Out
Allow traffic for egui.exe  TCP and UDP  Out
Allow traffic for ekrn.exe/ekrn  TCP and UDP  Out
Allow traffic for dnscrypt-proxy.exe  TCP and UDP  Out
Allow traffic for svchost.exe/Dnscache  TCP and UDP  Out
Allow traffic for svchost.exe/Dhcp  TCP and UDP  Out
Deny outgoing connections  Any  Out
Deny traffic for svchost.exe/CryptSvc  TCP and UDP  Out
Deny outgoing multicast DNS requests  UDP  Out  IP: 224.0.0.252 Port: 5355
Deny outgoing NETBIOS requests  TCP and UDP  Out  Port: 445,137-139
Deny outgoing LDAP requests  TCP and UDP  Out  Port: 389,3268,49152-49159

But... There is still a leakage of traffic, which is forbidden not only in the firewall rules, but in the system. These are NetBIOS, mDNS, SSDP, UDP. It seems to be ekrn.exe file. So it is a component of ESET Internet Security. It connects to various non-Eset IP addresses (224.0.0.22, 192.168.0.1, 192.168.0.100, 65.52.98.233, etc.) using NetBIOS protocol. But is it normal behavior?

itman, posted February 4, 2019 (edited February 4, 2019):

2 hours ago, Kate978 said:
> These are NetBIOS, mDNS, SSDP, UDP. It seems to be ekrn.exe file. So it is a component of ESET Internet Security.

Ekrn.exe performs internal proxying activities using UDP and the ports associated with the protocols you referenced. You need to allow all ekrn.exe traffic both inbound and outbound; not just outbound traffic.

As far as NetBIOS goes, I have it disabled for my IPv4 network adapter connection. I have disabled the SSDP Win service thereby eliminating all that traffic. As far as mDNS, that one is a slippery bugger. Windows has a way of using it despite your best efforts. I don't worry about it anymore.

If you want to stop all mDNS traffic, just disable all default firewall rules associated with it per the below screen shot. Or disable LLMNR under Allowed Services section which will create a rule to not use sent outbound traffic to 224.0.0.252, ff02::, etc.:

Kate978 (Author), posted February 5, 2019:

Now the firewall is fully functional. It seems the problem was in conflict with fast boot. Thank you very much.

Nightowl (Most Valued Members), posted February 5, 2019:

1 hour ago, Kate978 said:
> Now the firewall is fully functional. It seems the problem was in conflict with fast boot. Thank you very much.

Disabling fast boot in your BIOS has fixed the issue? That's weird. If I do remember correctly, I have Fast Boot enabled and I don't have this problem.

itman, posted February 5, 2019:

2 hours ago, Rami said:
> Disabling fast boot in your BIOS has fixed the issue? That's weird. If I do remember correctly, I have Fast Boot enabled and I don't have this problem.

The OP is using a VPN as his rules obviously indicate. This might be a factor with Win 10 Fast Boot enabled.

I likewise have used Eset with and without Fast Boot enabled. What I have observed is it appears Eset's firewall initializes faster under Fast Boot which would be expected.

Kate978 (Author), posted February 5, 2019:

I turned off fast startup in Control Panel.

Control Panel => Power Options => Choose what the power buttons do => Change settings that are currently unavailable => Turn off fast startup => Save changes

I can't explain this fact, but now the firewall is working fine.

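A read-only check of the Windows settings this thread ends up pointing at (fast startup, LLMNR, the SSDP Discovery service, NetBIOS over TCP/IP), given here as an added PowerShell example that is not from any poster or from ESET. It assumes Windows 10 with PowerShell 5.1 and an elevated prompt; the function names Get-RegValue and Get-NameResolutionExposure are made up for this example.

```powershell
# Added example (not from the thread): read-only audit, changes nothing.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns nothing ($null) when the key or the value is absent.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name }
}

function Get-NameResolutionExposure {   # hypothetical name, for this example only
    # Fast startup: 1 = on (shutdown hibernates the kernel session), 0 = off.
    $fast  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' 'HiberbootEnabled'
    # LLMNR policy: 0 = turned off by policy; absent = Windows default (LLMNR on).
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    # SSDP Discovery service state.
    $ssdp  = Get-Service -Name 'SSDPSRV' -ErrorAction SilentlyContinue

    # NetBIOS over TCP/IP, one entry per IP-enabled adapter.
    $netbios = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $state = switch ([int]$_.TcpipNetbiosOptions) {
                0 { 'Default (taken from DHCP)' }
                1 { 'Enabled' }
                2 { 'Disabled' }
                default { 'Unknown' }
            }
            '{0}: {1}' -f $_.Description, $state
        }

    [pscustomobject]@{
        FastStartup = if ($null -eq $fast) { 'Value not present' }
                      elseif ($fast -eq 1) { 'Enabled' } else { 'Disabled' }
        LLMNR       = if ($llmnr -eq 0) { 'Disabled by policy' }
                      else { 'Enabled (no policy, or policy allows it)' }
        SSDPService = if ($null -eq $ssdp) { 'Service not found' }
                      else { '{0}, start type {1}' -f $ssdp.Status, $ssdp.StartType }
        NetBIOS     = $netbios
    }
}

Get-NameResolutionExposure | Format-List
```

Comparing the output right after a normal power-on with the output after a restart shows whether any of these settings differ between the two boot paths described above.
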
boom, posted March 6, 2019:

My personal firewall epfwlwf file is missing.

Marcos (Administrators), posted March 6, 2019:

50 minutes ago, boom said:
> My personal firewall epfwlwf file is missing.

A nice screen shot from the prehistoric era. Please uninstall ESS v4 and install ESET Internet Security v12 from scratch.

itman, posted March 6, 2019 (edited March 6, 2019):

Quote:
> My personal firewall epfwlwf file is missing.

Quote:
> ESET Smart Security
> ESET Smart Security is not available in version 11. ESET Smart Security has been replaced with the new solution - ESET Internet Security.
>
> Version  Release Date  Latest Build  Updated  Status  Next Status  Expected EOL
> 10  25-Oct-16  10.1.245.0  17-May-18  Basic Support  End of Life  Dec 2020
> 9  13-Oct-15  9.0.429.2  13-Jun-18  Basic Support  End of Life  Dec 2019*
> 8  21-Oct-14  8.0.319.0  End of Life  End of Life  Oct 2018
> 7  8-Oct-13  7.0.325.0  End of Life  End of Life  Dec 2017
> 6  15-Jan-13  6.0.316.0  End of Life  End of Life  June 2017
> 5  13-Sep-11  5.2.15.0  End of Life  End of Life  Dec 2015
> 4  2-Mar-09  4.2.71.2  End of Life  End of Life  Dec 2015
> 3  5-Nov-07  3.0.695.0  End of Life  End of Life  Dec 2015

https://support.eset.com/kb3678/?segment=home

fuliyatsi, posted March 8, 2019 (edited March 9, 2019):

On 2/2/2019 at 6:33 PM, itman said:
> Post a screen shot of your existing Vidmate iTunes Notepad++ firewall rules; just one that shows the beginning of the default Eset rules.

This problem is observed immediately after the computer is turned on and disappears upon reboot. Is this a bug of ESET Internet Security or is it a sign of hacking a computer? Operating system: Windows 10 64-Bit.

Marcos (Administrators), posted March 8, 2019:

Just now, fuliyatsi said:
> This problem is observed immediately after the computer is turned on and disappears upon reboot. Is this a bug of ESET Internet Security or is it a sign of hacking a computer? Operating system: Windows 10 64-Bit.

What problem do you mean? Please post a screen shot of a warning or error message that you are getting.

itman, posted March 8, 2019:

25 minutes ago, fuliyatsi said:
> This problem is observed immediately after the computer is turned on and disappears upon reboot. Is this a bug of ESET Internet Security or is it a sign of hacking a computer? Operating system: Windows 10 64-Bit.

Since this thread has been twice hijacked, the second time by you, it is impossible to determine exactly what issue you are referring to.

Proper forum etiquette is not to hijack existing threads but to post a new one about your specific issue.