Kate978

Firewall is not working partly. Is it a bug or a hack?


Hello.

There is the following problem with the firewall after installing ESET Internet Security 12. The firewall is configured to block all incoming connections and ask about all outgoing ones. When you first connect to the Internet, everything works fine. But after the first connection the firewall begins to allow some outgoing traffic without permission. This problem is observed immediately after the computer is turned on and disappears upon reboot. Is this a bug in ESET Internet Security, or is it a sign that the computer has been hacked?

Operating system: Windows 10 64-Bit.


In automatic mode (default), all outgoing communication is allowed and all non-initiated communication from outside the Trusted zone is blocked.

It is not clear how the firewall behaves after a system restart since it should always behave the same way unless custom rules are created.


The firewall is in Policy-based mode, not Automatic mode. Custom rules are configured in such a way that all incoming connections are blocked and all outgoing connections are asked about.

Such behavior of the firewall looks suspicious, like the computer has been hacked. But maybe this is just a bug?

49 minutes ago, Kate978 said:

Custom rules are configured in such a way that all incoming connections are blocked and all outgoing connections are asked about.

Post a screenshot of your existing firewall rules; just one that shows the beginning of the default Eset rules.


Some communication is allowed by default. To override default rules, you'd need to move your custom rule(s) on top of the default rules which are hidden unless you check a box to display them in the rule editor.

53 minutes ago, Marcos said:

Some communication is allowed by default.

And this info is posted where ??????  Somebody can pull his hair out trying to figure out what's wrong  ( see the OP: Firewall is not working partly. Is it a bug or a hack? ) when in fact is "some communication is allowed by default".....


Please kindly stop using bold font and multiple question marks which is generally considered shouting. Shouting is forbidden by our forum rules.

Quote

And this info is posted where ?



These are my firewall rules.

Firewall rules

| Name | Protocol | Direction | Local | Remote |
| --- | --- | --- | --- | --- |
| Ask traffic for openvpn.exe | TCP and UDP | In | | |
| Deny incoming connections | Any | In | | |
| Ask traffic for ProtonVPN.exe | TCP and UDP | Out | | |
| Ask traffic for ProtonVPNService.exe | TCP and UDP | Out | | |
| Ask traffic for firefox.exe | TCP and UDP | Out | | |
| Ask traffic for tor.exe | TCP and UDP | Out | | |
| Ask traffic for egui.exe | TCP and UDP | Out | | |
| Ask traffic for ekrn.exe/ekrn | TCP and UDP | Out | | |
| Ask traffic for dnscrypt-proxy.exe | TCP and UDP | Out | | |
| Ask traffic for svchost.exe/CryptSvc | TCP and UDP | Out | | |
| Ask traffic for svchost.exe/Dhcp | TCP and UDP | Out | | |
| Deny outgoing multicast DNS requests | UDP | Out | | IP: 224.0.0.252, Port: 5355 |
| Deny outgoing NETBIOS requests | TCP and UDP | Out | | Port: 445,137-139 |
| Deny outgoing LDAP requests | TCP and UDP | Out | | Port: 389,3268,49152-49159 |
| Ask outgoing connections | Any | Out | | |
| Deny traffic for svchost.exe/Dnscache | TCP and UDP | Out | | |
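Marcos's point that custom rules only override the hidden defaults when they sit above them, and the ordering of the list above, can be checked with a small first-match evaluator. This is an added example, not ESET's code or the OP's: it assumes rules are evaluated top-down with the first match winning, models only a subset of the posted rules (the omitted rows are per-application "ask" rules), and uses a constructed allow-all rule as a stand-in for the hidden defaults. It shows that "Deny traffic for svchost.exe/Dnscache" can never fire because "Ask outgoing connections" above it already catches everything it could match.

```python
from dataclasses import dataclass

ANY, TU, UDP = frozenset({"tcp", "udp", "icmp"}), frozenset({"tcp", "udp"}), frozenset({"udp"})
NETBIOS_PORTS = frozenset({445}) | frozenset(range(137, 140))   # "445,137-139" from the list

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow", "deny" or "ask"
    direction: str               # "in" or "out"
    protocol: frozenset          # protocols the rule applies to
    app: str = None              # process name; None matches every process
    remote_ip: str = None        # None matches every remote address
    remote_ports: frozenset = frozenset()   # empty set matches every port

def matches(r, pkt):
    """pkt is a dict with keys app, direction, protocol, remote_ip, remote_port."""
    return (r.direction == pkt["direction"] and pkt["protocol"] in r.protocol
            and r.app in (None, pkt["app"]) and r.remote_ip in (None, pkt["remote_ip"])
            and (not r.remote_ports or pkt["remote_port"] in r.remote_ports))

def evaluate(rules, pkt):
    """Top-down first match (assumed semantics): (action, rule name), or (None, None)."""
    return next(((r.action, r.name) for r in rules if matches(r, pkt)), (None, None))

def covers(a, b):
    """True when every packet rule b could match is already caught by earlier rule a."""
    return (a.direction == b.direction and b.protocol <= a.protocol
            and a.app in (None, b.app) and a.remote_ip in (None, b.remote_ip)
            and (not a.remote_ports or (bool(b.remote_ports) and b.remote_ports <= a.remote_ports)))

def shadowed(rules):
    """Names of rules that can never fire because a rule above them covers them."""
    return [b.name for i, b in enumerate(rules) if any(covers(a, b) for a in rules[:i])]

# Subset of the OP's posted rule list, in the posted order.
KATE_RULES = [
    Rule("Deny incoming connections", "deny", "in", ANY),
    Rule("Ask traffic for dnscrypt-proxy.exe", "ask", "out", TU, "dnscrypt-proxy.exe"),
    Rule("Deny outgoing multicast DNS requests", "deny", "out", UDP, None, "224.0.0.252", frozenset({5355})),
    Rule("Deny outgoing NETBIOS requests", "deny", "out", TU, None, None, NETBIOS_PORTS),
    Rule("Ask outgoing connections", "ask", "out", ANY),
    Rule("Deny traffic for svchost.exe/Dnscache", "deny", "out", TU, "svchost.exe/Dnscache"),
]
# Constructed stand-in for ESET's hidden default rules, which sit below the custom ones.
HIDDEN_DEFAULTS = [Rule("hidden default: allow outgoing (constructed)", "allow", "out", ANY)]
```

Running `shadowed(KATE_RULES)` flags the Dnscache deny rule; moving it above "Ask outgoing connections" makes it reachable, and removing the catch-all "ask" rule lets unmatched traffic fall through to the hidden default.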



Hidden default rules are at the bottom of the list. Only the rules blocking incoming connections are active. The others are inactive.
There is leakage of traffic such as dns-client, dnscrypt-proxy, ekrn and part of ProtonVPN. Even forbidden protocols like mDNS, NBNS and SSDP get access to the Internet without any permission.
The initialization window with the ESET logo is also missing.



I haven't used Eset's Policy modes for either firewall or HIPS settings. However, policy mode in other security software usually means only rule-based "allow" activity, and everything else is blocked by default. Or, using an expanded definition, only allow and block rules are permitted. The concept of "ask" rules/activity falls in the scope of interactive monitoring. For example, an ask rule by definition will offer a user the option to manually create a rule. This by definition violates the concept of employing a fixed policy.

2 hours ago, Kate978 said:

The initialization window with the ESET logo is also missing.

If you are using Win 10's fast startup option, the logo screen won't show at boot time. It does appear after a system restart.


As far as DNS leakage is concerned, you should perform one of the web leak tests, such as http://dnsleak.com/, to ensure your VPN provider is not the source of the leak.

Edited by itman


I disabled fast boot. I really saw the initialization window with the ESET logo. Now it sometimes appears, sometimes not, but the firewall is fully working both after shutting down the computer and after rebooting. Then I turned on Interactive mode, and here are my rules.

Firewall rules

| Name | Protocol | Direction | Local | Remote |
| --- | --- | --- | --- | --- |
| Ask traffic for openvpn.exe | TCP and UDP | In | | |
| Deny incoming connections | Any | In | | |
| Allow traffic for ProtonVPN.exe | TCP and UDP | Out | | |
| Allow traffic for ProtonVPNService.exe | TCP and UDP | Out | | |
| Ask traffic for firefox.exe | TCP and UDP | Out | | |
| Ask traffic for tor.exe | TCP and UDP | Out | | |
| Allow traffic for egui.exe | TCP and UDP | Out | | |
| Allow traffic for ekrn.exe/ekrn | TCP and UDP | Out | | |
| Allow traffic for dnscrypt-proxy.exe | TCP and UDP | Out | | |
| Allow traffic for svchost.exe/Dnscache | TCP and UDP | Out | | |
| Allow traffic for svchost.exe/Dhcp | TCP and UDP | Out | | |
| Deny outgoing connections | Any | Out | | |
| Deny traffic for svchost.exe/CryptSvc | TCP and UDP | Out | | |
| Deny outgoing multicast DNS requests | UDP | Out | | IP: 224.0.0.252, Port: 5355 |
| Deny outgoing NETBIOS requests | TCP and UDP | Out | | Port: 445,137-139 |
| Deny outgoing LDAP requests | TCP and UDP | Out | | Port: 389,3268,49152-49159 |


But... there is still a leakage of traffic, which is forbidden not only in the firewall rules but also in the system. These are NetBIOS, mDNS, SSDP, UDP. It seems to be the ekrn.exe file, so it is a component of ESET Internet Security. It connects to various non-Eset IP addresses (224.0.0.22, 192.168.0.1, 192.168.0.100, 65.52.98.233, etc.) using the NetBIOS protocol. But is this normal behavior?


2 hours ago, Kate978 said:

These are NetBIOS, mDNS, SSDP, UDP. It seems to be the ekrn.exe file, so it is a component of ESET Internet Security.

Ekrn.exe performs internal proxying activities using UDP and the ports associated with the protocols you referenced. You need to allow all ekrn.exe traffic both inbound and outbound; not just outbound traffic.

As far as NetBIOS goes, I have it disabled for my IPv4 network adapter connection. I have disabled the SSDP Win service, thereby eliminating all that traffic. As far as mDNS, that one is a slippery bugger. Windows has a way of using it despite your best efforts. I don't worry about it anymore. If you want to stop all mDNS traffic, just disable all default firewall rules associated with it per the below screenshot. Or disable LLMNR under the Allowed Services section, which will create a rule not to send outbound traffic to 224.0.0.252, ff02::, etc.:

[screenshot: Eset_mDNS.png]

Edited by itman


Now the firewall is fully functional. It seems the problem was a conflict with fast boot. Thank you very much.

1 hour ago, Kate978 said:

Now the firewall is fully functional. It seems the problem was a conflict with fast boot. Thank you very much.

Disabling fast boot in your BIOS has fixed the issue? That's weird. If I remember correctly, I have Fast Boot enabled and I don't have this problem.

2 hours ago, Rami said:

Disabling fast boot in your BIOS has fixed the issue? That's weird. If I remember correctly, I have Fast Boot enabled and I don't have this problem.

The OP is using a VPN as his rules obviously indicate. This might be a factor with Win 10 Fast Boot enabled.

I likewise have used Eset with and without Fast Boot enabled. What I have observed is it appears Eset's firewall initializes faster under Fast Boot which would be expected.


I turned off fast startup in Control Panel.
Control Panel=>Power Options=>Choose what the power buttons do=>Change settings that are currently unavailable=>Turn off fast startup=>Save changes
I can't explain this fact, but now the firewall is working fine.

