itman, posted April 10, 2019 (edited April 10, 2019):
16 minutes ago, Kurt said:
> I am also required to disable the IDS to allow access to my hosting machine for an internal app which I still have not received an answer to why that is happening.
Leave Firewall and IDS alone for the time being.
Refer to the below screenshot. Right click on one of the related Network log entries and select "Don't block similar events in the future." This should create an IDS exception for this activity. See if that stops your logging and corresponding network share performance issues.
I am not going to do so presently since I am not getting that many log entries; only for Win Store related activity.

Kurt, posted April 10, 2019:
I did do this and I still was required to disable IDS. Log entries decreased, but occasionally still happened.

Kurt, posted April 10, 2019:
59 minutes ago, itman said:
> Connected to the Store and performed a manual update. Ended up with a bunch of new Eset Network Protection log entries.
Can you share steps to accomplish this?

Kurt, posted April 10, 2019:
I got it, I am seeing the same additional log entries.

itman, posted April 10, 2019 (edited April 10, 2019):
16 minutes ago, Kurt said:
> I got it, I am seeing the same additional log entries.
Forgot to mention that when the IDS exception is created, it will only create the exception for the IP address associated with the log event.
Refer to the below screenshot. Open IDS Exceptions in the Network Attack Protection section of the Eset GUI. Then edit the existing exception, removing the existing Remote IP address. This will then apply the exception to all IP addresses.

itman, posted April 10, 2019 (edited April 10, 2019):
32 minutes ago, Kurt said:
> Can you share steps to accomplish this?
https://www.thewindowsclub.com/check-for-windows-store-app-updates
-EDIT- Another way to do so: https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games

itman, posted April 10, 2019 (edited April 10, 2019):
I also noticed something else odd. For some reason, "Filtering" was enabled on my Eset Network protection log. I know I didn't manually do so. I have since disabled it and will wait to see if that somehow has something to do with this unexpected protocol data issue.
-EDIT- Nope. No relation to this very odd Eset behavior.

itman, posted April 10, 2019:
Damn it - another Eset bug. I just noticed the IDS exception created by right clicking on the Network log entry is not the correct one! It created an "Unexpected Network Protocol" exception instead of an "Incorrect Ethernet Packet" exception.
So you will have to manually delete the "Unexpected Network Protocol" exception and add an "Incorrect Ethernet Packet" exception. Now see if the blocked network activity stops.

itman, posted April 11, 2019 (edited April 11, 2019):
I finally got "Incorrect Ethernet Packet" IDS exception to work. I had to set the Direction in the rule to "Both" and am presently doing it by detected IP address, after verifying the IP address is associated with a Win Store connection. Sure hope Eset figures out what the problem here is pronto.
-EDIT- Forget any exceptions. When I set direction to Both I started seeing blocked Google server connections appearing whose IP addresses were never seen before. Appears to me something serious is borked in IDS detection.

Purpleroses (Author), posted April 11, 2019:
Thanks itman for all the advice and information. But I have more than one IP address to block. I'm not very computer savvy so I turned my wifi back on and will wait to see if this gets corrected by Eset.

Marcos (Administrators), posted April 11, 2019:
If possible, please provide logs generated as follows. Until then we cannot carry on and check what is causing the error:
- enable advanced logging under Help and support -> Details for technical support
- reboot Windows
- reproduce the error
- stop logging
- gather logs with ESET Log Collector and provide the generated archive.

Kurt, posted April 11, 2019:
Again, how is this done? What is the log file name? Your instructions do not properly allow me to generate what you are looking for. Please provide better instructions on how to provide the log files you are looking for.

Kurt, posted April 11, 2019:
19 hours ago, Kurt said:
> I need guidance what disabling the IDS affects and what is my risk if I leave it disabled.
Once again

Kurt, posted April 11, 2019:
17 hours ago, Kurt said:
> What is the name of the file, there are many generated in the diagnostics folder.
Once again.

Kurt, posted April 11, 2019:
17 hours ago, Kurt said:
> I need guidance on what disabling the IDS affects and what is my risk if I leave it disabled. Doing this solves my issues other than Incorrect "Ethernet packet errors" on all machines.
Once again.

Kurt, posted April 11, 2019:
14 hours ago, Kurt said:
> I reinstalled, and still have the same issue.
Please note.

Kurt, posted April 11, 2019:
Thanks Itman. I appreciate your troubleshooting help. I think your initial thoughts that the router is bad may have some merit. I think the firmware on my modem/router may be outdated and not correctly passing and/or sharing IPv6 addresses correctly, confusing ESET and blocking the communications. I am working with my internet provider to check the firmware and possibly replace the modem to remove that piece of the puzzle. I have built my internal routing table to address intrAnet communications so PC to PC communication is now working. Thanks again.

itman, posted April 11, 2019:
A new update today.
Observed Eset Networking log activity at today's first cold boot. It's not just Win Store network activity causing the Eset IDS detection logging, but all outbound activity to Microsoft. For example, BackgroundTaskHost.exe, etc. In total, 45 event log entries created.
I also did a hard reset on my router last night to no avail.
All Eset has to do to duplicate this on a Win 10 1809 build is to reboot the device. The question now is: is only Win 10 1809 affected, or are prior Win 10 versions also?

itman, posted April 11, 2019 (edited April 11, 2019):
18 minutes ago, Kurt said:
> I think your initial thoughts that the router is bad may have some merit.
I don't believe that is the problem since multiple Eset users are having the issue. Microsoft has changed something on at least Win 10 1809 in regards to its server communication and that is what Eset needs to concentrate on.
Also why when an IDS exception for an "Incorrect Ethernet Packet" log event is created, does Eset generate an "Unexpected Network Protocol" exception? Note the Eset definition for this:
Quote:
> Detected unexpected data in protocol – Improperly formatted ARP, DNS or ICMP echo packets. Or zero port in TCP/UDP/.
"My money" at this point is on Microsoft has changed something in their DNS protocol requests and Eset can't handle it.

itman, posted April 11, 2019 (edited April 11, 2019):
@Marcos these are the IP address connections from Microsoft related Windows processes running at boot time. None are domain routable addresses from what I can determine:
- 2600:141f:8000:195::4106 - Akamai; Aggregate location - United States; ptr - g2600-141f-8000-0195-0000-0000-0000-4106.deploy.static.akamaitechnologies.com
- 2a01:111:200a:8::ff04 - Microsoft V6
- 2a01:111:f330:1790::a01 - Microsoft V6

itman, posted April 11, 2019:
Perhaps this is pertinent: https://dnsflagday.net/

Joliet_tech, posted April 11, 2019:
On 4/10/2019 at 10:06 AM, Kurt said:
> Disabling Network Attack Protections (IDS) on the PC being accessed has addressed the issue of accessing the fileshare quickly and allowing access to the app hosting machine (screenshot reflects my PC which has IDS still enabled, but is initiating the access). I need guidance what disabling the IDS affects and what is my risk if I leave it disabled.

Joliet_tech, posted April 11, 2019:
I disabled the Network Attack Protection on the pc hosting the data and it resolved the issue completely. Thank you. And Thank you Microsoft.....grrrrrrrr.
What is still baffling me though is that I have another pc in the office that similarly has mapped drives on the same pc's as above and there was NEVER any slow down. Access to pc-A was always good while access to pc-E was bad. I checked and both of these pc's (A and E) that have drives mapped TO THEM had the same update on 4/9 (KB4493509).
Does anyone have an idea of why this occurred this way?

Kurt, posted April 11, 2019:
7 hours ago, Kurt said:
> I need guidance on what disabling the IDS affects and what is my risk if I leave it disabled. Doing this solves my issues other than Incorrect "Ethernet packet errors" on all machines.
Anything yet?

Kurt, posted April 11, 2019:
Installed a new cable modem/router, no difference. It is likely ESET or Microsoft or both. Time for ESET to start collaborating and fix the issue with Network Attack Protection (IDS) and IPv6...