itman, posted April 11, 2019 (edited):
Appears it has something to do with IPv6 HTTPS to Microsoft direct or delegated servers. However, I have received the "Incorrect Ethernet Packet" block when doing some testing in regards to DNS checking on other sites. So the problem might have an Eset SSL protocol scanning element to it. Normal browser connections are completely unaffected by the issue for the most part.

Joliet_tech, posted April 11, 2019 (edited April 12, 2019 to add additional info):
Kurt, I do not think it has anything to do with IPv6. I disabled it as part of my troubleshooting and it made no difference. Also, my issue was purely from pc to pc - accessing a folder on another pc. My issue seems somewhat simpler than some of the others mentioned here.

itman, posted April 11, 2019:
Think I found a temporary solution until Eset has a fix for this. Create an IDS "Unexpected Network Protocol" exception with no IP address specified and everything else set to "No." Note: "Direction" in the rule must be set to "Both." Initial test was to connect to Win Store and no Network log entries were generated. Although security-wise this is not an ideal solution, it is far better than totally disabling IDS protection.

Kurt, posted April 11, 2019 (edited):
Nice... I likey, I will test and report back tomorrow.

itman, posted April 11, 2019 (edited):
I am also starting to lean toward Port 0 usage by Microsoft as the possible culprit. This would not be the first instance I had in that regard using Eset. I believe in ver. 11, Eset changed something in this regard. My ISP for reasons beyond me does ICMPv6 pinging against my router; probably for connectivity purposes. My Win firewall event log was expanding at a phenomenal rate from block activity related to this. That plus Eset's firewall wizard showed the same phenomenal counts. I resolved this one by just creating firewall rules to allow the activity for the IPv6 IP addresses involved.

Joliet_tech, posted April 12, 2019:
Can you shine some light on your Port 0 usage comment? I am unaware of this in any regard. What is Port 0 or what does it refer to?

Marcos (Administrators), posted April 12, 2019:
Please somebody provide network protection advanced log as I requested earlier in this topic.

rklumpp, posted April 12, 2019:
46 minutes ago, Marcos said: Please somebody provide network protection advanced log as I requested earlier in this topic.
Attached are my complete diagnostic logs, hoping they can be somewhat useful. Note that this particular PC does not have the issues that caused me to visit this discussion (but I am also having the problematic errors with "incorrect ethernet packages")! The reason for my visit: certain PCs from some customers of ours had issues accessing files on a network share (the share itself showed up, but accessing files was either painfully slow or caused the application to stop responding entirely). There are quite some differences between the networks and PC setups between the 3 "problematic cases" I have to deal with here, so I am not going into detail right now (but if you need to know anything specific, please ask away!). I do not have logfiles from the customer PC(s) in question - they're currently trying to work on those machines - but I do have remote access and can collect logfiles and so on after business hours when necessary or helpful!
[Attachment: Diagnostics.zip]

Kurt, posted April 12, 2019 (edited):
Read the prior posts and reply with proper guidance Marcos and maybe I will.

Kurt, posted April 12, 2019:
On 4/11/2019 at 6:28 AM, Kurt said: On 4/10/2019 at 11:06 AM, Kurt said: I need guidance what disabling the IDS affects and what is my risk if I leave it disabled.
Once again

Kurt, posted April 12, 2019:
On 4/11/2019 at 2:02 AM, Marcos said: If possible, please provide logs generated as follows. Until then we cannot carry on and check what is causing the error:
- enable advanced logging under Help and support -> Details for technical support
- reboot Windows
- reproduce the error
- stop logging
- gather logs with ESET Log Collector and provide the generated archive.
On 4/11/2019 at 6:26 AM, Kurt said: again, how is this done? What is the log file name? Your instructions do not properly allow me to generate what you are looking for. Please provide better instructions on how to provide the log files you are looking for.

Kurt, posted April 12, 2019 (edited):
12.1.34.0 update is available. Go to Update -> click "Check for updates" (lower right). Issue still exists.

itman, posted April 12, 2019:
11 hours ago, Joliet_tech said: Can you shine some light on your Port 0 usage comment? I am unaware of this in any regard. What is Port 0 or what does it refer to?
https://www.lifewire.com/port-0-in-tcp-and-udp-818145
Whereas the article states ISPs routinely block it, there is nothing to stop the ISP from using it as noted, to ping its own issued routers.

itman, posted April 12, 2019:
37 minutes ago, Kurt said: I need guidance what disabling the IDS affects and what is my risk if I leave it disabled.
Did you try my prior posted workaround? I haven't received a Network log entry since implementing it. I am also going to experiment a bit with it today by enabling alerting for it in an attempt to isolate the source processes. That way and hopefully, a like exception could be created for those processes alone.

itman, posted April 12, 2019:
13 minutes ago, itman said: I am also going to experiment a bit with it today by enabling alerting for it in an attempt to isolate the source processes. That way and hopefully, a like exception could be created for those processes alone.
Problem is much worse than initially thought. A check for Win Update status via Win 10 System Settings will trigger the "Unexpected Network Protocol" detection. The app though not shown is svchost.exe - windows update service, I believe.

Purpleroses (thread author), posted April 12, 2019:
So if I don't make any changes to rules etc. Is it alright just to leave it blocking unknown devices? My computer is not at risk with this continuing to block unknown devices? I will just have tons of logs in my network protection.

Marcos (Administrators), posted April 12, 2019:
19 minutes ago, Purpleroses said: So if I don't make any changes to rules etc. Is it alright just to leave it blocking unknown devices? My computer is not at risk with this continuing to block unknown devices? I will just have tons of logs in my network protection.
Not sure what you mean by blocking unknown devices. Do you have advanced logging turned off and logging verbosity set to informative (default) and not to "diagnostic"? What kind of records are being created in your firewall log?

itman, posted April 12, 2019 (edited):
26 minutes ago, Purpleroses said: So if I don't make any changes to rules etc. Is it alright just to leave it blocking unknown devices? My computer is not at risk with this continuing to block unknown devices? I will just have tons of logs in my network protection.
As I stated previously, if your network perimeter is protected with a router that is stateful and employs NAT, DoS, and other like protections, Eset's protections in regards to unknown protocol detection are redundant.

itman, posted April 12, 2019:
Time to get things into a broader perspective. Avast users on Win 7 are getting boot blue screens "up the wazoo" after the last cumulative update. Avira user systems have "slowed to a crawl" on both Win 7 and 10 after last cumulative update with symptoms similar to that reported in this thread. Perhaps Microsoft has implemented its "hardball" strategy against third party AV vendors?

Purpleroses (thread author), posted April 12, 2019:
What I meant to say is that when I have the ethernet on I get unknown devices blocked and then it says incorrect ethernet packet in network protection logs. So if I don't change any rules etc then I should be alright? I posted an image also

itman, posted April 12, 2019:
3 minutes ago, Purpleroses said: What I meant to say is that when I have the ethernet on I get unknown devices blocked and then it says incorrect ethernet packet in network protection logs.
If you click on the "Unblock" tab, Eset will create an "Unexpected Network Protocol" IDS exception. The problem is it won't stop this activity since the exception rule created "Direction" mode specifies "In"; i.e. Inbound traffic. You will have to edit the IDS exception and change the "Direction" mode to "Both" as I previously posted here: https://forum.eset.com/topic/19197-incorrect-ethernet-packet/?do=findComment&comment=93725 .

itman, posted April 12, 2019:
More info on "borked" AV vendors as a result of last Tuesday's cumulative updates: https://www.bleepingcomputer.com/news/microsoft/microsofts-april-2019-updates-are-causing-windows-to-freeze/

Purpleroses (thread author), posted April 12, 2019:
37 minutes ago, itman said: If you click on the "Unblock" tab, Eset will create an "Unexpected Network Protocol" IDS exception. The problem is it won't stop this activity since the exception rule created "Direction" mode specifies "In"; i.e. Inbound traffic. You will have to edit the IDS exception and change the "Direction" mode to "Both" as I previously posted here: https://forum.eset.com/topic/19197-incorrect-ethernet-packet/?do=findComment&comment=93725 .
So I have more than one unknown device blocked with incorrect ethernet packets. Do I have to click on unblock for each one to create an "Unexpected Network Protocol" IDS exception?

itman, posted April 12, 2019 (edited):
21 minutes ago, Purpleroses said: So I have more than one unknown device blocked with incorrect ethernet packets. Do I have to click on unblock for each one to create an "Unexpected Network Protocol" IDS exception?
Sorry. I forgot to mention that when you click on "Unblock" in the screen you show, it will only create an IDS exception for that given IP address shown. Just click on one of the blocked communication events shown to create the IDS exception. Then besides editing the "Direction" to "Both" in the created IDS exception as previously posted, remove the IP address reference in the exception. In other words, the field should be blank. This will result in the IDS exception applying to all inbound and outbound traffic from the device. Below is a screen shot of how the IDS exception should appear after all editing is completed:

Purpleroses (thread author), posted April 12, 2019:
Thank you itman for the advice, it worked like a charm. But is it safe to do this and does Marcos think it is alright to do this also? Plus it is not putting my computer at risk for creating a rule to IDS exception?