Zur13

Bug: Firewall in interactive mode ignores rules after being temporarily disabled and re-enabled

Posted (edited)

I have ESET Internet Security v12.1.34.0 licensed. I'm using the firewall in Interactive mode. A few weeks ago I noticed this bug: the firewall starts to ignore existing rules and spams interactive Allow/Deny popups for connections which were automatically handled by the permanent rules before the firewall was temporarily turned off (for example for the Firefox web browser and other apps). This happens after I disable the firewall using the "Pause firewall (allow all traffic)" command from the context menu on the tray icon and then turn it on again using the "Enable firewall" link on the Home tab in the window.

It worked fine a few months ago.

Edit: I've also noticed that I can't create new permanent rules from the interactive popup after this happens; it does not even ask for Windows admin permission, just an error message pops up at the screen corner saying "Failed to create rule".

Edited by Zur13
Failed to create rule

Posted (edited)

I reported the same bug a few weeks ago. But then these errors seemed to stop, so it looks like either it was already fixed for some time, or maybe you need to clean up your PC using some system cleaner and reboot. I do a cleanup after some program updates, including Windows updates, if there are some issues. It also allows auto-recreating large system service and boot files. Sadly, some programs leave remnants on update, which may conflict with new code.

If that doesn't help, maybe try to uninstall, clean up and reinstall Eset. Consider resetting your Windows Firewall to defaults as well. The reason is, there may be other Eset features that didn't work in your setup, but you simply don't know that since you never tried to change other settings. 😉

Edited by zamar27

4 hours ago, Zur13 said:

I have ESET Internet Security v12.1.34.0 licensed. I'm using the firewall in Interactive mode. A few weeks ago I noticed this bug: the firewall starts to ignore existing rules and spams interactive Allow/Deny popups for connections which were automatically handled by the permanent rules before the firewall was temporarily turned off (for example for the Firefox web browser and other apps). This happens after I disable the firewall using the "Pause firewall (allow all traffic)" command from the context menu on the tray icon and then turn it on again using the "Enable firewall" link on the Home tab in the window.

It worked fine a few months ago.

Edit: I've also noticed that I can't create new permanent rules from the interactive popup after this happens; it does not even ask for Windows admin permission, just an error message pops up at the screen corner saying "Failed to create rule".

1 hour ago, zamar27 said:

I reported the same bug a few weeks ago. But then these errors stopped, so it looks like either it was already fixed for some time, or maybe you need to clean up your PC using some system cleaner and reboot. I do a cleanup after some program updates, including Windows updates, if there are some issues. It also allows auto-recreating large system service and boot files. Sadly, some programs leave remnants on update, which may conflict with new code.

If that doesn't help, maybe try to uninstall, clean up and reinstall Eset. Consider resetting your Windows Firewall to defaults as well. The reason is, there may be other Eset features that didn't work in your setup, but you simply don't know that since you never tried to change other settings. 😉

It could be that the user is not using pre-release updates. @Zur13, open ESET, hit F5 to go to advanced options, open Update, click the + symbol on Profiles, then the + symbol on Updates. For update type, if it is set to regular update, change it to pre-release update and see if that fixes it.

Posted (edited)

I just tested it again, and indeed the error persists. Eset Firewall in Interactive Mode doesn't re-read the saved rules DB after being disabled for some time and then re-enabled. I had to re-login, meaning restarting Eset, to force it to read the existing rules. Switching to pre-release resulted in no improvement, since the Network Protection module hasn't been updated for a while. I don't know why the issue shows up intermittently. It might be linked to using a VPN.

Edited by zamar27


This bug has been reported for a while. When is it going to be fixed? Does Eset have a Bug Tracker accessible by users, similar to Bugzilla?


I swear, I am THIS close to ditching this damn software (Internet Security) even though I just paid for 3 years. I have been using it for so long I can't remember, but this new version, like almost all new versions of everything is junk. Every freaking time I reset my machine, all traffic is blocked. Then I screw around, and change things and undo things and click things, and then it works, until I reset my machine again.  First it was invalid certificates, fixed that, but now, who knows. Firewall off, net works, firewall on, no traffic. Logs tell me nothing.

I used to love NOD, and later ESET, now I despise it. Unintuitive, poorly laid out, diabolically buggy.


I was unable to reproduce it. Please correct what I did differently than you:

1. Without any custom fw rules created, I switched the firewall to interactive mode.
2. Launched Firefox, opened a website and chose to create a rule and allow the communication. Then closed Firefox.
3. Paused the firewall.
4. Launched Firefox and opened a website alright. Then closed Firefox.
5. Resumed firewall.
6. Launched Firefox and opened a website alright without being prompted for an action.
7. Disabled firewall in the advanced setup.
8. Launched Firefox and opened a website alright. Then closed Firefox.
9. Re-enabled firewall in the advanced setup.
10. Launched Firefox and opened a website alright without being prompted for an action.

Posted (edited)
On 6/1/2019 at 1:00 AM, Marcos said:

I was unable to reproduce it. Please correct what I did differently than you

If you ask about the "Firewall in Interactive Mode On/Off bug", it's more complex than your basic case. I can't repeat your case, since I already have plenty of rules created in Interactive mode. In addition, I mostly use a VPN when browsing the web due to local WiFi insecurity. And any VPN client uses its own virtual adapter, so the network adapter is changed when switching the VPN client on and off.

- Suppose you have rules created for many different apps in Interactive mode, as well as Win 10 default activities like DNS traffic etc.
- Eset Firewall is active. Disable VPN, browse the web. Launch some apps like Movies & TV, MS Word... They check for updates, send telemetry to big brother.
- Now switch Firewall off and keep working on the web; it's at times required when accessing certain sites or for testing certain apps or things not related to Eset. Work 30 min to 2 hours, as if you forgot to switch Firewall back on.
- Now switch Firewall back on to Interactive mode. Enable VPN again. Launch different apps; they will start checking for updates, sending telemetry. System starts checking DNS and the router.
- Now all rules previously created during several months are ignored. Firewall asks for all permissions again.
- Log off Windows. Eset will exit. Log back on to Windows. Eset will start the firewall in Interactive mode. The rules are still ignored when you start different apps etc., or change VPN mode.
- Reboot the PC. Now everything is back to normal. Eset will start at launch in Interactive mode, and all previous rules are honored.

This is a real headache, every time you need to stop Firewall, you must later reboot the PC to get its functionality back. The bug now shows up 100% of all attempts, no exceptions. I periodically do comprehensive PC cleanup, but it doesn't affect this bug.

As a related matter, why not add Auto Enable feature to Firewall after temporarily being Paused, similar to Pausing Protection? People often forget to re-enable it after lengthy pausing.

Edited by zamar27

7 hours ago, zamar27 said:

If you ask about the "Firewall in Interactive Mode" bug, it's more complex than your basic case. I can't repeat your case, since I already have plenty of rules created in Interactive mode. In addition, I mostly use a VPN when browsing the web due to local WiFi insecurity. And any VPN client uses its own virtual adapter, so the network adapter is changed when switching the VPN client on and off.

I agree that this bug is more complex than @Marcos described, but I got this issue even when I didn't use a VPN (but I have 2 VPN clients, if it is important: OpenVPN Connect and Check Point). I've tried system temp folder and cache cleanup and turning on pre-release updates as was suggested here, but it didn't help; I got this bug once more after that. I can't say if it has become rarer now, because there has been no situation which required me to turn the firewall off.

I've tried to turn it off just to test if the issue still happens, but it did not happen; however, it does not mean that it is solved because:

1. It happened once after I was done with the cleanup/update settings.

2. Previously it happened in 2 sets of cases: when I started having problems with DNS resolution for an unknown reason (turning off the firewall helped; it looks like the FW disabled Windows DNS cache connectivity for some reason) and when some program had connectivity issues (to test if it was related to the firewall).

3. I've worked with several programs that actively used internet and with a browser for a few hours with firewall disabled before turning it on again.

If it is important I have 202 rules right now (some of them were imported from settings file, some were created using Remember permanently option in firewall popup and some of them were created manually).

If it is important I have 2 internet providers: router automatically swap to the secondary connection if the primary connection fails.

Posted (edited)

@Marcos So just now I've run into the same bug again. Here is what happened:

1. I didn't use any VPN services today or yesterday (my PC was booted ~6 hours ago).

2. I tried to access a web site using HTTPS which had a revoked certificate: https://www.umopit.ru/Aura.htm in my default Firefox browser (latest update).

3. I got a message from Eset Internet Security saying the site certificate was revoked and the untrusted connection was blocked. A similar message was in my browser.

4. I know this site, so I wanted to access it anyway, so I disabled web access protection in Eset Internet Security for 10 minutes.

5. It did not help and I still got the same message from Eset Internet Security saying the certificate was revoked. (Another bug?)

6. I disabled Eset Internet Security Firewall (Network Protection) for 10 min and got the same message from Eset Internet Security again.

7. I disabled Eset Internet Security Computer protection for 10 min and got the same message from Eset Internet Security again.

8. I went into advanced setup and disabled SSL/TLS protocol filtering, and only after that did I not receive the Eset Internet Security message when I tried to access the website.

9. After 10 minutes the Eset Internet Security modules started to turn on automatically and I started to receive Eset Internet Security firewall interactive popups; the most interesting ones I've captured in the attached screenshot with some of the active permanent rules.

P.S. Somewhere between steps 4-9 I started Google Chrome and MS Internet Explorer to check if I could access that site, but I closed them immediately after that, before the Eset Internet Security modules started to turn on. I did not restart Firefox during this period.

P.P.S. I've noticed that the Real-time filesystem scanner scanned some files on my drive C: before I started to temporarily disable Eset Internet Security modules.

P.P.P.S. I didn't note any network problems/DNS problems/internet switching today. Really, there was not much activity today: I opened some spreadsheet in MS Excel, sent some messages in Skype and watched some videos on YouTube using Firefox.

ESS_bug_rules_ignored.png

Edited by Zur13
added P.P.S.

Posted (edited)
9 hours ago, Zur13 said:

3. I got a message from Eset Internet Security saying the site certificate was revoked and the untrusted connection was blocked. A similar message was in my browser.

4. I know this site, so I wanted to access it anyway, so I disabled web access protection in Eset Internet Security for 10 minutes.

To begin with, a revoked certificate is not the same security status as, let's say, an expired certificate. A CA revokes a certificate for:

1. It's been stolen.

2. The concern that the certificate was issued to has been demonstrated to be untrustworthy.

It's fair to assume no. 2 applies to this web site. To make matters worse, you disabled Eset's SSL/TLS scanning capability. Doing so means that if this web site does contain malware or redirects you to a site that does, Eset won't detect it and protect you from malicious activities such as drive-by downloading, coin mining, and the like.

Edited by itman

Posted (edited)
8 hours ago, itman said:

To begin with, a revoked certificate is not the same security status as, let's say, an expired certificate. A CA revokes a certificate for:

1. It's been stolen.

2. The concern that the certificate was issued to has been demonstrated to be untrustworthy.

It's fair to assume no. 2 applies to this web site. To make matters worse, you disabled Eset's SSL/TLS scanning capability. Doing so means that if this web site does contain malware or redirects you to a site that does, Eset won't detect it and protect you from malicious activities such as drive-by downloading, coin mining, and the like.

Thank you for the warning, but I know the security risks. I've checked the site author; he actively communicates with the users in the social networks, so I trust this site, and besides I have the NoScript add-on installed in my Firefox. After I disabled the SSL/TLS scanning I found that modern browsers do not allow accessing a site with a revoked certificate. The issue with the site was resolved when I found that the site has an http:// version, and it does not contain any user input like logins, so it does not really need https://. I turned on SSL/TLS scanning after this and the http:// version of the site does not trigger anything when accessed with Eset Internet Security turned on.

I hope someone will try to solve the issue with ignored rules; it is pretty annoying and it has been there for a while now. It is weird to me that a security product which should be extremely reliable fails to apply firewall rules at some point. What if this issue also happens in the Policy-based mode? I know issue reproduction is unstable; I was not able to reproduce it on demand, but it reproduces every time I need to temporarily disable the firewall, when I do not expect it.

Edited by Zur13

Posted (edited)

Same endless headache here. Eset staff doesn't acknowledge the issue exists, and therefore there is nothing to fix. 😉 Very convenient!

Edited by zamar27

1 minute ago, zamar27 said:

Same endless headache here. Eset staff doesn't acknowledge the issue exists, and therefore there is nothing to fix. 😉 Very convenient!

Please open a support ticket and provide step-by-step instructions on how to reproduce it. This forum is primarily intended for sharing knowledge between users, advanced users and moderators. If we're able to reproduce a particular issue reported, we'll do it; however, in this case it's not easily reproducible. Therefore the best course of action would be creating a support ticket, which can be tracked and eventually looked at by developers if reproduced successfully.
