Serious Flaw/bug in Eset Firewall Troubleshooting Wizard


  • ESET Insiders

I have encountered a serious problem with the Firewall Troubleshooting Wizard feature. It unblocks blocked connections on its own (attackers, in my case) when I use the drop-down menu to change the time frame from 15 minutes to 1 hour. The problem seems to be that if I click "1 hour" it unblocks the blocked IP address just under it, since the 1 hour selection sits exactly over the Unblock button. I have had this happen at least 10+ times in the past 3 weeks. Once this occurs I don't see any obvious way to block the attacker's IP address again without creating a packet filter rule for that IP address.

There is also a second way Eset is unblocking blocked IP addresses (malicious IP addresses, in my case) on its own from the Network Troubleshooting Wizard. If I choose Details to see why the IP address was blocked and use the Close button to close the details window, it will also sometimes unblock the IP address just under it. I assume this is also due to the Close button being over the Unblock button.

Once Eset unblocks the attacker's IP address I have to turn off my router and reboot my computer. I've been rebooting since I run in a virtual environment, and as mentioned above I see no obvious way to block the address again once Eset unblocks it without creating a packet filter rule for that one IP address.

To be clear, I'm not double-clicking, so this should not be occurring. That being said, the UI is not designed very well. The 1 hour selection from the drop-down menu and the Close button from the details window should not be over the rather large Unblock button. Also, I strongly believe the user should be prompted with something like "Are you sure you want to unblock this IP address?". I have to assume there is a glitch in the UI since I'm 100% positive I'm not double-clicking.

I have turned on logging for most of my packet filter rules, but not all blocks get logged, so that is my reason for using the Network Troubleshooting Wizard so often. It's the easiest way to see attackers being blocked that are not written to the log file. Usually the ones that don't get logged are those that get blocked because there is no allow rule for them. Almost all of these have been verified attackers so far, so I still need to use the Network Troubleshooting Wizard to get those IPs to add to my blacklist (PeerBlock).

I've already tried using another mouse and also reinstalling Eset; neither worked. I'm using Eset Internet Security 12.1.34.0 on Windows 10 x64 version 1709.

I would strongly suggest making changes to the Firewall Troubleshooting Wizard UI so that the 1 hour menu option and the Close button for the details window are not over the Unblock buttons. What can we do to get this fixed? I've been using Eset since 2003, and I don't want to change to another product.

Very strange behavior.

I use the Network Troubleshooting feature all the time. In fact, as recently as last weekend. This last instance was because of some old, deeply embedded malware that appears to be related to a drive I have Win 7 installed on. I haven't accessed this drive directly in years, but running a WD periodic scan must have triggered it somehow. It was a pretty ugly event, with my assumption being that my Win 10 1809 build on the same device was totally trashed. Luckily, it turns out it wasn't. It appears the malware injected explorer.exe but couldn't run properly from there on Win 10.

Anyway, prior to this I had created Eset firewall rules to monitor all outbound explorer.exe traffic. As I knew from past experience with this malware years ago, it attempted to connect to an IP address in Taiwan via port 21 that serves up the Conficker worm, of all things. Anyway, when the Eset firewall alert appeared, I blocked it and had it create a firewall rule to block port 21 outbound traffic from explorer.exe. Thereafter, I monitored for any similar outbound traffic using Eset's Network Wizard until the previously blocked connections shown timed out.

From everything I have observed, Eset's Network Troubleshooter is working without issue.

  • ESET Insiders

I use the Network Wizard many times a day, every day. After I made the above post yesterday I accessed the drop-down menu to see the one hour window view, and there was a slight freeze before the window changed to the 1 hour view. After that, 3 attackers on my network that showed as blocked in the Network Wizard view changed to unblocked! I had to turn my router off and reboot again. There is definitely an issue with the Network Wizard. Unfortunately, since I use the wizard many times a day, every day, I'm being affected when most people will not.

I'm going to have to send a bug report. I don't think posting in the forum is going to help. I'm sure they will want logs and other info. I will obviously be forced to drop Eset if I can't find a fix for this. I could avoid using the Network Wizard if Eset would log all blocked connections. I maintain a really good blocklist that I use with PeerBlock. I add all malicious network attacks to my blocklist, which I have created from many different sources. Many of my network attacks don't get logged since they get blocked when there is no allow rule permitting their attempts to access my network. Is there a way to make Eset log access attempts that get blocked when there is no allow rule and no specific block rule?

  • Most Valued Members
15 minutes ago, cutting_edgetech said:

I use the Network Wizard many times a day, every day. After I made the above post yesterday I accessed the drop-down menu to see the one hour window view, and there was a slight freeze before the window changed to the 1 hour view. After that, 3 attackers on my network that showed as blocked in the Network Wizard view changed to unblocked! I had to turn my router off and reboot again. There is definitely an issue with the Network Wizard. Unfortunately, since I use the wizard many times a day, every day, I'm being affected when most people will not.

I'm going to have to send a bug report. I don't think posting in the forum is going to help. I'm sure they will want logs and other info. I will obviously be forced to drop Eset if I can't find a fix for this. I could avoid using the Network Wizard if Eset would log all blocked connections. I maintain a really good blocklist that I use with PeerBlock. I add all malicious network attacks to my blocklist, which I have created from many different sources. Many of my network attacks don't get logged since they get blocked when there is no allow rule permitting their attempts to access my network. Is there a way to make Eset log access attempts that get blocked when there is no allow rule and no specific block rule?

I cannot test this myself at the moment as there is nothing being blocked. I know you have the latest version, but do you have pre-release updates on? I haven't seen anyone else mention this bug, but sometimes bugs are fixed and go to the pre-release builds first. If you hit F5 to go to the advanced setup, go to the Update area, select Profiles and then Updates, and change the type from Regular to Pre-release.

Emailing is generally the recommended solution, but possibly attaching a screenshot, or even better a small video showing the issue, could also help. Logs will generally also be requested.

  • ESET Insiders

No, I don't have pre-release updates enabled. I try to stay away from updates that may not be stable. I doubt they will contain a fix for this since I don't think this has been reported. I'm going to send a bug report. The UI design is flawed anyway and should be changed.

1 hour ago, cutting_edgetech said:

Many of my Network attacks don't get logged since they get blocked when there is not an allow rule to allow their attempts to access my network.

Set the logging severity to "Warning" for all existing Eset firewall "Block" rules. This includes the default ones. This will result in a log entry always being created.

1 hour ago, cutting_edgetech said:

Is there a way to make Eset Log access attempts that get blocked for when there is no allow rule, and no specific block rule? 

Not that I am aware of. The HIPS has such capability; but only for blocked activity.

On the other hand, the "Blocked" activity shown by the Network Wizard is primarily a result of existing Eset firewall block rules. Hopefully, by modifying the logging severity as noted above, you will be provided with most of the detail you desire.


One additional comment about Eset's Network Troubleshooting Wizard. You should not be relying on this as your primary method to block unwanted inbound network traffic. The Wizard was actually designed primarily to automate firewall rule creation for internal apps that are being blocked for some reason. And as far as I am concerned, it creates very permissive rules.

If your router does not employ a stateful firewall that will block any incoming unsolicited network traffic, you should seriously consider purchasing one that does. The router is the point where you want to block any unwanted inbound traffic.

  • ESET Insiders
2 hours ago, itman said:

Set the logging severity to "Warning" for all existing Eset firewall "Block" rules. This includes the default ones. This will result in a log entry always being created.

Not that I am aware of. The HIPS has such capability; but only for blocked activity.

On the other hand, the "Blocked" activity shown by the Network Wizard is primarily a result of existing Eset firewall block rules. Hopefully, by modifying the logging severity as noted above, you will be provided with most of the detail you desire.

I already have logging turned on for all the internal rules and my own rules. Whenever there is not an allow rule or an explicit deny rule for some access attempt, Eset still will not log those intrusion attempts. I have found those to be the more severe intrusion attempts into my network. I only have 1 hour to get the IPs from those attempts since they are not logged, and that is the reason I have to use the Network Wizard to get them. I also verify those attacking IPs through AbuseIPDB. It's a community reporting database used by network and security professionals to share their findings with other professionals. IMO it is by far the best database available.

  • ESET Insiders
51 minutes ago, itman said:

One additional comment about Eset's Network Troubleshooting Wizard. You should not be relying on this as your primary method to block unwanted inbound network traffic. The Wizard was actually designed primarily to automate firewall rule creation for internal apps that are being blocked for some reason. And as far as I am concerned, it creates very permissive rules.

If your router does not employ a stateful firewall that will block any incoming unsolicited network traffic, you should seriously consider purchasing one that does. The router is the point where you want to block any unwanted inbound traffic.

I have to use the Network Wizard to get the IP addresses of attackers that get blocked because there is no allow rule or explicit deny rule for them. It's the only way I can get them, and I only have 1 hour to do it before they are lost.

I totally agree with you on needing a new router. My router security sucks. We only get DSL here, and there are only 3 routers on the market that will work with my DSL. The other ones suck worse than the one I have.

I have its settings configured for max security, but I cannot block specific ports on my router unless it is one of the ports on the router's list of options. Almost none of the vulnerable ports that belong to Windows services are on the list. I also cannot block specific IP addresses on my router. My router does not state whether it uses SPI, which would be a travesty if it does not!

16 hours ago, cutting_edgetech said:

I have to use the Network Wizard to get the IP addresses of attackers that get blocked because there is no allow rule or explicit deny rule for them. It's the only way I can get them, and I only have 1 hour to do it before they are lost.

Let's back up a bit.

The Eset firewall is stateful. It will block any inbound connection:

1. That is not associated with a previous outbound connection.

2. Where an explicit block rule exists to prevent the inbound connection.

All the Network Troubleshooting Wizard shows in regard to no. 1 above are connections that were blocked. There is no need to create additional user firewall rules to handle these stateful blocked inbound connections. This is why they are not logged, eventually time out, and are no longer displayed by the Wizard. There is also the risk that firewall rules manually created to block this activity are not properly created.

Earlier versions of Eset did not have the Network Wizard. Hence the user was totally unaware of the above activity, just as they would be if using a router with a stateful firewall. As a rule, router firewalls log all blocked activity, which allows the user to be aware of this activity for forensic purposes. On any given day, my router's firewall log contains dozens of blocked inbound connections, primarily port 23 (Telnet) access attempts. The Network Wizard's primary purpose in this context is to provide the ability, for example, to inform about and create an allow rule for some legitimate internal network inbound connection that was blocked for some reason.

I assume Eset does not log stateful-blocked inbound connections to prevent the Network Connections log from becoming too large. Another reason would be not to be "bombarded" in this forum with never-ending questions about these stateful firewall block log entries.

One suggestion to Eset you might request in like forum topic section is Eset provide an option for the Network Connection log where all Network Wizard blocked connections are logged. Similar to like HIPS logging capability, this option would be disabled by default.

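The stateful behaviour described in the post above (inbound TCP that does not belong to a connection the host itself opened is dropped without any rule, and the entry ages out after a while) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not ESET code and does not reflect ESET's internal implementation. The `Packet` layout, the flag handling and the 3600-second idle timeout (chosen to mirror the Wizard's 1 hour view) are assumptions for illustration, and only TCP is tracked, as the thread later notes that SPI applies to stateful protocols.

```python
"""Toy stateful packet inspection (SPI) for TCP.

Added example for this thread; not ESET's firewall engine.  Assumptions:
a Packet carries a 5-tuple, a direction and TCP flags; a flow is keyed so
that a reply hashes to the same entry as the outbound packet that opened it;
idle entries expire after IDLE_TIMEOUT seconds (assumed 3600, i.e. the
1 hour window the Wizard shows).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # only "tcp" is tracked here
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "out" (host -> network) or "in" (network -> host)
    flags: frozenset  # e.g. frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    ts: float         # seconds; constructed timestamps in the demo below


class StateTable:
    IDLE_TIMEOUT = 3600.0  # assumption, see module docstring

    def __init__(self):
        self._flows = {}  # flow key -> last-seen timestamp

    @staticmethod
    def _key(p):
        # Normalise to (proto, local ip, local port, remote ip, remote port)
        # so that the inbound reply maps to the flow the host opened.
        if p.direction == "out":
            return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _expire(self, now):
        for k, seen in list(self._flows.items()):
            if now - seen > self.IDLE_TIMEOUT:
                del self._flows[k]  # the Wizard entry would vanish here too

    def decide(self, p):
        """Return (verdict, reason) with verdict in {"allow", "drop"}."""
        if p.proto != "tcp":
            return "drop", "only tcp is tracked by this toy"
        self._expire(p.ts)
        k = self._key(p)
        if p.direction == "out":
            if "SYN" in p.flags and "ACK" not in p.flags:
                self._flows[k] = p.ts          # host opened a new connection
            elif k in self._flows:
                self._flows[k] = p.ts          # refresh an existing flow
            return "allow", "outbound"
        # inbound traffic: allowed only if it belongs to an open flow
        if k in self._flows:
            self._flows[k] = p.ts
            if "FIN" in p.flags or "RST" in p.flags:
                del self._flows[k]             # peer closed the connection
            return "allow", "belongs to an open connection"
        if "SYN" in p.flags and "ACK" not in p.flags:
            return "drop", "unsolicited inbound SYN (stateful drop, no rule needed)"
        return "drop", "packet does not belong to any open connection"


def run_demo():
    """Replay a constructed trace and return the list of verdicts."""
    t = StateTable()
    trace = [
        # host opens HTTPS to a remote server, server replies: both allowed
        Packet("tcp", "10.0.0.2", 51000, "203.0.113.5", 443, "out", frozenset({"SYN"}), 1.0),
        Packet("tcp", "203.0.113.5", 443, "10.0.0.2", 51000, "in", frozenset({"SYN", "ACK"}), 1.1),
        # unsolicited inbound SYN to SMB and a stray ACK: dropped, nothing logged
        Packet("tcp", "198.51.100.7", 40000, "10.0.0.2", 445, "in", frozenset({"SYN"}), 2.0),
        Packet("tcp", "198.51.100.7", 40001, "10.0.0.2", 445, "in", frozenset({"ACK"}), 2.5),
        # a late packet on the HTTPS flow after the idle timeout: dropped
        Packet("tcp", "203.0.113.5", 443, "10.0.0.2", 51000, "in", frozenset({"ACK"}), 5000.0),
    ]
    return [t.decide(p) for p in trace]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:5s} {reason}")
```

The last trace entry is the point of the post: once the entry has aged out, even a packet from the peer the host really talked to is dropped, and a real product shows or logs nothing about it unless it has a separate logging option for stateful drops.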
18 hours ago, cutting_edgetech said:

I have its settings configured for max security, but I cannot block specific ports on my router unless it is one of the ports on the router's list of options. Almost none of the vulnerable ports that belong to Windows services are on the list. I also cannot block specific IP addresses on my router. My router does not state whether it uses SPI, which would be a travesty if it does not!

Check the router's firewall log. If it is stateful, you should see numerous "inbound connection blocked" log entries.

You can also use the GRC ShieldsUP! test here: https://www.grc.com/x/ne.dll?bh0bkyd2 to verify that all ports on the WAN side of the router are in a closed or stealth status. Stealth is the preferred status.

  • ESET Insiders
On 6/26/2019 at 4:09 PM, itman said:

Set the logging severity to "Warning" for all existing Eset firewall "Block" rules. This includes the default ones. This will result in a log entry always being created.

Not that I am aware of. The HIPS has such capability; but only for blocked activity.

On the other hand, the "Blocked" activity shown by the Network Wizard is primarily a result of existing Eset firewall block rules. Hopefully, by modifying the logging severity as noted above, you will be provided with most of the detail you desire.

You don't have to set the logging level to Warning in order for Eset to log blocked connections to the log file. You can set it to Information level, and it will log the event as well. I have been using Information level. I don't know what the difference is between Information level and Warning level. They both produce an entry in the log file when an IP has been blocked. I will try to find it in the manual after I have finished this post.

The Network Wizard will show several different types of attacks that I have found no way to log using Eset's logging. I would not even know about them without the Network Wizard. That seems to be a flaw in Eset's design. Eset is seriously lacking in its logging capability, or I'm not finding the options if they do exist. I get a lot of attacks on port 500 on my VPN, but I can't block inbound connections to port 500 or my VPN will not work. The attacks show up in the Network Wizard as being blocked because no allow or block rule was found. If Eset cannot find an allow rule or block rule, it drops the packets. Also, packets blocked by its SPI filtering show up in the Network Wizard. I see them in the Network Wizard often. I do not remember the exact wording Eset uses, but it says something like "blocked due to not belonging to any open connection". The only way I could log the blocked attacks I see in the Network Wizard is to turn on diagnostic logging, which Eset does not recommend except for troubleshooting. It says it will fill your log file up quickly, and I'm assuming it is a drain on resources.

  • ESET Insiders
On 6/27/2019 at 10:58 AM, itman said:

Let's back up a bit.

The Eset firewall is stateful. It will block any inbound connection:

1. That is not associated with a previous outbound connection.

2. Where an explicit block rule exists to prevent the inbound connection.

All the Network Troubleshooting Wizard shows in regard to no. 1 above are connections that were blocked. There is no need to create additional user firewall rules to handle these stateful blocked inbound connections. This is why they are not logged, eventually time out, and are no longer displayed by the Wizard. There is also the risk that firewall rules manually created to block this activity are not properly created.

Earlier versions of Eset did not have the Network Wizard. Hence the user was totally unaware of the above activity, just as they would be if using a router with a stateful firewall. As a rule, router firewalls log all blocked activity, which allows the user to be aware of this activity for forensic purposes. On any given day, my router's firewall log contains dozens of blocked inbound connections, primarily port 23 (Telnet) access attempts. The Network Wizard's primary purpose in this context is to provide the ability, for example, to inform about and create an allow rule for some legitimate internal network inbound connection that was blocked for some reason.

I assume Eset does not log stateful-blocked inbound connections to prevent the Network Connections log from becoming too large. Another reason would be not to be "bombarded" in this forum with never-ending questions about these stateful firewall block log entries.

One suggestion to Eset you might request in like forum topic section is Eset provide an option for the Network Connection log where all Network Wizard blocked connections are logged. Similar to like HIPS logging capability, this option would be disabled by default.

The only thing my router ever logs as being blocked is some IPv6 address, and I have IPv6 disabled on my network adapter.

I don't know how to log packets dropped by Eset's SPI filtering without turning on diagnostic logging. Eset does not recommend using diagnostic logging except for troubleshooting. The Network Wizard does show packets dropped due to its SPI filtering. I see them often. It says something like "packet does not belong to any open connection".

I would not have to use the Network Wizard if Eset had a better logging system. Also, Eset should not unblock blocked connections in the connection wizard when the user isn't even clicking on the Unblock button. They should not have placed the drop-down 1 hour selection directly over the Unblock button, nor should they skip asking the user for any confirmation before unblocking. Also, the Close button of the details window is over the Unblock button. Maybe if they make a few UI changes and ask the user to confirm before unblocking IPs, then it would not be a problem at all.

8 minutes ago, cutting_edgetech said:

The only thing my router ever logs as being blocked is some IPv6 address, and I have IPv6 disabled on my network adapter.

You finally mentioned that you are using a VPN. As such, you are in essence bypassing the router's firewall. This is one reason I have never considered VPN use.

  • ESET Insiders
37 minutes ago, itman said:

You finally mentioned that you are using a VPN. As such, you are in essence bypassing the router's firewall. This is one reason I have never considered VPN use.

Even when I'm not using a VPN, which is most of the time, my router does not log any blocked IP other than an IPv6 link-local address. It blocks that address over and over again. I'm using IPv4, and I have IPv6 disabled on my network adapter. I don't see any options to adjust the router's logging capability. I've run plenty of port scans on my router and never found any open ports. I have all unnecessary Windows services disabled. I only have 5 services running that are listening, and their ports are filtered by the Eset firewall. There's not much to exploit on my machine by way of network attacks.

  • ESET Insiders

I'm beginning to wonder if my router even has SPI. I can't find anything that says it does. Also, Actiontec recently came out with a new DSL modem/router combo that advertises that their latest product does have SPI, as if the prior one didn't. This legacy product of theirs may not have SPI. If it does, then I can't find any documentation stating that it does, and nothing in the user interface says it does. Also, the only logging feature I see in the UI says "System Log", with no options to change the logging level.

On 6/28/2019 at 7:58 PM, cutting_edgetech said:

I'm beginning to wonder if my router even has SPI. I can't find anything that says it does.

Quote:

Enterprise-Level Security and Firewall

The GT784WN includes WPA and WPA2 encryption, and the ability to assign unique IDs to each wireless gateway to prevent hacking. It also includes a fully customizable firewall with Stateful Packet Inspection, denial of service protection, content filtering, intrusion detection, and additional encryption to prevent unwanted visitors from accessing your network.

https://www.actiontec.com/wp-content/uploads/2017/02/ActiontecGT784WNncsdatasheet.pdf

It appears there is no user manual with detailed setting explanations. The best I could find is: https://setuprouter.com/router/actiontec/gt784wnv/manual-1341.pdf . I ran into the same issue with my AT&T-provided router. I had to do web research to determine the actual manufacturer of the router and their equivalent model number. With that information, I was able to download a user manual with settings options and details.

Also there is a Verizon version of this router; if that is what you have. That version's firmware might have been modified to prevent end users from accessing the detailed protection settings options.

-EDIT- Here's a web site that shows all setting screen shots for the Verizon model: https://setuprouter.com/router/actiontec/gt784wnv/screenshots.htm .

The firewall has four settings: NAT, low, medium, and high. Click on the firewall screenshot for further details. Note the following. The default firewall security level is set to "Off". I suspect this results in only NAT being shown? I believe you may have disabled NAT in its stand-alone setting since it is not compatible with VPN? It appears the low to high firewall settings control which Windows network protocols (services) and their corresponding ports are monitored.

I don't believe that having the firewall off would affect SPI. However, disabling NAT would expose the actual sending port used by Windows.

One thing I don't like is that this router has the ability to support remote GUI and Telnet login to the router. I believe there have been multiple remote attack instances against Actiontec routers using this feature. Make sure it's disabled, preferably, or that a strong password is used.

In theory, a firewall with SPI and NAT should block most unwanted inbound external network traffic. Also, SPI only works for stateful protocols, namely TCP. UDP and ICMP, for example, are stateless protocols. Most routers will block incoming unsolicited ICMP pings by default. So UDP is the protocol that needs attention, and it can be blocked effectively by simply disabling unnecessary services that use it, such as UPnP.

If the router has the default password of "Admin", change it to something more secure.

  • ESET Insiders
On 6/29/2019 at 9:03 AM, itman said:

https://www.actiontec.com/wp-content/uploads/2017/02/ActiontecGT784WNncsdatasheet.pdf

It appears there is no user manual with detailed setting explanations. The best I could find is: https://setuprouter.com/router/actiontec/gt784wnv/manual-1341.pdf . I ran into the same issue with my AT&T-provided router. I had to do web research to determine the actual manufacturer of the router and their equivalent model number. With that information, I was able to download a user manual with settings options and details.

Also there is a Verizon version of this router; if that is what you have. That version's firmware might have been modified to prevent end users from accessing the detailed protection settings options.

-EDIT- Here's a web site that shows all setting screen shots for the Verizon model: https://setuprouter.com/router/actiontec/gt784wnv/screenshots.htm .

The firewall has four settings: NAT, low, medium, and high. Click on the firewall screenshot for further details. Note the following. The default firewall security level is set to "Off". I suspect this results in only NAT being shown? I believe you may have disabled NAT in its stand-alone setting since it is not compatible with VPN? It appears the low to high firewall settings control which Windows network protocols (services) and their corresponding ports are monitored.

I don't believe that having the firewall off would affect SPI. However, disabling NAT would expose the actual sending port used by Windows.

One thing I don't like is that this router has the ability to support remote GUI and Telnet login to the router. I believe there have been multiple remote attack instances against Actiontec routers using this feature. Make sure it's disabled, preferably, or that a strong password is used.

In theory, a firewall with SPI and NAT should block most unwanted inbound external network traffic. Also, SPI only works for stateful protocols, namely TCP. UDP and ICMP, for example, are stateless protocols. Most routers will block incoming unsolicited ICMP pings by default. So UDP is the protocol that needs attention, and it can be blocked effectively by simply disabling unnecessary services that use it, such as UPnP.

If the router has the default password of "Admin", change it to something more secure.

Sorry for the late reply. I was out of town for several days, and when I came back we had no internet, which is typical of this area. My ISP is TDS, and they are incapable of fixing the internet outages here. I have no internet whenever it rains. Water is getting into the lines, and they have been unable to locate the problem after supposedly trying for years.

So, I have the TDS version of the router. I have always used the High setting for the "Security Firewall". The only visible thing that changes in the GUI is that it unticks most of the default allowed inbound ports, but almost none of them are related to vulnerable Windows services. It seems the High setting is not much more secure than the Low. I have WAN Ping Block mode enabled, but I still get pinged to death if I use a VPN (which bypasses the router's firewall). I have NAT enabled in the settings, but there is no mention of SPI anywhere in the GUI.

I went through the router settings with a fine-tooth comb when I got it, and I have everything configured with security in mind. Disabling remote Telnet login and changing the default password was the first thing I did when I got the router. I also changed the SSID to something false to make hackers work a little harder to know what kind of router I have. I have UPnP and WPS disabled. I'm using WPA/WPA2 encryption. I also have almost all Windows services that use an open port disabled.

I'm hoping Eset will want to make some changes to the positioning of the buttons used in the Network Wizard, UI changes to the firewall, and provide better logging options. I tried using the diagnostic logging to see how much it logged, but you receive a nagging prompt reminding you to disable it about once a minute.

Also, I think the IDS/IPS could be improved. I think it only detects a low percentage of the port scans that actually occur on my system. I will know more when I get a chance to test the firewall myself, which I hope is very soon! Btw, I have a degree in InfoSec and Networking. I just graduated in May, so I don't have much experience, but I do know quite a bit about networking and firewalls. I know I need more experience before I would be considered an expert. I think I may have just gotten a networking job at a large hospital, though; I'm keeping my fingers crossed.

Edited: 7/3/19 @ 5:35


There is one last thing you can try. In theory, this should eliminate the Network Wizard entries and allow you to block all inbound traffic for further review.

Create a firewall rule to deny all inbound communication, that is, "ALL" protocols. The only other settings required are to set the logging level to Warning and to be alerted, which I assume you don't want. Note: this rule must always remain at the end of the existing rule set.

The only possible glitch with this is how Eset handles inbound Windows Firewall traffic, assuming you have that default allow option enabled. If Eset parses the Win firewall rules after all its own rules are parsed, this rule will block all that traffic. I believe the Win firewall rule checking is done prior to Eset rule checking, but I'm not sure of this.

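The suggestion above turns on two properties of an ordered, first-match rule set: an inbound connection that matches no rule is dropped silently (which is what the Wizard shows as "no rule found"), while an explicit catch-all Block rule with a logging level produces a log entry, and that catch-all only works if it really is the last rule, otherwise it swallows the Allow rules above it (the VPN's UDP/500 allow, for instance). The example below is added for this thread and is not ESET's engine or rule format; the `Rule` and `Conn` fields, the log line layout and the "no rule found" wording are assumptions used to illustrate the ordering argument.

```python
"""Toy first-match firewall rule engine with per-rule logging.

Added example for this thread; not ESET code.  Assumptions: rules are
evaluated top to bottom and the first match wins; a connection matching
no rule is dropped without a log entry (the "implicit drop" discussed in
the thread); a Block rule writes a log line only if it has a log_level.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                        # "allow" | "block"
    direction: str                     # "in" | "out" | "both"
    proto: str = "any"                 # "tcp" | "udp" | "any"
    local_port: Optional[int] = None   # None = any port
    remote_ip: Optional[str] = None    # None = any peer
    log_level: Optional[str] = None    # None = no log entry; "information" | "warning"


@dataclass(frozen=True)
class Conn:
    direction: str
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass
class Engine:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)      # the firewall log file
    wizard: List[Tuple[str, str]] = field(default_factory=list)  # troubleshooting view

    @staticmethod
    def _matches(r: Rule, c: Conn) -> bool:
        return (r.direction in ("both", c.direction)
                and r.proto in ("any", c.proto)
                and (r.local_port is None or r.local_port == c.local_port)
                and (r.remote_ip is None or r.remote_ip == c.remote_ip))

    def evaluate(self, c: Conn) -> Tuple[str, Optional[str]]:
        """Return (action, matching rule name or None for an implicit drop)."""
        for r in self.rules:                       # first match wins
            if self._matches(r, c):
                if r.action == "block":
                    self.wizard.append((c.remote_ip, f"blocked by rule '{r.name}'"))
                    if r.log_level:                # only explicit rules can log
                        self.log.append(
                            f"{r.log_level.upper()} {r.name} {c.proto} "
                            f"{c.remote_ip}:{c.remote_port} -> local:{c.local_port}")
                return r.action, r.name
        # No rule matched: dropped, visible to the wizard, absent from the log.
        self.wizard.append((c.remote_ip, "no rule found"))
        return "block", None


# Constructed rule set and traffic (RFC 5737 documentation addresses).
BASE_RULES = [
    Rule("Allow inbound IKE for VPN", "allow", "in", "udp", local_port=500),
    Rule("Block inbound SMB", "block", "in", "tcp", local_port=445, log_level="information"),
]
CATCH_ALL = Rule("Deny all inbound", "block", "in", log_level="warning")

RDP_PROBE = Conn("in", "tcp", 3389, "198.51.100.7", 40000)   # matches no base rule
VPN_PEER = Conn("in", "udp", 500, "203.0.113.9", 500)       # must stay allowed


def run_demo() -> dict:
    """Compare no catch-all, catch-all last, and catch-all first."""
    no_catch_all = Engine(list(BASE_RULES))
    catch_all_last = Engine(BASE_RULES + [CATCH_ALL])
    catch_all_first = Engine([CATCH_ALL] + BASE_RULES)
    return {
        "implicit_drop": no_catch_all.evaluate(RDP_PROBE),
        "implicit_drop_log_lines": len(no_catch_all.log),
        "implicit_drop_wizard": no_catch_all.wizard[-1][1],
        "explicit_drop": catch_all_last.evaluate(RDP_PROBE),
        "explicit_drop_log_lines": len(catch_all_last.log),
        "vpn_with_catch_all_last": catch_all_last.evaluate(VPN_PEER)[0],
        "vpn_with_catch_all_first": catch_all_first.evaluate(VPN_PEER)[0],
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The `vpn_with_catch_all_first` result is the ordering caveat from the post: the same rule that makes the RDP probe appear in the log also blocks the VPN's IKE traffic when it is placed above the Allow rule. It also shows the trade-off raised in the reply below, since every unmatched inbound connection, harmless or not, now produces a Warning line.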
  • ESET Insiders
1 hour ago, itman said:

There is one last thing you can try. In theory, this should eliminate the Network Wizard entries and allow you to block all inbound traffic for further review.

Create a firewall rule to deny all inbound communication, that is, "ALL" protocols. The only other settings required are to set the logging level to Warning and to be alerted, which I assume you don't want. Note: this rule must always remain at the end of the existing rule set.

The only possible glitch with this is how Eset handles inbound Windows Firewall traffic, assuming you have that default allow option enabled. If Eset parses the Win firewall rules after all its own rules are parsed, this rule will block all that traffic. I believe the Win firewall rule checking is done prior to Eset rule checking, but I'm not sure of this.

All I want to do is make Eset log inbound blocks for when there is no allow or deny rule. Eset blocks the connection attempt when there is no allow or deny rule and does not log it. I'm going to let Eset developers know about attacks they may not be aware of, and request a way to log them.

If I create a rule to block all protocols, then Eset will block all inbound access and log all inbound connection attempts. My firewall log would be humongous, and it would take an enormous amount of work to sort attacks from harmless connection attempts. I think it's best to sort this out with development if they are willing to add some additional capabilities.


Archived

This topic is now archived and is closed to further replies.
