Eset Blocking Chromecast

[itman 1,659]

I just completed going through a few Eset export .xml files from late last year.

To my best knowledge, Eset has been scanning all ports that use HTTP for some time as evidenced by no specific port range stored in the .XML file. It should be noted that the port specified for HTTPS is 443.

What I believe we have here is perhaps a junior level programmer "getting creative" about the fact that no port range specification was given for HTTP in the Eset GUI and blotching that attempt badly.

[lamar 10]

22 minutes ago, itman said:

perhaps a junior level programmer "getting creative"

[ OFF-TOPIC ]

You made me laugh this evening (it is evening here). When I was a young titan I was sure that always old farts hindered the progress and I tried to avoid requesting advice from them. I had to get old to admit my bad decisions.

[itman 1,659]

19 minutes ago, lamar said:

When I was a young titan I was sure that always old farts hindered the progress and I tried to avoid requesting advice from them. I had to get old to admit my bad decisions.

One of my favorite quotes, "Age and treachery will always defeat youth and enthusiasm."

[Marcos 5,069]

We've ordered Chromecast for testing. Also I've inquired developers about the port range if it's intentional or if it's a bug.

The question is if leaving only port 443 there actually resolves the issue with Chromecast.

[Marcos 5,069]

1 hour ago, lamar said:

May something go wrong with Eset? The first warning sign was they withdrew themselves from independent AV tests in December 2017. I am a persistent user since the early 2000's but nowadays question marks proliferate around my favorite AV/FW.

This is offtopic but ok, let's answer it. There's nothing wrong with ESET, we're better and better day by day. Recently we've achieved top results in a test of a prestigious testing company. As you probably know, taking part in a test costs really a lot of money so AV companies have to carefully decide which tests they will take part it.  As for AV Test, we continue to be tested in private tests where we already receive excellent score.

[itman 1,659]

25 minutes ago, Marcos said:

The question is if leaving only port 443 there actually resolves the issue with Chromecast.

According to Google's own Chromecast security guide, I believe it will:

Quote

Check your advanced router settings

1. Using a web browser, open your router settings.
2. Navigate to the Port Forwarding setting.
3. Consider deleting ports 8008, 8009, and 8443 if they're listed. These ports may be unsafely exposing your devices to the internet.
4. Save your changes if needed.

https://support.google.com/chromecast/answer/9216542?hl=en

Edited July 23, 2019 by itman

[The Scorpion 1]

I've returned the SSL/TSL filtering to 'automatic' and deleted the '0-65535' so that 443 remains alone and chromecast is now recognised.

So, is it considered ok to leave it like that or should the '0-65535' only be deleted when you want to cast and re-entered at other times?   If so seems a problem that needs fixing by Eset.  😐

[itman 1,659]

Another possibility that occurred to me is the 0-65535 port range scanning is only supposed to be used for VPN inbound scanning since it uses a multitude of UDP/TCP ports as shown in this example article: https://www.privateinternetaccess.com/helpdesk/kb/articles/what-ports-are-used-by-your-vpn-service . Just how Eset would be able to differentiate that the source was a VPN is a complete mystery to me.

[itman 1,659]

8 minutes ago, The Scorpion said:

So, is it considered ok to leave it like that or should the '0-65535' only be deleted when you want to cast and re-entered at other times?  

As posted previously, leave it at 443 until Eset officially posts to do otherwise.

[The Scorpion 1]

9 minutes ago, itman said:

As posted previously, leave it at 443 until Eset officially posts to do otherwise.

Thanks

[am_dew 3]

I am also having this issue. Can someone please summarize what needs to done to get Chromecast to work again?   Thanks!

[The Scorpion 1]

am_dew   Here's what I did...

Go into Eset  'set up'  then 'advanced setup' (bottom right)

Select 'Web access protection'  then expand 'Web Protocols'

In 'ports used by https protocol'  delete '0-65535' leaving '443'. 

[am_dew 3]

1 hour ago, The Scorpion said:

am_dew   Here's what I did...

Go into Eset  'set up'  then 'advanced setup' (bottom right)

Select 'Web access protection'  then expand 'Web Protocols'

In 'ports used by https protocol'  delete '0-65535' leaving '443'. 

Thank you!  This worked for me.

[Marcos 5,069]

The whole range of ports has been added intentionally for increased security. We'll try to address it without the need for you to remove the range of ports which would lower the security and allow bypassing SSL filtering.

[rsternap 1]

Try the help page here under 'problem accessing a device on your network'

https://help.eset.com/ees/7/en-US/solving_problems_protocol_filtering.html

adding the chromecast ip address to the exclude list worked for me.

Find the address in google home app - tap the icon for your chromecast device, tap settings (gear symbol), scroll down to information

Edited July 24, 2019 by rsternap

[itman 1,659]

6 hours ago, Marcos said:

The whole range of ports has been added intentionally for increased security.

The problem here is AV vendors such as Eset, Kaspersky, etc. noted for implementing SSL/TLS scanning are "notorious" for applying them using methods that are still objectionable to many security experts. Add to that the browser developers, Chrome and FireFox, who are on record for condemning SSL/TLS protocol scanning outright.

Now add to this a whole new dimension where all network communication is being scanned. As is typical of AV vendors employing like scanning, the attitude is "we will implement it and worry about the consequences of doing so later." This current Chromecast fiasco is without doubt, the first of many more to come.

Frankly, I am getting fed up with current third party AV security development practices and currently giving Windows Defender "a hard look" as my security solution. It is scoring quite well on AV lab tests and is doing so without using SSL/TLS protocol scanning. Win 10 1903 enhancements such as self-sandboxing, self-protection, block-at-first-sight capability, and ASR mitigations such as blocking of obfuscated PowerShell scripts, blocking of PSExec execution and WMI events, etc. to name are few are quite appealing to me.

[Marcos 5,069]

Nowadays more and more malware communicates over SSL so scanning the communication is critical for keeping the system safe and malware free. Abandoning SSL scanning would substantially deteriorate protection capabilities of particular AV products. If Microsoft provided a better way of scanning SSL communication, we would not be forced to do SSL introspection.

[itman 1,659]

13 minutes ago, Marcos said:

Nowadays more and more malware communicates over SSL so scanning the communication

Scanning of SSL/TLS communication has nothing to do with this. Eset is now scanning all communication regards of need. The HTTPS port setting will remain at port 443 on my installation.

[lamar 10]

5 hours ago, rsternap said:

adding the chromecast ip address to the exclude list worked for me.

This works up till that point when the DHCP server in your router assigns a new IP address to chromecast. Can not be prognosticated when, but it will happen.

[lamar 10]

What nice polemics between itamn and Marcos 

1 hour ago, itman said:

The HTTPS port setting will remain at port 443 on my installation.

I agree with you: HTTPS port is historically 443 (rarely 8443). And in this case there is no sense of the setting "ports used by HTTPS" in Eset control panel. However, we do not know what Chromecast does on port 8009. Maybe it performs a hidden HTTPS communication violating the "443-tradition". In this case, for me, the most interesting question is what sort of hidden communication Chromecast performs that is found malicious by Eset.

 

3 hours ago, itman said:

The whole range of ports has been added intentionally for increased security.

I understand and appreciate this. If this is the final and official Eset statement, may I recall my former suggestion to leave the whole range protected with an exclusion of port port 8009 of Chromecast. Set the "ports used by HTTPS" field to "0-8008, 8010-65535".

Open issues remained:

It is a common security approach to protect everything, and handle specific needs by exclusions. But the "ports used by HTTPS" setting is a reverse approach: protect nothing except the individually specified ports. Did Eset realize the weakness of this approach in V12?

As I sad, I appreciate the extension of HTTPS protection, however I truly disapprove that Eset blocks Chromecast traffic without any warning to the valued customer. May Eset display the HTTPS protection warnings in the browser window? Bad practice as nothing ensures there is any hypertext stuff displayed by the communing partners. I suppose this is the deepest root of our current issue.

[itman 1,659]

1 hour ago, lamar said:

Set the "ports used by HTTPS" field to "0-8008, 8010-65535".

The problem with this if you "buy into" Eset's concept of scanning all port traffic is if malicious site uses port 8009, the incoming network traffic won't be scanned. Again this assumes if scanned, Eset would be able to detect the malware.

Refer to the bleepingcomputer.com prior posted link on how the Kaspersky's Chromecast SSL/TLS protocol scanning exclusion was created. Only IP addresses associated with Chromecast were allowed to use port 8009. This is problematic in that Chrome could change existing IP addresses or use new ones. Also note that Eset's SSL/TLS protocol scanning does not have this capability.

The only present secure way to do the Chomecast exclusion in Eset is to do the following:

1. Only enable HTTPS scanning for port 443.

2. Open you browser and don't do anything else.

3. Set Eset SSL/TLS protocol scanning to Interactive mode.

4. Navigate to the Chromecast web site via use of its extension/plug-in within your browser. Eset's SSL/TLS protocol scanning should throw an alert prompting "Scan" or Ignore." Select "Ignore." This should save the Google self-signed certificate in Eset's  SSL/TLS protocol scanning "List of known certificates" with its status set to ""Ignore." Verify that the certificate created is indeed Google's self-signed certificate.

5. Close your browser and set Eset SSL/TLS protocol scanning to Automatic mode.

At this point when you open the browser and use Chromecast, you should be able to do so without any Eset issues. If this is the case, you can reset Eset HTTPS port scanning to default values; i.e. 443, 0-65535 . If you're a non-technical user and what I just posted sounds like "a nightmare from hell" procedure, I agree with you 100%.

Edited July 24, 2019 by itman

[rsternap 1]

5 hours ago, lamar said:

This works up till that point when the DHCP server in your router assigns a new IP address to chromecast. Can not be prognosticated when, but it will happen.

True, but I believe you can assign a static IP address in most routers these days

[lamar 10]

9 minutes ago, rsternap said:

6 hours ago, lamar said:

This works up till that point when the DHCP server in your router assigns a new IP address to chromecast. Can not be prognosticated when, but it will happen.

True, but I believe you can assign a static IP address in most routers these days

You are right. However Chromecast is widespread device and used by the average citizen, therefore such solution is necessary that can be performed by anybody even "grandma-next-door". Unfortunately none of the solution proposals of this topic fulfills this requirement. I suppose the only solution is Eset makes such changes that let Chromecast go without any modifications in the default settings of any hardware or software tools.

[lamar 10]

3 hours ago, itman said:

If you're a non-technical user and what I just posted sounds like "a nightmare from hell" procedure, I agree with you 100%.

I clearly understand your proposal, and I think today this should be the only way that does not lack of any compromises in security. And you are right, this procedure is "a nightmare from hell" for the average user.

[am_dew 3]

11 minutes ago, lamar said:

You are right. However Chromecast is widespread device and used by the average citizen, therefore such solution is necessary that can be performed by anybody even "grandma-next-door". Unfortunately none of the solution proposals of this topic fulfills this requirement. I suppose the only solution is Eset makes such changes that let Chromecast go without any modifications in the default settings of any hardware or software tools.

RIght on.  I'm an IT professional who is very persisent at trying to find solutions to issues I experience, and it took me a lot of time and research before I found this thread.  I was just about ready to consider my Chromecast devices obsolete but as a somewhat last ditch effort, I Googled "eset chromecast" and then came across this thread.

On a a slightly off topic issue, while troublshooting, I tried "pausing" the ESET firewall and I was still not able to see my Chromecast device.  I thought doing that would completely bypass ESET?