PaulWillard 0 Posted January 26, 2020 Posted January 26, 2020 Hi, If I disable Eset internet security v13.0.24 firewall then the Windows 10 folder sharing works and I can see files from other computers. When I enable Eset firewall and enable logs this error shows up >>epfwlog.txt >>1/26/2020 1:28:29 PM Communication denied by rule Blocked 192.168.1.141:35254 192.168.1.255:137 UDP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System I read many forums posts and recommendations to add "192.168.0.0/24" to trusted zones and other things but still no luck is there something else that I am missing?
itman 1,802 Posted January 26, 2020 Posted January 26, 2020 (edited) Refer to the below screen shot. Per your Eset log entry, the Eset firewall is blocking outbound SSDp/uPnP traffic because that is only allowed to port 1900. For file sharing, outbound access to port 137 must be performed by the System process; i.e. ntoskrnl.exe. What is strange is why Eset firewall is creating the blocked SSDP/uPnP outbound log entry. That rule should only be triggered by any attempted outbound traffic to port 1900. Or, perhaps by svchost.exe outbound SSDP service traffic to any port other than 1900 which appears to be the case here. Edited January 26, 2020 by itman
PaulWillard 0 Posted January 26, 2020 Author Posted January 26, 2020 I did exactly what you suggested and added those entries from your screenshot into my >Firewall > Advanced > Rules Time Event Action Source Target Protocol Rule/worm name Application User 1/26/2020 6:19:40 PM Communication denied by rule Blocked 192.168.1.141:49983 192.168.1.255:137 UDP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System 1/26/2020 6:19:45 PM Communication denied by rule Blocked 192.168.1.141:45919 192.168.1.255:137 UDP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System 1/26/2020 6:19:48 PM Communication denied by rule Blocked 192.168.1.141:47414 192.168.1.255:137 UDP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System
itman 1,802 Posted January 26, 2020 Posted January 26, 2020 (edited) 55 minutes ago, PaulWillard said: I did exactly what you suggested and added those entries from your screenshot into my >Firewall > Advanced > Rules The rules shown in my screen shot are Eset default ones. So delete any like rules you created since they are not necessary. You can see all Eset default firewall rules by enabling the "Slow built-in (predefined) rules" box option by left mouse clicking on it. Appears Eset firewall is blocking the outbound port 137 traffic since that should only be done by System; not by svchost.exe. What is unexplained is why the Eset log is showing blocked outbound SSDP/UPnP traffic versus blocked outbound file sharing traffic. Edited January 27, 2020 by itman
PaulWillard 0 Posted January 26, 2020 Author Posted January 26, 2020 any other ideas on what I should do ?
itman 1,802 Posted January 26, 2020 Posted January 26, 2020 Have you created any user firewall rules other than the ones noted previously?
itman 1,802 Posted January 27, 2020 Posted January 27, 2020 I also just reviewed Win firewall file sharing outbound rules in regards to port 137, and it only allows that to be done from the System process. So Eset's blocked activity is correct in regards to svchost.exe attempt to do so.
itman 1,802 Posted January 27, 2020 Posted January 27, 2020 5 hours ago, PaulWillard said: recommendations to add "192.168.0.0/24" to trusted zones If you have added 192.168.0.0/24 to the Trusted zone, delete it and see if this stops the Eset blocked port 137 outbound activity.
PaulWillard 0 Posted January 27, 2020 Author Posted January 27, 2020 56 minutes ago, itman said: If you have added 192.168.0.0/24 to the Trusted zone, delete it and see if this stops the Eset blocked port 137 outbound activity. Time Event Action Source Target Protocol Rule/worm name Application User 1/26/2020 8:10:27 PM Communication denied by rule Blocked 192.168.1.141:42021 192.168.1.12:445 TCP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System 1/26/2020 8:10:27 PM Communication denied by rule Blocked 192.168.1.141:45536 192.168.1.12:139 TCP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System 1/26/2020 8:10:28 PM Communication denied by rule Blocked 192.168.1.141:42021 192.168.1.12:445 TCP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System 1/26/2020 8:10:28 PM Communication denied by rule Blocked 192.168.1.141:45536 192.168.1.12:139 TCP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System 1/26/2020 8:10:30 PM Communication denied by rule Blocked 192.168.1.141:42021 192.168.1.12:445 TCP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System 1/26/2020 8:10:30 PM Communication denied by rule Blocked 192.168.1.141:45536 192.168.1.12:139 TCP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System 1/26/2020 8:10:35 PM Communication denied by rule Blocked 192.168.1.141:45064 192.168.1.255:137 UDP Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone System
Hpoonis 7 Posted January 27, 2020 Posted January 27, 2020 (edited) I was told to use 'learning mode'. Once that was enabled file-sharing worked (windows 7 to windows 10). However, no amount of fiddling and options is making KODI (win or pi) connect to the win10 shares. I cannot speak for how ESET acts with win7 compared to win10 but I had no problems connecting KODI to win7 shares and ESET was installed back then (before upgrade/rebuild) also. Does the eset firewall create a 'trusted zone' for local addresses (same subnet). I see that as a default that should happen. Edited January 27, 2020 by Hpoonis
itman 1,802 Posted January 27, 2020 Posted January 27, 2020 You still didn't answer my question of if custom user firewall rules have been created. This includes as noted above if you have previously switched Eset firewall to Learning mode as noted above. Also, if you used the Network Wizard previously to unblock any previously blocked network traffic.
PaulWillard 0 Posted January 27, 2020 Author Posted January 27, 2020 2 hours ago, itman said: You still didn't answer my question of if custom user firewall rules have been created. This includes as noted above if you have previously switched Eset firewall to Learning mode as noted above. Also, if you used the Network Wizard previously to unblock any previously blocked network traffic. No I am not using any firewall profile and the filtering mode is set to "automatic mode"
itman 1,802 Posted January 27, 2020 Posted January 27, 2020 2 minutes ago, PaulWillard said: No I am not using any firewall profile Open Eset firewall settings. Refer to the below screen and post what "Protection Type" is shown for your network adapter connection.
itman 1,802 Posted January 27, 2020 Posted January 27, 2020 That looks OK. Do you actually have that many devices on your network?
itman 1,802 Posted January 27, 2020 Posted January 27, 2020 Your screen shot shows 5 connections; Two for physical Ethernet with one disabled. One for virtual Ethernet. One for Wi-Fi - disabled One for Bluetooth - disabled Disregarding the disabled connections, there should be only two network connections shown in Eset; one for the physical Ethernet connection and one for the virtual Ethernet connection.
PaulWillard 0 Posted January 27, 2020 Author Posted January 27, 2020 should I delete those 19 known networks?
itman 1,802 Posted January 27, 2020 Posted January 27, 2020 1 minute ago, PaulWillard said: should I delete those 19 known networks? I would delete all existing network connections and let Eset redetect you active network connections. If Eset keeps recreating new connections as currently exists, it is a sign that Eset is having a problem detecting your current network adapter connections. Next up is who are you trying to share files with since your network consists of just one physical device?
PaulWillard 0 Posted January 27, 2020 Author Posted January 27, 2020 I'm connected to my router through LAN and my laptop in a different room is connected through WIFI.. I am trying to open files from the laptop but ESET won't let me
PaulWillard 0 Posted January 27, 2020 Author Posted January 27, 2020 so I deleted everything then added just one and it seems to be working now!
itman 1,802 Posted January 27, 2020 Posted January 27, 2020 (edited) 1 hour ago, PaulWillard said: so I deleted everything then added just one and it seems to be working now! I was eventually going to get to this. When the "Use Windows setting" is specified for an Eset network adapter connection, this will defer to the Win firewall network profile. If that profile is set to "Public," file sharing is disabled by default unless manually overridden as shown below: Don't know if you were doing something like this. If so, it might explain why file sharing worked for you with the Eset firewall disabled. Most likely what happened was when you disabled the Eset firewall, the Win firewall was also disabled which I believe is the case. As such, no firewall fire sharing restrictions were in place which is why you could perform file sharing. In any case, looks like your issue is resolved. Edited January 27, 2020 by itman
Recommended Posts