Jump to content

Recommended Posts

Hi,

If I disable Eset internet security v13.0.24 firewall then the Windows 10 folder sharing works and I can see files from other computers.

When I enable Eset firewall and enable logs this error shows up

>>epfwlog.txt

>>1/26/2020 1:28:29 PM    Communication denied by rule    Blocked    192.168.1.141:35254    192.168.1.255:137    UDP    Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone    System    

I read many forums posts and recommendations to add "192.168.0.0/24" to trusted zones and other things but still no luck

is there something else that I am missing?

Share this post


Link to post
Share on other sites

Refer to the below screen shot.

Per your Eset log entry, the Eset firewall is blocking outbound SSDp/uPnP traffic because that is only allowed to port 1900. For file sharing, outbound access to port 137 must be performed by the System process; i.e. ntoskrnl.exe.

What is strange is why Eset firewall is creating the blocked SSDP/uPnP outbound log entry. That rule should only be triggered by any attempted outbound traffic to port 1900. Or, perhaps by svchost.exe outbound SSDP service traffic to any port other than 1900 which appears to be the case here.

Eset_Sharing.thumb.png.0ebc68364470529e7bf22fcc5ee3bf8d.png

Edited by itman

Share this post


Link to post
Share on other sites

I did exactly what you suggested and added those entries from your screenshot into my >Firewall > Advanced > Rules

Time	Event	Action	Source	Target	Protocol	Rule/worm name	Application	User
1/26/2020 6:19:40 PM	Communication denied by rule	Blocked	192.168.1.141:49983	192.168.1.255:137	UDP	Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone	System				
1/26/2020 6:19:45 PM	Communication denied by rule	Blocked	192.168.1.141:45919	192.168.1.255:137	UDP	Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone	System	
1/26/2020 6:19:48 PM	Communication denied by rule	Blocked	192.168.1.141:47414	192.168.1.255:137	UDP	Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone	System	

 

Share this post


Link to post
Share on other sites
55 minutes ago, PaulWillard said:

I did exactly what you suggested and added those entries from your screenshot into my >Firewall > Advanced > Rules

The rules shown in my screen shot are Eset default ones. So delete any like rules you created since they are not necessary. You can see all Eset default firewall rules by enabling the "Slow built-in (predefined) rules" box option by left mouse clicking on it.

Appears Eset firewall is blocking the outbound port 137 traffic since that should only be done by System; not by svchost.exe. What is unexplained is why the Eset log is showing blocked outbound SSDP/UPnP traffic versus blocked outbound file sharing traffic.

Edited by itman

Share this post


Link to post
Share on other sites

Have you created any user firewall rules other than the ones noted previously?

 

Share this post


Link to post
Share on other sites

I also just reviewed Win firewall file sharing outbound rules in regards to port 137, and it only allows that to be done from the System process. So Eset's blocked activity is correct in regards to svchost.exe attempt to do so.

Share this post


Link to post
Share on other sites
5 hours ago, PaulWillard said:

recommendations to add "192.168.0.0/24" to trusted zones

If you have added 192.168.0.0/24 to the Trusted zone, delete it and see if this stops the Eset blocked port 137 outbound activity.

Share this post


Link to post
Share on other sites
56 minutes ago, itman said:

If you have added 192.168.0.0/24 to the Trusted zone, delete it and see if this stops the Eset blocked port 137 outbound activity.

Time	Event	Action	Source	Target	Protocol	Rule/worm name	Application	User			
1/26/2020 8:10:27 PM	Communication denied by rule	Blocked	192.168.1.141:42021	192.168.1.12:445	TCP	Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone	System	
1/26/2020 8:10:27 PM	Communication denied by rule	Blocked	192.168.1.141:45536	192.168.1.12:139	TCP	Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone	System	
1/26/2020 8:10:28 PM	Communication denied by rule	Blocked	192.168.1.141:42021	192.168.1.12:445	TCP	Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone	System	
1/26/2020 8:10:28 PM	Communication denied by rule	Blocked	192.168.1.141:45536	192.168.1.12:139	TCP	Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone	System			
1/26/2020 8:10:30 PM	Communication denied by rule	Blocked	192.168.1.141:42021	192.168.1.12:445	TCP	Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone	System	
1/26/2020 8:10:30 PM	Communication denied by rule	Blocked	192.168.1.141:45536	192.168.1.12:139	TCP	Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone	System	
1/26/2020 8:10:35 PM	Communication denied by rule	Blocked	192.168.1.141:45064	192.168.1.255:137	UDP	Allow outgoing SSDP (UPNP) requests for svchost.exe in the Trusted zone	System	

 

Share this post


Link to post
Share on other sites

I was told to use 'learning mode'.

Once that was enabled file-sharing worked (windows 7 to windows 10). However, no amount of fiddling and options is making KODI (win or pi) connect to the win10 shares. 

I cannot speak for how ESET acts with win7 compared to win10 but I had no problems connecting KODI to win7 shares and ESET was installed back then (before upgrade/rebuild)  also.

 

Does the eset firewall create a 'trusted zone' for local addresses (same subnet). I see that as a default that should happen.

Edited by Hpoonis

Share this post


Link to post
Share on other sites

You still didn't answer my question of if custom user firewall rules have been created.

This includes as noted above if you have previously switched Eset firewall to Learning mode as noted above. Also, if you used the Network Wizard previously to unblock any previously blocked network traffic.

Share this post


Link to post
Share on other sites
2 hours ago, itman said:

You still didn't answer my question of if custom user firewall rules have been created.

This includes as noted above if you have previously switched Eset firewall to Learning mode as noted above. Also, if you used the Network Wizard previously to unblock any previously blocked network traffic.

No I am not using any firewall profile and the filtering mode is set to "automatic mode"

Share this post


Link to post
Share on other sites
2 minutes ago, PaulWillard said:

No I am not using any firewall profile 

Open Eset firewall settings. Refer to the below screen and post what "Protection Type" is shown for your network adapter connection.

Eset_Profile.thumb.png.de5cf2053e1b122dcac69615d016cc5e.png

Share this post


Link to post
Share on other sites

That looks OK. Do you actually have that many devices on your network?

Share this post


Link to post
Share on other sites

Your screen shot shows 5 connections;

Two for physical Ethernet with one disabled.

One for virtual Ethernet.

One for Wi-Fi - disabled

One for Bluetooth - disabled

Disregarding the disabled connections, there should be only two network connections shown in Eset; one for the physical Ethernet connection and one for the virtual Ethernet connection.

 

Share this post


Link to post
Share on other sites
1 minute ago, PaulWillard said:

should I delete those 19 known networks?

I would delete all existing network connections and let Eset redetect you active network connections.

If Eset keeps recreating new connections as currently exists, it is a sign that Eset is having a problem detecting your current network adapter connections.

Next up is who are you trying to share files with since your network consists of just one physical device?

 

Share this post


Link to post
Share on other sites

I'm connected to my router through LAN and my laptop in a different room is connected through WIFI..

I am trying to open files from the laptop but ESET won't let me

Share this post


Link to post
Share on other sites
1 hour ago, PaulWillard said:

so I deleted everything then added just one and it seems to be working now!

I was eventually going to get to this.

When the "Use Windows setting" is specified for an Eset  network adapter connection, this will defer to the Win firewall network profile. If that profile is set to "Public," file sharing is disabled by default unless manually overridden as shown below:

Win_Sharing.thumb.png.95ea2c7f4d1576035b3a68a4b29b7e50.png

Don't know if you were doing something like this. If so, it might explain why file sharing worked for you with the Eset firewall disabled.

Most likely what happened was when you disabled the Eset firewall, the Win firewall was also disabled which I believe is the case. As such, no firewall fire sharing restrictions were in place which is why you could perform file sharing.

In any case, looks like your issue is resolved.

Edited by itman

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...