Computerjul

Question about ESET Firewall & rules

Posted (edited)

Hello,

I'm using ESET Internet Security and I checked the firewall settings and found this:

"Also evaluate rules from Windows Firewall"
In automatic mode, allow also incoming traffic allowed by rules from Windows Firewall, unless explicitly blocked by ESET rules.

So I was wondering if this is a potential flaw, because I recently saw videos of malware tests with only Windows Firewall/Defender where it would successfully execute code that adds a lot of different rules to the Windows Firewall and download a bunch of other stuff. If ESET allows everything that is allowed through a rule in Windows Firewall, the same thing could happen if you use ESET, or exploit other existing rules maybe. Or am I wrong about that? I'm not an expert at all, but I'm very interested to know how it works and if I should disable it. :)

Also, I would like to know if it is a good idea to set my network profile for my normal home connection to "public network" instead of "private network". I always thought if I go with the "public network" profile the security would be better and would use stronger settings. Is that true? Does it provide any security improvement, even if it is minor? I never had a problem with it.

Thanks in advance
Computerjul

 

Edited by Computerjul

Posted (edited)
49 minutes ago, Computerjul said:

"Also evaluate rules from Windows Firewall"
In automatic mode, allow also incoming traffic allowed by rules from Windows Firewall, unless explicitly blocked by ESET rules.

This applies to existing Win firewall rules pertaining to inbound network traffic unless specifically blocked by an existing Eset firewall rule.

49 minutes ago, Computerjul said:

So I was wondering if this is a potential flaw, because I recently saw videos of malware tests with only Windows Firewall/Defender where it would successfully execute code that adds a lot of different rules to the Windows Firewall and download a bunch of other stuff.

Allowing inbound Win firewall rules is basically "a double-edged sword." Whereas this option allows for trouble-free operation of a lot of legit Win 10 network traffic such as Store apps, the problem lies in how Win 10 firewall rules are stored. They are stored in clear text in the Registry and are not natively protected from modification. Although not a frequent occurrence, attackers have been able to create Win firewall rules to allow their inbound traffic. Mitigations against this are custom Eset HIPS rules that monitor the use of Registry modification utilities such as reg.exe and the like.

Edited by itman
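
The kind of check the reply above points to, as an added example that is not part of the original posts and is not ESET's or Microsoft's code: compare a saved baseline of the Windows Firewall rule values with the current ones and report enabled inbound allow rules that are new or changed. It assumes the rules are the pipe-delimited strings Windows keeps under the `FirewallRules` registry key; the function names and the sample snapshots are constructed for illustration.

```python
# Added example: report inbound allow rules that are new or changed vs. a baseline.
FW_RULES_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\FirewallRules")

def read_live_rules():
    """Return {value name: rule string} from HKLM (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FW_RULES_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        rows = (winreg.EnumValue(key, i) for i in range(count))
        return {name: data for name, data, _type in rows}

def parse_rule(raw):
    """Split 'v2.30|Action=Allow|Dir=In|...|' into a dict of fields."""
    fields = {}
    for part in raw.split("|")[1:]:  # element 0 is the format version tag
        if "=" in part:
            key, value = part.split("=", 1)
            # A field such as LPort can repeat; keep every value.
            fields[key] = fields[key] + "," + value if key in fields else value
    return fields

def new_inbound_allows(baseline, current):
    """List enabled inbound allow rules that are new or modified."""
    findings = []
    for name, raw in sorted(current.items()):
        if baseline.get(name) == raw:
            continue  # unchanged since the baseline
        f = parse_rule(raw)
        state = (f.get("Dir", ""), f.get("Action", ""), f.get("Active", ""))
        if tuple(s.lower() for s in state) == ("in", "allow", "true"):
            findings.append((name, f.get("Name", ""), f.get("LPort", "any"),
                             f.get("App", "any")))
    return findings

# Constructed sample snapshots (not taken from a real machine).
BASELINE = {
    "CONSTRUCTED-DHCP-In": r"v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=17"
                           r"|LPort=68|App=%SystemRoot%\system32\svchost.exe|Name=DHCP|",
}
CURRENT = dict(BASELINE, **{
    "{CONSTRUCTED-0001}": r"v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6"
                          r"|LPort=8081|App=C:\Users\Public\updater.exe|Name=Updater|",
    "{CONSTRUCTED-0002}": "v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Name=OutOnly|",
    "{CONSTRUCTED-0003}": "v2.30|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Name=Disabled|",
})

if __name__ == "__main__":
    print(new_inbound_allows(BASELINE, CURRENT))
```

On a live Windows host, save the result of `read_live_rules()` as the baseline and pass a later reading as `current`.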

8 minutes ago, itman said:

This applies to existing Win firewall rules pertaining to inbound network traffic unless specifically blocked by an existing Eset firewall rule.

Does that mean that if ESET is already running (without any new custom-made HIPS rules) on my computer and somehow an executable manages to run code to add a rule to Windows Firewall, that traffic is allowed or not?

10 minutes ago, itman said:

Allowing inbound Win firewall rules is basically "a double-edged sword." Whereas this option allows for trouble-free operation of a lot of legit Win 10 network traffic such as Store apps, the problem lies in how Win 10 firewall rules are stored. They are stored in clear text in the Registry and are not natively protected from modification. Although not a frequent occurrence, attackers have been able to create Win firewall rules to allow their inbound traffic. Mitigations against this are custom Eset HIPS rules that monitor the use of Registry modification utilities such as reg.exe and the like.

And thank you for the explanation. Do you or anyone else know what exactly is changed in terms of security and settings (allowed and denied connections) between public and private network? Because I always used the public network profile for my home connection.

Posted (edited)
2 hours ago, Computerjul said:

Does that mean that if ESET is already running (without any new custom-made HIPS rules) on my computer and somehow an executable manages to run code to add a rule to Windows Firewall, that traffic is allowed or not?

If the question is if Eset by default monitors for modification of Win firewall rules, the answer is no.

2 hours ago, Computerjul said:

Do you or anyone else know what exactly is changed in terms of security and settings (allowed and denied connections) between public and private network? Because I always used the public network profile for my home connection.

If this is in regards to the Eset firewall, the simplest answer is the following. The Eset Public profile will not allow by default any inbound traffic from other devices on your local network other than the router.

Edited by itman
