Ricky Martin, posted August 12, 2020:
Hi, Windows WMI instructions within the trusted zone are blocked by the clients. I checked "Allow incoming RPC communication in the Trusted zone" and also tried manually adding the rules, but this is not feasible as there are hundreds of computers and each computer takes a random port for the communication. Kindly advise.
Marcos (Administrator), posted August 12, 2020:
Please elaborate more on what you mean by WMI not working in the trusted zone. What exactly doesn't work? Does it work when you pause the firewall?
itman, posted August 12, 2020 (edited August 12, 2020 by itman):
Are you using the WMI scheduler to effectively hide a scheduled task within WMI? Ref.: https://nathangau.wordpress.com/2019/03/06/using-scom-to-detect-wmi-persistence-attempts/
Ricky Martin (author), posted August 13, 2020:
Hi Marcos, the Windows Management Instrumentation service (svchost.exe) gets blocked at the client machine every time it executes the command over the network, on its random port. Attached is a snapshot of the built-in rules and the manually created rules for svchost to allow it to communicate. Please advise.
Marcos (Administrator), posted August 13, 2020:
Please carry on as follows:
- enable advanced network protocol logging under Tools -> Diagnostics -> Adv. logging
- reboot the machine
- reproduce the issue
- turn off advanced logging
- collect logs with ESET Log Collector
The logs should reveal what kind of communication is blocked and whether it's caused by your firewall misconfiguration. Does the issue occur after uninstalling ESET, installing it from scratch with default settings and without applying any policy?
itman, posted August 13, 2020 (edited August 13, 2020 by itman):
Also, it appears that what has been created is a plain Windows Task Scheduler task. WMI-based scheduled tasks are created as shown in this article: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--scheduled-tasks . Also: https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista

Just create an ESET firewall rule for the svchost.exe Schedule service without specifying a specific inbound port. Also, the remote IP address specification should be Trusted Zone only. Note there is a security vulnerability here: if an attacker can gain access to a local network device and create a scheduled task, he could gain access to the entire network, assuming the ESET firewall rule is duplicated on each endpoint device.

However, if this scheduler activity is truly WMI consumer event based, the ESET inbound firewall rule should specify the svchost.exe service winmgmt. Again, the remote IP address specification should be Trusted Zone.

The real problem is that the Windows firewall has default firewall rules to handle inbound WMI traffic, but they are not enabled by default: https://www.hammer-software.com/how-to-enable-wmi-through-the-windows-firewall-with-advanced-security-using-group-policy/ . This can also be done manually without using Group Policy. Note that the article shows enabling the rules for the Domain profile. You would have to enable the ones for the Private profile, assuming the Windows firewall is using the Private profile.
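As an added example (not part of itman's post or of ESET's or Microsoft's documentation), the following PowerShell enables the built-in inbound Windows Firewall rules for WMI that the reply above refers to, pins them to the Private profile, and scopes them to the trusted subnet rather than to "Any" remote address, which addresses the exposure the reply warns about. It then tests remote WMI from a management host over DCOM, the transport behind the "random port" behaviour in the thread (RPC endpoint mapper on TCP 135 plus a dynamic RPC port). The subnet 192.168.10.0/24 and the host name CLIENT01 are placeholders; the ESET firewall itself has no scriptable interface shown on this page, so that side still has to be configured as described in the reply.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on each client
# (or deploy via GPO / your RMM tool). Assumptions: the clients use the Private
# profile and the Trusted Zone is the subnet below.
$TrustedSubnet = '192.168.10.0/24'   # assumption: replace with your Trusted-zone subnet

# 1. The built-in rule group "Windows Management Instrumentation (WMI)" holds the
#    inbound rules WMI-In (service winmgmt, dynamic RPC port), DCOM-In (RPC endpoint
#    mapper, TCP 135) and ASync-In (unsecapp.exe callbacks). They exist on every
#    Windows host but are disabled by default, which is why svchost.exe is blocked
#    on an unpredictable port when a remote WMI call arrives.
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
            Where-Object Direction -eq 'Inbound'

# 2. Enable them, but only for the Private profile and only from the trusted subnet.
#    Leaving RemoteAddress at "Any" would let any foothold on the network drive WMI
#    on every endpoint. (On domain-joined hosts use -Profile Domain instead.)
$wmiRules | Set-NetFirewallRule -Profile Private -RemoteAddress $TrustedSubnet -Enabled True

# 3. Verify the result: every rule should show Enabled=True, Profile=Private and the
#    subnet as its remote address filter, never "Any".
$wmiRules | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Profile = $_.Profile
        Remote  = $addr
    }
} | Format-Table -AutoSize

# 4. From a management host inside the trusted subnet, confirm remote WMI works over
#    DCOM, which is the transport the rules above cover. 'CLIENT01' is a placeholder.
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName 'CLIENT01' -SessionOption $opt
Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem |
    Select-Object CSName, Caption, LastBootUpTime
Remove-CimSession $session
```

If step 4 still fails while the Windows Firewall reports the connection allowed, the block is coming from the ESET firewall, which is exactly the case the advanced network protocol logging requested earlier in the thread is meant to show.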
ScottBarker, posted August 13, 2020:
I am having the exact same issue as Ricky Martin. Regardless of the rules I create and the ports I specify (or don't), there is no change in status: the client blocks svchost.exe every time it tries to execute a WMI scheduled task (a reboot, for example, in this case). It's especially frustrating, as it has been fairly easy to make exceptions/rules for 3rd-party programs to communicate, but something so core to the function of Windows seems to be blocked by default?
Ricky Martin (author), posted August 16, 2020:
Hi Marcos, sorry for the late response! We've had public holidays, so I couldn't check the above suggestion; I will check and keep you updated! Thank you.