New installations giving firewall errors and ARP poisoning/Duplicate IP alerts


KenH

I've installed 2 servers &  45 computers over the past week - have to manually uninstall Sophos AV first - and this is the first one that threw this message this morning (picture attached). I tried uninstalling, running the ESET cleaner, running the ESET AV uninstaller (nothing found) and then reinstall. (All as the administrator account).  I've attached the log file collected on this computer. This is the first computer to have a problem with installation.

Several installs done yesterday are throwing the ARP Poisoning/Duplicate IP alert and then blocking their network connection.  All of these point to the router. I've added a policy to exclude the router's address for IDS Exclusions but they are still getting this. Any tips on fixing these would be appreciated.

 

Eset error 166.jpg

ees_logs.zip


  • Administrators

Please carry on as follows:
- in the adv. setup -> tools -> diagnostics enable advanced network protection logging
- reboot the machine
- disable logging
- collect logs with ESET Log Collector and upload the generated zip file here.


To clarify, that's for the 2nd issue (I probably should have started 2 topics) - correct - the ARP Poisoning issue and not the first issue listed?

 

Thanks Marcos.


Log file from computer throwing the ARP Poisoning and Duplicate IP alert - no such message after the reboot.

File too large 299 MB

 


2 hours ago, Marcos said:

Please carry on as follows:
- in the adv. setup -> tools -> diagnostics enable advanced network protection logging
- reboot the machine
- disable logging
- collect logs with ESET Log Collector and upload the generated zip file here.

This is the file generated by the first issue.

ees_logs.zip


  • Administrators

There are various errors logged. Could you try running the ESET Uninstall tool in safe mode and then installing EP7.3 from scratch?

As for the detection of duplicate IP addresses and ARP cache poisoning attack, most likely you have more devices with the same IP address in the network. You can drop me a  private message with a download link to the bigger zip file with ELC logs.


Same errors after running the ESET Uninstall tool in safe mode.

Used the uninstaller on 3 other Desktops this morning after this one and had zero issues.

1) Reran the installer in safe mode & rebooted

2) Ran DISM /online /cleanup-image /restorehealth & rebooted.

3) Created new installer file and ran as administrator while logged in as administrator.

4) Same errors.

5) Used new installer on another computer - zero problems.

At a loss here.  This is a fairly new PC and has the same configuration as the one I installed right after it.

 

 

Edited by KenH
typo correction

Issue solved.

  1. In Safe Mode - no Networking as local administrator account.
  2. Run ESET Uninstaller as admin
  3. Restart to Normal mode
  4. Elevated PowerShell
    1. Run sfc /scannow (some files reported as fixed)
    2. Run DISM /online /cleanup-image /restorehealth.
  5. Install and run CCleaner - clean up old applications and registry.
  6. Uninstall CCleaner and restart.
  7. Run ESET Installer as administrator
  8. Installation successful - no reported errors.

Thinking that Sophos had left registry orphans.

For the ARP Poisoning/duplicate IPs - I've run the IP scanner and I don't have any duplicate IPs showing.  I flushed the DNS cache on the DNS server and it's still showing the router (Sophos UTM) as the IP source and IP target for these attacks.

I've added the IDS exception rule now for this router's IP as displayed in KB 7054; we'll see if this works.
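
One way to double-check for an address conflict from the clients' own ARP caches, as an added example that is not part of the original posts: it compares `arp -a` output collected from several Windows machines and reports any IP that is seen with more than one MAC address. The host names, IP addresses and MAC addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# One entry line of Windows `arp -a` output: IP, dash-separated MAC, type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})"
    r"\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)

def parse_arp(text):
    """Yield (ip, mac) for every unicast entry in `arp -a` output."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # interface banner, column header or blank line
        ip, mac = m.group(1), m.group(2).lower()
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast or multicast, not a host
        yield ip, mac

def find_conflicts(snapshots):
    """snapshots maps host name -> arp output; return IPs seen with >1 MAC."""
    seen = defaultdict(lambda: defaultdict(set))  # ip -> mac -> hosts
    for host, text in snapshots.items():
        for ip, mac in parse_arp(text):
            seen[ip][mac].add(host)
    return {ip: {mac: sorted(hosts) for mac, hosts in macs.items()}
            for ip, macs in seen.items() if len(macs) > 1}

# Constructed sample: two clients disagree about the MAC behind 192.168.1.1.
SNAPSHOTS = {
    "PC-01": """
Interface: 192.168.1.50 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-8c-aa-bb-01     dynamic
  192.168.1.20          00-1a-8c-aa-bb-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
""",
    "PC-02": """
Interface: 192.168.1.51 --- 0x7
  Internet Address      Physical Address      Type
  192.168.1.1           00-1A-8C-AA-BB-02     dynamic
  192.168.1.20          00-1a-8c-aa-bb-20     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
""",
}

if __name__ == "__main__":
    for ip, macs in find_conflicts(SNAPSHOTS).items():
        print(ip, macs)
```

An IP that shows up with two MACs can be a real duplicate address, a failover or virtual-MAC setup on the gateway, or spoofing; the host list per MAC shows which clients to look at first.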


  • 2 weeks later...
On 10/28/2020 at 1:11 PM, Marcos said:

 

I hope you get this.

 

ARP Poisoning popped up as blocked. I just want to know if my computer or home network is under threat. Also, how do I check if I am at risk?

 

Please help.


  • Administrators
14 hours ago, Aaeset said:

ARP Poisoning popped up as blocked. I just want to know if my computer or home network is under threat. Also, how do I check if I am at risk?

You have already asked here: https://forum.eset.com/topic/26221-arp-poisoning-attack-blocked/


This topic is now closed to further replies.