KenH - Posted October 28, 2020

I've installed 2 servers & 45 computers over the past week - have to manually uninstall Sophos AV first - and this is the first one that threw this message this morning (picture attached). I tried uninstalling, running the ESET cleaner, running the ESET AV uninstaller (nothing found) and then reinstall. (All as the administrator account). I've attached the log file collected on this computer. This is the first computer to have a problem with installation.

Several installs done yesterday are throwing the ARP Poisoning/Duplicate IP alert and then blocking their network connection. All of these point to the router. I've added a policy to exclude the router's address for IDS Exclusions but they are still getting this. Any tips on fixing these would be appreciated.

Attachment: ees_logs.zip

Marcos (Administrators) - Posted October 28, 2020

Please carry on as follows:
- in the adv. setup -> tools -> diagnostics enable advanced network protection logging
- reboot the machine
- disable logging
- collect logs with ESET Log Collector and upload the generated zip file here.

KenH (Author) - Posted October 28, 2020

To clarify, that's for the 2nd issue (I probably should have started 2 topics) - correct - the ARP Poisoning issue and not the first issue listed? Thanks Marcos.

KenH (Author) - Posted October 28, 2020

Log file from computer throwing the ARP Poisoning and Duplicate IP alert - no such message after the reboot. File too large 299 MB

KenH (Author) - Posted October 28, 2020

2 hours ago, Marcos said:
> Please carry on as follows:
> - in the adv. setup -> tools -> diagnostics enable advanced network protection logging
> - reboot the machine
> - disable logging
> - collect logs with ESET Log Collector and upload the generated zip file here.

This is the file generated by the first issue.

Attachment: ees_logs.zip

Marcos (Administrators) - Posted October 28, 2020

There are various errors logged. Could you try running the ESET Uninstall tool in safe mode and then installing EP7.3 from scratch?

As for the detection of duplicate IP addresses and ARP cache poisoning attack, most likely you have more devices with the same IP address in the network. You can drop me a private message with a download link to the bigger zip file with ELC logs.

KenH (Author) - Posted October 28, 2020

Same errors after running the ESET Uninstall tool in safe mode. Used the uninstaller on 3 other Desktops this morning after this one and had zero issues.

1) Reran the installer in safe mode & rebooted
2) Ran DISM /online /cleanup-image /restorehealth & rebooted.
3) Created new installer file and ran as administrator while logged in as administrator.
4) Same errors.
5) Used new installer on another computer - zero problems.

At a loss here. This is a fairly new PC and has the same configuration as the one I installed right after it.

Edited October 28, 2020 by KenH: typo correction

KenH (Author) - Posted October 29, 2020

Issue solved.

- In Safe Mode - no Networking as local administrator account.
- Run ESET Uninstaller as admin
- Restart to Normal mode
- Elevated PowerShell run sfc /scannow (some files reported as fixed)
- Run DISM /online /cleanup-image /restorehealth.
- Install and run CCleaner - clean up old applications and registry.
- Uninstall CCleaner and restart.
- Run ESET Installer as administrator
- Installation successful - no reported errors.

Thinking that Sophos had left registry orphans.

For the ARP Poisoning/duplicate IPs - I've run the IP scanner and I don't have any duplicate IPs showing. I flushed the DNS cache on the DNS server and it's still showing the router (Sophos UTM) as the IP source and IP target for these attacks. I've added the IDS exception rule now for this router's IP as displayed in KB 7054; we'll see if this works.

Aaeset - Posted November 9, 2020

On 10/28/2020 at 1:11 PM, Marcos said:

I hope you get this. ARP Poisoning popped up as blocked. I just want to know if my computer or home network is under threat. Also how do I check if I am at risk? Please help.

Marcos (Administrators) - Posted November 10, 2020

14 hours ago, Aaeset said:
> ARP Poisoning popped up as blocked. I just want to know if my computer or home network is under threat. Also how do I check if I am at risk?

You have already asked here: https://forum.eset.com/topic/26221-arp-poisoning-attack-blocked/