Jump to content

Recommended Posts

Hello,

I have a lot of duplicated rules, can I deleted them and keep the latest rules created Or is better do nothing with them?

I will love to delete the dups, but I am not going to move a finger before I have an advice for the experts here in this forum.

Thanks

Camelia

For example I have 6 rules of WinStore.App.exe

WinStore.App.exe
WinStore.App.exe(2)
WinStore.App.exe(3)
WinStore.App.exe(4)
WinStore.App.exe(5)
WinStore.App.exe(6)

01rules_dup.jpg.1513a7e87db8bfe6b3a2f8724c30586e.jpg

Link to post
Share on other sites
  • Most Valued Members
1 hour ago, camelia said:

Hello,

I have a lot of duplicated rules, can I deleted them and keep the latest rules created Or is better do nothing with them?

I will love to delete the dups, but I am not going to move a finger before I have an advice for the experts here in this forum.

Thanks

Camelia

For example I have 6 rules of WinStore.App.exe


WinStore.App.exe
WinStore.App.exe(2)
WinStore.App.exe(3)
WinStore.App.exe(4)
WinStore.App.exe(5)
WinStore.App.exe(6)

01rules_dup.jpg.1513a7e87db8bfe6b3a2f8724c30586e.jpg

I belive you can delete them but don't think leaving them will cause any issues such as space etc. As you can see from the folder path each location has a slightly different version name.

The problem with Windows Store apps is their folder location and I believe exe. name changes with each version number. For example is the folder name was app 1.0 the new folder might be app 1.5 and so on. As the location and so on change eset treats it like a new app and a new rule gets made. 

Link to post
Share on other sites
On 10/31/2020 at 3:03 AM, Marcos said:

Correct. The rules are not duplicate since the path to the application is different.

Are this services duplicates?

Five rules of DoSvc, all same path:  C:\Windows\System32\svchost.exe

  • Allow communication for svchost.exe/DoSvc
  • Allow communication for svchost.exe/DoSvc (1)
  • Allow communication for svchost.exe/DoSvc (2)
  • Allow communication for svchost.exe/DoSvc (3)
  • Allow communication for svchost.exe/DoSvc (4)
  • Allow communication for svchost.exe/DoSvc (5)

Thanks

Camelia

DoSvc.jpg.6f1e5f3a1df0606adf57a9b635a3573a.jpg

Link to post
Share on other sites
4 hours ago, camelia said:

Are this services duplicates?

Five rules of DoSvc, all same path:  C:\Windows\System32\svchost.exe

First, monitoring Win 10 individual services via Eset firewall is somewhat an effort in futility. Eset attempted that a while back in a prior release and quickly abandoned it. Hence, why all Eset default firewall rules for svchost.exe are not service specific. Why? Because there are many hidden services used by Windows that are not specifically listed or controllable via Control Panel -> Admin Tools -> Services.

In regards to DoSvc, it is Win 10's Delivery Optimization service used to speed up downloading of Win Updates primarily but also used for other Microsoft apps. If Win 10 is not restricted in some form on how updating is performed, you can end up with what is described here: https://social.technet.microsoft.com/Forums/windows/en-US/b94d8e74-58de-451a-b137-7ec2028adc27/delivery-optimization-service-downloading-something-and-using-all-my-bandwidth . Win 10 introduced runtimebroker.exe via BITS processing that allows one service to spawn multiple instances of another service/process. This is in effect what your Eset firewall rule set shows in regards to DoSvc service. Also what service is actually started in regards to DoSvc is C:\WINDOWS\System32\svchost.exe -k NetworkService -p.

My advice - quit globally monitoring individual service outbound network traffic via Eset firewall.

Edited by itman
Link to post
Share on other sites
On 11/1/2020 at 6:11 AM, Marcos said:

Unfortunately without seeing all parameters of particular rules it's not possible to tell if they are identical or not. Please provide logs collected with ESET Log Collector.

😱😱😱😱

Warning Presents! (All > Original binary from disk)

Camelia

EISLogCollector.jpg.d74cda64b5fba66c64b7fc9132a6ba4f.jpg

eis_logs.zip

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...