What should I do with the duplicate rules?


Hello,

I have a lot of duplicated rules. Can I delete them and keep the latest rules created, or is it better to do nothing with them?

I would love to delete the dups, but I am not going to move a finger before I have advice from the experts here in this forum.

Thanks

Camelia

For example I have 6 rules of WinStore.App.exe

WinStore.App.exe
WinStore.App.exe(2)
WinStore.App.exe(3)
WinStore.App.exe(4)
WinStore.App.exe(5)
WinStore.App.exe(6)

1 hour ago, camelia said:

Hello,

I have a lot of duplicated rules. Can I delete them and keep the latest rules created, or is it better to do nothing with them?

I would love to delete the dups, but I am not going to move a finger before I have advice from the experts here in this forum.

Thanks

Camelia

For example I have 6 rules of WinStore.App.exe


WinStore.App.exe
WinStore.App.exe(2)
WinStore.App.exe(3)
WinStore.App.exe(4)
WinStore.App.exe(5)
WinStore.App.exe(6)

I believe you can delete them, but I don't think leaving them will cause any issues such as space etc. As you can see from the folder path, each location has a slightly different version name.

The problem with Windows Store apps is that their folder location and, I believe, exe name change with each version number. For example, if the folder name was app 1.0, the new folder might be app 1.5 and so on. As the location and so on change, ESET treats it like a new app and a new rule gets made.

On 10/31/2020 at 3:03 AM, Marcos said:

Correct. The rules are not duplicate since the path to the application is different.

Are these services duplicates?

Five rules of DoSvc, all same path:  C:\Windows\System32\svchost.exe

  • Allow communication for svchost.exe/DoSvc
  • Allow communication for svchost.exe/DoSvc (1)
  • Allow communication for svchost.exe/DoSvc (2)
  • Allow communication for svchost.exe/DoSvc (3)
  • Allow communication for svchost.exe/DoSvc (4)
  • Allow communication for svchost.exe/DoSvc (5)

Thanks

Camelia

4 hours ago, camelia said:

Are these services duplicates?

Five rules of DoSvc, all same path:  C:\Windows\System32\svchost.exe

First, monitoring Win 10 individual services via Eset firewall is somewhat an effort in futility. Eset attempted that a while back in a prior release and quickly abandoned it. Hence, why all Eset default firewall rules for svchost.exe are not service specific. Why? Because there are many hidden services used by Windows that are not specifically listed or controllable via Control Panel -> Admin Tools -> Services.

In regards to DoSvc, it is Win 10's Delivery Optimization service used to speed up downloading of Win Updates primarily but also used for other Microsoft apps. If Win 10 is not restricted in some form on how updating is performed, you can end up with what is described here: https://social.technet.microsoft.com/Forums/windows/en-US/b94d8e74-58de-451a-b137-7ec2028adc27/delivery-optimization-service-downloading-something-and-using-all-my-bandwidth . Win 10 introduced runtimebroker.exe via BITS processing that allows one service to spawn multiple instances of another service/process. This is in effect what your Eset firewall rule set shows in regards to DoSvc service. Also what service is actually started in regards to DoSvc is C:\WINDOWS\System32\svchost.exe -k NetworkService -p.

My advice - quit globally monitoring individual service outbound network traffic via Eset firewall.

Edited by itman

On 11/1/2020 at 6:11 AM, Marcos said:

Unfortunately without seeing all parameters of particular rules it's not possible to tell if they are identical or not. Please provide logs collected with ESET Log Collector.

😱😱😱😱

Warning Presents! (All > Original binary from disk)

Camelia

eis_logs.zip
