URBAN0, posted March 11, 2021

Normally I would get a notification pop-up on an application requesting an outgoing connection, but while I have ISS in learning mode, HWiNFO64 used port 443 without me even knowing it. Any info? Thanks

Marcos (Administrators), posted March 11, 2021

If a rule allowing the communication already exists, no new rule will be created and a notification will not pop up either.

URBAN0 (author), posted March 11, 2021 (edited March 11, 2021 by URBAN0)

Although, in interactive mode I will get prompted, but a rule for HWiNFO was never created and I checked already, unless I'm overlooking something.

URBAN0 (author), posted March 11, 2021 (edited March 11, 2021 by URBAN0)

I was going to add my comment but was too late. Although, in interactive mode I will get prompted and I did allow once, but wouldn't that revert settings prior to my allowing by importing them and setting back to learn should show what's going out?

URBAN0 (author), posted March 11, 2021 (edited March 11, 2021 by URBAN0)

That doesn't make sense. For test purposes I installed a new app and, having my settings backed up, I would allow the new app to communicate with its server "checking for updates" in interactive mode and I get a notification. Then I would import previous settings and set it into learning mode, the same app would check for updates and I would see the notification pop up, so what's missing here? HWiNFO checks for updates in learning mode but no notification, and no rules were created prior other than once I allowed, but I imported settings like I did with other apps.

itman, posted March 11, 2021 (edited March 11, 2021 by itman)

1 hour ago, URBAN0 said:
> For test purposes I installed a new app and, having my settings backed up, I would allow the new app to communicate with its server "checking for updates" in interactive mode and I get a notification. Then I would import previous settings and set it into learning mode, the same app would check for updates and I would see the notification pop up, so what's missing here? HWiNFO checks for updates in learning mode but no notification, and no rules were created prior other than once I allowed, but I imported settings like I did with other apps.

The whole purpose of Eset firewall Learning mode is to auto create firewall rules without user intervention:

Prior to importing your previously exported Eset settings, did you exit the Eset GUI? There might be an issue with Eset in regards to exporting, creation of firewall rules, importing, and setting the firewall to Learning mode all in one Eset GUI session.

URBAN0 (author), posted March 11, 2021 (edited March 11, 2021 by URBAN0)

Thank you itman for the more detailed explanation. Tbh, now when I think of it, I'm not 100% sure. I think I did exit the GUI as I normally would before making any changes, adding any rules or importing/exporting settings. Normally, any app that is under a certain rule, e.g. "check for updates", just an example, if I were to delete the rule, set the firewall in learn mode and load the app again, I would get a Windows notification, but that was a while ago, I don't really keep track of when, but lately (weeks, a month or so) I haven't seen that, even though the app can be installed and launching for the first time. Even though I did allow HWiNFO an outgoing connection once, but importing settings should be treated like a clean slate and so I should be notified in learning mode that this app is making an outgoing connection to its server under learning mode, but nothing.

itman, posted March 11, 2021

1 hour ago, URBAN0 said:
> Even though I did allow HWiNFO an outgoing connection once, but importing settings should be treated like a clean slate and so I should be notified in learning mode that this app is making an outgoing connection to its server under learning mode, but nothing.

A couple of things here. When you select "Allow once" in firewall Interactive mode, no firewall rule is created. You have to select the option on the alert to permanently create a rule. After you import your previous settings, verify that previous firewall rules were created and no other rules exist.

URBAN0 (author), posted March 11, 2021 (edited March 11, 2021 by URBAN0)

We are on the same page as far as allowing rule creation once and permanently. One thing I'm puzzled by, and Marcos's comment confused me even more when he stated:

Quote
> If a rule allowing the communication already exists, no new rule will be created and a notification will not pop up either.

He never responded back while I made it clear that I only allowed HWiNFO once and that was prior to me importing settings which didn't have any rules for HWiNFO, so that should have been a clean slate, unless I'm not seeing something. It only makes common sense that even though you allow a rule permanently, if my backup settings are created prior to me allowing permanent rule creation, would importing that setting wipe clear the rule, even if it was created permanently? If that's the case, once put in learning mode, notifications should be showing 🙂

itman, posted March 12, 2021

36 minutes ago, URBAN0 said:
> It only makes common sense that even though you allow a rule permanently, if my backup settings are created prior to me allowing permanent rule creation, would importing that setting wipe clear the rule, even if it was created permanently?

That's the way it's supposed to work. However, you need to manually verify this is the case after you import your previously exported settings.

URBAN0 (author), posted March 12, 2021

I think I went through every rule that has been created to see if maybe I've missed something, and it's all clear of this app. What I might do is clear everything, literally, still have my settings backed up, but start from absolute scratch and see how the learning mode will work then. I know it's extreme troubleshooting, but I don't have any more ideas how to go about this. My reasoning behind it is that maybe, just maybe, while the rule was created I saved it, and while I'm importing my previous settings the rule could be within and I just can't see it, if that makes sense 🙂 I will report back my findings. Thank you for your effort in trying to help.

URBAN0 (author), posted March 12, 2021 (edited March 12, 2021 by URBAN0)

Weird! I reinstalled ISS, clean slate, then put the firewall in learning mode and rebooted. While Windows restarted, ISS is not giving me any notification while HWiNFO checks for updates and the rule is created. Now! While I deleted that rule and checked for updates manually, ISS gives me a notification of HWiNFO going online using port 433... something isn't right.

URBAN0 (author), posted March 12, 2021 (edited March 12, 2021 by URBAN0)

Also, I have a ton of other apps that should be going online to check for updates and such, and while rules are created I'm getting only very few hit-and-miss notifications, but again, if I check for updates manually the notification pop-ups come up 😐 Is there a known issue with a leaking firewall?

URBAN0 (author), posted March 12, 2021

I guess my question is... Why, while in learning mode, is there no ISS firewall window notification of HWiNFO going online, but if I do "check for updates" manually the notification window pops up? 🤔

itman, posted March 12, 2021 (edited March 12, 2021 by itman)

14 hours ago, URBAN0 said:
> Weird! I reinstalled ISS, clean slate, then put the firewall in learning mode and rebooted. While Windows restarted, ISS is not giving me any notification while HWiNFO checks for updates and the rule is created. Now! While I deleted that rule and checked for updates manually, ISS gives me a notification of HWiNFO going online using port 433... something isn't right.

Here's one possibility. When the Eset firewall is in Learning mode, it assumes there will be no user modification activities in regards to firewall rules. If the user subsequently deletes a rule while in Learning mode, the firewall might switch to Interactive mode. This makes sense to me since the user should not be performing firewall rule modification activities while in Learning mode. Or more likely, the above applies only to a specific rule while in Learning mode.

Another possibility is this setting:

Quote
> Maximum number of different rules for an application – If an application communicates through different ports to various IP addresses, etc., the firewall in learning mode creates appropriate count of rules for this application. This option allows you to limit the number of rules that can be created for one application.

https://help.eset.com/eis/14/en-US/idh_config_epfw_basic_group.html?idh_config_epfw_learning_mode.html

Appears the maximum rule count for inbound/outbound rules per app is 3.

itman, posted March 12, 2021

I will also note this. If there is a Learning mode "bug" here, it is that the user is allowed to modify firewall rules while in Learning mode. That really should not be allowed.

URBAN0 (author), posted March 12, 2021 (marked as Solution)

1 hour ago, itman said:
> Here's one possibility. When the Eset firewall is in Learning mode, it assumes there will be no user modification activities in regards to firewall rules. If the user subsequently deletes a rule while in Learning mode, the firewall might switch to Interactive mode. This makes sense to me since the user should not be performing firewall rule modification activities while in Learning mode. Or, the above applies only to a specific rule while in Learning mode.
>
> Another possibility is this setting:
>
> https://help.eset.com/eis/14/en-US/idh_config_epfw_basic_group.html?idh_config_epfw_learning_mode.html
>
> Appears the maximum rule count for inbound/outbound rules per app is 3.

That makes sense, otherwise, why use the learning mode. Last night I even went to the length of reloading an image of Windows where there was nothing installed but updates only, then installed ISS and set it to learning mode. This was done solely for test purposes, to see if perhaps the latest Windows update 20H2, which I just got a few days ago, had some negative effect on ESET itself. While I installed some of the apps and then adjusted their settings, I let them go online. ISS would show each app reaching their server with a window notification, with the exception of HWiNFO, which did that quietly, but after reading the "Learning Mode" help and how rules are defined and applied I can see the reasoning behind it. Thank you itman, you've been a truly great help 👍 Have a wonderful day