why doesn't Application Modification Detection work ?

[mantra 1]

Hi

running some tests on windows 7 and windows 10

i have installed several version of eset internet security and last smart security , i have downloaded old version of firefox and chrome , updated and eset doesn't allert me even firefox.exe and chrome changed 

i have read several topics , sadly locked 

i'm using automatic filtering and i create rules for firefox and chrome to allow

but i can't get any warning when i updated them ,even the hash and the code of firefox is changed

in the past it works great 

i have created some rules for example allow firefox block chorme just to make a test

how can i understand why it does not work ?

thanks

Edited June 14, 2021 by mantra

[mantra 1]

ops can't edit my topic anymore

Allow modification of signed (trusted) applications -> is OFF

[Marcos 5,070]

Please make sure to test it with the latest v14.2.10. If you haven't upgraded to v14.2 yet, switch to the pre-release update channel and run update manually.

[peteyt 393]

3 hours ago, mantra said:

ops can't edit my topic anymore

Allow modification of signed (trusted) applications -> is OFF

Does this work if the firewall isn't in automatic mode? Not sure if the feature only works in interactive

[Marcos 5,070]

5 minutes ago, peteyt said:

Does this work if the firewall isn't in automatic mode? Not sure if the feature only works in interactive

If a permissive rule exists for an application, it doesn't matter what firewall mode is used.

[peteyt 393]

10 minutes ago, Marcos said:

If a permissive rule exists for an application, it doesn't matter what firewall mode is used.

Does that include application medication detection? I always presumed that would require interactive 

[mantra 1]

57 minutes ago, Marcos said:

Please make sure to test it with the latest v14.2.10. If you haven't upgraded to v14.2 yet, switch to the pre-release update channel and run update manually.

hi

yes i have the lastest version

but i have searched around the forum , i have found other users with the same issue

i thouhgt it was w10 , but it does happen in w764bit too

thanks

[Marcos 5,070]

Please provide logs collected with ESET Log Collector for a start.

[peteyt 393]

28 minutes ago, mantra said:

hi

yes i have the lastest version

but i have searched around the forum , i have found other users with the same issue

i thouhgt it was w10 , but it does happen in w764bit too

thanks

There was a recent firewall issue but that got solved I belive. You could try turning pre release updates on?

[Marcos 5,070]

1 hour ago, peteyt said:

There was a recent firewall issue but that got solved I belive. You could try turning pre release updates on?

I assume the OP did so since he or she confirmed that the latest version 14.2 was installed. I asked for ELC logs also to confirm this.

[mantra 1]

4 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector for a start.

hi

I will download and i will keep running at every boot

but should I wait for a program update to save the log?

thanks

[itman 1,659]

The Application Modification feature only works if the Eset firewall is set to Interactive mode. If an app is modified for which an existing firewall rule exists for that app, the feature will trigger an alert.

Really don't know Eset has not updated their documentation about this restriction.

[Marcos 5,070]

As I wrote, it's enough to have a permissive rule for an application created. You don't need to have the firewall in interactive mode:

[mantra 1]

31 minutes ago, itman said:

The Application Modification feature only works if the Eset firewall is set to Interactive mode. If an app is modified for which an existing firewall rule exists for that app, the feature will trigger an alert.

Really don't know Eset has not updated their documentation about this restriction.

Hi Itman

but in the past , i remember eset smart security did warn me everytime with the firewall set to automatic mode

i guess with internet security or/and  an update of components , they changed the behavior

could be windows defender firewall or windows firewall ?

Itman have you noticed this behavior on w7 too ?

thanks

[peteyt 393]

13 minutes ago, mantra said:

Hi Itman

but in the past , i remember eset smart security did warn me everytime with the firewall set to automatic mode

i guess with internet security or/and  an update of components , they changed the behavior

could be windows defender firewall or windows firewall ?

Itman have you noticed this behavior on w7 too ?

thanks

Are normal rules working e.g. if you black an application will it stop working and its just the update issue that is faulty?

[mantra 1]

26 minutes ago, peteyt said:

Are normal rules working e.g. if you black an application will it stop working and its just the update issue that is faulty?

hi

why do you mean for black?

the rules works , i mean if i block firefox ,eset firewall block it

some programs (freeware too)  can comunicate using windows service , and to block the host file must edited

it's irrating that eset firewall can not detect them , the program that use windows service to comunicate , i'm not sure which service do they use , but i guess the dns service , i should do a test , disabling the dns service and see if some program (frewware too) can bypass the firewall but not the host file

 

 

[peteyt 393]

3 minutes ago, mantra said:

hi

why do you mean for black?

the rules works , i mean if i block firefox ,eset firewall block it

some programs (freeware too)  can comunicate using windows service , and to block the host file must edited

it's irrating that eset firewall can not detect them , the program that use windows service to comunicate , i'm not sure which service do they use , but i guess the dns service , i should do a test , disabling the dns service and see if some program (frewware too) can bypass the firewall but not the host file

 

 

Sorry meant block 

[mantra 1]

1 hour ago, Marcos said:

As I wrote, it's enough to have a permissive rule for an application created. You don't need to have the firewall in interactive mode:

hi

can i ask you 2 questions?

1) about the log , should i wait that an application do change to save the log?

2) why do some programs freeware bypass the firewall and could be blocked only via the host file ?

is the dns service ? Is enough to stop and disable the dns cache service

thanks

[Marcos 5,070]

1, Please re-phrase the question, I don't understand what you mean. What log do you mean? What log would you like to save or what?

2, Please provide step-by-step instructions how to reproduce the bypass. By default, any outbound communication is allowed. If you create a block rule for a particular application, the rule should be always applied, at least if it's on top of other rules.

[itman 1,659]

2 hours ago, Marcos said:

As I wrote, it's enough to have a permissive rule for an application created.

Time Eset formally defined what a "permissive" firewall rule is. I believe you are referring to a firewall rule that allows all outbound network traffic from an app with no other rule specifications; protocol or local/remote port, IP address, etc..

[itman 1,659]

I will also note that I have a whole bunch of "permissive" firewall rules as I previously defined. The only one to have ever triggered an Eset Application Modification alert with the firewall in Automatic mode was explorer.exe. And it did not trigger every time a Win update updated explorer.exe, but sporadically.

[mantra 1]

12 minutes ago, itman said:

Time Eset formally defined what a "permissive" firewall rule is. I believe you are referring to a firewall rule that allows all outbound network traffic from an app with no other rule specifications; protocol or local/remote port, IP address, etc..

Quote

Please provide logs collected with ESET Log Collector for a start.

1) about eset log collector how should I use ?

(keeping logging until an application update)?

 

[Marcos 5,070]

5 minutes ago, mantra said:

1) about eset log collector how should I use ?

Run ELC and click Collect. After the archive has been generated, upload it here.