mantra | Posted June 14, 2021 (edited)

Hi,

Running some tests on Windows 7 and Windows 10, I have installed several versions of ESET Internet Security and the last Smart Security. I have downloaded old versions of Firefox and Chrome and updated them, and ESET doesn't alert me even though firefox.exe and Chrome changed.

I have read several topics, sadly locked.

I'm using automatic filtering and I created rules for Firefox and Chrome to allow, but I can't get any warning when I update them, even though the hash and the code of Firefox have changed.

In the past it worked great.

I have created some rules, for example allow Firefox, block Chrome, just to make a test.

How can I understand why it does not work?

Thanks

Edited June 14, 2021 by mantra

mantra (Author) | Posted June 14, 2021

Oops, can't edit my topic anymore.

Allow modification of signed (trusted) applications -> is OFF

Marcos (Administrators) | Posted June 14, 2021

Please make sure to test it with the latest v14.2.10. If you haven't upgraded to v14.2 yet, switch to the pre-release update channel and run update manually.

peteyt (Most Valued Members) | Posted June 14, 2021

3 hours ago, mantra said:
> Oops, can't edit my topic anymore.
> Allow modification of signed (trusted) applications -> is OFF

Does this work if the firewall isn't in automatic mode? Not sure if the feature only works in interactive.

Marcos (Administrators) | Posted June 14, 2021

5 minutes ago, peteyt said:
> Does this work if the firewall isn't in automatic mode? Not sure if the feature only works in interactive.

If a permissive rule exists for an application, it doesn't matter what firewall mode is used.

peteyt (Most Valued Members) | Posted June 14, 2021

10 minutes ago, Marcos said:
> If a permissive rule exists for an application, it doesn't matter what firewall mode is used.

Does that include application modification detection? I always presumed that would require interactive.

mantra (Author) | Posted June 14, 2021

57 minutes ago, Marcos said:
> Please make sure to test it with the latest v14.2.10. If you haven't upgraded to v14.2 yet, switch to the pre-release update channel and run update manually.

Hi, yes, I have the latest version, but I have searched around the forum and I have found other users with the same issue. I thought it was W10, but it does happen in W7 64-bit too.

Thanks

Marcos (Administrators) | Posted June 14, 2021

Please provide logs collected with ESET Log Collector for a start.

peteyt (Most Valued Members) | Posted June 14, 2021

28 minutes ago, mantra said:
> Hi, yes, I have the latest version, but I have searched around the forum and I have found other users with the same issue. I thought it was W10, but it does happen in W7 64-bit too. Thanks

There was a recent firewall issue but that got solved, I believe. You could try turning pre-release updates on?

Marcos (Administrators) | Posted June 14, 2021

1 hour ago, peteyt said:
> There was a recent firewall issue but that got solved, I believe. You could try turning pre-release updates on?

I assume the OP did so since he or she confirmed that the latest version 14.2 was installed. I asked for ELC logs also to confirm this.

mantra (Author) | Posted June 14, 2021

4 hours ago, Marcos said:
> Please provide logs collected with ESET Log Collector for a start.

Hi, I will download it and I will keep it running at every boot, but should I wait for a program update to save the log?

Thanks

itman | Posted June 14, 2021

The Application Modification feature only works if the Eset firewall is set to Interactive mode. If an app is modified for which an existing firewall rule exists for that app, the feature will trigger an alert.

Really don't know why Eset has not updated their documentation about this restriction.

Marcos (Administrators) | Posted June 14, 2021

As I wrote, it's enough to have a permissive rule for an application created. You don't need to have the firewall in interactive mode:

mantra (Author) | Posted June 14, 2021

31 minutes ago, itman said:
> The Application Modification feature only works if the Eset firewall is set to Interactive mode. If an app is modified for which an existing firewall rule exists for that app, the feature will trigger an alert. Really don't know why Eset has not updated their documentation about this restriction.

Hi Itman, but in the past, I remember ESET Smart Security did warn me every time with the firewall set to automatic mode. I guess with Internet Security and/or an update of components, they changed the behavior.

Could it be Windows Defender Firewall or Windows Firewall?

Itman, have you noticed this behavior on W7 too?

Thanks

peteyt (Most Valued Members) | Posted June 14, 2021

13 minutes ago, mantra said:
> Hi Itman, but in the past, I remember ESET Smart Security did warn me every time with the firewall set to automatic mode. I guess with Internet Security and/or an update of components, they changed the behavior. Could it be Windows Defender Firewall or Windows Firewall? Itman, have you noticed this behavior on W7 too? Thanks

Are normal rules working, e.g. if you black an application will it stop working, and it's just the update issue that is faulty?

mantra (Author) | Posted June 14, 2021

26 minutes ago, peteyt said:
> Are normal rules working, e.g. if you black an application will it stop working, and it's just the update issue that is faulty?

Hi, what do you mean by black?

The rules work, I mean if I block Firefox, ESET firewall blocks it.

Some programs (freeware too) can communicate using a Windows service, and to block, the host file must be edited. It's irritating that ESET firewall cannot detect them, the programs that use a Windows service to communicate. I'm not sure which service they use, but I guess the DNS service. I should do a test, disabling the DNS service, and see if some program (freeware too) can bypass the firewall but not the host file.

peteyt (Most Valued Members) | Posted June 14, 2021

3 minutes ago, mantra said:
> Hi, what do you mean by black? The rules work, I mean if I block Firefox, ESET firewall blocks it. Some programs (freeware too) can communicate using a Windows service, and to block, the host file must be edited. It's irritating that ESET firewall cannot detect them, the programs that use a Windows service to communicate. I'm not sure which service they use, but I guess the DNS service. I should do a test, disabling the DNS service, and see if some program (freeware too) can bypass the firewall but not the host file.

Sorry, meant block.

mantra (Author) | Posted June 14, 2021

1 hour ago, Marcos said:
> As I wrote, it's enough to have a permissive rule for an application created. You don't need to have the firewall in interactive mode:

Hi, can I ask you 2 questions?

1) About the log, should I wait until an application changes to save the log?
2) Why do some freeware programs bypass the firewall and can be blocked only via the host file? Is it the DNS service? Is it enough to stop and disable the DNS cache service?

Thanks

Marcos (Administrators) | Posted June 14, 2021

1, Please re-phrase the question, I don't understand what you mean. What log do you mean? What log would you like to save or what?

2, Please provide step-by-step instructions how to reproduce the bypass. By default, any outbound communication is allowed. If you create a block rule for a particular application, the rule should be always applied, at least if it's on top of other rules.

itman | Posted June 14, 2021

2 hours ago, Marcos said:
> As I wrote, it's enough to have a permissive rule for an application created.

Time Eset formally defined what a "permissive" firewall rule is. I believe you are referring to a firewall rule that allows all outbound network traffic from an app with no other rule specifications: protocol or local/remote port, IP address, etc.

itman | Posted June 14, 2021

I will also note that I have a whole bunch of "permissive" firewall rules as I previously defined. The only one to have ever triggered an Eset Application Modification alert with the firewall in Automatic mode was explorer.exe. And it did not trigger every time a Win update updated explorer.exe, but sporadically.

mantra (Author) | Posted June 14, 2021

12 minutes ago, itman said:
> Time Eset formally defined what a "permissive" firewall rule is. I believe you are referring to a firewall rule that allows all outbound network traffic from an app with no other rule specifications: protocol or local/remote port, IP address, etc.

Quote:
> Please provide logs collected with ESET Log Collector for a start.

1) About ESET Log Collector, how should I use it? (Keep logging until an application update?)

Marcos (Administrators) | Posted June 14, 2021

5 minutes ago, mantra said:
> 1) About ESET Log Collector, how should I use it?

Run ELC and click Collect. After the archive has been generated, upload it here.