Why doesn't Application Modification Detection work?



Hi

I'm running some tests on Windows 7 and Windows 10.

I have installed several versions of ESET Internet Security and the latest Smart Security. I downloaded old versions of Firefox and Chrome and updated them, and ESET doesn't alert me even though firefox.exe and chrome.exe changed.

I have read several topics, sadly locked.

I'm using automatic filtering and I create rules for Firefox and Chrome to allow them,

but I can't get any warning when I update them, even though the hash and the code of Firefox have changed.

In the past it worked great.

I have created some rules, for example allow Firefox, block Chrome, just to make a test.

How can I understand why it does not work?

Thanks

Edited by mantra

  • Administrators

Please make sure to test it with the latest v14.2.10. If you haven't upgraded to v14.2 yet, switch to the pre-release update channel and run update manually.


  • Most Valued Members
3 hours ago, mantra said:

Oops, I can't edit my topic anymore.

Allow modification of signed (trusted) applications -> is OFF

Does this work if the firewall isn't in automatic mode? Not sure if the feature only works in interactive mode.

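The test described in the opening post (create an allow rule for a browser, update the browser, expect an alert because the binary changed) and the "Allow modification of signed (trusted) applications" setting mentioned just above can both be checked independently of the product with a small baseline script. The PowerShell below is an added example, not ESET's code: it records the SHA-256 hash, file version and Authenticode signer of each watched executable on the first run, and on later runs reports which binaries changed and whether the replacement is still validly signed by the same publisher. The Firefox and Chrome install paths and the baseline file location are assumptions for a typical test machine.

```powershell
# Added example, not ESET's code: record the SHA-256 hash, version and
# Authenticode signer of each watched executable, and on later runs report
# which binaries changed and whether the replacement is still validly signed
# by the same publisher. The install paths and the baseline file location
# below are assumptions for a typical test machine.
param(
    [string[]]$Paths = @(
        "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"
    ),
    [string]$BaselineFile = "$env:LOCALAPPDATA\appmod-baseline.json",
    # Mirrors the "Allow modification of signed (trusted) applications" idea:
    # when set, a changed binary that is still validly signed by the same
    # publisher is reported as a trusted update rather than a modification.
    [switch]$AllowSignedModification
)

function Get-AppFingerprint {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Compare the certificate subject rather than the thumbprint: publishers
    # rotate signing certificates between releases, which changes the
    # thumbprint but not the subject.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path      = $Path
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Version   = [string](Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
        SigStatus = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer
    }
}

# Previous baseline, keyed by path (empty on the first run).
$baseline = @{}
if (Test-Path -LiteralPath $BaselineFile) {
    foreach ($entry in (Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)) {
        $baseline[$entry.Path] = $entry
    }
}

$current = @()
foreach ($p in $Paths) {
    $fp = Get-AppFingerprint -Path $p
    if (-not $fp) { Write-Warning "Not found: $p"; continue }
    $current += $fp
    $old = $baseline[$p]

    if (-not $old) {
        Write-Host "BASELINED       $p  v$($fp.Version)  sig=$($fp.SigStatus)"
        continue
    }
    if ($old.Sha256 -eq $fp.Sha256) {
        Write-Host "UNCHANGED       $p"
        continue
    }

    # The binary on disk is no longer the one the firewall rule was created for.
    $sameTrustedSigner = ($fp.SigStatus -eq 'Valid') -and
                         ($old.SigStatus -eq 'Valid') -and
                         ($fp.Signer -eq $old.Signer)
    $detail = "$p  v$($old.Version) -> v$($fp.Version)  sig $($old.SigStatus) -> $($fp.SigStatus)"
    if ($sameTrustedSigner -and $AllowSignedModification) {
        Write-Host "TRUSTED UPDATE  $detail  (same publisher; would not be reported)"
    } elseif ($sameTrustedSigner) {
        Write-Warning "MODIFIED        $detail  (signed update; an alert is expected)"
    } else {
        Write-Warning "MODIFIED        $detail  (signer changed or invalid; treat as suspicious)"
    }
}

# Persist the current state as the new baseline for the next run.
$current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
```

Run it once before updating the browser (every path is reported as BASELINED), update Firefox or Chrome, then run it again: each MODIFIED line is a case where an application-modification prompt would be expected for an app that has a firewall rule. Running it a third time with -AllowSignedModification shows which of those changes the "signed (trusted)" exception would suppress. A MODIFIED line with no corresponding ESET alert is exactly the observation to attach to the ESET Log Collector archive requested later in the thread.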

  • Administrators
5 minutes ago, peteyt said:

Does this work if the firewall isn't in automatic mode? Not sure if the feature only works in interactive mode.

If a permissive rule exists for an application, it doesn't matter what firewall mode is used.


  • Most Valued Members
10 minutes ago, Marcos said:

If a permissive rule exists for an application, it doesn't matter what firewall mode is used.

Does that include application modification detection? I always presumed that would require interactive mode.


57 minutes ago, Marcos said:

Please make sure to test it with the latest v14.2.10. If you haven't upgraded to v14.2 yet, switch to the pre-release update channel and run update manually.

Hi

Yes, I have the latest version,

but I have searched around the forum and I have found other users with the same issue.

I thought it was W10, but it happens on W7 64-bit too.

Thanks


  • Most Valued Members
28 minutes ago, mantra said:

Hi

Yes, I have the latest version,

but I have searched around the forum and I have found other users with the same issue.

I thought it was W10, but it happens on W7 64-bit too.

Thanks

There was a recent firewall issue but that got solved, I believe. You could try turning pre-release updates on?


  • Administrators
1 hour ago, peteyt said:

There was a recent firewall issue but that got solved, I believe. You could try turning pre-release updates on?

I assume the OP did so since he or she confirmed that the latest version 14.2 was installed. I asked for ELC logs also to confirm this.


4 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector for a start.

Hi

I will download it and keep it running at every boot,

but should I wait for a program update before saving the log?

Thanks


The Application Modification feature only works if the ESET firewall is set to Interactive mode. If an app for which a firewall rule exists is modified, the feature will trigger an alert.

I really don't know why ESET has not updated their documentation about this restriction.


  • Administrators

As I wrote, it's enough to have a permissive rule for an application created. You don't need to have the firewall in interactive mode:

[attachment: image.png]


31 minutes ago, itman said:

The Application Modification feature only works if the ESET firewall is set to Interactive mode. If an app for which a firewall rule exists is modified, the feature will trigger an alert.

I really don't know why ESET has not updated their documentation about this restriction.

Hi itman

But in the past, I remember ESET Smart Security warned me every time with the firewall set to automatic mode.

I guess with Internet Security and/or an update of components they changed the behaviour.

Could it be Windows Defender Firewall or Windows Firewall?

itman, have you noticed this behaviour on W7 too?

Thanks


  • Most Valued Members
13 minutes ago, mantra said:

Hi itman

But in the past, I remember ESET Smart Security warned me every time with the firewall set to automatic mode.

I guess with Internet Security and/or an update of components they changed the behaviour.

Could it be Windows Defender Firewall or Windows Firewall?

itman, have you noticed this behaviour on W7 too?

Thanks

Are normal rules working, e.g. if you black an application, will it stop working, and is it just the update issue that is faulty?


26 minutes ago, peteyt said:

Are normal rules working, e.g. if you black an application, will it stop working, and is it just the update issue that is faulty?

Hi

What do you mean by "black"?

The rules work; I mean if I block Firefox, the ESET firewall blocks it.

Some programs (freeware too) can communicate using a Windows service, and to block them the hosts file must be edited.

It's irritating that the ESET firewall cannot detect them, the programs that use a Windows service to communicate. I'm not sure which service they use, but I guess the DNS service. I should do a test: disable the DNS service and see if some programs (freeware too) can bypass the firewall but not the hosts file.

  • Most Valued Members
3 minutes ago, mantra said:

Hi

What do you mean by "black"?

The rules work; I mean if I block Firefox, the ESET firewall blocks it.

Some programs (freeware too) can communicate using a Windows service, and to block them the hosts file must be edited.

It's irritating that the ESET firewall cannot detect them, the programs that use a Windows service to communicate. I'm not sure which service they use, but I guess the DNS service. I should do a test: disable the DNS service and see if some programs (freeware too) can bypass the firewall but not the hosts file.
Sorry, I meant block.


1 hour ago, Marcos said:

As I wrote, it's enough to have a permissive rule for an application created. You don't need to have the firewall in interactive mode:

[attachment: image.png]

Hi

Can I ask you 2 questions?

1) About the log, should I wait for an application to change before saving the log?

2) Why do some freeware programs bypass the firewall and can only be blocked via the hosts file?

Is it the DNS service? Is it enough to stop and disable the DNS cache service?

Thanks


  • Administrators

1. Please re-phrase the question; I don't understand what you mean. What log do you mean? What log would you like to save?

2. Please provide step-by-step instructions on how to reproduce the bypass. By default, any outbound communication is allowed. If you create a block rule for a particular application, the rule should always be applied, at least if it's on top of other rules.


2 hours ago, Marcos said:

As I wrote, it's enough to have a permissive rule for an application created.

It's time ESET formally defined what a "permissive" firewall rule is. I believe you are referring to a firewall rule that allows all outbound network traffic from an app with no other rule specifications: protocol, local/remote port, IP address, etc.


I will also note that I have a whole bunch of "permissive" firewall rules as I previously defined them. The only one to have ever triggered an ESET Application Modification alert with the firewall in Automatic mode was explorer.exe. And it did not trigger every time a Windows update updated explorer.exe, only sporadically.


12 minutes ago, itman said:

It's time ESET formally defined what a "permissive" firewall rule is. I believe you are referring to a firewall rule that allows all outbound network traffic from an app with no other rule specifications: protocol, local/remote port, IP address, etc.

Marcos said:

Please provide logs collected with ESET Log Collector for a start.

1) About ESET Log Collector, how should I use it?

(Keep logging until an application update?)


  • Administrators
5 minutes ago, mantra said:

1) About ESET Log Collector, how should I use it?

Run ELC and click Collect. After the archive has been generated, upload it here.

This topic is now closed to further replies.