
Common websites just started to get blocked by ESET. Multiple Customers.


HSI


Over the last couple of days, several customers have had key websites blocked by the ESET firewall. As soon as the firewall is disabled, it works. This is happening on 7.x and 8.x.

Is anyone else seeing this, and does anyone have a solution yet?

Thanks,

Mark


  • Administrators

The firewall doesn't block websites but can block communication with specific IP addresses.

Please provide some examples of blocked websites as well as the alert that ESET triggers.


Google.com, Gmail.com, Yahoo.com, and then several sites that are unique to their industry. It just started yesterday and is happening today to several customers and several PCs. The only solution has been to disable the firewall module and it starts to work.


  • Administrators

There must be something wrong with your firewall configuration. Please carry on as follows:

- enable advanced logging under Help and support -> Technical support
- reboot the machine
- launch a browser and open www.google.com which should fail
- disable logging
- collect logs with ESET Log Collector and upload the generated archive here (only ESET staff will be able to access it).


Here is an example from one of the PCs. So far I'm at 6 different companies that have the same issue. It has to be something more causing it.

 

[Attached screenshots: Capture1.PNG, Capture2.PNG]


  • Administrators

It could be caused by a bad custom firewall rule which also blocks desired communication. Please provide ELC logs as requested.


  • Most Valued Members

It happened to me also. You should be prompted with an Application Modified notification, and you should press Keep Rules and remember action. It's because Chrome has updated and ESET has detected that something has changed.

Is your HIPS set as Smart Mode by chance?

Keep the ESET GUI open, close Chrome completely and re-open it. Endpoint should prompt you with a notification that Chrome.exe has changed, asking if you want to keep its rules as they are or disable them.

Other browsers should have no issue accessing the internet: Firefox, Edge, etc.

I am sorry, I typed wrong. HIPS is not responsible for it, the firewall is. There is an option to enable detection of application modification.

This is what is preventing Chrome from starting, because it's waiting for your choice.

Edited by Nightowl

Hello All,

The log collection for 1 day is 150 MB so I'm unable to upload.

Nightowl, you are correct. It is only Chrome related. I never could get it to prompt me, even under interactive mode. But on the current workstation I'm trying to fix, I clicked default and everything is working properly. About to try it on another PC and not sure how long this will last, of course.


  • Administrators
1 minute ago, HSI said:

The log collection for 1 day is 150 MB so I'm unable to upload.

Please upload it to OneDrive, Dropbox, etc. and drop me a private message with a download link.


6 minutes ago, Marcos said:

Please upload it to OneDrive, Dropbox, etc. and drop me a private message with a download link.

Sent!


45 minutes ago, Nightowl said:

It happened to me also. You should be prompted with an Application Modified notification, and you should press Keep Rules and remember action. It's because Chrome has updated and ESET has detected that something has changed.

Is your HIPS set as Smart Mode by chance?

Keep the ESET GUI open, close Chrome completely and re-open it. Endpoint should prompt you with a notification that Chrome.exe has changed, asking if you want to keep its rules as they are or disable them.

Other browsers should have no issue accessing the internet: Firefox, Edge, etc.

I am sorry, I typed wrong. HIPS is not responsible for it, the firewall is. There is an option to enable detection of application modification.

This is what is preventing Chrome from starting, because it's waiting for your choice.

If I add Chrome to the exclude application modification list, it works properly. It does seem this is the issue. I appreciate your help today!


  • Administrators

You have the firewall set to automatic mode, which is OK. There are, however, also plenty of custom rules created by learning mode. Please try deleting them so that the rule list is empty.


It's strange that Chrome is triggering an Application Modification detection. In Eset firewall automatic mode, the only time I received a like alert was for explorer.exe. And only if I did something that resulted in a CA cert. validation download. In other words, explorer.exe wasn't recently updated.

I also can't see how an Application Modification alert could be blocking access to the web sites mentioned.

Since @Marcos mentioned firewall Learning mode being used at some time, this may have triggered some bug in regards to Application Modification behavior. I have never used Learning mode personally.


  • Administrators
10 minutes ago, itman said:

Since @Marcos mentioned firewall Learning mode being used at some time, this may have triggered some bug in regards to Application Modification behavior. I have never used Learning mode personally.

If I recollect correctly, there were 2 rules for Chrome created by learning mode on the user's machine. There has been an issue with not asking the user after detecting an application modification, which has been fixed recently in home version 14.2.23, so it's possible that the fix has not made it to Endpoint yet. Will need to check with devs.

Removing the rules created in learning mode should work around it. Permissive rules for outbound communication are redundant in automatic mode anyways.


  • Administrators

One more thing, you have Advanced heuristics on file execution disabled in the real-time protection setup. It is important to keep this setting enabled which has been on by default as of Endpoint v6 and there should be no reason to disable it.

Also consider enabling detection of potentially unsafe applications and enabling password protection to prevent unauthorized users from tampering with your ESET settings and protection modules.


This is a very old problem. It appears on different app changes randomly, but not very often. The result is always the same. The app is silently blocked, and no rule in the FW helps. The only fix is an exception rule for app change detection. An ESET module (HIPS, not Firewall; I just got confirmation from a support person) detects the app change (and valid signing of the app does not help), and writes somewhere deep in ESET, in some inaccessible table, that the app must be blocked. Last week I met it on 4 machines blocking Chrome; today it appeared on Firefox...

BTW, I asked several times in different forums about an ESET bug list or fix list. Does anybody here know the URL of fixes/bugs descriptions for ESET products?

                         


My best guess as to the problem is Eset Firewall -> Application Modification settings are not set to default values - see below screen shot.

First note that Application Modification is only applicable if an existing firewall rule exists for a modified process. I also suspect that these problematic installations might be suppressing Eset message alerts resulting in no notification being displayed.

As long as the signed (trusted) process modification is enabled, there should be no issues when a browser .exe is updated.

Temporarily disable the Application Modification Detection setting and see if the issue disappears. If it does, you have verified the source of the problem.

 

[Attached screenshot: Eset_App_Mod.png]

Edited by itman
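
Added example (not part of the thread and not ESET tooling): a PowerShell check an administrator could run on an affected PC to confirm the two conditions discussed above, namely that a browser executable was recently replaced by an update and that it still carries a valid Authenticode signature. The install paths and the 7-day window are assumptions.

```powershell
# Added example; not from the thread and not ESET tooling.
# Assumed default install paths; adjust for your environment.
$browsers = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
)
$windowDays = 7   # assumption: "recently updated" means within the last week

function Get-BrowserChangeReport {
    param([string[]]$Path, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # browser not installed here
        $file = Get-Item -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        # An updater may preserve the build timestamp, so look at both times.
        $changed = @($file.CreationTime, $file.LastWriteTime) |
            Sort-Object -Descending | Select-Object -First 1
        [pscustomobject]@{
            Path            = $p
            FileVersion     = $file.VersionInfo.FileVersion
            LastChanged     = $changed
            RecentlyChanged = $changed -ge $cutoff
            SignatureStatus = $sig.Status   # 'Valid' = file intact and chain trusted
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256          = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

$report = Get-BrowserChangeReport -Path $browsers -Days $windowDays
$report | Format-List

# A changed binary without a valid signature needs investigation before
# it is added to any application-modification exclusion list.
$report | Where-Object { $_.RecentlyChanged -and $_.SignatureStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning "Recently changed and not validly signed: $($_.Path)" }
```

A recently changed, validly signed browser executable on a PC where only that browser is blocked is consistent with the application-modification explanation given in this thread.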

But the firewall is a simple rules table. When I tried to add a rule for the application (yes, I know to move it to the start of the table), it did not unblock. Historically, the ESET FW is not a nice piece of code. And it seems new developers are not able to handle old code very well 😞

It is probably hooked in some weird way to HIPS. And BTW, there must be a table of blocked apps somewhere, but nobody knows how to access it. And probably in the several latest updates some developers tried to clean up relations and screwed things up totally....


  • Administrators
1 hour ago, zhladik said:

But the firewall is a simple rules table. When I tried to add a rule for the application (yes, I know to move it to the start of the table), it did not unblock.

The issue is not related to rules evaluation.

1 hour ago, zhladik said:

Historically, the ESET FW is not a nice piece of code.

When we recently asked users about the firewall, they were satisfied with it. What do you dislike about the firewall and what would you suggest?

1 hour ago, zhladik said:

And it seems new developers are not able to handle old code very well

Not sure which developers you mean in particular; the firewall developers have been with ESET for quite many years already.

1 hour ago, zhladik said:

And BTW, there must be a table of blocked apps somewhere, but nobody knows how to access it.

HIPS doesn't prevent applications from running unless you create a blocking rule.


23 hours ago, zhladik said:

But the firewall is a simple rules table. When I tried to add a rule for the application (yes, I know to move it to the start of the table), it did not unblock.

It really depends on the rule that was created.

You can create a very permissive rule for example, that allows all inbound and outbound network traffic for the app. All protocols and ports would be allowed. Also make it an Ask rule versus an allow rule. Move this rule to the top of the rule set.

Start the app and force it to perform some Internet activity. If a firewall alert is not displayed to allow the network traffic, then we can conclude two things:

1. The app is not performing any network activity.

2. Something other than the Eset firewall is blocking the network traffic.

Edited by itman

This topic is now closed to further replies.