Some Firewall Rules Reset After Computer Restart


Hello.. new member here

 

I'm using Smart Security 7 solution.

 

For a long time I had my firewall filtering policy in Learning mode. Yesterday I thought that it's time to up the security a bit and go for a more strict firewall setting. I switched to Policy-based mode.

After half a day fine-tuning my firewall, adding exceptions to allow stuff that I use, I was quite satisfied with the result. But after I restarted my computer, some rules that are prepackaged, which you can turn off, but not delete (not that I wanted), will switch back on and mess up my configuration. This is very annoying, since the exceptions that I've made, are still blocked by Block all unknown outbound traffic in Administrator mode rule.

First, the rules I have added are not unknown and second, if I turn off a setting, it should stay off.

 

Other rules that I prefer would stay off are:

Block outgoing multicast DNS requests

Block outgoing SSDP (UPNP) requests from svchost.exe

 

I would much rather like a solution for this instead of somebody saying that's how it works. :rolleyes:

Edited by sirius

Hello and welcome,

 

You say you have had the firewall in Learning mode for a long time, how long exactly?

 

The default automatic is recommended for most people which is why it is the default mode.

 

One should not use learning mode longer than necessary, and after that switch the firewall to the mode you want to use depending on what you prefer. But most people don't need to switch to the learning mode at all, as the default automatic mode works pretty good.

 

This KB article explains the different firewall modes quite nicely: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3190&actp=search&viewlocale=en_US&searchid=1406573176873#filtermode

Edited by SweX

I had it on Learning mode over half a year I think. Hoped it would learn my most used stuff and add them to firewall rules list, but it didn't. So I turned it to Policy-based mode now and added everything I needed myself.

 

I don't see how this affects my problematic builtin ESET rules turning back on after restart though.


Learning mode over half a year, means that anyone could have intruded on your computer and the firewall would have said " OK Let them on in and create a rule for it "

At most learning mode should be only used to create 1 rule, or a set of rules to be left on maybe for 1 day while you run most of your stuff, but it should be converted to automatic or interactive the following day.


My advice would be to reset your entire firewall configuration and every single rule with it.

Then place it on learning mode and open all your common apps and browsers, plus send emails and perform windows updates and app updates all in one day.

Then switch to interactive the following day and the prompts and pop ups will allow you to make and define your rules as new ones unknown to the firewall appear.

 

To assist you with your extra features blocking.

Have a look at the following KB for all your firewall settings that are embedded : hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2906

If you do not see your options then you have to manually create rules for the blocking. 'Manually'


This -> "My advice would be to reset your entire firewall configuration and every single rule with it."

 

 

Was exactly what I thought to say depending on how long you would say you had used Learning Mode for. And your half year period was quite a bit longer than I expected. So without a doubt please do follow Arakasi's advice!

 

Learning  mode — Learning mode should only be used if you are an experienced user in a controlled environment because it does not require user approval to create permanent rules and can expose your computer to increased risk.

Learning mode allows all activity and automatically creates and saves rules based on user behavior; it offers a less user-intensive initial configuration of the Personal firewall. No user interaction is required.   Learning mode is not secure, and should only be used until all rules for required communications have been created. The Personal firewall should then be set to Automatic mode with exceptions or Policy mode. 

 

 

To answer your question, yes you are right that Learning Mode will learn and create all necessary rules automatically as that is exactly what it's made for...but 6 months is way too long for that.

 

I am no firewall or network expert myself. But if you have any problems with something not connecting or working as it should then just ask and let us know and a member or ESET Staff will help you get it right so you don't use Learning Mode for a longer period than what is necessary.

 

But first, let's start over from scratch with your firewall and then we continue from there.


I had it on Learning mode over half a year I think.

I doubt this is true.

Learning mode expires after 2 weeks

 

However if you want to tighten up the rules and understand what is happening I would also advise interactive mode with a clean install. You can make the rules as specific as you like to start with (open up the advanced tab and limit ports and message type). You can then edit the rules to create generalised rules relatively easily. I have then documented my preferred rules, which makes it easier to apply to other computers or after clean reinstall for any other reason.

 

I thought that it's time to up the security a bit and go for a more strict firewall setting. I switched to Policy-based mode.

After half a day fine-tuning my firewall, adding exceptions to allow stuff that I use, I was quite satisfied with the result. But after I restarted my computer, some rules that are prepackaged, which you can turn off, but not delete (not that I wanted), will switch back on and mess up my configuration. This is very annoying, since the exceptions that I've made, are still blocked by Block all unknown outbound traffic in Administrator mode rule.

First, the rules I have added are not unknown and second, if I turn off a setting, it should stay off.

 

Other rules that I prefer would stay off are:

Block outgoing multicast DNS requests

Block outgoing SSDP (UPNP) requests from svchost.exe

 

I may be wrong but I think some of those rules are used to implement options selected by check boxes elsewhere in ESET settings, e.g.

Blocking all if no specific rule allowing is policy mode

Allow multicast address resolution in the trusted zone is IDS and Advanced option

Allow UPNP for system services is also IDS and Advanced option

 

I'm not sure it is smart to fight with ESS over the rules it takes a particular interest in. There is probably a reason ESET coded specific control of these rules. One would suspect they are important for the protective function ESET provides.

Edited by Patch

The KB you listed has not been edited since 2012.

Also those 14 days can be adjusted.

There have been many changes since then.

Only the OP can verify if he has been running it for 6 months, and he already stated he had been.

Edited by Arakasi

Learning mode expiration was strictly 14 days some years ago, you can adjust it now or reset the Learning mode period.

 

As to rule list. I'm quite sure that the list has nothing there that I haven't approved. If someone can say for sure that it is possible to insert hidden rules by some exploit, I will look into resetting the whole thing. It took me A LOT of time to create the list of rules, so I don't really want to reset it just to experiment.

 

I'm looking into Patch's reply when I get home. I'm vaguely remembering that there were some settings somewhere that may control that behaviour, I'm having a problem at the moment.

 

To SweX: While Learning mode is designed to automatically add necessary rules, it had only about 5 rules. When I turned on the Policy-based mode, I increased the list by a lot.

As to rule list. I'm quite sure that the list has nothing there that I haven't approved. If someone can say for sure that it is possible to insert hidden rules by some exploit, I will look into resetting the whole thing. It took me A LOT of time to create the list of rules, so I don't really want to reset it just to experiment.

 

Hello, I don't follow, how can you say that when you don't need to approve anything at all while in learning mode. I would not call it an experiment, more like for your own computer safety. Unless you have looked through the whole list and you know what's what in the list.

 

To SweX: While Learning mode is designed to automatically add necessary rules, it had only about 5 rules. When I turned on the Policy-based mode, I increased the list by a lot.

 

Well, that sounds weird considering the long period you used learning mode there should be a lot more than 5 rules, I assume it didn't work correctly for you. - Then you must have increased the rule list by creating your own rules, as policy-based mode does not give you allow/block notifications or create rules automatically like the learning mode but follows the rules that are already in place.

 

Personally I would still reset the whole list and start over, but that's just me, and you do as you like of course.

 

I'm having a problem at the moment.

 

What sort of a problem? If you tell us you will most likely get help with it.  :)


SweX

First, yes Learning mode doesn't give any notifications and the rules that I "approved" were added all after I turned on Policy-based mode, by me, since the list created by Learning mode was very short and didn't cover much of anything I'm using.

Second, Learning mode did not create exceptions for all of my programs I used daily for all of that time, just had some system rules.

Third, read the whole sentence.

 

In addition to Patch's comment regarding IDS and advanced options, this didn't help.


SweX

First, yes Learning mode doesn't give any notifications and the rules that I "approved" were added all after I turned on Policy-based mode, by me, since the list created by Learning mode was very short and didn't cover much of anything I'm using.

Thanks for clarifying, so learning mode had basically not created any rules at all automatically during the 6mo period, and you created them manually when you switched from the learning mode. As I said before, it doesn't sound like learning mode worked correctly in your case.

 

My point was that it doesn't matter if you approved anything after switching to policy-based mode, if learning mode had already approved as good as everything for 6 months, but apparently that wasn't the case (luckily) as it does not sound like it worked correctly, for some reason.

Second, Learning mode did not create exceptions for all of my programs I used daily for all of that time, just had some system rules.

Learning mode does normally also work for apps of course. 

 

I'm having a problem at the moment - this didn't help

I guess it's just me that can't seem to find where you mention your actual problem, so I will not try to help you with it and let other members do that.

Edited by SweX

SweX: If you read the end of Patch's reply (#7), you'll see that he noted a possible solution.

And I replied that "I'm looking into Patch's reply when I get home. I'm vaguely remembering that there were some settings somewhere that may control that behaviour, I'm having a problem at the moment."

 

Between the words "behaviour" and "I'm" is a comma, not a dot. So this is all a single sentence. For some reason you picked only the part after the comma.

 

But that doesn't matter*, because somehow the problem has resolved itself. Last 6 computer restarts, the built-in rules that re-enabled themselves before, have stayed disabled.

 

 

* - English is not my native language, so we could argue about the correct placement of words, but that's not why I'm here :)
