10 hours ago, Marcos said:

Note that:
- CHM/NI has nothing to do with IPv6 communication according to the developers.
- CHM/NI does not actively manipulate network communication; it merely monitors the network to report devices and this has not changed since CHM was first added to ESET's products. The only difference is home/office networks, where routers can be tested for vulnerabilities; however, this is only performed after clicking the "Scan your network" button.

 

Let's analyze in more detail logically; something Eset developers appear to be incapable of doing.

The above quote implies that Network Inspector is directly linked to Connected Home Monitor functionality.

Next, Eset adequately warns that Connected Home Monitor should only be used when the Home/Office profile is the active network connection profile.

By default, Eset installs with the "use Windows settings" option. Again by default, the Win 10 firewall uses the Public profile. Therefore the network connection established by Eset is using the Public profile.

Since Connected Home Monitor use is N/A in regard to Public profile use, by default Network Inspector should be disabled. It should only be auto re-enabled when one switches the active network connection profile to the Home/Office profile.

Edited by itman

  • Administrators

To avoid misunderstanding, Network Inspector is just a new name for Connected Home (previously known as Connected Home Monitor). The code remained the same. There are no differences at all but the name of the feature.

NI works in passive mode and listens to network communication. The communication is limited to sending discovery packets. The passive part has not changed since CHM was first introduced in v10.

In home/office networks the user has a button to scan the network available. Only when clicked, NI scans the router for vulnerabilities by generating communication that simulates possible exploits.


3 hours ago, Marcos said:

NI works in passive mode and listens to network communication. The communication is limited to sending discovery packets. The passive part has not changed since CHM was first introduced in v10.

I will again reiterate what happens on my EIS installation when Network Inspector is enabled.

At system restart time, a half dozen ekrn.exe UDP and UDPv6 connections are established along with an ekrn.exe port 138 connection. These remain for a couple of mins. and are then dropped. In the past, one ekrn.exe UDP and UDPv6 remained. On ver. 17, the UDPv6 connection is usually permanently dropped and not later reestablished.

Upon resume from Win 10 sleep mode, a dozen ekrn.exe UDP and UDPv6 connections are established along with an ekrn.exe port 138 connection. These remain for a couple of mins. and are then dropped. In almost every instance on ver. 17, the UDPv6 connection is usually permanently dropped and not later reestablished.

In regards to the ekrn.exe UDPv6 connection when dropped: if I perform anything related to current network status such as ipconfig /all or view network settings in Win 10, the ekrn.exe UDPv6 connection is reestablished and remains in effect until system shutdown/sleep mode.

With Network Inspector disabled, I have no borked Eset firewall activity where my normal outbound network traffic is being interpreted as inbound traffic and being blocked upon resume from sleep mode. Although there have been two incidents where this occurred for a couple of port 53 DNS connections.

Now really, is this passive behavior?

Network Inspector stays permanently disabled on my device.

-EDIT- BTW the same above behavior occurs the minute the Network Wizard is opened with the result being the ekrn.exe UDPv6 connection being permanently dropped.

Edited by itman

  • ESET Insiders

itman can't explain that to him, he's always right, he's not true, but he believes it, so let's let him believe in it. 

Edited by SlashRose

1 hour ago, SlashRose said:

itman can't explain that to him, he's always right, he's not true, but he believes it, so let's let him believe in it. 

Good advice. I am tired of wasting my time in this forum reporting Eset problems that ultimately get dismissed.


5 hours ago, itman said:

Good advice. I am tired of wasting my time in this forum reporting Eset problems that ultimately get dismissed.

Now how do we consumers report problems that happen to our products?
Because I'm always seeing problems and never a solution, and a lot of delay to solve, whenever what I hear is on V15 it will be corrected.


  • Administrators
2 hours ago, New_Style_xd said:

Now how do we consumers report problems that happen to our products?
Because I'm always seeing problems and never a solution, and a lot of delay to solve, whenever what I hear is on V15 it will be corrected.

Please elaborate more on what issues you are having with v14. As far as I know, currently there should be basically only 2 issues with v14 that will be fixed in v15: 1) A graphical issue with animated icon when update is no longer running, 2) Malfunctioning "Disable checking upon inbox content change" setting which users are not normally supposed to change.
Yesterday there was an update of the Cleaner module (1222) which should prevent higher CPU load on system startup under certain circumstances, which should also result in update being run faster unless the CPU is heavily utilized by other processes. If you had this issue occurring intermittently from time to time, this update would have solved it.

Please understand that without a clear description of each issue, appropriate logs or dumps and ideally step-by-step instructions to duplicate the issue, no software vendor can do much about the issues you have.


  • ESET Insiders
15 hours ago, itman said:

Good advice. I am tired of wasting my time in this forum reporting Eset problems that ultimately get dismissed.

Can understand you well itman, because I feel the same way on this point.


  • ESET Insiders
8 hours ago, Marcos said:

Please elaborate more on what issues you are having with v14. As far as I know, currently there should be basically only 2 issues with v14 that will be fixed in v15: 1) A graphical issue with animated icon when update is no longer running, 2) Malfunctioning "Disable checking upon inbox content change" setting which users are not normally supposed to change.

And that's exactly our problem here Marcos, you never see reported problems, no matter how much you show them to them and that's why they are not useful here, as I already wrote to their superiors!


I got Network Inspector to "peacefully co-exist" with my router by doing something I will now admit, I did in the past. So let's get to this.

If I add both the IPv6 addresses for my local subnet allocated DNS server and the external dedicated AT&T DHCP/DNS server to Eset's Trusted addresses, everything works w/o conflict. But here's the problem with this.

Whereas I have no qualms with adding to Trusted addresses the local subnet allocated IPv6 DNS server since its primary purpose is for caching IP addresses, I do have a major issue with adding the external dedicated AT&T IPv6 DHCP/DNS server IP address. Simply put, if this server gets hacked, I am literally "dead meat" since anything it does will be allowed by the Eset firewall. There is also the issue if either of these allocated DNS server IP addresses is changed by AT&T, although to date, this hasn't happened.

The simple Eset solution is to have Network Inspector "butt out of" DNS server validations when no explicit DNS server addresses are specified on the IPv4 and IPv6 network adapter settings. Since we all know "hell will freeze over first" before Eset does something about this, I won't be renewing my Eset license subscription. I'll be switching to Microsoft Defender and using the money I spent on Eset to add an ATP subscription now that I am using Win 10 Pro. Something that can't be done in Eset consumer versions; i.e. add EDTD protection.

Edited by itman

5 hours ago, SlashRose said:

And that's exactly our problem here Marcos, you never see reported problems, no matter how much you show them to them and that's why they are not useful here, as I already wrote to their superiors!

You said everything, in a few words...


I was one step away from uninstalling Eset this morning and it dawned on me there was one last thing I haven't tried in regards to my auto config. IPv6 network connection. So what the hell, let's try that.

My previous experience with use of Cloudflare IPv6 DNS servers yielded the following. If I "dumb down" my IPv6 server settings so Eset's Network Inspector/Inspection processing sees a fixed predefined network connection, it doesn't go spastic resulting in a borked network connection from it. So I specified my external AT&T IPv6 DHCP/DNS server IP address on my network adapter Windows IPv6 DNS settings as primary and my fixed allocated local subnet IPv6 DNS server as secondary.

Now, let's pause a moment. I never considered doing this recently since I tried the same when I first installed Eset Smart Security in 2014. It didn't go very well and I never considered it since. The difference from then to now is I have detailed knowledge of how my router auto allocates my ISP IPv6 servers. Ditto for "quirks" with Eset in regards to trusting network devices and its validation of them.

Continuing, I next kept my fixed allocated local subnet IPv6 DNS server IP address as an Eset Trusted IP address and removed the external AT&T IPv6 DHCP/DNS server IP address. Trusting the fixed allocated local subnet IPv6 DNS server IP address is the key component in getting Network Inspector/Inspection processing not to go bonkers. The router is pinging this IP address every 30 secs along with IPv6 gateway IP address for connectivity purposes. Additionally, the router is using NetBIOS and mDNS; i.e. port 5353, periodically against this IP address. Note that Eset doesn't even have default firewall rules for port 5353 network traffic. Luckily, the Win 10 firewall does have an inbound rule for it applicable to all its network profiles. The port 5353 element is interesting. I came across a hard to find article that Ethernet based Powerlink adapters use mDNS for device-to-device communication and I use them to connect to my PC. So that might be another element in this Eset network configuration mess.

Rebooted and I was utterly amazed at how fast, smooth, and most importantly, my IPV6 network configuration was set up with Network Inspector enabled. I am 100% convinced everything is correctly configured since I now see a network binding for the fixed allocated local subnet IPv6 DNS server IP address to the external AT&T IPv6 DHCP/DNS server IP address; something that always existed prior to ver. 17. This proves to me something has changed in ver. 17 in regards to Network Inspector/Inspection and I don't believe anything Eset says publicly to the contrary.

Edited by itman

On 9/29/2021 at 4:43 PM, itman said:

Rebooted and I was utterly amazed at how fast, smooth, and most importantly, my IPV6 network configuration was set up with Network Inspector enabled. I am 100% convinced everything is correctly configured since I now see a network binding for the fixed allocated local subnet IPv6 DNS server IP address to the external AT&T IPv6 DHCP/DNS server IP address; something that always existed prior to ver. 17.

Wrong again! At least now I remember why this won't work:

On 9/29/2021 at 4:43 PM, itman said:

I was one step away from uninstalling Eset this morning and it dawned on me there was one last thing I haven't tried in regards to my auto config. IPv6 network connection. So what the hell, let's try that.

This does force an immediate connection to the external AT&T IPv6 DHCP/DNS server, but doesn't allow the router to perform its necessary setup processing to the fixed allocated local subnet IPv6 DNS server.

I have however found the Eset "culprit." It's the "Notify about newly discovered network devices" option for Network Inspector. With that option disabled, all my IPv6 networking is being set up correctly and I no longer have to trust both IPv6 servers to prevent Eset firewall processing from going bonkers.


I had to perform some additional system and Eset Networking modifications and now Eset Networking/firewall is "peacefully co-existing" with my device/router. If after reading this you get a migraine headache, take two large migraine relief tablets and go to bed.

I forgot to replace Eset firewall default DHCPv6 rule which doesn't work with my router with the Win 10 firewall DHCPv6 rules that do work.

Next, I noticed that Eset Network Identification active connection processing appeared borked. Decided it was time for a full Win 10 network reset. Upon system restart from this, I noticed that my IPv6 DNS servers were fully initialized in both Win 10 and Eset. That is, the external AT&T IPv6 DHCP/DNS server showed as primary IPv6 DNS server in Win 10 and local subnet IPv6 DNS server as secondary IPv6 DNS server in Win 10. Additionally, both IPv6 server IP addresses showed in Eset DNS server Zone. This result is critical for Network Inspector correct DNS server determination which I will get into next.

This morning upon first Win 10 fast startup of the day, I observed something never seen in Eset use to date. Both IPv6 server IP addresses showed in Eset DNS server Zone. However, at that time only the external AT&T IPv6 DHCP/DNS server showed as primary IPv6 DNS server in Win 10. Within a couple of minutes, the handshaking processing completed and the local subnet IPv6 DNS server was assigned as secondary IPv6 DNS server in Win 10.

If the above processing holds true from now on for all future system restart modes, it confirms prior statements made by Eset that Network Inspector is determining and saving network settings at either Eset installation and/or when the Windows network is completely rebuilt from scratch as is done via Win 10 network reset option. In my case, this is critical for Eset not misinterpreting the various IPv6 DNS setting combination settings done by my router as rogue DNS server setting modification to my router.

The last remaining piece of this Eset Networking inspection puzzle mess was the misinterpreted outbound network traffic from my device as inbound traffic upon resume from system initiated sleep mode with no prior system sign off. This had settled down to only DNS and mDNS; i.e. port 5353 traffic as shown below:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;Hash;User
10/3/2021 10:38:32 AM;Communication allowed by rule;Allowed;192.168.1.xxx:5353;224.0.0.251:5353;UDP;Rule created by wizard for: svchost.exe;C:\Windows\System32\svchost.exe;010DB07461E45B41C886192DF6FD425BA8D42D82;NT AUTHORITY\NETWORK SERVICE

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;Hash;User
10/3/2021 10:38:33 AM;Communication allowed by rule;Allowed;192.168.1.xxx:57839;192.168.1.25x:53;UDP;Rule created by wizard for: svchost.exe;C:\Windows\System32\svchost.exe;010DB07461E45B41C886192DF6FD425BA8D42D82;NT AUTHORITY\LOCAL SERVICE

Turns out the above is being generated as a result of NetBIOS and mDNS connectivity handshaking processing from the Ethernet PowerLink adapter my PC is connected to. Eset networking is totally clueless on how to handle this network traffic. So I created specific Eset firewall rules to handle the above.

Bottom line- Eset has really created a network mess with current Network Inspector processing for select customized routers. God help you if you happen to fall into this category.

Edited by itman
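
An added example, not part of the original posts and not ESET code: a small parser for the semicolon-delimited firewall log export quoted in the post above, which groups rows by process and destination service so that a rule can be scoped to a port instead of trusting a whole address. The service labels and the bracketed `[addr]:port` form for IPv6 endpoints are assumptions of this example.

```python
import csv
import io
from collections import Counter

# Log rows copied from the post above (addresses masked as posted).
SAMPLE_LOG = r"""Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;Hash;User
10/3/2021 10:38:32 AM;Communication allowed by rule;Allowed;192.168.1.xxx:5353;224.0.0.251:5353;UDP;Rule created by wizard for: svchost.exe;C:\Windows\System32\svchost.exe;010DB07461E45B41C886192DF6FD425BA8D42D82;NT AUTHORITY\NETWORK SERVICE

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;Hash;User
10/3/2021 10:38:33 AM;Communication allowed by rule;Allowed;192.168.1.xxx:57839;192.168.1.25x:53;UDP;Rule created by wizard for: svchost.exe;C:\Windows\System32\svchost.exe;010DB07461E45B41C886192DF6FD425BA8D42D82;NT AUTHORITY\LOCAL SERVICE
"""

FIELDS = "Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;Hash;User".split(";")
# UDP ports that come up in the thread; the labels are this example's own.
SERVICES = {53: "dns", 138: "netbios-datagram", 546: "dhcpv6", 547: "dhcpv6", 5353: "mdns"}
MDNS_GROUPS = {"224.0.0.251", "ff02::fb"}  # IPv4 and IPv6 mDNS multicast groups


def split_endpoint(endpoint):
    """Split 'host:port'. The last colon separates the port, so masked
    octets and bracketed IPv6 literals (assumed form) both survive."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_log(text):
    """Return one dict per data row, skipping blank lines and repeated headers."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    return [dict(zip(FIELDS, rec)) for rec in reader
            if len(rec) == len(FIELDS) and rec != FIELDS]


def classify(row):
    """Name the destination service; port 5353 to a non-multicast host is flagged."""
    host, port = split_endpoint(row["Target"])
    service = SERVICES.get(port, "other")
    if service == "mdns" and host not in MDNS_GROUPS:
        service = "mdns-unicast"
    return service


def summarize(text):
    """Count rows per (process name, destination service, firewall action)."""
    counts = Counter()
    for row in parse_log(text):
        process = row["Application"].rsplit("\\", 1)[-1]
        counts[(process, classify(row), row["Action"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```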