How to view pre-login traffic blocked by EIS firewall?


How can one determine exactly what EIS blocks before a user logs on to a Windows PC?

If EIS is set to Interactive mode, after a user logs on to the PC, the user will be alerted with a pop-up that tells the user that EIS is blocking specific traffic and waits for a response from the user to continue blocking or allow the traffic. This works great for traffic AFTER a login.

However, the problem that I encounter is that some pre-login traffic is being blocked but ESET does not log the blocked traffic so I don't know what Allow rule(s) need to be created to allow the traffic. I found this post which states, 'The only way I know of to log blocked network connections when the firewall is set to Interactive mode is to create an Ask rule to monitor any network inbound and outbound traffic for any protocol.'

Creating an Ask rule as described in that post only logs the remote IP address where the traffic was going to. How can we make EIS log all information about the blocked, pre-login traffic so that it logs the program that is generating the traffic that is being blocked and domain name if one was used instead of an IP? In other words, how can we view the same type of info, that is presented in the Interactive pop-ups, for pre-login traffic which is being blocked?

Edited by jeffshead

I don't see a Firewall Troubleshooting Wizard. If you are referring to Setup > Network protection > Network Protection Troubleshooting, it does not show anything (relating to pre-login traffic) being blocked. Like I stated previously, EIS is set to Interactive, so the Network Protection log is always empty, which I think is ridiculous.

Edited by jeffshead

54 minutes ago, Marcos said:

If you see zeroes here, then no communication was blocked:

With all due respect, I must say your statement is not correct. EIS is blocking the traffic but it is not being logged anywhere, including the Troubleshooting wizard. If I go to Setup > Network protection > Firewall and select 'Disabled permanently', the traffic is not blocked. Otherwise the traffic is blocked but not logged.

This behavior was reported by others who also use Interactive mode, a couple of years ago.

I managed to force EIS to log the traffic that it is blocking by utilizing the info posted in the thread I linked to in the previous paragraph. I enabled Enable Network protection advanced logging and created a general catch-all ASK firewall rule and set it to Information level logging in order to log the blocked traffic. Until I did this, the Network Protection log was completely empty. In fact, it's always empty on every PC that has EIS set to Interactive mode.

I love ESET but having to spend so much time researching how to log traffic that should be logged by default is bad.

Edited by jeffshead

This topic is now closed to further replies.