
Network Connection issues with ESET Smart Security 8



Hi,

 

  I have installed ESET Smart Security 8 ("Internet Protection Module" - 1156B) and found that my network connection keeps disconnecting (it happens randomly). ESET prompts "Blocked network threat - UDP Port Scanning attack", followed by the network disconnecting. This issue doesn't happen with version 7.

  I tried temporarily disabling protection and the firewall (then restarting), but the issue still persists.

 
  Kindly advise and assist, thanks.
 
  Regards,
  Steven Liew

[two screenshots attached]

Hi,

 

  For your information, the IP address 192.168.2.55 belongs to my company server (Windows Server 2008 R2 Enterprise with SP1).

  Once my computer connects to this server and does something (search, copy or move files), the message pops up, followed by the network disconnecting (if I keep ignoring it).

  If I choose "More options and information" from the pop-up message and then "stop blocking", the network won't be disconnected.

  I believe this is something abnormal. Kindly assist and advise, thanks.

 

  Regards,

  Steven Liew

[screenshot attached]

I think the text describes quite well what to do:

[screenshot attached]

 

So you could check the box "do not ask me again" and click "stop blocking". AFAIK this would exclude the IP.

 

However, I recommend that you go on troubleshooting this, because it seems to be a new problem with v8.

Maybe you can tell us what exactly the server is doing (with your computer) that could cause this issue.


Hi,

 

  @rugk,

 

    Yep, I agree with you, because it seems to be a new problem with v8 (it doesn't happen with v7).

    I can also check the box "do not ask me again" and click "stop blocking" (exclude the IP) for the time being, but not in the long run.

    I still need to troubleshoot and identify the root cause (whether the problem is really with ESET v8 or something else).

    How to troubleshoot is another headache for me, because it happens randomly when accessing the network server.

  @Marcos,

    You mean it is normal for the server to check remote computers for open ports, so it's correctly detected as a port scan attack?

    Is this a new feature in v8, and can it be ignored?

 

  Kindly advise and assist, thanks.

 

  Regards,

  Steven Liew

  

 

 


  • Administrators

The port scan attack detection has been there for years, to the best of my knowledge. To troubleshoot the issue, please proceed as follows:

- enable logging of blocked connections in the IDS setup

- enable logging to pcap

- clear your firewall log

- restart the computer

- reproduce the problem

- run ESET Log Collector to collect logs

 

Then compress the output archive along with the pcapng log, upload the archive to a safe location and PM me the download link.

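Once a capture from the steps above exists, one way to see which host produces scan-like UDP traffic is to count the distinct destination ports each source hits within a short window. This is an added example, not part of the original post and not ESET's detection logic; the window, threshold, record format and sample packets are assumptions (only the server address 192.168.2.55 comes from the thread).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, checked explicitly: ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24 and would mislabel the sample.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = 5.0    # seconds; assumed value, not ESET's
MIN_PORTS = 5   # distinct UDP destination ports inside WINDOW; assumed

# Constructed records (time s, source IP, protocol, destination port), standing
# in for rows exported from the pcapng capture. Only 192.168.2.55 is from the thread.
PACKETS = (
    [(10.0 + 0.3 * i, "192.168.2.55", "udp", 49152 + i) for i in range(6)]
    + [(40.0 + 0.2 * i, "203.0.113.7", "udp", p)
       for i, p in enumerate([53, 123, 137, 161, 1900])]
    + [(5.0 * i, "192.168.2.1", "udp", 68) for i in range(8)]          # one port, repeated
    + [(12.0 * i, "192.168.2.20", "udp", 5000 + i) for i in range(6)]  # many ports, slowly
    + [(11.0, "192.168.2.55", "tcp", 445)]                             # TCP is ignored
)

def scan_like_sources(packets, window=WINDOW, min_ports=MIN_PORTS):
    """Map each source to the most distinct UDP destination ports it hit in
    any `window`-second span, keeping only sources that reach `min_ports`."""
    by_src = defaultdict(list)
    for ts, src, proto, dport in packets:
        if proto == "udp":
            by_src[src].append((ts, dport))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = best = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            best = max(best, len({port for _, port in events[start:end + 1]}))
        if best >= min_ports:
            flagged[src] = best
    return flagged

def triage(packets):
    """Label each flagged source as a LAN host or an external address."""
    result = {}
    for src, ports in scan_like_sources(packets).items():
        on_lan = any(ip_address(src) in net for net in RFC1918)
        result[src] = ("LAN" if on_lan else "external", ports)
    return result

if __name__ == "__main__":
    for src, (where, ports) in sorted(triage(PACKETS).items()):
        print(f"{src:15} {where:8} {ports} distinct UDP ports within {WINDOW:.0f}s")
```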

Hi Marcos,

 

   As requested, I have PMed you and uploaded the ESET log file according to your instructions.

 

  Please check and confirm, thanks.

 

  Regards,

  Steven Liew 

[screenshot attached]

  • 7 months later...

hello, i'm experiencing similar things and i wonder if this too is what i need to do to figure out why it's happening.  here are two of the alerts i've received, the 2nd of which i've received more often today while i've been online:

 

[three screenshots attached]

 

the top pic is from several days ago and because it indicates that it's listed as source, i clicked 'stop blocking'.  that statement in the dialog may be quite ambiguous because it is listed as a source and so to me indicating no threat.  the 2nd pic is the first part of the alert i started receiving today, clicking 'more options and information' brings up the 3rd pic.

 

i searched this forum, i searched the knowledgebase and i even searched the web to inform myself as to how i determine the source numbers of my connected devices, but i'm absolutely mystified because not even ESET in their knowledgebase articles describes any of this behaviour, potential or otherwise.  nothing is so clean cut, and a novice geek like myself that uses her computer to do all manner of things just wants to know she's safe doing all manner of things and to not have to worry about or concern herself unnecessarily with these alerts that keep popping up and that provide ambiguous information or information that gets the user nowhere. and then for ESET to not even have an article based on or around an explanation for such things is very troubling for me.

 

anyhoo, please let me know marcos or rugk or anyone, whether this is the same or even a similar thing and that i too should be doing what the OP is doing to determine what it is that's going on.

 

ta much :)


i've just received another alert.  this is a new source though:

[screenshot attached]

 

i've been getting alerts all night regarding source 69..., i've been working on word and pdf documents.  my email account isn't open but i do have a tab or two open in firefox.

 

can anyone tell me something about what this all means.

 

tia :)


80.82.70.24 was blocked by Malwarebytes also because it is a "bad" site. Is ESET your only firewall, or are you behind a router? If you don't have a router, then ESET is doing its job blocking scans. I don't know if you can stop the alerts with a setting.


hi ken and thanks.

 

my windows firewall settings are managed by eset but i'm not behind a router so i appreciate that eset is doing its job.

 

i plugged in to my firefox the 80... source and it came up with a page informing 'proxy scanning in progress' under the banner of NSA (Network Security Alliance).  that's some freaky site for sure and i reckon anyone taking a look at that page and if it is dangerous, i'd conclude that many might fall for it! 

 

when i plugged in to firefox the other two source numbers their respective pages failed to load and so i am still none the wiser as to what they are or to what they relate.

 

i do recall a number of years ago tho, and possibly between v.4 and v.5, that i would often receive alerts of some kind and that i needed to tick some box or other in advanced settings, under ssl or hips maybe?!?!  i don't recall but i was satisfied that eset was doing its job and so ticking that box merely stopped the alerts popping up all the time.

 

if you or anyone else can help me out with that, i'd be grateful.

 

i don't like this option of 'keep blocking' / 'stop blocking' because i have no freakin clue as to what it all means nor to what these damned numbers refer.


My advice is that you choose "keep blocking"; I see no reason at all why you should stop blocking. If you had a router, it's very possible it would have taken care of this up front, but since you don't, it goes straight through and the software firewall has to do the job in this case.

 

FYI....

 

80.82.70.24  = Suspicious 60/100

 

IP address has been identified as risky by one/more sources

 

hxxp://zulu.zscaler.com/submission/show/48384a6174aaa58e39242560e4c8bc5b-1433738264

Edited by SweX

My advice is to go to this web site: https://www.grc.com/x/ne.dll?bh0bkyd2 . Click on "Proceed." Then click on the "Common Ports" tab. It will run a scan to determine if any of the commonly used ports are open and therefore visible to the outside world. After the scan is complete, all your ports should show "Stealth."


ahhh itman, i've been using grc.com for years and only just the other day did i do a stealth report and found 4 'closed' with the rest stealth.  what a pretty green stealth is. you get kudos for bringing it up ;)

 

looking at grc.com again, i've realised while performing some tests that the 4.79.142.206 alert [as above] is grc's ping!

 

anyhoo, does anyone know how to stealth those 4 ports?  they are 25 [smtp], 80 [http], 137 [netbios-ns] and 138 [netbios-dgm]

i'm still on grc.com to see whether there are any suggestions or recommendations of how to stealth those 4 ports but if someone already knows, please, let me know.

 

ta much :)


Closed is as good as stealth. Stealth is a term dreamed up by programmers to make people happy.

To someone scanning you, the ports cannot be accessed because a program is not using a certain port and can't even be probed. There are some ports that should not be open to the internet and that is what a firewall is for, as well as good programming.

Edited by ken1943

Couldn't edit. That is why I tell everyone I know to use a router and why ISPs are now using modem/routers.

Many home routers today do not have very good logging, but if you could see the router logs, you would understand what I am trying to say. The "noise" on the internet is unbelievable.

 

So block the junk.

Edited by ken1943

You can eliminate the port 137 and 138 issue by disabling NetBIOS for the IPv4 or IPv6 connection for your modem. No reason for NetBIOS to be enabled these days.
