This topic is now archived and is closed to further replies.

tommy456

latest Firewall module for eset v7 now blocking tracert app

As above, I have been using a networking app called PingPlotter Pro for several years. It combines a tracert and ICMP as well as other protocols. As of 13:15 today, following the downloading of a module update (the firewall possibly being one of the modules that got updated), ESET started blocking without any reason.

The program would no longer display DNS names and IP addresses from my router to the hop prior to the target IP, so rendering the program useless.

I tried to change the settings in IDS, and with every tick box unselected it made no difference. Turning off the firewall briefly allowed the program to work as it should, as did rolling back the update, but the problem with this is I can't get virus sigs updated. Why do ESET break what wasn't already broken?

04/11/2014 14:47:02    Communication denied by rule    ICMP    Apply ICMP filter        
04/11/2014 14:46:25    Communication denied by rule    ICMP    Apply ICMP filter        
04/11/2014 14:45:49    Communication denied by rule    ICMP    Apply ICMP filter        
04/11/2014 14:43:33    Communication denied by rule    ICMP    Apply ICMP filter        
    
04/11/2014 14:29:36    Packet blocked by active defense (IDS)       ICMP            
04/11/2014 14:29:36    Packet blocked by active defense (IDS)       ICMP            
04/11/2014 14:29:36    Packet blocked by active defense (IDS)       ICMP            
     
          
03/11/2014 12:15:19    Incorrect UDP packet checksum            0            
01/11/2014 17:05:56    Incorrect UDP packet checksum            0            
01/11/2014 11:48:09    Incorrect UDP packet checksum            0            
01/11/2014 11:47:43    Incorrect UDP packet checksum            0            
01/11/2014 11:47:31    Incorrect UDP packet checksum            0            
01/11/2014 09:49:53    Incorrect UDP packet checksum            0            
 

Just a few edited samples from the firewall log.

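One way to check the correlation reported above, as an added example that is not part of any post in this thread: parse the firewall log and list the event types that first appear after the module update. The function names and the DD/MM/YYYY reading of the dates are assumptions; the sample lines are copied from the edited log excerpt in the first post.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the edited log sample in the first post; columns are
# separated by runs of spaces. Dates are assumed to be DD/MM/YYYY.
SAMPLE_LOG = """\
04/11/2014 14:47:02    Communication denied by rule    ICMP    Apply ICMP filter
04/11/2014 14:46:25    Communication denied by rule    ICMP    Apply ICMP filter
04/11/2014 14:29:36    Packet blocked by active defense (IDS)       ICMP
04/11/2014 14:29:36    Packet blocked by active defense (IDS)       ICMP
03/11/2014 12:15:19    Incorrect UDP packet checksum            0
01/11/2014 17:05:56    Incorrect UDP packet checksum            0
"""

# Update time reported in the first post: 13:15 on 04/11/2014.
UPDATE_TIME = datetime(2014, 11, 4, 13, 15)

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s{2,}(\S.*)$")


def parse_log(text):
    """Return (timestamp, event, other_columns) for each well-formed line."""
    rows = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank or truncated line
        when = datetime.strptime(match.group(1), "%d/%m/%Y %H:%M:%S")
        cols = re.split(r"\s{2,}", match.group(2).strip())
        rows.append((when, cols[0], cols[1:]))
    return rows


def events_new_since(rows, cutoff):
    """Count event types seen at or after cutoff that never occurred before it."""
    baseline = {event for when, event, _ in rows if when < cutoff}
    recent = Counter(event for when, event, _ in rows if when >= cutoff)
    return {event: n for event, n in recent.items() if event not in baseline}


if __name__ == "__main__":
    for event, n in events_new_since(parse_log(SAMPLE_LOG), UPDATE_TIME).items():
        print(f"{n:3d}  {event}")
```

On the sample, the checksum events are treated as baseline noise because they predate the update, while both ICMP block events are reported as new.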

I was unable to reproduce the issue. Please carry on as follows:

- enable logging of blocked connections

- enable advanced logging to pcap (both in the IDS setup)

- clear your firewall log

- restart the computer

- reproduce the problem

- turn off logging

 

 

When done, download and run ESET Log Collector and add the pcapng file from the C:\ProgramData\ESET\ESET Smart Security\Diagnostics folder to the archive. Then upload the archive to a safe location and PM me the download link.


After rolling back the update and clearing the update cache, the problem stopped, but I can probably still reproduce this issue if need be. To me it seems like the IDS is ignoring being told to allow the app to send or receive the ICMP packets. I have since also added an additional rule in the firewall to allow PingPlotter to send and receive ICMP, as well as adding the app to the IDS exceptions list.


OK, it suddenly started blocking ICMP requests again. I followed your instructions; you have a PM with a link to the log.

And I was also able to get ESET to stop blocking ICMP again by rolling back 1 update. Maybe the 2 are connected?

Further to that, after clearing the update cache and allowing updates, immediately following the download of update 10700, IDS is again blocking ICMP generated by PingPlotter Pro.

The pre-release modules make no difference.

Update @ 16:45: Having done some head scratching etc., I think that I may have found the underlying cause. Currently, after rolling back the VSD to 10693, the issue isn't present; everything is working as intended.

But I notice that the virus signature updates are also downloading/installing program modules by stealth, as the firewall module changes with virus sig updates after 10693. There may be 3 more module updates also, but the firewall module update from 1236 to 1245 seems to be the underlying cause.

In testing, if I allow virus sigs to update, the ICMP blocking starts; roll back to 10693 and the blocking ceases. This is 100% reproducible currently.

On another issue, also in ways connected: why does ESET still download product components even when the option is set not to do this? If this worked as it should, I would still be able to update the virus sigs, but instead I have a broken product due to this latest firewall module being pushed out, and out-of-date virus sigs. It makes having ESET on my system a tad pointless, or will do soon enough.


On another issue, also in ways connected: why does ESET still download product components even when the option is set not to do this? If this worked as it should, I would still be able to update the virus sigs, but instead I have a broken product due to this latest firewall module being pushed out, and out-of-date virus sigs. It makes having ESET on my system a tad pointless, or will do soon enough.

 

AFAIK, the product modules found in the "About" window (including the firewall, for example) are not tied to the "program component updates" settings that you refer to.

The modules will be updated regardless of how you set up the "program component updates" in the setup tree.

The modules are modules (I know the About window says "installed components: ") and some of them are updated very often. There is no setting to disable module updates, for obvious reasons, as it is essential to keep the modules updated. Especially when ESET in many cases can fix a reported problem in a module, then release an updated module which would fix the issue for all users, even for those that might not be affected by the problem at that point in time. So I don't think it would be a good idea if customers were able to disable module updates.


Yes, I think the same as SweX.
The module updates are included in the VSD updates. So the only way to prevent them updating would be to disable the automatic VSD updates.

Well, but what do the "component updates" in the settings describe, if not the VSD module updates?


The possible problem with ESET doing this is that they can also break something else, especially when the IDS still works even once it's not selected any more. ESET is starting to nag, because updates are suspended whilst I wait to see what ESET make of the log from the firewall, which even lists my router's IP, thanks ESET.

As for being able to prevent module updates but continue to receive virus sigs, this should be possible for troubleshooting and cases like mine. Surely the roll-back option could be programmed to roll back modules only, and only, and still allow VSD files to update, where the updated module actually breaks something that wasn't broken?


No, I don't think it's a good idea to split this, but for troubleshooting you can of course deactivate the automatic VSD update (but of course only for a short time).

Well, but what do the "component updates" in the settings describe, if not the VSD module updates?

About this, I'd like to answer myself:

First, it's quite useful to read this KB article: What is the difference between a Virus Signature Database update and a Program Component Update (PCU)?

 

Secondly here is the answer to my question:

post-3952-0-64164500-1415721452_thumb.png

 

All the settings you can see in the "Update mode" tab are about PCUs. These are, in contrast to the module updates which are downloaded with the VSD updates, the "upgrades" you can download from the ESET website or get if you click on the "Check for updates" button below "Product update":

post-3952-0-32175800-1415722208_thumb.png

However, you can also activate the option for ESET to check for these updates automatically too. (More information in this post)

So what happens when you click on the button, or when the task for the automatic update runs?

This is controlled by the setting you choose (see screenshot above).

By default you'll be asked when the update is available, and you can download and install it with a few clicks.

But you can also set it to not notify you, or to automatically download and install the PCU (without notifying you beforehand).

 

See also: Suggestion: Different product upgrade channels for ESET products


Today a new firewall module 1248 was put on pre-release servers. Please try it with the new module. Also I'd suggest upgrading to v8.


Tried that earlier, but the same problem is still there until I roll back to 1236. The other thing that we (ESET tech support and me, in a remote session) noticed is that creating rules in the IDS to allow ICMP requests from PingPlotter has no effect. ESET also blocks UDP pings, but TCP is fine. At the moment, if I want to use PingPlotter I have to roll back the updates and suspend them. The exact same issue was present with version 8, but as it uses the same module sets that's to be expected.

I also experienced other issues when I tried version 8, so I'm not a fan of moving to v8.

I think that the way forward would be to submit the firewall log I uploaded yesterday (link in PM) and see if the devs can find why/what changed with newer versions of the module after 1236.


Tried that earlier, but the same problem is still there until I roll back to 1236

Did you really try it, and was the firewall module updated to 1248?

You can check the version of the modules in the "about-window".


Our engineers will check the logs. Unfortunately, the pcapng file was created after collecting logs using Log Collector, but we'll see if it will be enough to find out the cause or if fresh logs created in reverse order will be needed.
