tommy456, Posted November 4, 2014

As above, I have been using a networking app called ping plotter pro for several years. It combines a tracert and ICMP as well as other protocols. As of 13:15 today, following the downloading of a module update (the firewall possibly being one of the modules that got updated), ESET started blocking without any reason. The program would no longer display DNS names and IP addresses from my router to the hop prior to the target IP, so rendering using the program useless. I tried to change the settings in IDS, and with every tick box unselected it made no difference. Turning off the firewall briefly allowed the program to work as it should, as did rolling back the update, but the problem with this is I can't get virus sigs updated. Why do ESET break what wasn't already broken?

04/11/2014 14:47:02 Communication denied by rule ICMP Apply ICMP filter
04/11/2014 14:46:25 Communication denied by rule ICMP Apply ICMP filter
04/11/2014 14:45:49 Communication denied by rule ICMP Apply ICMP filter
04/11/2014 14:43:33 Communication denied by rule ICMP Apply ICMP filter
04/11/2014 14:29:36 Packet blocked by active defense (IDS) ICMP
04/11/2014 14:29:36 Packet blocked by active defense (IDS) ICMP
04/11/2014 14:29:36 Packet blocked by active defense (IDS) ICMP
03/11/2014 12:15:19 Incorrect UDP packet checksum 0
01/11/2014 17:05:56 Incorrect UDP packet checksum 0
01/11/2014 11:48:09 Incorrect UDP packet checksum 0
01/11/2014 11:47:43 Incorrect UDP packet checksum 0
01/11/2014 11:47:31 Incorrect UDP packet checksum 0
01/11/2014 09:49:53 Incorrect UDP packet checksum 0

Just a few edited samples from the firewall log.

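Added example, not part of the original thread and not ESET code: a small Python triage of the log lines quoted in the post above, splitting event types around the reported update time of 13:15 on 4 November 2014 to show which ones appear only after it. The function names and the day-first timestamp parsing are assumptions made for this illustration.

```python
import re
from collections import Counter
from datetime import datetime

# The log lines quoted in the post above, one per line (day/month/year).
SAMPLE_LOG = """\
04/11/2014 14:47:02 Communication denied by rule ICMP Apply ICMP filter
04/11/2014 14:46:25 Communication denied by rule ICMP Apply ICMP filter
04/11/2014 14:45:49 Communication denied by rule ICMP Apply ICMP filter
04/11/2014 14:43:33 Communication denied by rule ICMP Apply ICMP filter
04/11/2014 14:29:36 Packet blocked by active defense (IDS) ICMP
04/11/2014 14:29:36 Packet blocked by active defense (IDS) ICMP
04/11/2014 14:29:36 Packet blocked by active defense (IDS) ICMP
03/11/2014 12:15:19 Incorrect UDP packet checksum 0
01/11/2014 17:05:56 Incorrect UDP packet checksum 0
01/11/2014 11:48:09 Incorrect UDP packet checksum 0
01/11/2014 11:47:43 Incorrect UDP packet checksum 0
01/11/2014 11:47:31 Incorrect UDP packet checksum 0
01/11/2014 09:49:53 Incorrect UDP packet checksum 0
"""
UPDATE_TIME = datetime(2014, 11, 4, 13, 15)  # "13:15 today" in the post
# Event texts seen in the post; anything else is counted as "unknown".
EVENTS = ("Communication denied by rule", "Packet blocked by active defense (IDS)",
          "Incorrect UDP packet checksum")
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(.*)$")

def parse(log_text):
    """Return (timestamp, event) pairs; lines without a timestamp are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")  # day first
            event = next((e for e in EVENTS if m.group(2).startswith(e)), "unknown")
            rows.append((ts, event))
    return rows

def split_by_update(rows, update_time):
    """Count each event type before and after the update time."""
    before, after = Counter(), Counter()
    for ts, event in rows:
        (after if ts >= update_time else before)[event] += 1
    return before, after

def first_seen_after(before, after):
    """Event types that occur after the update but never before it."""
    return sorted(e for e in after if before[e] == 0)

print("first seen after update:", first_seen_after(*split_by_update(parse(SAMPLE_LOG), UPDATE_TIME)))
```

On this sample the two ICMP blocking events appear only after the update time, while the UDP checksum entries all predate it.
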
Marcos (Administrators), Posted November 4, 2014

I was unable to reproduce the issue. Please carry on as follows:
- enable logging of blocked connections
- enable advanced logging to pcap (both in the IDS setup)
- clear your firewall log
- restart the computer
- reproduce the problem
- turn off logging

When done, download and run ESET Log Collector and add the pcapng file from the C:\ProgramData\ESET\ESET Smart Security\Diagnostics folder to the archive. Then upload the archive to a safe location and PM me the download link.

tommy456, Posted November 5, 2014

After rolling back the update and clearing the update cache, the problem stopped, but I probably can still reproduce this issue if need be. To me it seems like the IDS is ignoring being told to allow the app to send or receive the ICMP packets. I have since also added an additional rule in the firewall to allow pingplotter to send and receive ICMP, as well as adding the app to the IDS exceptions list.

tommy456, Posted November 10, 2014 (edited)

OK, it suddenly started blocking ICMP requests again. I followed your instructions; you have a PM with a link to the log. And I was also able to get ESET to stop blocking ICMP again by rolling back 1 update; maybe the 2 are connected? Further to that, after clearing the update cache and allowing updates, immediately following the download of update 10700, IDS is again blocking ICMP generated by pingplotter pro. The pre-release modules make no difference.

Update @16:45: Having done some head scratching etc., I think that I may have found the underlying cause. Currently, after rollback of the VSD to 10693, the issue isn't present and everything is working as intended. But I notice that the virus signature updates are also downloading/installing program modules by stealth, as the firewall module changes with virus sig updates after 10693. There may be 3 more module updates also, but the firewall module update from 1236 to 1245 seems to be the underlying cause. In testing, if I allow virus sigs to update, the ICMP blocking starts; roll back to 10693 and the blocking ceases. This is 100% reproducible currently.

On another issue, also in ways connected: why does ESET still download product components even when the option is set not to do this? If this worked as it should, I would still be able to update the virus sigs, but instead I have a broken product due to this latest firewall module being pushed out, and out-of-date virus sigs, which makes having ESET on my system a tad pointless, or will do soon enough.

Edited November 10, 2014 by tommy456

SweX, Posted November 11, 2014 (edited)

> On another issue, also in ways connected: why does ESET still download product components even when the option is set not to do this? If this worked as it should, I would still be able to update the virus sigs, but instead I have a broken product due to this latest firewall module being pushed out, and out-of-date virus sigs, which makes having ESET on my system a tad pointless, or will do soon enough.

AFAIK, the product modules found in the "About" window (including the firewall, for example) are not tied to the "program component updates" settings that you refer to. The modules will be updated regardless of how you set up the "program component updates" in the setup tree. The modules are modules (I know the About window says "installed components:") and some of them are updated very often.

There is no setting to disable module updates for obvious reasons, as it is essential to keep the modules updated. Especially when ESET in many cases can fix a reported problem in a module, then release an updated module which would fix the issue for all users, even for those that might not be affected by the problem at that point in time. So I don't think it would be a good idea if customers were able to disable module updates.

Edited November 11, 2014 by SweX

rugk, Posted November 11, 2014 (edited)

Yes, I think the same as SweX. The module updates are included in the VSD updates. So the only way to prevent them updating would be to disable the automatic VSD updates.

Well, but what do the "component updates" in the settings describe if it's not the VSD module updates?

Edited November 12, 2014 by rugk

tommy456, Posted November 11, 2014 (edited)

The possible problem with ESET doing this is that they can also break something else, especially when the IDS still works even once it's not selected any more. ESET is starting to nag, because updates are suspended whilst I wait to see what ESET make of the log from the firewall, which even lists my router's IP, thanks ESET.

As for being able to prevent module updates but continue to receive virus sigs, this should be possible for troubleshooting and cases like mine. Surely the roll-back option could be programmed to roll back modules only, and only, and still allow VSD files to update where the updated module actually breaks something that wasn't broken?

Edited November 11, 2014 by tommy456

rugk, Posted November 11, 2014 (edited)

No, I don't think it's a good idea to split this, but for troubleshooting you can of course deactivate the automatic VSD update (but of course only for a short time).

> Well, but what do the "component updates" in the settings describe if it's not the VSD module updates?

About this I'd like to answer myself. First, it's quite useful to read this KB article: What is the difference between a Virus Signature Database update and a Program Component Update (PCU)?

Secondly, here is the answer to my question: all settings you can see in the tab "Update mode" are about PCUs. These are, in contrast to the module updates which are downloaded with the VSD updates, the "upgrades" you can download from the ESET website or get if you click on the button "Check for updates" below "Product update":

However, you can also activate the option that ESET automatically checks for these updates too. (More information in this post)

So what happens when you click on the button or the task for the automatic update runs? This is controlled by the setting you choose (see screenshot above). By default you'll be asked when the update is available and you can download and install it with a few clicks. But you can also set the setting to not notify you or to automatically download and install the PCU (without a notification to you before).

See also: Suggestion: Different product upgrade channels for ESET products

Edited November 12, 2014 by rugk

Marcos (Administrators), Posted November 11, 2014

Today a new firewall module 1248 was put on pre-release servers. Please try it with the new module. Also I'd suggest upgrading to v8.

tommy456, Posted November 11, 2014 (edited)

Tried that earlier, but the same problem is still there until I roll back to 1236. The other thing that we, ESET tech support and me (remote session), noticed is that creating rules in the IDS to allow ICMP requests from ping-plotter has no effect. ESET also blocks UDP pings, but TCP is fine. At the moment, if I want to use the pingplotter I have to roll back the updates and suspend them. The exact same issue was present with version 8, but as it uses the same module sets that's to be expected. I also experienced other issues when I tried version 8, so I'm not a fan of moving to v8.

I think that the way forward would be to submit the firewall log I uploaded yesterday (link in PM) and see if the devs can find why/what changed with newer versions of the module after 1236.

Edited November 11, 2014 by tommy456

rugk, Posted November 12, 2014

> Tried that earlier, but the same problem is still there until I roll back to 1236

Did you really try it, and was the firewall module updated to 1248? You can check the version of the modules in the "About" window.

Marcos (Administrators), Posted November 13, 2014

Our engineers will check the logs. Unfortunately, the pcapng file was created after collecting logs using Log Collector, but we'll see if it will be enough to find out the cause or if fresh logs created in reverse order will be needed.