Posted

Good day, ladies and gentlemen..
-
I'm using ESET Smart Security 8 on Windows 8.1 Pro x86, Office LAN (has proxy), IIS 8, my computer IP Address is xx.xx.x.44, other computer IP Address is xx.xx.x.45 (on the same network), both use Firefox 33.1, proxy turned off.
**
I open my xx.xx.x.44 on my browser. IIS 8 default page appeared. It works.
I open xx.xx.x.44 from xx.xx.x.45 on Firefox. Error page appeared. It doesn't work.
I turn 44's ESET Personal Firewall off. Open 44 from 45. IIS 8 default page appeared. It works.
I turn 44's firewall on. Open 44 from 45. Error page appeared. It doesn't work.
So it's safe to assume that I have a firewall problem. My ESET Personal Firewall Filtering Mode is set to Automatic.
I change the Filtering mode to Interactive. I open 44 from 45. On the 45, the browser is loading. On my 44, this appears..
[attached screenshot]
then I do this..
[attached screenshot]
then I click Allow
I do refresh on 45. IIS 8 default page appeared. It works.
I leave my current firewall mode like that.
I set logging for that rule, so that I can see anyone that accesses it. Then I remember, in my office network, there are some computers that have a virus that always 'walks' from its den to another computer through the network.
Not long after I set the log, I see this..
[attached screenshot]
I believe that I only access my 44 from 45. The 29 must be that virus. Then I look at the detected threats. I can't find 29 in the log.

I don't know, but I think if the firewall for "Application : System" is already set to allow, then ESET won't detect any virus that comes through it.

I don't know.. so if I leave my current firewall setting like that, am I safe?

**

Good day, ladies and gentlemen..

-

I'm sorry, thank you..  :D

  • Administrators
Posted

So you're saying you don't know the device with the IP address ending with .29? Is that server accessible from the web or within your LAN only?

Posted

I know the 29.. it's my partner's.. and I believe that computer has viruses.. I checked it..

the server is accessible just within the LAN..

Posted

FYI you can adjust the firewall rule in a way it only allows the connection from one specific IP.

This is maybe what you're looking for.

Posted

FYI you can adjust the firewall rule in a way it only allows the connection from one specific IP.

This is maybe what you're looking for.

no, no..

I want the 29 to be able to access my computer too.. but not with its threats.. I want all IPs in my LAN to access my 44..

that's why my question is simply "am I safe?"  ;)

Posted (edited)

Hello,

What you need to distinguish here is that a virus/threat may be in the form of a file, and a network connection from another object is an "intrusion" and this is what the firewall is built for... Preventing intrusions and irregular network activity.

Malicious files vs Intrusions 101

If computer A sends a virus to computer B while "B" has firewall to block all incoming connections - (No connection made and file not transferred)

If computer A sends a virus to computer B while "B" has firewall set to allow all incoming connections - (Connection made and file transferred) - however "real-time protection" or the part of the software watching disk activity will quarantine the threat upon arrival if it is indeed bad or surely listed in ESET's database. Will recognize.

However in the result that a virus on computer A has instructions to change network settings on computer B without moving itself and the firewall is set to allow all incoming connections... This is a totally different story, and you would not be safe without the firewall locked down and configured properly to block the connection (intrusion).

So in short, you may be safe, but depending on the threats, I would say an accurate answer is unobtainable with the amount of information given.

If it were my network, I would straight up create a rule to block the IP ending in 29, re-image that workstation completely, then delete the block and get back on track.

Creating generalized rules, although convenient, is not a good rule of thumb in the field if you require tight security.

Edited by Arakasi
Posted (edited)

To answer your question about the logs and your rule created.

You created a rule that always allows connections to .44 on port 80 regardless of the incoming IP.

This is why .29 is allowed and showing up in your logs.

This is a generalized rule.

To fix it, create a rule like this per your quote "I believe that I only access my 44 from 45."

Allow access only from .45 on port 80, switch firewall to interactive, and any connections made to .44 from others like .29 will have a prompt so you can create a block rule.

Edited by Arakasi
Posted

FYI you can adjust the firewall rule in a way it only allows the connection from one specific IP.

This is maybe what you're looking for.

no, no..

I want the 29 to be able to access my computer too.. but not with its threats.. I want all IPs in my LAN to access my 44..

that's why my question is simply "am I safe?"  ;)

If you allow all connections to access 44 that remain in your subnet, this is a generalized rule.

While it works, no it is not as safe, unfortunately.

If you add more specificity like only port 80, you are getting a little safer.

In the end, it is much easier to simply add your network's subnet to the list of trusted zones. Then all IPs in your subnet will be considered safe connections. :D
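The rule choices discussed in the replies above (the port-80 rule open to any address, the rule limited to .45, the temporary block on .29, and the subnet-wide allow), modelled as an added example that is not part of the thread and not ESET's implementation. The 192.0.2.x addresses, the first-match evaluation and the "ask"/"block" fallback are simplifying assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (192.0.2.0/24 is a documentation range). The thread
# masks the real ones, so only the last octets (.44, .45, .29) match the posts.
TRUSTED_PEER, INFECTED_PEER = "192.0.2.45", "192.0.2.29"

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "block"
    remote: str   # CIDR range the remote address must fall in
    port: int     # local TCP port on the .44 machine

    def matches(self, remote_ip: str, port: int) -> bool:
        return port == self.port and ip_address(remote_ip) in ip_network(self.remote)

def decide(rules, remote_ip, port, mode="interactive"):
    """First matching rule wins (assumed model). Unmatched inbound traffic
    prompts the user in interactive mode and is blocked otherwise."""
    for rule in rules:
        if rule.matches(remote_ip, port):
            return rule.action
    return "ask" if mode == "interactive" else "block"

# The generalized rule from the first post: port 80, any remote address.
GENERAL = [Rule("allow", "0.0.0.0/0", 80)]
# The suggested fix: port 80 only from .45.
SPECIFIC = [Rule("allow", "192.0.2.45/32", 80)]
# Whole subnet allowed, with a temporary block on .29 placed first.
QUARANTINE = [Rule("block", "192.0.2.29/32", 80),
              Rule("allow", "192.0.2.0/24", 80)]

def audit(rules, peers=(TRUSTED_PEER, INFECTED_PEER), port=80):
    """Return the decision each peer gets for an inbound connection."""
    return {ip: decide(rules, ip, port) for ip in peers}

if __name__ == "__main__":
    for name, rules in [("general", GENERAL), ("specific", SPECIFIC),
                        ("quarantine", QUARANTINE)]:
        print(name, audit(rules))
```

Whatever the rule set decides, it only governs whether the connection is made; it does not inspect what is transferred over an allowed connection.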

Posted (edited)

If computer A sends a virus to computer B while "B" has firewall to block all incoming connections - (No connection made and file not transferred)

If computer A sends a virus to computer B while "B" has firewall set to allow all incoming connections - (Connection made and file transferred) - however "real-time protection" or the part of the software watching disk activity will quarantine the threat upon arrival if it is indeed bad or surely listed in ESET's database. Will recognize.

then.. as long as the real-time protection is alive.. it will recognize any incoming virus, even if I turned the firewall off?

I have shared my files over my LAN, encrypted, no password.. but I never see any incoming attack in the log.. I can't understand the difference between accessing my 44 using hxxp:// hxxp:// from browsers and using \\ from Explorer..

Edited by supervergil
Posted

Keep real time on, and if a major threat hits your disk no matter the location; if it tries to run, move, or launch itself etc. It will be caught provided the malware data of said threat is embedded inside ESET's definitions.

Posted

If computer A sends a virus to computer B while "B" has firewall to block all incoming connections - (No connection made and file not transferred)

If computer A sends a virus to computer B while "B" has firewall set to allow all incoming connections - (Connection made and file transferred) - however "real-time protection" or the part of the software watching disk activity will quarantine the threat upon arrival if it is indeed bad or surely listed in ESET's database. Will recognize.

then.. as long as the real-time protection is alive.. it will recognize any incoming virus, even if I turned the firewall off?

I have shared my files over my LAN, encrypted, no password.. but I never see any incoming attack in the log.. I can't understand the difference between accessing my 44 using hxxp:// hxxp:// from browsers and using \\ from Explorer..

\\ shell or Windows Explorer uses IPC (inter-process communication) & DDE (dynamic data exchange).

Component Object Model might help you understand, and Windows Explorer, previously File Explorer, uses named pipes.

Http:\\ from browser is using the application layer of IP suite with HTTP protocol, actually using a network interface and is an internet-facing protocol.

This will get grief from a software firewall monitoring the adapter.

:)

This topic is now closed to further replies.