LiveGrid port forwarding issues

[Ssooz 0]

Hi,

I've got this issue where ESET LiveGrid has trouble reaching its online reputation database. I have opened TCP 80, both TCP & UDP 53535 on my modem and even set Firewall rules but I cant seem to get it to work correctly. I suspect something wrong with my modem because testing the ports still return as CLOSED even though they should be OPEN. Am I missing a step? Not sure what I'm supposed to do with all the Hostnames listed on the KB332 webpage...

Thank you

[Marcos 5,158]

Please carry on as follows:

1. Enable advanced logging under Help and support -> Technical support
2. Reboot the machine
3. Reproduce the issue
4. Stop logging
5. Collect logs with ESET Log Collector and upload the generated archive here.

[itman 1,717]

1 hour ago, Ssooz said:

I have opened TCP 80, both TCP & UDP 53535 on my modem and even set Firewall rules but I cant seem to get it to work correctly.

Also per Eset KB article;

Quote

Also, access to your local DNS server is required for DNS queries on UDP/TCP port 53.

The default ESSP firewall rule for DNS would allow for the above communication.

1 hour ago, Ssooz said:

I suspect something wrong with my modem because testing the ports still return as CLOSED even though they should be OPEN.

You can test modem port status here: https://www.grc.com/shieldsup.

Finally, you mention modem. Do you have a router attached to the modem?

[Ssooz 0]

2 minutes ago, itman said:

You can test modem port status here: https://www.grc.com/shieldsup.

I have, 80 comes back as CLOSED but 53535 comes back as STEALTH.

 

3 minutes ago, itman said:

Finally, you mention modem. Do you have a router attached to the modem?

I have Bell's HomeHub 3000 (which I believe is made specifically for Canada but I could be wrong) which I think acts as both a modem and router. It is known for being not so great at port forwarding which is why I suspect it to be the reason ESET has trouble connecting to its Cloud.

53 minutes ago, Marcos said:

Please carry on as follows:

1. Enable advanced logging under Help and support -> Technical support
2. Reboot the machine
3. Reproduce the issue
4. Stop logging
5. Collect logs with ESET Log Collector and upload the generated archive here.

Attached below!

essp_logs.zip

[itman 1,717]

2 minutes ago, Ssooz said:

I have, 80 comes back as CLOSED but 53535 comes back as STEALTH.

On the WAN side of the modem, all your ports should show as Stealth or Closed which is what the GRC app tests for. Assumed is other like web tests you ran would be testing the WAN side of the modem.

 

[itman 1,717]

Did you modify the default Windows inbound firewall rules prior to installing Eset?

[Ssooz 0]

1 minute ago, itman said:

Did you modify the default Windows inbound firewall rules prior to installing Eset?

I didnt. Only added new inbound and outbound rules when trying to get LiveGrid to work.

[Ssooz 0]

Anything I can try?

[itman 1,717]

One strong possibility for your LiveGrid connectivity issue is your Bell HomeHub 3000 modem/router is blocking either outbound or inbound TCP and UDP port 53535 network traffic. You stated you made firewall modifications on the modem/router for this traffic which normally is not required.

You should checked your modem/router firewall log for blocked outbound or inbound TCP and UDP port 53535 network traffic. If no blocked log entries exist for this traffic, the problem is not with the modem/router. If blocked log entries exist for this network traffic, you should contact your ISP; assuming they provided the modem/router, for assistance in creating the required firewall exceptions/rules to allow required Eset LiveGrid network traffic. 

Edited June 22, 2023 by itman

[Marcos 5,158]

Does the issue occur if you are not connected via OpenVPN? Does temporarily uninstalling it make a difference? Is this adapter installed by OpenVPN?

Unknown adapter Mullvad:

   Description . . . . . . . . . . . : Mullvad Tunnel

   Link-local IPv6 Address . . . . . : fe80::4dc0:5438:c35d:200e%14(Preferred)

   IPv4 Address. . . . . . . . . . . : 10.15.0.13(Preferred)

 

As you can see in the pcap log, we didn't receive any response from a LiveGrid server:

[itman 1,717]

2 hours ago, Marcos said:

Is this adapter installed by OpenVPN?

Mullvad is a VPN service originating in Sweden: https://mullvad.net/en . More details here: https://mullvad.net/en/about . It appears to have no connections to OpenVPN.

It would have been beneficial if the OP mentioned initially he was using a VPN.

[Marcos 5,158]

I'd suggest to disable or even temporarily uninstall the VPN to see if it makes a difference.

[itman 1,717]

Here's a forum thread dating to 2021 about issues with LiveGrid connectivity and Mullvad VPN: https://forum.eset.com/topic/30515-eset-live-grid-servers-cannot-be-reached/ .

The OP switched to a different VPN and his LiveGrid issues were resolved.

[Ssooz 0]

Sorry guys for the late reply! 

So it does happen with the VPN disconnected though I did test with AMTSO Testing with its Cloudcar file (with Mullvad ENABLED) and it is correctly blocked by ESET so I figure it does reach LiveGrid servers?

Thank you both and happy 4th of July!

[Marcos 5,158]

Have you figured out the cause of the issue or it still persists when you are not connected via the VPN?