After a few hours, the firewall starts blocking applications with rules that use environment variables

[labynko 6]

Hello.

After the release of the new firewall module 1438.2 dated 07/13/2023, problems began to be observed with blocking applications for which allow rules were created using environment variables (for example, %userprofile%). Programs begin to block a few hours after they have been launched. It helps to restart the blocked program.

Is this a known issue and how soon will it be fixed?

[PatrickB 0]

Its certainly known to users, but ESET so far is yet to ackowledge anything except for "well, just create firewall rules for everything"

Even though it has worked normally for years.

Edited July 26, 2023 by PatrickB

[labynko 6]

I have collected, I hope, all the necessary information that can help deal with the problem.

At the moment, I do not have the opportunity to create a case through my personal account, but I hope that ESET is interested in solving the problem.

I recorded a video that demonstrates how ESET Endpoint Security 10.1.2046.0 blocks Opera's network communication with the ESET PROTECT web interface, ignoring an allow rule that specifies the process path using an environment variable.

I sent the password and a link to the archive with diagnostic information to Marcus in private messages.

[Marcos 5,741]

Thanks for the logs, we have successfully reproduced the issue. It will be fixed in the Firewall module 1440 soon. We have also fixed default rules that now match those from v10.0 and older, this fix will be distributed via an automatic module Configuration engine update soon.

[labynko 6]

Glad to hear that. Thank you. We are waiting for the update of the firewall module.

[labynko 6]

Marcos, how soon will a new version of the firewall module get into regular updates?

[labynko 6]

A month has passed since the release date of the firewall module 1438.2.

When will the new version of the firewall module get into regular updates?

[Marcos 5,741]

The firewall module 1439 has been fully released just yesterday, we are now working on v1439.1 which is expected to include also a fix for the variables in the app path. It should be available on the pre-release update channel around Oct 21.

[labynko 6]

Almost two weeks have passed, and the firewall module version 1438.2 has been distributed in regular updates and is still being distributed. At the same time, it's funny that if you install ESET Endpoint Security 10.1.2050.0, then the firewall module will have version 1439, and if you upgrade to ESET Endpoint Security 10.1.2050.0, it will be 1438.2.

What is the reason for such a delay?

[Marcos 5,741]

The firewall module 1439.1 with a fix was put on the pre-release update channel on August 21. I assume that we'll start to distribute it gradually to users on the regular update channel next week.

[labynko 6]

Do I understand correctly that the problem has not yet been resolved, and it will be resolved in version 1440 of the firewall module, which will be released on October 21?

[Marcos 5,741]

The issue was addressed in the Personal firewall module 1439.1 fully released on Sept. 5.

[labynko 6]

I inform you that the problem indicated in the topic is not resolved in the firewall module 1439.1.

After the new version of the firewall module was installed, in my case it was 09/06/2023, a problem arose with Opera at least four times. Sometimes restarting the browser does not help, and you have to restart it again.

Edited September 22, 2023 by labynko

[Marcos 5,741]

Then it must be a different issue. What we have fixed was that a restart of the application was needed for the firewall rule to work. Please raise a support ticket.