Jump to content

Issues with 10.1.2046 update


Recommended Posts

Both ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11 suffer from the same issue that did NOT exist prior to these updates. Every thing worked until these updates were installed. No other changes were made.

I use interactive mode. Several apps stopped functioning because ESET is blocking connections even though rules do exist to allow those connections. To keep this simple, I'll focus on one application; Veeam Agent for Microsoft Windows.

After every system reboot, ESET prompts about traffic for which I have already added a permanent rule for, from previous prompts. I currently have 8 identical rules for the same Veeam exe. After selecting Allow and adding a permanent rule, everything works until the next reboot. After each reboot, I'm promted again… Rinse, repeat.

And before anyone asks, there's no corresponding entries listed under Setup->Network->Resolve blocked Communication or Resolve temporarily blocked IP addresses.

Why is 127.0.0.1 a remote site?

2023-07-31_13-28-15.jpg.888a54cac18636f07d3e32ec8182b4c2.jpg

I even created a rule and added 127.0.0.1. Shouldn't the rule depicted below, allow the traffic depicted in the image above:

2023-07-31_13-30-41.thumb.jpg.0521e024099b4bacb767d0b91036f435.jpg

For the sake of clarity, if I get the prompt depicted in the first image and select Remember until application quits, or if I select Create rule and remember permanently, and click the Allow button, traffic is allowed and the app works until I reboot the system even when I have selected Create rule and remember permanently. After reboot, the traffic is once again blocked and I get the same prompt.

So what's going on here?

I've even used the ESET Cleaner and performed fresh installs.

This only happens with Interactive mode. I've even tried Learning mode but after switching back to Interactive mode, the issue comes back.

Edited by jeffshead
Link to comment
Share on other sites

I worked on this issue for many hours and got tired of dealing with it. I performed a clean uninstall and reinstalled 10.1.2045 and everything works as it should. Not only that, but the new interface for editing rules from the prompt is a step backwards. You can no longer select the IP address that you are being prompted about.

Link to comment
Share on other sites

18 minutes ago, jeffshead said:

I worked on this issue for many hours and got tired of dealing with it. I performed a clean uninstall and reinstalled 10.1.2045 and everything works as it should.

This is starting to appear the recommended fix since you are not the first to post about issues with the ver. 16.2.11 firewall processing. However, in the other incidents, uninstalling and reinstalling ver, 16.2.11 fixed their issues.

Edited by itman
Link to comment
Share on other sites

1 hour ago, jeffshead said:

Why is 127.0.0.1 a remote site?

Eset ver. 16.2.21 made changes to certain default firewall rules. One of those changes was the "Allow all traffic within the computer" rule. Previous to ver. 16.2.21, the rule was for both inbound and outbound network traffic. Now it applies to only inbound network traffic.

My suspicion is the firewall is not allowing outbound localhost traffic because Eset's firewall internal default processing as far as localhost addresses is not being covered by its default processing to allow all outbound traffic.

Another posting here about firewall localhost issue: https://forum.eset.com/topic/37252-only-localhost-ip-blocked/

Edited by itman
Link to comment
Share on other sites

There also been forum postings in regards to ESET Endpoint 10.1.2046 that is not referring in Win firewall inbound rules as it should under Eset default firewall setting. This also might be occurring in ESSP/EIS  ver. 16.2.21.

Edited by itman
Link to comment
Share on other sites

So I took the 10.1.2046.0 update, again, to do some more testing. Being that I'm in Interactive mode, I get prompted every time there's traffic for which there's no existing rule. I noticed that all of the prompts that I'm receiving are for the broken apps and traffic is going to either 127.0.0.1 or ::1. So apparently, the default rules are not the same as they were in 10.0.2045.

So what rule do I need to add to fix this issue?

Link to comment
Share on other sites

Posted (edited)
3 hours ago, itman said:

Eset ver. 16.2.21 made changes to certain default firewall rules. One of those changes was the "Allow all traffic within the computer" rule. Previous to ver. 16.2.21, the rule was for both inbound and outbound network traffic. Now it applies to only inbound network traffic...

So I see that the first default rule in 10.0.2045 allows both in and out traffic for local addresses. That same rule in 10.1.2046.0 allows only inbound. I copied that rule and changed the direction to outbound and then added it.

2023-07-31_19-29-41.thumb.jpg.08e2ec6bfd0b04fdd423ee85ee60cd2e.jpg

That seems to solve this issue.

Why was that default rule changed in 10.1.2046.0? Is this a bug? Is my workaround safe? If not, what other way can this issue be fixed?

Edited by jeffshead
Link to comment
Share on other sites

14 hours ago, jeffshead said:

Why was that default rule changed in 10.1.2046.0?

The real question is why other previous in/out firewall rules were likewise changed?

As far as I am concerned, the previous in/out "Allow all traffic within the computer" rule was more secure. It restricted this network traffic to local subnet addresses only for the default Automatic profile which by default, allows all outbound traffic. Note that there are documented malware that deploy a hidden localhost proxy that allows communication to their C&C attack server.

Edited by itman
Link to comment
Share on other sites

Also of note is this article: https://helpcenter.veeam.com/docs/agentforwindows/userguide/ports.html?ver=60 that shows all protocols and ports use by Veeam Agent Components. No where is mentioned localhost communication. One possible reason for lack of this is the Win firewall does not monitor localhost communication.

I would verify with Veeam that the localhost traffic observed is normal and legit.

Edited by itman
Link to comment
Share on other sites

54 minutes ago, itman said:

No where is mentioned localhost communication. One possible reason for lack of this is the Win firewall does not monitor localhost communication.

The Veeam agent has a service and a systray exe. The systray exe has to communicate with the service. Hence, localhost traffic.

Regardless of the Windows firewall, this issue is ONLY with ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11; not any other prior version of either ESET product.

I also tried adding the local addresses set to individual rules and disabling that catch all outbound rule that I created. It didn't work. That catch all outbound rule is necessary.

Link to comment
Share on other sites

So here is a screen cap of the default rule that comes with versions prior to ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11:

oldrule.thumb.jpg.59323f626307efeb661ef59bc054881a.jpg

 

Below is the default rule that comes with ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11:

newrule.jpg.de25fa9bee355204edc6fab111ff4728.jpg

I had to create a "catch all" outbound rule, as a workaround, to fix several applications that were broken by this latest ESET update. Maybe there's a system process that needs outbound to Local addresses for which I'm not receiving a prompt, but simply adding Local addresses to individual outbound rules for each application does not work for me.

Did ESET intentionally remove outbound from that default rule?

Link to comment
Share on other sites

23 minutes ago, Marcos said:

Please switch to the pre-release update channel and check again.

Thanks for the suggestion but I already tried that. It made no difference so I switched back.

Link to comment
Share on other sites

1 minute ago, Marcos said:

Are you sure there was no difference?

I just tried again. Mine is still inbound only. Maybe there is an update caching issue somewhere. Is there a module version that I can check?

Link to comment
Share on other sites

  • Administrators

Couldn't it be that you update from a mirror that downloads updates from the regular update channel?

Link to comment
Share on other sites

48 minutes ago, jeffshead said:

I just tried again. Mine is still inbound only. Maybe there is an update caching issue somewhere. Is there a module version that I can check?

I tried enabling pre-release and it works for me. I notice the firwall module is now 1439 7/18/2023. Previously it was 1438.2 7/13/2023.

Link to comment
Share on other sites

For those who haven't noticed it, I observed this morning that the ver. 16.2.11 of consumer products firewall rules were auto updated. The "Allow all connections with computer" rule plus the DHCP rules were changed to allow inbound/outbound network traffic from the previous only allow inbound network traffic.

I assume the same rule changes were also made on EES.

Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...