jeffshead 0 Posted July 31, 2023 Share Posted July 31, 2023 (edited) Both ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11 suffer from the same issue that did NOT exist prior to these updates. Every thing worked until these updates were installed. No other changes were made. I use interactive mode. Several apps stopped functioning because ESET is blocking connections even though rules do exist to allow those connections. To keep this simple, I'll focus on one application; Veeam Agent for Microsoft Windows. After every system reboot, ESET prompts about traffic for which I have already added a permanent rule for, from previous prompts. I currently have 8 identical rules for the same Veeam exe. After selecting Allow and adding a permanent rule, everything works until the next reboot. After each reboot, I'm promted again… Rinse, repeat. And before anyone asks, there's no corresponding entries listed under Setup->Network->Resolve blocked Communication or Resolve temporarily blocked IP addresses. Why is 127.0.0.1 a remote site? I even created a rule and added 127.0.0.1. Shouldn't the rule depicted below, allow the traffic depicted in the image above: For the sake of clarity, if I get the prompt depicted in the first image and select Remember until application quits, or if I select Create rule and remember permanently, and click the Allow button, traffic is allowed and the app works until I reboot the system even when I have selected Create rule and remember permanently. After reboot, the traffic is once again blocked and I get the same prompt. So what's going on here? I've even used the ESET Cleaner and performed fresh installs. This only happens with Interactive mode. I've even tried Learning mode but after switching back to Interactive mode, the issue comes back. Edited July 31, 2023 by jeffshead Link to comment Share on other sites More sharing options...
jeffshead 0 Posted July 31, 2023 Author Share Posted July 31, 2023 I worked on this issue for many hours and got tired of dealing with it. I performed a clean uninstall and reinstalled 10.1.2045 and everything works as it should. Not only that, but the new interface for editing rules from the prompt is a step backwards. You can no longer select the IP address that you are being prompted about. Link to comment Share on other sites More sharing options...
itman 1,667 Posted July 31, 2023 Share Posted July 31, 2023 (edited) 18 minutes ago, jeffshead said: I worked on this issue for many hours and got tired of dealing with it. I performed a clean uninstall and reinstalled 10.1.2045 and everything works as it should. This is starting to appear the recommended fix since you are not the first to post about issues with the ver. 16.2.11 firewall processing. However, in the other incidents, uninstalling and reinstalling ver, 16.2.11 fixed their issues. Edited July 31, 2023 by itman Link to comment Share on other sites More sharing options...
itman 1,667 Posted July 31, 2023 Share Posted July 31, 2023 (edited) 1 hour ago, jeffshead said: Why is 127.0.0.1 a remote site? Eset ver. 16.2.21 made changes to certain default firewall rules. One of those changes was the "Allow all traffic within the computer" rule. Previous to ver. 16.2.21, the rule was for both inbound and outbound network traffic. Now it applies to only inbound network traffic. My suspicion is the firewall is not allowing outbound localhost traffic because Eset's firewall internal default processing as far as localhost addresses is not being covered by its default processing to allow all outbound traffic. Another posting here about firewall localhost issue: https://forum.eset.com/topic/37252-only-localhost-ip-blocked/ Edited July 31, 2023 by itman Link to comment Share on other sites More sharing options...
itman 1,667 Posted July 31, 2023 Share Posted July 31, 2023 (edited) There also been forum postings in regards to ESET Endpoint 10.1.2046 that is not referring in Win firewall inbound rules as it should under Eset default firewall setting. This also might be occurring in ESSP/EIS ver. 16.2.21. Edited July 31, 2023 by itman Link to comment Share on other sites More sharing options...
jeffshead 0 Posted July 31, 2023 Author Share Posted July 31, 2023 So I took the 10.1.2046.0 update, again, to do some more testing. Being that I'm in Interactive mode, I get prompted every time there's traffic for which there's no existing rule. I noticed that all of the prompts that I'm receiving are for the broken apps and traffic is going to either 127.0.0.1 or ::1. So apparently, the default rules are not the same as they were in 10.0.2045. So what rule do I need to add to fix this issue? Link to comment Share on other sites More sharing options...
jeffshead 0 Posted July 31, 2023 Author Share Posted July 31, 2023 (edited) 3 hours ago, itman said: Eset ver. 16.2.21 made changes to certain default firewall rules. One of those changes was the "Allow all traffic within the computer" rule. Previous to ver. 16.2.21, the rule was for both inbound and outbound network traffic. Now it applies to only inbound network traffic... So I see that the first default rule in 10.0.2045 allows both in and out traffic for local addresses. That same rule in 10.1.2046.0 allows only inbound. I copied that rule and changed the direction to outbound and then added it. That seems to solve this issue. Why was that default rule changed in 10.1.2046.0? Is this a bug? Is my workaround safe? If not, what other way can this issue be fixed? Edited July 31, 2023 by jeffshead Link to comment Share on other sites More sharing options...
itman 1,667 Posted August 1, 2023 Share Posted August 1, 2023 (edited) 14 hours ago, jeffshead said: Why was that default rule changed in 10.1.2046.0? The real question is why other previous in/out firewall rules were likewise changed? As far as I am concerned, the previous in/out "Allow all traffic within the computer" rule was more secure. It restricted this network traffic to local subnet addresses only for the default Automatic profile which by default, allows all outbound traffic. Note that there are documented malware that deploy a hidden localhost proxy that allows communication to their C&C attack server. Edited August 1, 2023 by itman Link to comment Share on other sites More sharing options...
itman 1,667 Posted August 1, 2023 Share Posted August 1, 2023 (edited) Also of note is this article: https://helpcenter.veeam.com/docs/agentforwindows/userguide/ports.html?ver=60 that shows all protocols and ports use by Veeam Agent Components. No where is mentioned localhost communication. One possible reason for lack of this is the Win firewall does not monitor localhost communication. I would verify with Veeam that the localhost traffic observed is normal and legit. Edited August 1, 2023 by itman Link to comment Share on other sites More sharing options...
jeffshead 0 Posted August 1, 2023 Author Share Posted August 1, 2023 54 minutes ago, itman said: No where is mentioned localhost communication. One possible reason for lack of this is the Win firewall does not monitor localhost communication. The Veeam agent has a service and a systray exe. The systray exe has to communicate with the service. Hence, localhost traffic. Regardless of the Windows firewall, this issue is ONLY with ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11; not any other prior version of either ESET product. I also tried adding the local addresses set to individual rules and disabling that catch all outbound rule that I created. It didn't work. That catch all outbound rule is necessary. Link to comment Share on other sites More sharing options...
jeffshead 0 Posted August 5, 2023 Author Share Posted August 5, 2023 So here is a screen cap of the default rule that comes with versions prior to ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11: Below is the default rule that comes with ESET Endpoint 10.1.2046 and ESET Internet Security 16.2.11: I had to create a "catch all" outbound rule, as a workaround, to fix several applications that were broken by this latest ESET update. Maybe there's a system process that needs outbound to Local addresses for which I'm not receiving a prompt, but simply adding Local addresses to individual outbound rules for each application does not work for me. Did ESET intentionally remove outbound from that default rule? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,085 Posted August 5, 2023 Administrators Share Posted August 5, 2023 Please switch to the pre-release update channel and check again. Link to comment Share on other sites More sharing options...
jeffshead 0 Posted August 5, 2023 Author Share Posted August 5, 2023 23 minutes ago, Marcos said: Please switch to the pre-release update channel and check again. Thanks for the suggestion but I already tried that. It made no difference so I switched back. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,085 Posted August 5, 2023 Administrators Share Posted August 5, 2023 Are you sure there was no difference? Link to comment Share on other sites More sharing options...
jeffshead 0 Posted August 5, 2023 Author Share Posted August 5, 2023 1 minute ago, Marcos said: Are you sure there was no difference? I just tried again. Mine is still inbound only. Maybe there is an update caching issue somewhere. Is there a module version that I can check? Link to comment Share on other sites More sharing options...
Administrators Marcos 5,085 Posted August 5, 2023 Administrators Share Posted August 5, 2023 Couldn't it be that you update from a mirror that downloads updates from the regular update channel? Link to comment Share on other sites More sharing options...
FRiC 9 Posted August 5, 2023 Share Posted August 5, 2023 48 minutes ago, jeffshead said: I just tried again. Mine is still inbound only. Maybe there is an update caching issue somewhere. Is there a module version that I can check? I tried enabling pre-release and it works for me. I notice the firwall module is now 1439 7/18/2023. Previously it was 1438.2 7/13/2023. Link to comment Share on other sites More sharing options...
itman 1,667 Posted August 7, 2023 Share Posted August 7, 2023 (edited) For those who haven't noticed it, I observed this morning that the ver. 16.2.11 of consumer products firewall rules were auto updated. The "Allow all connections with computer" rule plus the DHCP rules were changed to allow inbound/outbound network traffic from the previous only allow inbound network traffic. I assume the same rule changes were also made on EES. Edited August 7, 2023 by itman Link to comment Share on other sites More sharing options...
Recommended Posts