boardlord, posted August 8, 2023:
Since an update to Lenovo Vantage on Win10 22H2, EIS cannot block (or allow) Lenovo Vantage connections to the web in interactive mode. More specifically, the module "LenovoVantage-(VantageCoreAddin).exe". Every time I open Vantage, EIS throws up the dialogue windows to allow/block this file from accessing the web. It doesn't matter whether I allow or deny permanently, this comes up every time I start up the app. "Thanks" to that I've a truckload of rules for the same thing:
boardlord (Author), posted August 8, 2023:
Additional info: This is with EIS 16.1.14, as I need port info in the popups, so I downgraded from 16.2. Nevertheless, the behaviour is the same with 16.2.
Marcos (Administrators), posted August 8, 2023:
Please provide logs collected with ESET Log Collector. Does the problem persist if you install EIS and create rules from scratch?
boardlord (Author), posted August 8, 2023:
1 hour ago, Marcos said: "Please provide logs collected with ESET Log Collector. Does the problem persist if you install EIS and create rules from scratch?"
Log collector output sent in PM. When I downgraded to 16.1.14, I uninstalled 16.2 and reinstalled the previous version from scratch.
itman, posted August 8, 2023:
It appears to me that the Eset firewall can't process the "(" and ")" symbols in the file name; i.e. LenovoVantage-(VantageCoreAddin).exe. I have never seen a file name using those symbols although they are allowable characters.
boardlord (Author), posted September 4, 2023:
Any updates on this bug? Getting really annoyed with constant access popups related to Vantage (constantly have to purge my FW rules related to Vantage...). I'm afraid that legitimate access requests get lost in the noise.
Blizzard8349, posted November 10, 2023:
Same thing still happens here as well. Vantage runs on startup here, so whenever the system starts I get a few prompts from ESET Internet Security about it, no matter how I choose to handle them.
Marcos (Administrators), posted November 10, 2023:
Lenovo seems to have started using hard links, each pointing to the same physical file.

    C:\Program Files (x86)\Lenovo\VantageService\3.13.72.0>fsutil hardlink list "LenovoVantage-(SmartPrivacyAddin).exe"
    \Program Files (x86)\Lenovo\VantageService\3.13.72.0\LenovoVantage-(MultimediaAddin).exe
    \Program Files (x86)\Lenovo\VantageService\3.13.72.0\LenovoVantage-(SmartPrivacyAddin).exe
    \Program Files (x86)\Lenovo\VantageService\3.13.72.0\LenovoVantage-(VantageCoreAddin).exe
    \Program Files (x86)\Lenovo\VantageService\3.13.72.0\Lenovo.Vantage.AddinHost.exe
    \Program Files (x86)\Lenovo\VantageService\3.13.72.0\LenovoVantage-(LenovoServiceBridgeAddin).exe
    \Program Files (x86)\Lenovo\VantageService\3.13.72.0\LenovoVantage-(GenericTelemetryAddin).exe
    \Program Files (x86)\Lenovo\VantageService\3.13.72.0\LenovoVantage-(LenovoCompanionAppAddin).exe
    \Program Files (x86)\Lenovo\VantageService\3.13.72.0\LenovoVantage-(LenovoProductivitySystemAddin).exe

I've tried to duplicate it now with Lenovo Vantage and v17 to no avail. Please let us know if switching to the pre-release update channel and upgrading to v17.0.10 makes a difference.
boardlord (Author), posted November 10, 2023 (edited November 10, 2023 by boardlord):
I've updated to the pre-release version (17.0.10.0) and I'm sorry to say this issue still isn't fixed while using FW in interactive mode. ESET is still asking me what to do about Vantage multiple times, and thus creating multiple, identical rules:
Attachment: eis_logs.zip
Marcos (Administrators), posted November 10, 2023:
Those are not actually identical. Firewall rules are created for a specific file; however, the firewall internally works with aliases / hard links, which are different in this case. According to the output of fsutil shown above, there can be 8 rules for 1 file that appear identical, but they are not identical in fact because each is created for a different alias of the file. If you notice this behavior also for apps other than the Lenovo app, let us know so that we can investigate if it uses hard links / aliases as well.
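Added example, not part of the thread and not ESET's or Lenovo's code: a way to see which file names in a directory are hard-link aliases of one physical file, and how many per-path rules end up pointing at the same file. The function names and the constructed demo directory are assumptions; only the three file names come from the fsutil output above.

```python
import os
import tempfile
from collections import defaultdict


def hardlink_groups(directory):
    """Return sorted name lists for files in `directory` sharing one (st_dev, st_ino)."""
    groups = defaultdict(list)
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            # os.stat() rather than entry.stat(): on Windows the DirEntry
            # result leaves st_ino/st_dev/st_nlink set to zero.
            st = os.stat(entry.path, follow_symlinks=False)
            groups[(st.st_dev, st.st_ino)].append(entry.name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def rules_per_physical_file(rule_paths):
    """Map each physical file identity to the rule paths that resolve to it."""
    by_file = defaultdict(list)
    for path in rule_paths:
        st = os.stat(path)
        by_file[(st.st_dev, st.st_ino)].append(path)
    return dict(by_file)


def build_demo(directory):
    """Constructed sample: one host binary, two hard-link aliases of it
    (names as in the fsutil output), and one unrelated file."""
    host = os.path.join(directory, "Lenovo.Vantage.AddinHost.exe")
    with open(host, "wb") as fh:
        fh.write(b"constructed placeholder, not a real binary")
    for alias in ("LenovoVantage-(VantageCoreAddin).exe",
                  "LenovoVantage-(SmartPrivacyAddin).exe"):
        os.link(host, os.path.join(directory, alias))
    with open(os.path.join(directory, "unrelated.exe"), "wb") as fh:
        fh.write(b"different file")
    return directory


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        for names in hardlink_groups(tmp):
            print(len(names), "names, one file:", names)
```

Pointing `hardlink_groups` at an installed application's directory lists the alias sets, which shows how many distinct per-path rules a single binary can legitimately generate.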
boardlord (Author), posted November 11, 2023:
I've 30 rules for blocking LenovoVantage-(VantageCoreAddin).exe...
Marcos (Administrators), posted November 12, 2023:
You could try switching to learning mode while using the Lenovo app as it will automatically create and merge several rules into one. Then you can switch to interactive mode which should no longer ask about it.
boardlord (Author), posted November 13, 2023 (edited November 13, 2023 by boardlord: attached logs):
No joy... I switched to Learning mode, started Vantage multiple times (got the popups that new rules have been created), switched back to Interactive, and the prompts started again. I repeated this a number of times, and the result was the same.
Attachment: eis_logs.zip
boardlord (Author), posted November 17, 2023:
And now up to 100 rules - this is definitely not fixed.
boardlord (Author), posted November 21, 2023 (edited November 21, 2023 by boardlord):
This is getting a bit ridiculous now... Up to 165 rules. Any info on what you can do? Frankly, I'm getting tired of this. I NEED Vantage to limit battery charging so cannot uninstall it, but I also need an interactive FW.
boardlord (Author), posted December 1, 2023:
Feedback would be appreciated here, @Marcos. This issue literally makes Interactive FW unusable if Vantage is installed.
JackSparrow, posted December 1, 2023:
I had the same issue with Lenovo Vantage and found a workaround. I have blocked Vantage IP addresses for all processes and now I am not getting any interactive firewall prompts regarding Vantage. Just manually delete all rules related to Vantage, and when you get the next prompt, set the rules so they apply only to IP and be sure to uncheck Application.
boardlord (Author), posted December 1, 2023:
OK, that seems to be a better approach and seems to silence the nags, thanks... But, this still is a major bug!
JackSparrow, posted December 1, 2023:
Agreed, it's annoying.
Marcos (Administrators), posted December 1, 2023:
We now know what is causing it. It's that we started to ask the Anti-Stealth about processes both from the kernel and user mode when they start compared to asking when they were already started in older firewall module versions. We'll make some optimizations to reduce the number of rules due to processes differently identified at various stages of running by the operating system that provides data to Anti-stealth.
DWGP, posted December 15, 2023 (edited December 15, 2023 by Marcos: machine translation added):
Please can you tell me what the solution is? I have the same problem and so far I can't find the solution.
Marcos (Administrators), posted December 15, 2023:
For now you can create a rule for IP addresses accessed by the Lenovo tool instead of specifying the application.
DWGP, posted December 15, 2023:
4 hours ago, Marcos said: "For now you can create a rule for IP addresses accessed by the Lenovo tool instead of specifying the application."
I don't know where that procedure is carried out. Could you explain in detail how to carry out that procedure, please?
Marcos (Administrators), posted December 15, 2023:
48 minutes ago, DWGP said: "I don't know where that procedure is carried out. Could you explain in detail how to carry out that procedure, please?"
This is an English forum. We kindly ask you to post in English.
DWGP, posted December 15, 2023:
Sorry. Could you detail how to carry out this procedure? I don't know where I can create a rule for IP addresses.