Eset blocking local network computers

[demonlight 0]

This started about a month ago, after an update.   ESET started blocking computers on my local network.  I have a Plex server running on Computer A and after an update, ESET started to block my other computers and devices (phones and tablets) that are on my local network.   Nothing changed except for the ESET update.     Before this update, I did not have this issue.    Now whenever I have a new device (or device that has not accessed Computer A Plex server),  I have to open ESET on Computer A,  Setup  -> Resolve Blocked Communications -> Remote devices.   I then have to unblock the device.   Why is ESET considering devices on my local network "remote devices" ?

[Marcos 5,085]

Do you have any custom firewall rules created? In automatic mode, non-initiated inbound communication requires a permissive rule to be created.

Please carry on as follows:

1. Enable advanced logging under Help and support -> Technical support
2. Reproduce the issue
3. Stop logging
4. Collect logs with ESET Log Collector and upload the generated archive here.

[demonlight 0]

13 hours ago, Marcos said:

Do you have any custom firewall rules created? In automatic mode, non-initiated inbound communication requires a permissive rule to be created.

Please carry on as follows:

1. Enable advanced logging under Help and support -> Technical support
2. Reproduce the issue
3. Stop logging
4. Collect logs with ESET Log Collector and upload the generated archive here.

The only custom firewall rules that I created is using 'Resolve Blocked Communications' section to unblock these local devices.   You say " In automatic mode, non-initiated inbound communication requires a permissive rule to be created."   Ive been using ESET Smart Security for about 6 years now and I have never had to create any rules for my local network devices.    Did anything change recently with ESET?  

 

[Marcos 5,085]

It has always worked that way and in automatic mode it was necessary to create a permissive rule to allow non-initiated inbound communication. However, I'd need to check ELC logs to find out what communication was blocked and how the firewall is set up.

[itman 1,667]

Review my comment with suggested mitigation at the end of this thread: https://forum.eset.com/topic/37455-incoming-connections-on-private-trusted-network-profile-are-blocked/ . It appears to have worked for this poster.

[demonlight 0]

On 9/4/2023 at 5:47 PM, itman said:

Review my comment with suggested mitigation at the end of this thread: https://forum.eset.com/topic/37455-incoming-connections-on-private-trusted-network-profile-are-blocked/ . It appears to have worked for this poster.

 

Removing the network connection didn't  work.   What did work is I created a Firewall rule called "Allow communication for Trusted Zone".     See screenshot.  

Any negatives in doing this if I trust all devices on my local network?     I'm still not sure what changed since the update, I never had this issue in the 6+ years using Eset Internet Security (Smart Security).

 

[itman 1,667]

13 hours ago, demonlight said:

Removing the network connection didn't  work.   What did work is I created a Firewall rule called "Allow communication for Trusted Zone". 

That should not be necessary and is potentially dangerous.

If you reviewed my comments in the above linked posting I referred you to, Eset default rules are conditioned upon what firewall profile is used. As long as your Eset network connection/s is set to Private, it has the same effect as the rule you created and does so in a safe manner.

[itman 1,667]

Also verify that your current Eset version is 16.2.13. If not, force an Eset product update.

There was an issue with the original 16.2 release in regards to handling inbound local subnet network traffic.

[Marcos 5,085]

Default firewall rules were fixed by an automatic module update. I'd be interested in checking ELC logs from the machine as it looks as though modules were not updated.

[demonlight 0]

3 hours ago, itman said:

Also verify that your current Eset version is 16.2.13. If not, force an Eset product update.

There was an issue with the original 16.2 release in regards to handling inbound local subnet network traffic.

Current version is 16.2.13.0   

Here are some other things I tried on Computer A:

1. Reset to Defaults (Advanced Setup -> Default)

2.  Set local network connection from Private to Public than to Private again.

2. Uninstalled ESET Internet Security, restarted, downloaded fresh copy of EIS, installed, updated, restarted

I still have this issue where all local devices are being blocked on that computer for Plex.

Next, I installed Plex server on another computer on my network, Computer B.  Computer B also has ESET Internet Security installed.   I then tried to access Plex on Computer B from both my phone and my laptop (both on the same network).     ESET is blocking those devices on that Computer B also.     So this rules out a computer specific issue.      It seems like my only option is to create Firewall rules to allow 'Trusted' devices to access the Plex server computer.     Is there anything else I should look at?

 

@Marcos - I dont feel comfortable uploading logs to a public forum.   Is there another support channel that can take a look at them?

[itman 1,667]

I'm pretty sure I know what the problem is.

The Eset firewall has a default enabled setting to defer to Win firewall inbound rules prior to blocking any inbound network traffic. As noted in other forum postings, that capability is busted in ver. 16.2.x and won't be fixed until ver. 17 is released.

Open the Win firewall and review existing inbound firewall rules. Assumed is that when you installed the Plex Media Server, the installer created the necessary Win Firewall inbound rules needed. Search for these rule/s. It probably is just a single rule allowing all inbound traffic for the associated Plex .exe. You can duplicate these rule/s in the Eset firewall rules set as inbound rule/s which should resolve this issue. If it does, then delete the Eset firewall rule to allow all inbound Trusted zone network traffic.

BTW - I also got burned by this bug and had to create an Eset inbound firewall rule to resolve it.

Quote

The most important port to make sure your firewall allows is the main TCP port the Plex Media Server uses for communication:

• TCP: 32400 (access to the Plex Media Server) [required]

The following additional ports are also used within the local network for different services:

• UDP: 1900 (access to the Plex DLNA Server)
• UDP: 5353 (older Bonjour/Avahi network discovery)
• TCP: 8324 (controlling Plex for Roku via Plex Companion)
• UDP: 32410, 32412, 32413, 32414 (current GDM network discovery)
• TCP: 32469 (access to the Plex DLNA Server)

Ref.: https://support.plex.tv/articles/201543147-what-network-ports-do-i-need-to-allow-through-my-firewall/

Edited September 6, 2023 by itman

[Marcos 5,085]

Frankly, I don't understand what you mean by deferring to Windows firewall rules. If the issue is related to Win firewall rules, does disabling this setting make a difference?

[demonlight 0]

2 hours ago, Marcos said:

Frankly, I don't understand what you mean by deferring to Windows firewall rules. If the issue is related to Win firewall rules, does disabling this setting make a difference?

Disabling that setting didn't do anything.

I ended up creating a custom rule for Plex, port 32400, inbound, Trusted Zone.

[itman 1,667]

40 minutes ago, demonlight said:

I ended up creating a custom rule for Plex, port 32400, inbound, Trusted Zone.

That makes sense since most of the installation postings I reviewed state that is the main port used.

Edited September 6, 2023 by itman

[demonlight 0]

43 minutes ago, itman said:

That makes sense since most of the installation postings I reviewed state that is the main port used.

Thanks for the help on this.   You mentioned earlier this was confirmed to have been a bug/break in version 16.2.13.0.   Did anyone from ESET confirm it would be fixed in the next update?

[Marcos 5,085]

15 minutes ago, demonlight said:

Thanks for the help on this.   You mentioned earlier this was confirmed to have been a bug/break in version 16.2.13.0.   Did anyone from ESET confirm it would be fixed in the next update?

As far as I know, there are no firewall related bugs that would not be fixed already. Please provide logs according to my instructions above.

[itman 1,667]

14 hours ago, demonlight said:

You mentioned earlier this was confirmed to have been a bug/break in version 16.2.13.0

Actually, I mis-posted on the bug. It pertains to missing data on Eset firewall alerts while in Interactive mode.

The issue is the Eset firewall does not correctly process inbound network traffic when the IP address associated with the local device is interpreted  as a remote IP address.