Added local & trusted zone as allowed, still getting asked for local ip

[Utini 1]

Hey there,

 

I added for spoolsv.exe the following rule:

 

Allow - UDP OUT - Port 161 - Trusted Zone + Local Adresses

 

Still I get asked about an UDP 161 connection to 192.168.1.59 (which is a local adress and within my home network = trusted zone) ?

 

Any suggestions?

 

Thanks

[Patch 16]

Still I get asked about an UDP 161 connection to 192.168.1.59 (which is a local adress and within my home network = trusted zone) ?

 

Any suggestions?

 

I also find "Trusted Zone" doesn't work that reliably.

I guess the problem is it is defined dynamically so may not be set up properly when it is initially used. As my computers are mostly on a network with a static IP range, adding this range appears to fix it for me.

[Utini 1]

 

Still I get asked about an UDP 161 connection to 192.168.1.59 (which is a local adress and within my home network = trusted zone) ?

 

Any suggestions?

 

I also find "Trusted Zone" doesn't work that reliably.

I guess the problem is it is defined dynamically so may not be set up properly when it is initially used. As my computers are mostly on a network with a static IP range, adding this range appears to fix it for me.

 

 

Yep that would fix it for me too, but adding "local" or "trusted" would be a lot more comfortable. Especially when using a laptop in different wlan/office networks

[Marcos 5,069]

I added for spoolsv.exe the following rule:

Allow - UDP OUT - Port 161 - Trusted Zone + Local Adresses

Still I get asked about an UDP 161 connection to 192.168.1.59 (which is a local adress and within my home network = trusted zone) ?

 

By default, there are no rules that would prompt you for an action so it must be a custom rule you've created that triggers the window with action selection. Without seeing all rules, it's impossible to tell why you keep being prompted for an action.

[Utini 1]

I use interactive mode so I get asked for everything that isn't in the standart ESET rules?

 

I added pictures of my (relevant) rules below.

 

Thanks

[Marcos 5,069]

There are many "ask" rules. To find out which one is triggering the window with action selection, tick the "Log" box so that applying a particular rule is logged in the firewall log. It seems there's another rule that is stronger than the rule allowing communication on port 161.

[Utini 1]

There are many "ask" rules. To find out which one is triggering the window with action selection, tick the "Log" box so that applying a particular rule is logged in the firewall log. It seems there's another rule that is stronger than the rule allowing communication on port 161.

 

Hmm i am not sure if I fully understand the way it works. All the ask rules are either for other files or are pre-defined by ESET so that they cannot be changed. For spoolsv.exe there is a specific rule that allows trusted zone and local adresses.

 

Anyway I will enable the log and try it out after work

 

Thanks

[Marcos 5,069]

 

All the ask rules are either for other files or are pre-defined by ESET so that they cannot be changed.

 

No, that's a wrong assumption. Pre-defined rules either allow or block certain communication, there's no pre-defined rule with the action set to ask.

[Utini 1]

 

 

All the ask rules are either for other files or are pre-defined by ESET so that they cannot be changed.

 

No, that's a wrong assumption. Pre-defined rules either allow or block certain communication, there's no pre-defined rule with the action set to ask.

 

 

Yes you are right ofcourse  

 

Didnt have time today to enable logging but noticed that port 123 for svchost also gets askes. Although it is already allowed for trusted zone in a pre-defined rule. I am now thinking that my trusted zone might be configures wrong (i didnt touch that though).

 

Will enable logging hopefully tonight :S

[Utini 1]

Hmm I enabled logging but when I get asked and I press deny it will not be logged. There is no entry or "more" information about it in the log file? 

 

All I see are a lot of "no application listening to port) entries. Every 2 seconds a new one os popping up in the log file

Edited December 18, 2014 by Utini

[Utini 1]

There are many "ask" rules. To find out which one is triggering the window with action selection, tick the "Log" box so that applying a particular rule is logged in the firewall log. It seems there's another rule that is stronger than the rule allowing communication on port 161.

 

Here is a screenshot of all rules in "advanced view" toggeled. I sorted them by rules. So everything else is an "allow" rule. Those are my block or ask rules.

 

I am not really understanding why svchost.exe still asks for port 161 (coming from my networks router) when I have it as allowed rule for trusted zone & local adresse.

[rugk 397]

Hello @Utini,

at first nice "Block OpenCandy" rule.

 

Secondly in the advanced view you can also sort the rules by the application. If you do so you should find all rules for "spoolsv.exe" and you can have a look whether there is a rule with a higher priority.

 

@Marcos

That there is often written "Ask" is only because no rule is defined for this action and Utini is in interactive mode. If Utini would be in automatic mode there would be written "allow".

This confusing thing is one reason why I like the advanced view of the rules more.

[Utini 1]

Hello @Utini,

at first nice "Block OpenCandy" rule.

 

Secondly in the advanced view you can also sort the rules by the application. If you do so you should find all rules for "spoolsv.exe" and you can have a look whether there is a rule with a higher priority.

 

@Marcos

That there is often written "Ask" is only because no rule is defined for this action and Utini is in interactive mode. If Utini would be in automatic mode there would be written "allow".

This confusing thing is one reason why I like the advanced view of the rules more.

 

I did sort them by app and spoolsv.exe is allowed for trusted zone and local addresses. there is no ask rule for spoolsv :/ Still I get asked when my local router requests it.

[rugk 397]

Okay, but you haven'z made a screenshot of this in your last post.

spoolsv.exe's "user-friendly name" is "Spooler SubSystem App".

 

In your post before you have two rules for spoolsv.exe. One one allowing and one blocking (a specific IP).

So I don't see any ask rule too.

 

Can you maybe make a screenshot of the interactive message you still get?

Edited December 22, 2014 by rugk

[Utini 1]

Okay, but you haven'z made a screenshot of this in your last post.

spoolsv.exe's "user-friendly name" is "Spooler SubSystem App".

 

In your post before you have two rules for spoolsv.exe. One one allowing and one blocking (a specific IP).

So I don't see any ask rule too.

 

Can you maybe make a screenshot of the interactive message you still get?

 

Mhh if I happen to get the request again I will make a screenshot. But basically it is UDP Out at port 161 to my routers local ip adress.

[rugk 397]

Okay, I think I found your issue (more or less). You have a very specific blocking rule for the process and even a specific allowing rule. Let's talk about the allowing rule, because the blocking rule is not important for this.

The allowing rule only allows connections to:

• a/some specific IPs
• from local port: UDP
• to remote port: SNMP

 

So if you get the notification from ESS next time, please double check if the connection is not trying to use another port or trying to connect to another IP.

That's also the reason why I said a screenshot would be very helpful, because there we would see where/how the connection is really trying to connect to your router.

Edited December 22, 2014 by rugk

[Utini 1]

The allowing rule allows:

Local IP's and trusted zone IP's

From local port UDP

To remote port SNMP

 

And the request is "router ip" from local UPD to SNMP.

 

Anyway, I hope I will get anoter request and will then make a screenshot

[rugk 397]

Anyway, I hope I will get anoter request and will then make a screenshot

Yes, I think that's a good idea.

[Utini 1]

 

Anyway, I hope I will get anoter request and will then make a screenshot

Yes, I think that's a good idea.

 

 

Here is the rule + the request pop up. 

[Utini 1]

And another request that is actually allowed in the default rules but still asks for permission (port 123) ?

 

@edit: Oh the standard rules say "trusted zone" only.

Edited December 28, 2014 by Utini

[Utini 1]

Any help with this?

[rugk 397]

Can you reprodce this issue or does it only happen on one computer?

[Utini 1]

Hmm I would need to try that in a VirtualBox.. maybe I have time to do that on monday. Altough I am running a virtualbox with "learning mode" active all the time and it hasn't created any rules for spoolsv.exe yet. So it looks like my virtualbox never got the request from spoolsv.exe.

 

 

@edit: That is because no printer was added to windows in the virtual box yet. I will now add the printer to the virtualbox windows and then wait to find out...

Edited January 3, 2015 by Utini

[Utini 1]

It doesn't seem like I can reproduce the same event in a virtulbox. 

 

In the virtualbox I added the same rule as on my main system and the "learning mode" didn't create an additional rule yet (although I specified to create rules for each IP if there isn't a "master rule" already). So it seems like ESS uses the rule in my virtualbox like it should use it. How ever on my main system "trusted zone" and "local addresses" don't seem to work ?

[rugk 397]

How ever on my main system "trusted zone" and "local addresses" don't seem to work ?

It is completely not working? (Okay, it also depends on how you define "not working")

I think it's only not working for the spoolsv.exe...

Also in your VM you maybe have a different local zone or spoolsv.exe just doesn't connect to 192.168.1.59.

Maybe make a allow rule with a notification, so you see when spoolsv.exe wants to connect to 192.168.1.59.

Edited January 4, 2015 by rugk