Jump to content

Added local & trusted zone as allowed, still getting asked for local ip


Recommended Posts

Hey there,

 

I added for spoolsv.exe the following rule:

 

Allow - UDP OUT - Port 161 - Trusted Zone + Local Adresses

 

Still I get asked about an UDP 161 connection to 192.168.1.59 (which is a local adress and within my home network = trusted zone) ?

 

Any suggestions? :)

 

Thanks

Link to comment
Share on other sites

Still I get asked about an UDP 161 connection to 192.168.1.59 (which is a local adress and within my home network = trusted zone) ?

 

Any suggestions?

 

I also find "Trusted Zone" doesn't work that reliably.

I guess the problem is it is defined dynamically so may not be set up properly when it is initially used. As my computers are mostly on a network with a static IP range, adding this range appears to fix it for me.

Link to comment
Share on other sites

 

Still I get asked about an UDP 161 connection to 192.168.1.59 (which is a local adress and within my home network = trusted zone) ?

 

Any suggestions?

 

I also find "Trusted Zone" doesn't work that reliably.

I guess the problem is it is defined dynamically so may not be set up properly when it is initially used. As my computers are mostly on a network with a static IP range, adding this range appears to fix it for me.

 

 

Yep that would fix it for me too, but adding "local" or "trusted" would be a lot more comfortable. Especially when using a laptop in different wlan/office networks :)

Link to comment
Share on other sites

  • Administrators

I added for spoolsv.exe the following rule:

Allow - UDP OUT - Port 161 - Trusted Zone + Local Adresses

Still I get asked about an UDP 161 connection to 192.168.1.59 (which is a local adress and within my home network = trusted zone) ?

 

By default, there are no rules that would prompt you for an action so it must be a custom rule you've created that triggers the window with action selection. Without seeing all rules, it's impossible to tell why you keep being prompted for an action.

Link to comment
Share on other sites

I use interactive mode so I get asked for everything that isn't in the standart ESET rules?

 

I added pictures of my (relevant) rules below.

 

Thanks

post-5892-0-25719800-1418742293_thumb.jpg

post-5892-0-59796800-1418742295_thumb.jpg

post-5892-0-86705500-1418742297_thumb.jpg

post-5892-0-09963300-1418742300_thumb.jpg

post-5892-0-35586900-1418742302_thumb.jpg

Link to comment
Share on other sites

  • Administrators

There are many "ask" rules. To find out which one is triggering the window with action selection, tick the "Log" box so that applying a particular rule is logged in the firewall log. It seems there's another rule that is stronger than the rule allowing communication on port 161.

Link to comment
Share on other sites

There are many "ask" rules. To find out which one is triggering the window with action selection, tick the "Log" box so that applying a particular rule is logged in the firewall log. It seems there's another rule that is stronger than the rule allowing communication on port 161.

 

Hmm i am not sure if I fully understand the way it works. All the ask rules are either for other files or are pre-defined by ESET so that they cannot be changed. For spoolsv.exe there is a specific rule that allows trusted zone and local adresses.

 

Anyway I will enable the log and try it out after work :)

 

Thanks

Link to comment
Share on other sites

  • Administrators

 

All the ask rules are either for other files or are pre-defined by ESET so that they cannot be changed.

 

No, that's a wrong assumption. Pre-defined rules either allow or block certain communication, there's no pre-defined rule with the action set to ask.

Link to comment
Share on other sites

 

 

All the ask rules are either for other files or are pre-defined by ESET so that they cannot be changed.

 

No, that's a wrong assumption. Pre-defined rules either allow or block certain communication, there's no pre-defined rule with the action set to ask.

 

 

Yes you are right ofcourse :) 

 

Didnt have time today to enable logging but noticed that port 123 for svchost also gets askes. Although it is already allowed for trusted zone in a pre-defined rule. I am now thinking that my trusted zone might be configures wrong (i didnt touch that though).

 

Will enable logging hopefully tonight :S

Link to comment
Share on other sites

Hmm I enabled logging but when I get asked and I press deny it will not be logged. There is no entry or "more" information about it in the log file? 

 

All I see are a lot of "no application listening to port) entries. Every 2 seconds a new one os popping up in the log file :o

Edited by Utini
Link to comment
Share on other sites

There are many "ask" rules. To find out which one is triggering the window with action selection, tick the "Log" box so that applying a particular rule is logged in the firewall log. It seems there's another rule that is stronger than the rule allowing communication on port 161.

 

Here is a screenshot of all rules in "advanced view" toggeled. I sorted them by rules. So everything else is an "allow" rule. Those are my block or ask rules.

 

I am not really understanding why svchost.exe still asks for port 161 (coming from my networks router) when I have it as allowed rule for trusted zone & local adresse.

post-5892-0-17523600-1418937991_thumb.jpg

Link to comment
Share on other sites

Hello @Utini,

at first nice "Block OpenCandy" rule. :)

 

Secondly in the advanced view you can also sort the rules by the application. If you do so you should find all rules for "spoolsv.exe" and you can have a look whether there is a rule with a higher priority.

 

@Marcos

That there is often written "Ask" is only because no rule is defined for this action and Utini is in interactive mode. If Utini would be in automatic mode there would be written "allow".

This confusing thing is one reason why I like the advanced view of the rules more.

Link to comment
Share on other sites

Hello @Utini,

at first nice "Block OpenCandy" rule. :)

 

Secondly in the advanced view you can also sort the rules by the application. If you do so you should find all rules for "spoolsv.exe" and you can have a look whether there is a rule with a higher priority.

 

@Marcos

That there is often written "Ask" is only because no rule is defined for this action and Utini is in interactive mode. If Utini would be in automatic mode there would be written "allow".

This confusing thing is one reason why I like the advanced view of the rules more.

 

I did sort them by app and spoolsv.exe is allowed for trusted zone and local addresses. there is no ask rule for spoolsv :/ Still I get asked when my local router requests it.

Link to comment
Share on other sites

Okay, but you haven'z made a screenshot of this in your last post.

spoolsv.exe's "user-friendly name" is "Spooler SubSystem App".

 

In your post before you have two rules for spoolsv.exe. One one allowing and one blocking (a specific IP).

So I don't see any ask rule too.

 

Can you maybe make a screenshot of the interactive message you still get?

Edited by rugk
Link to comment
Share on other sites

Okay, but you haven'z made a screenshot of this in your last post.

spoolsv.exe's "user-friendly name" is "Spooler SubSystem App".

 

In your post before you have two rules for spoolsv.exe. One one allowing and one blocking (a specific IP).

So I don't see any ask rule too.

 

Can you maybe make a screenshot of the interactive message you still get?

 

Mhh if I happen to get the request again I will make a screenshot. But basically it is UDP Out at port 161 to my routers local ip adress.

Link to comment
Share on other sites

Okay, I think I found your issue (more or less). You have a very specific blocking rule for the process and even a specific allowing rule. Let's talk about the allowing rule, because the blocking rule is not important for this.

The allowing rule only allows connections to:

  • a/some specific IPs
  • from local port: UDP
  • to remote port: SNMP

 

So if you get the notification from ESS next time, please double check if the connection is not trying to use another port or trying to connect to another IP.

That's also the reason why I said a screenshot would be very helpful, because there we would see where/how the connection is really trying to connect to your router.

Edited by rugk
Link to comment
Share on other sites

The allowing rule allows:

Local IP's and trusted zone IP's

From local port UDP

To remote port SNMP

 

And the request is "router ip" from local UPD to SNMP.

 

Anyway, I hope I will get anoter request and will then make a screenshot :)

Link to comment
Share on other sites

 

Anyway, I hope I will get anoter request and will then make a screenshot :)

Yes, I think that's a good idea.

 

 

Here is the rule + the request pop up. 

post-5892-0-77301900-1419717337_thumb.jpg

post-5892-0-36313900-1419717339_thumb.jpg

Link to comment
Share on other sites

And another request that is actually allowed in the default rules but still asks for permission (port 123) ?

 

@edit: Oh the standard rules say "trusted zone" only.

post-5892-0-71617600-1419760535_thumb.jpg

Edited by Utini
Link to comment
Share on other sites

Hmm I would need to try that in a VirtualBox.. maybe I have time to do that on monday. Altough I am running a virtualbox with "learning mode" active all the time and it hasn't created any rules for spoolsv.exe yet. So it looks like my virtualbox never got the request from spoolsv.exe.

 

 

@edit: That is because no printer was added to windows in the virtual box yet. I will now add the printer to the virtualbox windows and then wait to find out...

Edited by Utini
Link to comment
Share on other sites

It doesn't seem like I can reproduce the same event in a virtulbox. 

 

In the virtualbox I added the same rule as on my main system and the "learning mode" didn't create an additional rule yet (although I specified to create rules for each IP if there isn't a "master rule" already). So it seems like ESS uses the rule in my virtualbox like it should use it. How ever on my main system "trusted zone" and "local addresses" don't seem to work ?

Link to comment
Share on other sites

How ever on my main system "trusted zone" and "local addresses" don't seem to work ?

It is completely not working? (Okay, it also depends on how you define "not working")

I think it's only not working for the spoolsv.exe...

Also in your VM you maybe have a different local zone or spoolsv.exe just doesn't connect to 192.168.1.59.

Maybe make a allow rule with a notification, so you see when spoolsv.exe wants to connect to 192.168.1.59.

Edited by rugk
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...