Web Access Protection problems

[Marcos 5,091]

Please raise a support ticket if you are having issues with Web access protection on Linux.

[eab 25]

hxxp://www.giss.nasa.gov/ is blocked by WAP, even with SSL/TLS scanning disabled:

Only way to load the page is to disable WAP completly.

Can someone from ESET please tell me why this website is blocked!?

[Marcos 5,091]

No problems opening the site on Windows.

Please report it via a support ticket if temporarily disabling Web access protection actually makes a difference.

[eab 25]

@Marcos by now I think it should be obvious that there is a problem specifically with the Linux version of WAP and not the Windows version.

Like I already said - disabling WAP entirely is the only way (other than stopping the eea service entirely) to load the website (in Chrome and/or FF).

Edited March 8 by eab

[Marcos 5,091]

Please raise a support ticket then.

[eab 25]

13 minutes ago, Marcos said:

Please raise a support ticket then.

Done. Ticket  #00727066. Let's see what comes of it 🤷‍♂️

[eab 25]

OK, the reply from ESET support was completely predictable:

Quote

 

'Have you already tested adding the URL to the exceptions?'

 

No, I didn't do that because I wanted to know from ESET Business support why this URL was being blocked in the first place.

In any case, I decided to try to add it as to the Allowed and Excluded lists:

This does nothing to solved the problem.

I know for a fact that WAP is blocking this website because if I disable WAP completely the website loads immediately.

So what gives?

(Yes, I already replied with this info to ESET Business support, but they take a day or two to reply each time 😕 )

Edited March 11 by eab

[Marcos 5,091]

I suspect there is a bug which causes this particular (and maybe also other trusted sites) not to be scanned regardless of the settings. I've asked our testers to re-test it and possibly file a bug for developers:

Tested with ESET Endpoint Antivirus 10.2.2.0 on Ubuntu 20.04 LTS and Firefox.

No problem with Chrome 122.0.621.111 either. The website is not scanned by ESET and opens alright:

[eab 25]

Thanks for testing @Marcos. But do you have WAP enabled as well? And if so, are you saying that, with WAP enabled that URL loads for you in the web browser?

[Marcos 5,091]

After clearing cache it works for me:

[eab 25]

Is there any way to get the assigned policy to update right away? It seems like sometimes it's updated on the client immediately, and other times it takes 10 minutes or so. And Linux command to pull the new policy settings from the server?

[eab 25]

Now magically the website is loading with WAP enabled, SSL/TLS disabled, and no URLs in the Allowed or Exceptions lists. 🤷‍♂️ 

[eab 25]

And again today this URL is not loading:

And the only change to the policy is disabling WAP -> SSL/TLS.

Yesterday this same URL magically loaded with the same policy on the same PC, and today it's not loading again.

With eea service stopped, or WAP completely disabled, the website loads.

Exclusion lists do not work! 😠

[Marcos 5,091]

Please raise a support ticket for help with further troubleshooting of the issue.

 

[eab 25]

Look at this - my fritz.box router page is also "blocked" by ESET/WAP - all I get is a white page:

6 minutes ago, Marcos said:

Please raise a support ticket for help with further troubleshooting of the issue.

 

I already did! They haven't done anything yet to help. 

I have now redirected them to this forum thread .. 🙄

This WAP feature is extremely buggy!

Edited March 13 by eab

[Marcos 5,091]

Would it be possible to try a different router than Fritzbox? Which model do you have by the way?

[eab 25]

26 minutes ago, Marcos said:

Would it be possible to try a different router than Fritzbox? Which model do you have by the way?

I don't have another router to test. But how  would that help even if I did? 

I have the: FRITZ!Box 7590

[eab 25]

New finding!

It seems that accessing the NASA website (https://www.giss.nasa.gov) via IPv6 is blocked, whereas via IPv4 is not blocked.

Ideas?

[eab 25]

The following was sent to ESET Support:
 

Quote

 

Here are our findings:

 

The URL (https://www.giss.nasa.gov) points to both an IPv4 and IPv6 address:

user@pc:~$ host www.giss.nasa.gov
www.giss.nasa.gov is an alias for gs611-web3-pz.giss.nasa.gov.
gs611-web3-pz.giss.nasa.gov has address 129.164.128.233
gs611-web3-pz.giss.nasa.gov has IPv6 address 2001:4d0:2310:230::233

 

When accessing the URL, for example in a web browser or using curl in the terminal, from a device and network/Internet connection which is IPv6-ready, the IPv6 address is automatically tried first.

And if the IPv6 address does not work/resolve, then the web browser, or curl, tries to use the IPv4 address.

 

However, when accessing the URL from a device and network/Internet connection which is not IPv6-ready, the IPv4 address is automatically tried first.

 

In the case of this particular URL, the IPv4 address is working, whereas the IPv6 address is not working - this particular issue is not a problem with ESET.

 

However, this is where ESET does introduce a problem:

 

When this URL is accessed from a device and network/Internet connection which is IPv6-ready, and the IPv6 address fails to resolve, ESET seems to stop the diversion to the IPv4 address.

 

On the other hand, when accessing the URL from a device and network/Internet connection which is not IPv6-ready, the IPv4 address is automatically tried first, and the site loads without problems - ESET does not block it.

 

This man-in-the-middle-ing by ESET/WAP effectively disrupts the handover of a URL from IPv6-to-IPv4, and most likely also vice-versa. 

 

You and your technicians and/or developers should have no trouble reproducing this.

 

I will add here as well that I recently was setting up a new Synology server and also experienced ESET/WAP blocking the Synology setup web page, which is the only way to correctly setup a Synology server.

So it seems pretty clear that WAP is far too aggressive, especially for a PC-grade security tool, and needs to be thoroughly tested.