ESET web protection not working properly


I noticed that ESET safe search flagged the website as malicious but didn't block it.

But it blocked the EICAR test file and the AMTSO phishing test webpage.

Web protection.png

Web protection1.png

Web protection2.png

Web protection3.png

Web protection4.png

Web protection5.png

Link to comment

  • Administrators

Blocking of the website works for me. Please carry on as follows:

  1. Enable advanced logging under Help and support -> Technical support
  2. Launch the browser
  3. Clear browser's cache
  4. Open the website and make sure it's not blocked
  5. Stop logging
  6. Collect logs with ESET Log Collector and upload the generated archive here.
Link to comment

It's the same DNS over HTTPS Eset bypass discussed at length in this thread: https://forum.eset.com/topic/40209-eset-web-protection-doesnt-block-websites-on-firefox/ .

With DoH disabled, Eset blocks access to web site via blacklist detection.

With DoH enabled, web site access is granted w/o issue. The only difference in this case when using Firefox is that no Eset Filtered Web site log block entries are created. Perhaps with Browser Security & Privacy enabled - I have it disabled - the search result malicious icon display factored into Eset block log entries not being created, as has been previously documented.

Link to comment

I uploaded the logs. On the first try to access the website it was blocked, but after that ESET allowed access to the website.

I am not sure if that has anything to do with DoH, but it's not configured through the browser.

logs.png

Web protection.png

essp_logs.zip

Link to comment

  • Administrators

I don't know why but I'm unable to reproduce the issue with DoH enabled and set to Max protection with Cloudflare selected as the provider:

image.png

Link to comment

46 minutes ago, Marcos said:

I don't know why but I'm unable to reproduce the issue with DoH enabled and set to Max protection with Cloudflare selected as the provider:

Same setting in Firefox. Of note is that I am also using Cloudflare as my Win 10 DNS servers:

Eset_1.thumb.png.fe87106a917acebebe3396125a3fe457.png

Eset_2.thumb.png.cf66eab4d97446e0ec5fe58535383f33.png

Link to comment

I am using Microsoft Edge, so this DNS option that Firefox has isn't available, and this issue still persists even after clearing the cache. It seems the problem is not because of the browser but ESET itself.

I submitted ESET logs to Marcos, and I hope this helps diagnose and fix this issue.

Link to comment

57 minutes ago, Ahmeduchiha said:

I am using Microsoft Edge, so this DNS option that Firefox has isn't available

Refer to this article: https://winaero.com/enable-dns-over-https-in-microsoft-edge/ to determine if DNS over HTTPS is enabled in Edge and what DNS provider it is using. 

Link to comment

I use Cloudflare DNS, but on the network level, not in the browser.

And when I reproduced the issue, the first time visiting the website it was blocked, but trying to open the webpage again, it opened and bypassed ESET protection.

Edge.png

Link to comment

11 hours ago, Ahmeduchiha said:

I use Cloudflare DNS, but on the network level, not in the browser.

Your posted screen shot shows you have DNS over HTTPS enabled.

Edge refers to DNS over HTTPS as "secure DNS." You also have "Use current service provider" enabled. You stated that you are using Cloudflare as your Windows DNS servers; i.e. current service provider. Therefore, you are using Cloudflare as your DNS over HTTPS provider.

Disable the "Use secure DNS" setting; close and reopen Edge; and retest. Eset should alert and block access to this malicious web site every time.

Edited by itman
Link to comment

I tried to disable DoH on the network and indeed ESET was able to block the website. It seems that ESET is not compatible with DoH and encrypted DNS connection.

I hope ESET fixes this issue as soon as possible.

Link to comment

  • Administrators

From your logs it was obvious that HTTP/3 was used which was the reason for not blocking the site. I assume it has nothing to do with DoH. Is the website blocked in Chrome with QUIC disabled in the setup?

Link to comment
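
Added example, not part of the original posts or of ESET's tooling: browsers commonly learn that a server offers HTTP/3 from the `Alt-Svc` response header (RFC 7838) received over an earlier TCP connection, so a first request can use HTTP/1.1 or HTTP/2 and later ones QUIC. The sketch below parses `Alt-Svc` values and lists the HTTP/3 alternatives; the function names and the sample header values are constructed for illustration.

```python
import re

# One alternative: protocol-id="[host]:port" followed by optional ;name=value parameters.
_ENTRY = re.compile(r'([\w.%+-]+)="([^"]*)"((?:\s*;\s*[\w-]+=(?:"[^"]*"|[^;,\s]+))*)')
_PARAM = re.compile(r';\s*([\w-]+)=("[^"]*"|[^;,\s]+)')

def parse_alt_svc(value):
    """Parse an Alt-Svc header value into a list of alternative services."""
    if value.strip().lower() == "clear":
        return []  # "clear" tells the client to forget all alternatives
    entries = []
    for m in _ENTRY.finditer(value):
        protocol, authority, params = m.group(1), m.group(2), m.group(3)
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue  # malformed authority, ignore this alternative
        max_age = 86400  # RFC 7838: 24 hours when "ma" is absent
        for p in _PARAM.finditer(params):
            raw = p.group(2).strip('"')
            if p.group(1).lower() == "ma" and raw.isdigit():
                max_age = int(raw)
        entries.append({"protocol": protocol, "host": host,
                        "port": int(port), "ma": max_age})
    return entries

def http3_endpoints(value):
    """Return (host, udp_port, max_age) for each advertised HTTP/3 alternative."""
    return [(e["host"] or "<same host>", e["port"], e["ma"])
            for e in parse_alt_svc(value)
            if e["protocol"] == "h3" or e["protocol"].startswith("h3-")]

if __name__ == "__main__":
    # Constructed sample header values, not taken from the thread's logs.
    samples = [
        'h3=":443"; ma=86400, h3-29=":443"; ma=3600',
        'h2="alt.example.test:8443"',
        'clear',
    ]
    for header in samples:
        found = http3_endpoints(header)
        verdict = "HTTP/3 offered" if found else "no HTTP/3 alternative"
        print(f"{header!r}: {verdict} {found}")
```

A non-empty result means a QUIC-capable browser may move later requests to UDP on the listed port for up to `ma` seconds.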

  • Administrators
6 minutes ago, Ahmeduchiha said:

I use the default settings in Microsoft Edge and I believe that QUIC is disabled.

The network logs show otherwise:

image.png

Please make sure you have it set to "disabled":

image.png

Link to comment

I am so confused now. After restarting Edge and trying to test the website, it opened normally and was not blocked.

QUIC is disabled by default.

I don't know what to do now. Should I collect new logs?

Edge.png

site.png

Link to comment

  • Administrators

I assume that virtually no AV can scan QUIC. It's been experimental for a long time. As I have already mentioned, HTTP/3 will be supported as of v17.1.

Link to comment

3 hours ago, Marcos said:

This is because the server uses HTTP/3. If you disable QUIC in Chrome per https://support.eset.com/en/kb6757,

According to Watchguard, you also need to create a firewall rule to block UDP port 80 and 8080 network traffic: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Endpoint-Security/manage-settings/disable-http-3-protocol-for-web-access-control.html?TocPath=Troubleshooting|_____19 .

1 hour ago, Marcos said:

I assume it has nothing to do with DoH.

Except for Firefox which uses its own DNS processing with DoH enabled. Also, Firefox has QUIC enabled by default.

Link to comment

ya win-users, always complaining. never happy. we macos-users/cs-users, no https scan, and we are not complaining. we are not asking anymore when it is gonna be supported. we got it. it is a feature. ya pu**ies 😅

Edited by sesk
Link to comment