Eset Internet Security stops showing Firewall Notifications


I've been facing this issue for a while now. Eset internet security v16 and v17 have this issue. Running Windows 10 x64. The firewall popups stop showing after a few hours. When it doesn't show, the application is silently being blocked. The only way to fix this is by restarting Windows which is very annoying.

Example screenshot of window pop-up that stops appearing


  • Administrators

Does the issue occur with the latest v17.1.13 installed and automatic gamer mode activation disabled?


Hi Marcos,

This still happens on v17.1.13.0. But I have disabled automatic gamer mode activation now. I've a feeling this may not be the issue because after restart it works fine. Will test it out and share an update.

But can I control gamer mode? Like which apps can trigger this?


Posted (edited)

Hi @Marcos

It happened again. Gamer mode is completely disabled. Now I am no longer getting the Firewall allow/deny screen.

I am already on the latest version. It's been happening for a while and I was hoping it would get fixed. But it's not.

Edit: I also disabled "Do not display notifications when running applications in full-screen mode", still no luck.

Please assist.

Thanks

Edited by Shri Ganesh

The question that should have been asked initially is: are you monitoring outbound network traffic in the Eset firewall? By default, Eset will allow all outbound port 80 network traffic.


  • Administrators

Please provide the following when the network communication is blocked and no interactive firewall window pops up when it's supposed to:

1. A full dump of ekrn.exe created via the advanced setup -> Tools -> Diagnostics -> Create (Dump)
2. A dump of egui.exe (or eguiproxy.exe if egui.exe is not running) via the task manager.

Also temporarily change minimum logging verbosity to "diagnostics". After reproducing the issue collect logs with ESET Log Collector and change the logging verbosity back to "informative".


On 6/11/2024 at 1:03 AM, itman said:

The question that should have been asked initially is: are you monitoring outbound network traffic in the Eset firewall? By default, Eset will allow all outbound port 80 network traffic.

Yes, I've set the firewall mode to interactive. Nothing is allowed by default (blocked by default).


On 6/11/2024 at 7:54 AM, Marcos said:

Please provide the following when the network communication is blocked and no interactive firewall window pops up when it's supposed to:

1. A full dump of ekrn.exe created via the advanced setup -> Tools -> Diagnostics -> Create (Dump)
2. A dump of egui.exe (or eguiproxy.exe if egui.exe is not running) via the task manager.

Also temporarily change minimum logging verbosity to "diagnostics". After reproducing the issue collect logs with ESET Log Collector and change the logging verbosity back to "informative".

Noted. Will collect and attach this. Is a mini dump enough (for ekrn.exe)?

Strangely, I hibernated my system and after I turned it back on, the issue has gone away now. But usually it only goes away after I restart.

Anyway, I will collect the logs once issue occurs and attach them here.


  • Administrators

No, a full dump of ekrn.exe, eguiproxy.exe and egui.exe (may not be running) will be needed.


Posted (edited)
3 hours ago, Marcos said:

No, a full dump of ekrn.exe, eguiproxy.exe and egui.exe (may not be running) will be needed.

Hi @Marcos

Noted. I've generated a full dump and attached it via transfernow.net - https://www.transfernow.net/dl/20240612w2aFLzoC

Since the file was too big to attach, I had to attach to transfernow.net. The zip is encrypted with password:

 

Note: The dumps are under -> ESET\Diagnostics\eguiProxy.DMP, ekrn_15c408bc_42a8.dmp, ekrn_15c408bc_42a8.mdmp

Edited by Marcos
Password removed

  • Administrators

Thank you. While the dumps will be checked, please do the following:

1. Make sure to select "informative" minimum logging verbosity in the advanced setup -> Tools -> Log files
2. Delete C:\ProgramData\ESET\ESET Security\Logs\epfwlog.dat in safe mode
3. Check if the CloudCar test file is detected as Suspicious upon download from http://amtso.eicar.org/cloudcar.exe
4. We recommend enabling the LiveGrid Feedback system for maximum protection
5. Enable TLS/SSL filtering so that malware downloaded via https and malicious websites opened via https are blocked.

P_ESSW-18312


Just now, Marcos said:

Thank you. While the dumps will be checked, please do the following:

1. Make sure to select "informative" minimum logging verbosity in the advanced setup -> Tools -> Log files
2. Delete C:\ProgramData\ESET\ESET Security\Logs\epfwlog.dat in safe mode
3. Check if the CloudCar test file is detected as Suspicious upon download from hxxp://amtso.eicar.org/cloudcar.exe
4. We recommend enabling the LiveGrid Feedback system for maximum protection
5. Enable TLS/SSL filtering so that malware downloaded via https and malicious websites opened via https are blocked.

Hi @Marcos

Thank you for the reply.

1) I've reverted logging verbosity back to Informative.
2) Will reboot and delete the C:\ProgramData\ESET\ESET Security\Logs\epfwlog.dat
3) It wasn't detected but ~60s after the file got downloaded, it was detected and cleaned.
4) I don't want to enable LiveGrid for the time being.
5) I've had issues with TLS filtering. So I am using a browser-extension-based blocker for now.


  • Administrators
6 minutes ago, Shri Ganesh said:

3) It wasn't detected but ~60s after the file got downloaded, it was detected and cleaned.

This is due to disabled SSL/TLS filtering. Possible malware on https websites will not be detected upon download at the network layer.

6 minutes ago, Shri Ganesh said:

5) I've had issues with TLS filtering. So I am using a browser-extension-based blocker for now.

Could you elaborate more on these issues? The extension does not scan the website content for malware nor block blacklisted websites, so you can't use it as a replacement for SSL/TLS filtering.


19 minutes ago, Marcos said:

This is due to disabled SSL/TLS filtering. Possible malware on https websites will not be detected upon download at the network layer.

Could you elaborate more on these issues? The extension does not scan the website content for malware nor block blacklisted websites, so you can't use it as a replacement for SSL/TLS filtering.

Hi @Marcos

I don't believe it's due to disabled TLS/SSL filtering as the file was downloaded over http (not https). I was checking after the file was downloaded/written to the disk and was visible in Explorer. It took quite a while after the exe file appeared in the explorer.

But I tried again with a different browser, Chrome (previously Vivaldi), and this time it was detected quickly.

As for the TLS/SSL issues, the TLS filtering is signing all the certificates (including the untrusted local certificates from my NAS/router/smart devices, etc.). I am using AdGuard with phishing and malware protection. I do agree that it won't scan anything at file level (while being transferred) but mostly at domain level. But due to the certificate signing problem, I had to disable TLS/SSL filtering.

Thanks,
Shri


  • Administrators

If a particular certificate is trusted because the appropriate CA certificate exists in the trusted root CA cert. store, ESET trusts the certificate as well. Still, it's possible to create exceptions by IP addresses, applications or certificates to work around possible issues while keeping SSL/TLS filtering enabled.


32 minutes ago, Marcos said:

If a particular certificate is trusted because the appropriate CA certificate exists in the trusted root CA cert. store, ESET trusts the certificate as well. Still, it's possible to create exceptions by IP addresses, applications or certificates to work around possible issues while keeping SSL/TLS filtering enabled.

Hi @Marcos

I initially had it enabled when the feature was introduced (maybe around v13.x) but it started signing untrusted certificates. Specifically, self-signed certificates were being signed by the ESET CA certificate, causing my browser to implicitly trust those certificates, and this was causing me a lot of headaches, as at that time I couldn't find a way to exclude ESET from intercepting certain IPs. But once this firewall issue is resolved, I will try enabling it again.

Thanks,

Shri
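
Added example (not part of any post in this thread, and not ESET code): a PowerShell check of which issuer this machine actually sees for each local HTTPS device, which shows whether a device's self-signed certificate is being re-signed by the filtering CA as described in the posts above. The target names and addresses are constructed placeholders, and the script assumes the filtering root's name contains `ESET SSL Filter CA`.

```powershell
# Added example: list the issuer this machine sees for each local HTTPS device.
# Targets are constructed placeholders (TEST-NET-1); substitute your NAS/router.
$Targets = @(
    @{ Name = 'nas';    Address = '192.0.2.10'; Port = 443 },
    @{ Name = 'router'; Address = '192.0.2.1';  Port = 443 }
)
# Assumption: the filtering root certificate's name contains this string.
$FilterCaName = 'ESET SSL Filter CA'

function Get-PresentedCertificate {
    param([string]$Address, [int]$Port = 443, [int]$TimeoutMs = 3000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $client.ConnectAsync($Address, $Port).Wait($TimeoutMs)) {
            throw "connection timed out after $TimeoutMs ms"
        }
        # Accept every certificate: the goal is to inspect it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $certificate, $chain, $policyErrors) $true
        }
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            $tls.AuthenticateAsClient($Address)
            # Copy the certificate before the stream is disposed.
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        } finally { $tls.Dispose() }
    } finally { $client.Dispose() }
}

$report = foreach ($t in $Targets) {
    try {
        $cert = Get-PresentedCertificate -Address $t.Address -Port $t.Port
        $verdict = if ($cert.Issuer -like "*$FilterCaName*") {
            'Re-signed by the filtering CA: clients see this, not the device certificate'
        } elseif ($cert.Subject -eq $cert.Issuer) {
            'Self-signed device certificate seen directly (connection not filtered)'
        } else { 'Issued by another CA' }
        [pscustomobject]@{ Target = $t.Name; Subject = $cert.Subject; Issuer = $cert.Issuer
                           Thumbprint = $cert.Thumbprint; Verdict = $verdict }
    } catch {
        # Unreachable host, timeout or failed handshake: report it and continue.
        [pscustomobject]@{ Target = $t.Name; Subject = $null; Issuer = $null
                           Thumbprint = $null; Verdict = "No certificate: $($_.Exception.Message)" }
    }
}
$report | Format-List
```

Because exceptions can be set per application, the result describes what the PowerShell process sees and may differ from a browser's view. Comparing the reported thumbprint with the one shown on the device itself confirms which certificate was presented.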


I will also add that by disabling LiveGrid, you are putting yourself at risk from 0-day malware. One of the functions of LiveGrid is to check Eset's cloud blacklist which is updated first when new malware is discovered and being evaluated.


1 minute ago, itman said:

I will also add that by disabling LiveGrid, you are putting yourself at risk from 0-day malware. One of the functions of LiveGrid is to check Eset's cloud blacklist which is updated first when new malware is discovered and being evaluated.

Noted. I had never enabled this feature due to privacy features. I think LiveGrid was called ThreatSense or something in early versions. I couldn't find which files will be uploaded to LiveGrid automatically. Is it possible to make use of LiveGrid without uploading my files?

Thanks,

Shri


9 minutes ago, Shri Ganesh said:

Is it possible to make use of LiveGrid without uploading my files?

Yes. See the screenshot below:

[Screenshot: Eset_Submissions.png]


15 minutes ago, itman said:

Yes. See the screenshot below:

[Screenshot: Eset_Submissions.png]

Noted. I've enabled the LiveGrid reputation system (without enabling the feedback system for submitting samples). But I will try enabling the feedback system with manual submission of samples.

Thanks,

Shri
