Shri Ganesh 0 Posted June 8
I've been facing this issue for a while now. ESET Internet Security v16 and v17 have this issue. Running Windows 10 x64. The firewall popups stop showing after a few hours. When it doesn't show, the application is silently being blocked. The only way to fix this is by restarting Windows which is very annoying.
Example screenshot of window pop-up that stops appearing

Administrators Marcos 5,443 Posted June 8
Does the issue occur with the latest v17.1.13 installed and automatic gamer mode activation disabled?

Shri Ganesh 0 Author Posted June 8
Hi Marcos, This still happens on v17.1.13.0. But I have disabled automatic gamer mode activation now. I've a feeling this may not be the issue because after restart it works fine. Will test it out and share an update. But can I control gamer mode? Like which apps can trigger this?

itman 1,799 Posted June 8
2 hours ago, Shri Ganesh said:
But can I control gamer mode? Like which apps can trigger this?
Refer to this on-line help article: https://help.eset.com/eis/17/en-US/idh_config_gamer.html?zoom_highlightsub=Gamer+mode

Shri Ganesh 0 Author Posted June 10 (edited)
Hi @Marcos It happened again. Gamer mode is completely disabled. Now I am no longer getting the Firewall allow/deny screen. I am already on the latest version. It's been happening for a while and I was hoping it would get fixed. But it's not.
Edit: I also disabled "Do not display notifications when running applications in full-screen mode", still no luck. Please assist. Thanks
Edited June 10 by Shri Ganesh

itman 1,799 Posted June 10
The question that should have been asked initially is: are you monitoring outbound network traffic in the ESET firewall? By default, ESET will allow all outbound port 80 network traffic.

Administrators Marcos 5,443 Posted June 10
Please provide the following when the network communication is blocked and no interactive firewall window pops up when it's supposed to:
1. A full dump of ekrn.exe created via the advanced setup -> Tools -> Diagnostics -> Create (Dump)
2. A dump of egui.exe (or eguiproxy.exe if egui.exe is not running) via the task manager.
Also temporarily change minimum logging verbosity to "diagnostics". After reproducing the issue collect logs with ESET Log Collector and change the logging verbosity back to "informative".

Shri Ganesh 0 Author Posted June 12
On 6/11/2024 at 1:03 AM, itman said:
The question that should have been asked initially is: are you monitoring outbound network traffic in the ESET firewall? By default, ESET will allow all outbound port 80 network traffic.
Yes, I've set the firewall mode to interactive. Nothing is allowed by default (blocked by default).

Shri Ganesh 0 Author Posted June 12
On 6/11/2024 at 7:54 AM, Marcos said:
Please provide the following when the network communication is blocked and no interactive firewall window pops up when it's supposed to:
1. A full dump of ekrn.exe created via the advanced setup -> Tools -> Diagnostics -> Create (Dump)
2. A dump of egui.exe (or eguiproxy.exe if egui.exe is not running) via the task manager.
Also temporarily change minimum logging verbosity to "diagnostics". After reproducing the issue collect logs with ESET Log Collector and change the logging verbosity back to "informative".
Noted. Will collect and attach this. Is mini dump enough (for ekrn.exe)? Strangely I hibernated my system and after I turned it back on, the issue went away. But usually it only goes away after I restart. Anyway, I will collect the logs once the issue occurs and attach them here.

Administrators Marcos 5,443 Posted June 12
No, a full dump of ekrn.exe, eguiproxy.exe and egui.exe (may not be running) will be needed.

Shri Ganesh 0 Author Posted June 12 (edited)
3 hours ago, Marcos said:
No, a full dump of ekrn.exe, eguiproxy.exe and egui.exe (may not be running) will be needed.
Hi @Marcos Noted. I've generated a full dump and attached via transfernow.net - https://www.transfernow.net/dl/20240612w2aFLzoC Since the file was too big to attach, I had to attach to transfernow.net. The zip is encrypted with password:
Note: The dumps are under -> ESET\Diagnostics\eguiProxy.DMP, ekrn_15c408bc_42a8.dmp, ekrn_15c408bc_42a8.mdmp
Edited June 12 by Marcos
Password removed

Administrators Marcos 5,443 Posted June 12
Thank you. While the dumps will be checked, please do the following:
1. Make sure to select "informative" minimum logging verbosity in the advanced setup -> Tools -> Log files
2. Delete C:\ProgramData\ESET\ESET Security\Logs\epfwlog.dat in safe mode
3. Check if the CloudCar test file is detected as Suspicious upon download from http://amtso.eicar.org/cloudcar.exe
4. We recommend enabling the LiveGrid Feedback system for maximum protection
5. Enable TLS/SSL filtering so that malware downloaded via https and malicious websites opened via https are blocked.
P_ESSW-18312

Shri Ganesh 0 Author Posted June 12
Just now, Marcos said:
Thank you. While the dumps will be checked, please do the following:
1. Make sure to select "informative" minimum logging verbosity in the advanced setup -> Tools -> Log files
2. Delete C:\ProgramData\ESET\ESET Security\Logs\epfwlog.dat in safe mode
3. Check if the CloudCar test file is detected as Suspicious upon download from hxxp://amtso.eicar.org/cloudcar.exe
4. We recommend enabling the LiveGrid Feedback system for maximum protection
5. Enable TLS/SSL filtering so that malware downloaded via https and malicious websites opened via https are blocked.
Hi @Marcos Thank you for the reply.
1) I've reverted logging verbosity back to Informative.
2) Will reboot and delete the C:\ProgramData\ESET\ESET Security\Logs\epfwlog.dat
3) It wasn't detected but ~60s after the file got downloaded, it was detected and cleaned.
4) I don't want to enable LiveGrid for the time being.
5) I've had issues with TLS filtering. So I am using a browser-extension-based blocker for now.

Administrators Marcos 5,443 Posted June 12
6 minutes ago, Shri Ganesh said:
3) It wasn't detected but ~60s after the file got downloaded, it was detected and cleaned.
This is due to disabled SSL/TLS filtering. Possible malware on https websites will not be detected upon download at the network layer.
6 minutes ago, Shri Ganesh said:
5) I've had issues with TLS filtering. So I am using a browser-extension-based blocker for now.
Could you elaborate more on these issues? The extension does not scan the website content for malware nor block blacklisted websites so you can't use it as a replacement for SSL/TLS filtering.

Shri Ganesh 0 Author Posted June 12
19 minutes ago, Marcos said:
This is due to disabled SSL/TLS filtering. Possible malware on https websites will not be detected upon download at the network layer. Could you elaborate more on these issues? The extension does not scan the website content for malware nor block blacklisted websites so you can't use it as a replacement for SSL/TLS filtering.
Hi @Marcos I don't believe it's due to disabled TLS/SSL filtering as the file was downloaded over http (not https). I was checking after the file was downloaded/written to the disk and was visible in Explorer. It took quite a while after the exe file appeared in Explorer. But I tried again with a different browser, Chrome (previously Vivaldi), and this time it was detected quickly.
As for the TLS/SSL issues, the TLS filtering is signing all the certificates (including the untrusted local certificates from my NAS/Router/smart devices etc). I am using AdGuard with Phishing and malware protection. I do agree that it won't scan anything at file level (while being transferred) but mostly at domain level. But due to the certificate signing problem, I had to disable TLS/SSL filtering.
Thanks, Shri

Administrators Marcos 5,443 Posted June 12
If a particular certificate is trusted because the appropriate CA certificate exists in the trusted root CA cert. store, ESET trusts the certificate as well. Still, it's possible to create exceptions by IP addresses, applications or certificates to work around possible issues while keeping SSL/TLS filtering enabled.

Shri Ganesh 0 Author Posted June 12
32 minutes ago, Marcos said:
If a particular certificate is trusted because the appropriate CA certificate exists in the trusted root CA cert. store, ESET trusts the certificate as well. Still, it's possible to create exceptions by IP addresses, applications or certificates to work around possible issues while keeping SSL/TLS filtering enabled.
Hi @Marcos I initially had it enabled when the feature was introduced (maybe around v13.x) but it started signing untrusted certificates. Specifically, self-signed certificates were being signed by the ESET CA certificate, causing my browser to implicitly trust those certificates, and this was causing me a lot of headache at that time, as I couldn't find a way to exclude ESET from intercepting certain IPs. But once this firewall issue is resolved, I will try enabling it again.
Thanks, Shri

itman 1,799 Posted June 12
I will also add that by disabling LiveGrid, you are putting yourself at risk from 0-day malware. One of the functions of LiveGrid is to check ESET's cloud blacklist which is updated first when new malware is discovered and being evaluated.

Shri Ganesh 0 Author Posted June 12
1 minute ago, itman said:
I will also add that by disabling LiveGrid, you are putting yourself at risk from 0-day malware. One of the functions of LiveGrid is to check ESET's cloud blacklist which is updated first when new malware is discovered and being evaluated.
Noted. I had never enabled this feature due to privacy features. I think LiveGrid was called ThreatSense or something in early versions. I couldn't find which files will be uploaded to LiveGrid automatically. Is it possible to make use of LiveGrid without uploading my files?
Thanks, Shri

itman 1,799 Posted June 12
9 minutes ago, Shri Ganesh said:
Is it possible to make use of LiveGrid without uploading my files?
Yes. See below screen shot;

Shri Ganesh 0 Author Posted June 12
15 minutes ago, itman said:
Yes. See below screen shot;
Noted. I've enabled LiveGrid reputation system (without enabling feedback system for submitting samples). But I will try enabling feedback system with manual submission of samples.
Thanks, Shri

Shri Ganesh 0 Author Posted June 24
Hi @Marcos Was there anything wrong identified on analysis of the dump files?
Thanks, Shri

Administrators Marcos 5,443 Posted July 11
Please provide an export of the registry key HKEY_CURRENT_USER\Software\ESET\ESET Security.

Shri Ganesh 0 Author Posted July 13
Hi @Marcos, I am currently out of station and can't access my desktop. But I am facing the SAME EXACT issue with my laptop. My laptop is running Windows 11 x64 and running ESET Internet Security v17.2.7.0. Will it be helpful if I provide a reg key export of HKEY_CURRENT_USER\Software\ESET\ESET Security from my Windows 11 laptop?
I do remember backing up and restoring config from an older version of ESET. I do regularly back up even now so that I can restore and don't need to bother with all the custom firewall rules. If a reg key export of HKEY_CURRENT_USER\Software\ESET\ESET Security from my Windows 11 laptop will help, I will share it as well.