Eset Internet Security stops showing Firewall Notifications

[Shri Ganesh 0]

I've been facing this issue for a while now. Eset internet security v16 and v17 have this issue. Running Windows 10 x64. The firewall popups stop showing after a few hours. When it doesn't show, the application is silently being blocked. The only way to fix this is by restarting Windows which is very annoying.

Example screenshot of window pop-up that stops appearing

[Marcos 5,267]

Does the issue occur with the latest v17.1.13 installed and automatic gamer mode activation disabled?

[Shri Ganesh 0]

Hi Marcos,

This still happens on v17.1.13.0. But I have disabled automatic gamer mode activation now. I've a feeling this may not be the issue because after restart it works fine. Will test it out and share an update.

But can I control gamer mode? Like which apps can trigger this?

[itman 1,746]

2 hours ago, Shri Ganesh said:

But can I control gamer mode? Like which apps can trigger this?

Refer to this on-line help article: https://help.eset.com/eis/17/en-US/idh_config_gamer.html?zoom_highlightsub=Gamer+mode

[Shri Ganesh 0]

Hi @Marcos

It happened again. Gamer mode is completely disabled. Now I am no longer getting the Firewall allow/deny screen.

I am already on the latest version. It's been happening for a while and I was hoping it would get fixed. But it's not.

Edit: I also disabled "Do not display notifications when running applications in full-screen mode", still no luck.

Please assist.

Thanks

Edited June 10 by Shri Ganesh

[itman 1,746]

The question that should have been asked initially is are you monitoring outbound network traffic in the Eset firewall? By default, Eset will allow all outbound port 80 network traffic.

[Marcos 5,267]

Please provide the following when the network communication is blocked and no interactive firewall window pops up when it's supposed to:

1, A full dump of ekrn.exe created via the advanced setup -> Tools -> Diagnostics -> Create (Dump)
2, A dump of egui.exe (or eguiproxy.exe if egui.exe is not running) via the task manager.

Also temporarily change minimum logging verbosity to "diagnostics". After reproducing the issue collect logs with ESET Log Collector and change the logging verbosity back to "informative".

[Shri Ganesh 0]

On 6/11/2024 at 1:03 AM, itman said:

The question that should have been asked initially is are you monitoring outbound network traffic in the Eset firewall? By default, Eset will allow all outbound port 80 network traffic.

Yes, I've set the firewall mode to interactive. Nothing is allowed by default (blocked by default).

[Shri Ganesh 0]

On 6/11/2024 at 7:54 AM, Marcos said:

Please provide the following when the network communication is blocked and no interactive firewall window pops up when it's supposed to:

1, A full dump of ekrn.exe created via the advanced setup -> Tools -> Diagnostics -> Create (Dump)
2, A dump of egui.exe (or eguiproxy.exe if egui.exe is not running) via the task manager.

Also temporarily change minimum logging verbosity to "diagnostics". After reproducing the issue collect logs with ESET Log Collector and change the logging verbosity back to "informative".

Noted. Will collect and attach this. Is mini dump enough (for ekrn.exe)?

Strangely I hibernated my system and after turned it back on, the issue went away now. But usually it only goes away after I restart.

Anyway, I will collect the logs once issue occurs and attach them here.

[Marcos 5,267]

No, a full dump of ekrn.exe, eguiproxy.exe and egui.exe (may not be running) will be needed.

[Shri Ganesh 0]

3 hours ago, Marcos said:

No, a full dump of ekrn.exe, eguiproxy.exe and egui.exe (may not be running) will be needed.

Hi @Marcos

Noted. I've generated full dump and attached via transfernow.net - https://www.transfernow.net/dl/20240612w2aFLzoC

Since the file was too big to attach, I had to attach to transfernow.net. The zip is encrypted with password:

 

Note: The dumps are under -> ESET\Diagnostics\eguiProxy.DMP, ekrn_15c408bc_42a8.dmp, ekrn_15c408bc_42a8.mdmp

Edited June 12 by Marcos
Password removed

[Marcos 5,267]

Thank you. While the dumps will be checked, please do the following:

1, Make sure to select "informative" minimum logging verbosity in the advanced setup -> Tools -> Log files
2, Delete C:\ProgramData\ESET\ESET Security\Logs\epfwlog.dat in safe mode
3, Check if the CloudCar test file is detected as Suspicious upon download from http://amtso.eicar.org/cloudcar.exe
4, We recommend enabling the LiveGrid Feedback system for maximum protection
5, Enable TLS/SSL filtering so that malware downloaded via https and malicious websites opened via https are blocked.

P_ESSW-18312

[Shri Ganesh 0]

Just now, Marcos said:

Thank you. While the dumps will be checked, please do the following:

1, Make sure to select "informative" minimum logging verbosity in the advanced setup -> Tools -> Log files
2, Delete C:\ProgramData\ESET\ESET Security\Logs\epfwlog.dat in safe mode
3, Check if the CloudCar test file is detected as Suspicious upon download from hxxp://amtso.eicar.org/cloudcar.exe
4, We recommend enabling the LiveGrid Feedback system for maximum protection
5, Enable TLS/SSL filtering so that malware downloaded via https and malicious websites opened via https are blocked.

Hi @Marcos

Thank you for the reply.

1) I've reverted logging verbosity back to Informative.
2) Will reboot and delete the C:\ProgramData\ESET\ESET Security\Logs\epfwlog.dat
3) It wasn't detected but ~60s after the file got downloaded, it was detected and cleaned.
4) I don't want to enable LiveGrid for time being.
5) I've had issues with TLS filtering. So I am using browser extension based blocker for now.

[Marcos 5,267]

6 minutes ago, Shri Ganesh said:

3) It wasn't detected but ~60s after the file got downloaded, it was detected and cleaned.

This is due to disabled SSL/TLS filtering. Possible malware on https websites will not be detected upon download at the network layer.

6 minutes ago, Shri Ganesh said:

5) I've had issues with TLS filtering. So I am using browser extension based blocker for now.

Could you elaborate more on these issues? The extension does not scan the website content for malware nor block blacklisted websites so you can't use it a replacement for SSL/TLS filtering.

[Shri Ganesh 0]

19 minutes ago, Marcos said:

This is due to disabled SSL/TLS filtering. Possible malware on https websites will not be detected upon download at the network layer.

Could you elaborate more on these issues? The extension does not scan the website content for malware nor block blacklisted websites so you can't use it a replacement for SSL/TLS filtering.

Hi @Marcos

I don't believe it's due to disabled TLS/SSL filtering as the file was downloaded over http (not https). I was checking after the file was downloaded/written to the disk and was visible in Explorer. It took quite a while after the exe file appeared in the explorer.

But I tried again with different browser Chrome (previously Vivaldi) and this time it was detected quickly.

As for the TLS/SSL issues, the TLS filtering is signing all the certificates (including the ones un-trusted local certificates from my NAS/Router/smart devices etc). I am using AdGuard with Phishing and malware protection. I do agree that it won't scan anything at file level (while being transferred) but mostly at domain level. But due to the certificate signing problem, I had to disable TLS/SSL filtering.

Thanks,
Shri

[Marcos 5,267]

If a particular certificate is trusted because the appropriate CA certificate exists in the trusted root CA cert. store, ESET trusts the certificate as well. Still, it's possible to create exceptions by IP addresses, applications or certificates to workaround possible issues while keeping SSL/TLS filtering enabled.

[Shri Ganesh 0]

32 minutes ago, Marcos said:

If a particular certificate is trusted because the appropriate CA certificate exists in the trusted root CA cert. store, ESET trusts the certificate as well. Still, it's possible to create exceptions by IP addresses, applications or certificates to workaround possible issues while keeping SSL/TLS filtering enabled.

Hi @Marcos

I initially had it enabled when the feature was introduced (may be around v13.x) but it started signing un-trusted certificates. Specifically self-signed certificates were being signed by ESET CA certificate causing my browser to implicitly trust those certificates and this was causing me lot of headache and at that time as I couldn't find a way to exclude ESET from intercepting certain IPs. But once this issue is firewall issue is resolved, I will try enabling it again.

Thanks,

Shri

[itman 1,746]

I will also add that by disabling LiveGrid, you are putting yourself at risk from 0-day malware. One of the functions of LiveGrid is to check Eset's cloud blacklist which is updated first when new malware is discovered and being evaluated.

[Shri Ganesh 0]

1 minute ago, itman said:

I will also add that by disabling LiveGrid, you are putting yourself at risk from 0-day malware. One of the functions of LiveGrid is to check Eset's cloud blacklist which is updated first when new malware is discovered and being evaluated.

Noted. I had never enabled this feature due to privacy features. I think LiveGrid was called ThreatSense or something in early versions. I couldn't find which files will be uploaded to LiveGrid automatically. Is it possible to make use of LiveGrid without uploading my files?

Thanks,

Shri

[itman 1,746]

9 minutes ago, Shri Ganesh said:

Is it possible to make use of LiveGrid without uploading my files?

Yes. See below screen shot;

[Shri Ganesh 0]

15 minutes ago, itman said:

Yes. See below screen shot;

Noted. I've enabled LiveGrid reputation system (without enabling feedback system for submitting samples). But I will try enabling feedback system with manual submission of samples.

Thanks,

Shri

[Shri Ganesh 0]

Hi @Marcos

Was there anything wrong identified on analysis of the dump files?

Thanks,

Shri

[Shri Ganesh 0]

Is there anyway that I can reach support team?

[Marcos 5,267]

Please provide an export of the registry key HKEY_CURRENT_USER\Software\ESET\ESET Security.

[Shri Ganesh 0]

Hi @Marcos, I am currently out of station and can't access my desktop. But I am facing the SAME EXACT issue with my laptop. My laptop is running Windows 11 x64 and running ESET Internet Security v17.2.7.0.

Will it be helpful if I provide with reg key export of HKEY_CURRENT_USER\Software\ESET\ESET Security from my Windows 11 laptop?

I do remember backing up and restoring config from older version of ESET. I do regularly backup even now so that I can restore and don't need to bother with all the custom firewall rules.

If a  reg key export of HKEY_CURRENT_USER\Software\ESET\ESET Security from my Windows 11 laptop will help, I will share it as well.