Eset Internet Security stops showing Firewall Notifications


Hi @Marcos, I think I found something interesting. I think the allow application firewall screen pops up for certain types of apps (Windows App store Apps) and NOT for regular Windows apps installed/extracted.


Okay, I think I've narrowed the issue down further or maybe it's just a Windows 11 thing. It's not that the Firewall window isn't appearing. But rather the Firewall is silently blocking connections EVEN when stating that it's unblocked.

Screenshot attached. There is an explicit allow rule and it even states Unblocked. But I still see Blocked counter increasing (17x).

 

ESET_Internet_Security_2024-07-14_16-06-26.png


  • Administrators

I've noticed that you have wrong default firewall rules. Please uninstall ESET and install the latest version 17.2.7 from scratch (without importing previous configuration) which I believe will fix the issues.


On 7/15/2024 at 7:07 PM, Marcos said:

I've noticed that you have wrong default firewall rules. Please uninstall ESET and install the latest version 17.2.7 from scratch (without importing previous configuration) which I believe will fix the issues.

Hi @Marcos

Okay noted. It was painful to create all the firewall rules from scratch. But I will try this and let you know.

Is there any way to just export and import firewall rules only?

Thanks,
Shri 


  • 4 weeks later...

Just to add my two cents - I have been battling with same issue for a very long time (5-6 years at least). Firewall is in interactive mode, I want to be able to choose which applications can access internet and I usually create rules. I was unable to pinpoint what causes notifications to stop, but they just do at some point and thus applications that don't have rules simply stop being able to access internet since I am not offered an option to allow them.

I have reinstalled multiple versions of ESET internet security over the years, even started with blank rules few times but that doesn't solve the issue. And the only solution is to restart the whole computer which is usually a pain, since I have a lot of apps open with a VM or two running in the background. Based on what I've read here and on other places this seems to be a known issue among users, but not with dev team for some reason.

One of the posts from 2022 lists forum post from 2014 that explains similar issue. So this has been plaguing users of ESET for a long time, with no resolution in sight. Post from 2014 is this - https://forum.eset.com/topic/34571-firewall-interactive-mode-dialogs-stop-appearing/ says that it's solved in one specific version but later users complain again in newer versions. And there are new posts every now and then (this one included).

Is this an ESET issue or something with way Windows works?


1 hour ago, Tarmi Ricmi said:

Is this an ESET issue or something with way Windows works?

There might be something to this worthy of further exploration.

One of the default settings of the Eset firewall is to defer to Win firewall inbound rules prior to blocking the network traffic. The first question is how does this setting work with the Eset firewall set to Interactive mode? It may be possible that Win firewall rules are referenced and if no existing inbound rule exists, the network traffic is just silently blocked in certain instances by the Eset firewall in Interactive mode. On the other hand, this prior processing is supposedly not applicable to outbound network traffic.

Then there is the question of if "stateful" processing of the Eset firewall in Interactive mode is working properly. Stateful processing means any associated inbound network traffic from a prior allowed outbound network connection is auto allowed. Or is this processing being borked in some way by processing noted in the prior paragraph?

Edited by itman

  • Administrators

Please provide a dump of egui.exe, eguiproxy.exe and ekrn.exe when the network communication is blocked due to the firewall waiting for an action selection but the interactive window is not shown.


Another point of exploration is the difference between Eset firewall Interactive and Policy mode as noted below;

Eset_Modes.thumb.png.ab10d5cb02871782b25e8ec8e5cce9bf.png

https://help.eset.com/essp/17/en-US/idh_config_epfw_basic_group.html

Of particular interest is Eset firewall in Interactive mode will alert and wait for user input action prior to allowing or blocking the activity. However in Policy mode if an existing firewall rule does not exist for the network activity, the activity is silently blocked.

The behavior being described to date really appears to be the Eset firewall for some unknown reason is reverting from Interactive to Policy mode after an elapsed period of time. Or, something encountered during Eset processing in Interactive mode is causing the firewall to internally change to Policy mode behavior.


On 8/12/2024 at 12:46 AM, Tarmi Ricmi said:

Just to add my two cents - I have been battling with same issue for a very long time (5-6 years at least). Firewall is in interactive mode, I want to be able to choose which applications can access internet and I usually create rules. I was unable to pinpoint what causes notifications to stop, but they just do at some point and thus applications that don't have rules simply stop being able to access internet since I am not offered an option to allow them.

I have reinstalled multiple versions of ESET internet security over the years, even started with blank rules few times but that doesn't solve the issue. And the only solution is to restart the whole computer which is usually a pain, since I have a lot of apps open with a VM or two running in the background. Based on what I've read here and on other places this seems to be a known issue among users, but not with dev team for some reason.

One of the posts from 2022 lists forum post from 2014 that explains similar issue. So this has been plaguing users of ESET for a long time, with no resolution in sight. Post from 2014 is this - https://forum.eset.com/topic/34571-firewall-interactive-mode-dialogs-stop-appearing/ says that it's solved in one specific version but later users complain again in newer versions. And there are new posts every now and then (this one included).

Is this an ESET issue or something with way Windows works?

Wow that's quite surprising! And exactly like you, I am also running one or two VMs (on VMWare Workstation) at most times. Maybe this has something to do with this issue?


On 8/12/2024 at 7:31 AM, itman said:

Another point of exploration is the difference between Eset firewall Interactive and Policy mode as noted below;

Eset_Modes.thumb.png.ab10d5cb02871782b25e8ec8e5cce9bf.png

https://help.eset.com/essp/17/en-US/idh_config_epfw_basic_group.html

Of particular interest is Eset firewall in Interactive mode will alert and wait for user input action prior to allowing or blocking the activity. However in Policy mode if an existing firewall rule does not exist for the network activity, the activity is silently blocked.

The behavior being described to date really appears to be the Eset firewall for some unknown reason is reverting from Interactive to Policy mode after an elapsed period of time. Or, something encountered during Eset processing in Interactive mode is causing the firewall to internally change to Policy mode behavior.

This is definitely a possibility. But after a system restart, it automatically reverts from Policy based mode to interactive. But I've verified the settings, it does show as interactive only.


  • Administrators
14 minutes ago, Shri Ganesh said:

This is definitely a possibility. But after a system restart, it automatically reverts from Policy based mode to interactive. But I've verified the settings, it does show as interactive only.

A system restart cannot make changes in ESET's configuration, especially when talking about non-managed consumer products.

Are you able to reproduce the change of the firewall mode by restarting the machine?


On 7/20/2024 at 8:56 PM, Marcos said:

Please provide logs collected with ESET Log Collector as the previously posted download link has already expired.

Hi @Marcos, I am back to the place where I've access to my PC. I've re-uploaded the previously collected logs

https://filebin.net/ahjroaq8wh33gs8g/eis_logs.zip

(OR)

https://file.io/bBZPZKA05lUc

PWD: Fg3cy4542tkTix


18 minutes ago, Marcos said:

A system restart cannot make changes in ESET's configuration, especially when talking about non-managed consumer products.

Are you able to reproduce the change of the firewall mode by restarting the machine?

Hi @Marcos

No it's just a theory that seems to match the symptoms. There is no way to tell when this issue occurs. And the only way to resolve it, is by restarting the machine.


  • Administrators

1. The logs were collected 2 months ago with v17.1 installed
2. Make sure to upgrade to v17.2 and disable this setting in the Gamer mode setup:

image.png

If that doesn't make any difference and you are still not asked when a new network communication for which no rule exists is detected, provide a complete dump of egui.exe, eguiproxy.exe and ekrn.exe via the Task manager.

The logs you've provided didn't include these process dumps from time when the network communication is blocked and the interactive firewall window was supposed to pop up.

Here are some tips for improving protection:

  1. Enable detection of potentially unsafe applications that could be misused to terminate the AV and let the adversary run malware undetected.
  2. Check if the LiveGrid Reputation system works alright. The CloudCar test file should be detected as Suspicious upon download: http://amtso.eicar.org/cloudcar.exe
  3. Enable the LiveGrid Feedback system to enable additional protection features in HIPS-based protection modules, such as Ransomware Shield.
  4. Enable SSL protocol scanning to scan https traffic.
  5. Consider removing G:\Downloads\Jdownloader\New folder from detection exclusions. It appears that some keygens / trojans were detected there earlier.

11 hours ago, Marcos said:

1. The logs were collected 2 months ago with v17.1 installed
2. Make sure to upgrade to v17.2 and disable this setting in the Gamer mode setup:

image.png

If that doesn't make any difference and you are still not asked when a new network communication for which no rule exists is detected, provide a complete dump of egui.exe, eguiproxy.exe and ekrn.exe via the Task manager.

The logs you've provided didn't include these process dumps from time when the network communication is blocked and the interactive firewall window was supposed to pop up.

Here are some tips for improving protection:

  1. Enable detection of potentially unsafe applications that could be misused to terminate the AV and let the adversary run malware undetected.
  2. Check if the LiveGrid Reputation system works alright. The CloudCar test file should be detected as Suspicious upon download: hxxp://amtso.eicar.org/cloudcar.exe
  3. Enable the LiveGrid Feedback system to enable additional protection features in HIPS-based protection modules, such as Ransomware Shield.
  4. Enable SSL protocol scanning to scan https traffic.
  5. Consider removing G:\Downloads\Jdownloader\New folder from detection exclusions. It appears that some keygens / trojans were detected there earlier.

Okay will do. Upgraded to 17.2.7.0 just now. Gamer mode was already disabled. Will reproduce the issue and generate complete dump of egui.exe, eguiproxy.exe and ekrn.exe via the Task manager and upload them.


Currently I am running VMs in HyperV, but I used VMware workstation and VirtualBox also. So that in itself should not be the issue (except if it's related to the way network is configured, but since it's various tools over the years, there should be no common setup). But bottom line is that after a while (based on trigger I am not aware of at the moment) it simply stops.

Now, I have disabled gaming mode completely and haven't seen the issue for few days. But even if Gaming mode is on it should either (according to my knowledge, which may be wrong) tell me after I am out of full screen app that notifications were blocked or I should be able to find them in that blocked but that is never the case.

For me, main issue which makes this one "bigger" is that ESET doesn't "honor" existing rules all the time. I will get question about Discord for example multiple times (even though the rule exists) and now I have 6 rules for Discord and for now it seems to be working but at some point it might ask me to create rule again. And yes, when an app is updated I do get questions to keep the rules which I always do. I have 5 rules for Skype (at least), 4 for GoogleDriveFS.exe, etc.

So, for ESET gurus, is there log which should tell when such app is blocked (due to gaming mode or anything else) so I can check them once it happens again? Also, how long are those files kept (and can it be configured) and can they be exported to CSV/Excel?

Edited by Tarmi Ricmi

16 hours ago, Tarmi Ricmi said:

I will get question about Discord for example multiple times (even though the rule exists) and now I have 6 rules for Discord and for now it seems to be working but at some point it might ask me to create rule again.

Examine the Eset firewall existing rules for Discord. I strongly suspect that the firewall is creating a Discord rule with a different remote IP address or ports, etc. Ditto for other apps exhibiting the same behavior.

The only way to prevent this is to create what Eset refers to as a "permissive" rule. That is to set remote address/ports to "Any". Alternatively, if all the remote IP addresses are known previously, these can be specified in a single Discord firewall rule. Ditto for ports used by Discord.

Also of note is Discord is an app abused by attackers. As such, creating a permissive firewall rule for it might open up your device to being remotely attacked.

Edited by itman

  • Administrators

It could be that there are several aliases (symlinks) for the executable and a rule is created for each alias with same app path.


In regards to Discord is this Reddit posting;

Quote

I am using windows firewall outgoing firewall so by default all connections are blocked except selected ports and applications.

Every time discord updates, firewall complains about blocked connections and Discord won't start until I add an exception for a new executable plus each version has its own firewall entry.

Discord is the only application from hundreds I use which has this problem.

https://www.reddit.com/r/discordapp/comments/138stbi/how_to_make_discord_windows_firewall_friendly/

Relating this to Eset firewall operation assumed is on each Discord update, Eset Application Modification detection; only applicable in Interactive mode, will trigger resulting in a new firewall rule required. I believe this is what @Marcos was referring to in his above "aliases" posting.

Edited by itman
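
The duplicate-rule explanations in the last posts (one rule per alias of the same executable, or one per executable left behind by an update) can be told apart on disk. The following PowerShell is an added example, not part of the thread and not ESET's or Discord's code; the function name `Get-ExecutableCopies` is hypothetical, and the install root `%LOCALAPPDATA%\Discord` is an assumption about a per-user Discord install.

```powershell
# Added example: list every on-disk copy of an executable so that per-path
# firewall rules can be compared with what is actually installed.
# Assumption: Discord is installed per-user under %LOCALAPPDATA%\Discord.
function Get-ExecutableCopies {
    param(
        [Parameter(Mandatory)][string]$Root,   # folder to search
        [Parameter(Mandatory)][string]$Name    # executable file name
    )
    Get-ChildItem -LiteralPath $Root -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path     = $_.FullName
                LinkType = $_.LinkType               # SymbolicLink / HardLink / empty
                Target   = ($_.Target -join ';')     # where a link points, if it is one
                Version  = $_.VersionInfo.FileVersion
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                SigState = $sig.Status
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$copies = Get-ExecutableCopies -Root (Join-Path $env:LOCALAPPDATA 'Discord') -Name 'Discord.exe'

# Per-path detail: a non-empty LinkType/Target marks an alias of another file.
$copies | Format-List Path, LinkType, Target, Version, Signer, SigState

# Same hash under several paths = aliases or copies of one binary;
# different hashes = separate versions left behind by updates.
$copies | Group-Object SHA256 | ForEach-Object {
    [pscustomobject]@{
        SHA256  = $_.Name
        Copies  = $_.Count
        Version = ($_.Group.Version | Select-Object -Unique) -join ', '
        Paths   = $_.Group.Path -join "`n"
    }
} | Format-List
```

Comparing the listed paths with the application paths in the existing firewall rules shows which rules still point at an installed binary and which belong to versions that are no longer present.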