Shri Ganesh (Author), posted July 13

Hi @Marcos, I think I found something interesting. I think the allow application firewall screen pops up for certain types of apps (Windows App store Apps) and NOT for regular Windows apps installed/extracted.

Shri Ganesh (Author), posted July 14

Okay, I think I've narrowed the issue down further, or maybe it's just a Windows 11 thing. It's not that the Firewall window isn't appearing, but rather the Firewall is silently blocking connections EVEN when stating that it's unblocked. Screenshot attached. There is an explicit allow rule and it even states Unblocked. But I still see the Blocked counter increasing (17x).

Marcos (Administrators), posted July 15

I've noticed that you have wrong default firewall rules. Please uninstall ESET and install the latest version 17.2.7 from scratch (without importing previous configuration) which I believe will fix the issues.

Shri Ganesh (Author), posted July 20

On 7/15/2024 at 7:07 PM, Marcos said:
> I've noticed that you have wrong default firewall rules. Please uninstall ESET and install the latest version 17.2.7 from scratch (without importing previous configuration) which I believe will fix the issues.

Hi @Marcos

Okay noted. It was painful to create all the firewall rules from scratch. But I will try this and let you know. Is there any way to just export and import firewall rules only?

Thanks,
Shri

Marcos (Administrators), posted July 20

Please provide logs collected with ESET Log Collector as the previously posted download link has already expired.

Tarmi Ricmi, posted August 11

Just to add my two cents - I have been battling with the same issue for a very long time (5-6 years at least). Firewall is in interactive mode, I want to be able to choose which applications can access internet and I usually create rules. I was unable to pinpoint what causes notifications to stop, but they just do at some point and thus applications that don't have rules simply stop being able to access internet since I am not offered an option to allow them. I have reinstalled multiple versions of ESET internet security over the years, even started with blank rules a few times but that doesn't solve the issue. And the only solution is to restart the whole computer which is usually a pain, since I have a lot of apps open with a VM or two running in the background.

Based on what I've read here and in other places this seems to be a known issue among users, but not with dev team for some reason. One of the posts from 2022 lists a forum post from 2014 that explains a similar issue. So this has been plaguing users of ESET for a long time, with no resolution in sight. Post from 2014 is this - https://forum.eset.com/topic/34571-firewall-interactive-mode-dialogs-stop-appearing/ says that it's solved in one specific version but later users complain again in newer versions. And there are new posts every now and then (this one included).

Is this an ESET issue or something with the way Windows works?

Marcos (Administrators), posted August 11

Please check if disabling this setting helps:

Tarmi Ricmi, posted August 11

It's disabled in both those places. When did this "gamer mode" become a thing? Asking because I feel like I am having those issues forever 🙂

itman, posted August 11

1 hour ago, Tarmi Ricmi said:
> Is this an ESET issue or something with way Windows works?

There might be something to this worthy of further exploration.

One of the default settings of the Eset firewall is to defer to Win firewall inbound rules prior to blocking the network traffic. The first question is how does this setting work with the Eset firewall set to Interactive mode? It may be possible that Win firewall rules are referenced and if no existing inbound rule exists, the network traffic is just silently blocked in certain instances by the Eset firewall in Interactive mode. On the other hand, this prior processing is supposedly not applicable to outbound network traffic.

Then there is the question of whether "stateful" processing of the Eset firewall in Interactive mode is working properly. Stateful processing means any associated inbound network traffic from a prior allowed outbound network connection is auto allowed. Or is this processing being borked in some way by the processing noted in the prior paragraph?

Edited August 11 by itman

Marcos (Administrators), posted August 11

Please provide a dump of egui.exe, eguiproxy.exe and ekrn.exe when the network communication is blocked due to the firewall waiting for an action selection but the interactive window is not shown.

itman, posted August 11

Another point of exploration is the difference between Eset firewall Interactive and Policy mode as noted below;

https://help.eset.com/essp/17/en-US/idh_config_epfw_basic_group.html

Of particular interest is Eset firewall in Interactive mode will alert and wait for user input action prior to allowing or blocking the activity. However in Policy mode if an existing firewall rule does not exist for the network activity, the activity is silently blocked.

The behavior being described to date really appears to be the Eset firewall for some unknown reason is reverting from Interactive to Policy mode after an elapsed period of time. Or, something encountered during Eset processing in Interactive mode is causing the firewall to internally change to Policy mode behavior.

Shri Ganesh (Author), posted August 15

On 8/12/2024 at 12:46 AM, Tarmi Ricmi said:
> Just to add my two cents - I have been battling with the same issue for a very long time (5-6 years at least). Firewall is in interactive mode, I want to be able to choose which applications can access internet and I usually create rules. I was unable to pinpoint what causes notifications to stop, but they just do at some point and thus applications that don't have rules simply stop being able to access internet since I am not offered an option to allow them. I have reinstalled multiple versions of ESET internet security over the years, even started with blank rules a few times but that doesn't solve the issue. And the only solution is to restart the whole computer which is usually a pain, since I have a lot of apps open with a VM or two running in the background.
>
> Based on what I've read here and in other places this seems to be a known issue among users, but not with dev team for some reason. One of the posts from 2022 lists a forum post from 2014 that explains a similar issue. So this has been plaguing users of ESET for a long time, with no resolution in sight. Post from 2014 is this - https://forum.eset.com/topic/34571-firewall-interactive-mode-dialogs-stop-appearing/ says that it's solved in one specific version but later users complain again in newer versions. And there are new posts every now and then (this one included).
>
> Is this an ESET issue or something with the way Windows works?

Wow that's quite surprising! And exactly like you, I am also running one or two VMs (on VMWare Workstation) at most times. Maybe this has something to do with this issue?

Shri Ganesh (Author), posted August 15

On 8/12/2024 at 7:31 AM, itman said:
> Another point of exploration is the difference between Eset firewall Interactive and Policy mode as noted below;
>
> https://help.eset.com/essp/17/en-US/idh_config_epfw_basic_group.html
>
> Of particular interest is Eset firewall in Interactive mode will alert and wait for user input action prior to allowing or blocking the activity. However in Policy mode if an existing firewall rule does not exist for the network activity, the activity is silently blocked.
>
> The behavior being described to date really appears to be the Eset firewall for some unknown reason is reverting from Interactive to Policy mode after an elapsed period of time. Or, something encountered during Eset processing in Interactive mode is causing the firewall to internally change to Policy mode behavior.

This is definitely a possibility. But after a system restart, it automatically reverts from Policy based mode to interactive. But I've verified the settings, it does show as interactive only.

Marcos (Administrators), posted August 15

14 minutes ago, Shri Ganesh said:
> This is definitely a possibility. But after a system restart, it automatically reverts from Policy based mode to interactive. But I've verified the settings, the does show as interactive only.

A system restart cannot make changes in ESET's configuration, especially when talking about non-managed consumer products. Are you able to reproduce the change of the firewall mode by restarting the machine?

Shri Ganesh (Author), posted August 15

On 7/20/2024 at 8:56 PM, Marcos said:
> Please provide logs collected with ESET Log Collector as the previously posted download link has already expired.

Hi @Marcos,

I am back to the place where I've access to my PC. I've re-uploaded the previously collected logs

https://filebin.net/ahjroaq8wh33gs8g/eis_logs.zip
(OR)
https://file.io/bBZPZKA05lUc

PWD: Fg3cy4542tkTix

Shri Ganesh (Author), posted August 15

18 minutes ago, Marcos said:
> A system restart cannot make changes in ESET's configuration, especially when talking about non-managed consumer products. Are you able to reproduce the change of the firewall mode by restarting the machine?

Hi @Marcos

No, it's just a theory that seems to match the symptoms. There is no way to tell when this issue occurs. And the only way to resolve it is by restarting the machine.

Marcos (Administrators), posted August 15

1. The logs were collected 2 months ago with v17.1 installed.
2. Make sure to upgrade to v17.2 and disable this setting in the Gamer mode setup:

If that doesn't make any difference and you are still not asked when a new network communication for which no rule exists is detected, provide a complete dump of egui.exe, eguiproxy.exe and ekrn.exe via the Task manager. The logs you've provided didn't include these process dumps from the time when the network communication is blocked and the interactive firewall window was supposed to pop up.

Here are some tips for improving protection:

- Enable detection of potentially unsafe applications that could be misused to terminate the AV and let the adversary run malware undetected.
- Check if the LiveGrid Reputation system works alright. The CloudCar test file should be detected as Suspicious upon download: http://amtso.eicar.org/cloudcar.exe
- Enable the LiveGrid Feedback system to enable additional protection features in HIPS-based protection modules, such as Ransomware Shield.
- Enable SSL protocol scanning to scan https traffic.
- Consider removing G:\Downloads\Jdownloader\New folder from detection exclusions. It appears that some keygens / trojans were detected there earlier.

Shri Ganesh (Author), posted August 16

11 hours ago, Marcos said:
> 1. The logs were collected 2 months ago with v17.1 installed.
> 2. Make sure to upgrade to v17.2 and disable this setting in the Gamer mode setup:
>
> If that doesn't make any difference and you are still not asked when a new network communication for which no rule exists is detected, provide a complete dump of egui.exe, eguiproxy.exe and ekrn.exe via the Task manager. The logs you've provided didn't include these process dumps from the time when the network communication is blocked and the interactive firewall window was supposed to pop up.
>
> Here are some tips for improving protection:
>
> - Enable detection of potentially unsafe applications that could be misused to terminate the AV and let the adversary run malware undetected.
> - Check if the LiveGrid Reputation system works alright. The CloudCar test file should be detected as Suspicious upon download: hxxp://amtso.eicar.org/cloudcar.exe
> - Enable the LiveGrid Feedback system to enable additional protection features in HIPS-based protection modules, such as Ransomware Shield.
> - Enable SSL protocol scanning to scan https traffic.
> - Consider removing G:\Downloads\Jdownloader\New folder from detection exclusions. It appears that some keygens / trojans were detected there earlier.

Okay will do. Upgraded to 17.2.7.0 just now. Gamer mode was already disabled. Will reproduce the issue and generate complete dump of egui.exe, eguiproxy.exe and ekrn.exe via the Task manager and upload them.

Tarmi Ricmi, posted August 18

Currently I am running VMs in HyperV, but I used VMware workstation and VirtualBox also. So that in itself should not be the issue (except if it's related to the way network is configured, but since it's various tools over the years, there should be no common setup). But bottom line is that after a while (based on a trigger I am not aware of at the moment) it simply stops.

Now, I have disabled gaming mode completely and haven't seen the issue for a few days. But even if Gaming mode is on it should either (according to my knowledge, which may be wrong) tell me after I am out of full screen app that notifications were blocked or I should be able to find them in that blocked but that is never the case.

For me, the main issue which makes this one "bigger" is that ESET doesn't "honor" existing rules all the time. I will get a question about Discord for example multiple times (even though the rule exists) and now I have 6 rules for Discord and for now it seems to be working but at some point it might ask me to create a rule again. And yes, when an app is updated I do get questions to keep the rules which I always do. I have 5 rules for Skype (at least), 4 for GoogleDriveFS.exe, etc.

So, for ESET gurus, is there a log which should tell when such an app is blocked (due to gaming mode or anything else) so I can check them once it happens again? Also, how long are those files kept (and can it be configured) and can they be exported to CSV/Excel?

Edited August 18 by Tarmi Ricmi

itman, posted August 19

16 hours ago, Tarmi Ricmi said:
> I will get question about Discord for example multiple times (even though the rule exist) and now I have 6 rules for Discord and for now it seems to be working but at some point it might ask me to create rule again.

Examine the Eset firewall existing rules for Discord. I strongly suspect that the firewall is creating a Discord rule with a different remote IP address or ports, etc. Ditto for other apps exhibiting the same behavior.

The only way to prevent this is to create what Eset refers to as a "permissive" rule. That is to set remote address/ports to "Any". Alternatively, if all the remote IP addresses are known previously, these can be specified in a single Discord firewall rule. Ditto for ports used by Discord.

Also of note is Discord is an app abused by attackers. As such, creating a permissive firewall rule for it might open up your device to being remotely attacked.

Edited August 19 by itman

Marcos (Administrators), posted August 19

It could be that there are several aliases (symlinks) for the executable and a rule is created for each alias with same app path.

itman, posted August 20

In regards to Discord is this Reddit posting;

> I am using windows firewall outgoing firewall so by default all connections are blocked except selected ports and applications. Every time discord updates, firewall complains about blocked connections and Discord won't start until I add an exception for a new executable plus each version has its own firewall entry. Discord is the only application from hundreds I use which has this problem.

https://www.reddit.com/r/discordapp/comments/138stbi/how_to_make_discord_windows_firewall_friendly/

Relating this to Eset firewall operation assumed is on each Discord update, Eset Application Modification detection; only applicable in Interactive mode, will trigger resulting in a new firewall rule required. I believe this is what @Marcos was referring to in his above "aliases" posting.

Edited August 20 by itman

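Added example, not part of any post in this thread and not ESET's or Windows Firewall's rule engine: a simplified model of the rule matching discussed in the August 19 and August 20 posts, showing why a rule bound to one remote endpoint or one versioned executable path stops matching, and what Interactive versus Policy mode does with the unmatched connection. First-match semantics, exact path comparison, and all paths and addresses below are assumptions constructed for illustration.

```python
# Simplified model of per-application firewall rule matching. Illustration only:
# this is not ESET's or Windows Firewall's rule engine. Paths/IPs are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard value for a rule field


@dataclass(frozen=True)
class Rule:
    app_path: str                # executable the rule is bound to
    remote_net: Optional[str]    # CIDR string, or ANY
    remote_port: Optional[int]   # TCP/UDP port, or ANY
    action: str = "allow"

    def matches(self, app_path: str, remote_ip: str, remote_port: int) -> bool:
        if self.app_path.lower() != app_path.lower():
            return False         # a new versioned path never matches an old rule
        if self.remote_net is not ANY and \
                ip_address(remote_ip) not in ip_network(self.remote_net):
            return False
        return self.remote_port is ANY or self.remote_port == remote_port


def decide(rules, mode, app_path, remote_ip, remote_port):
    """Assumed semantics: first matching rule wins; otherwise the mode decides."""
    for rule in rules:
        if rule.matches(app_path, remote_ip, remote_port):
            return rule.action
    # Interactive mode prompts the user; policy mode blocks without a prompt.
    return "ask" if mode == "interactive" else "block"


# Constructed install paths before and after an application update.
OLD = r"C:\Users\demo\AppData\Local\Discord\app-1.0.1\Discord.exe"
NEW = r"C:\Users\demo\AppData\Local\Discord\app-1.0.2\Discord.exe"

# Constructed outbound connections (documentation address range 203.0.113.0/24).
CONNECTIONS = [
    (OLD, "203.0.113.10", 443),   # endpoint the narrow rule was created for
    (OLD, "203.0.113.77", 443),   # same app, different server
    (NEW, "203.0.113.10", 443),   # same server, executable replaced by update
]

NARROW = [Rule(OLD, "203.0.113.10/32", 443)]
PERMISSIVE = [Rule(OLD, ANY, ANY)]


def replay(rules, mode):
    """Return the decision for each constructed connection, in order."""
    return [decide(rules, mode, *conn) for conn in CONNECTIONS]


if __name__ == "__main__":
    for name, rules in (("narrow", NARROW), ("permissive", PERMISSIVE)):
        for mode in ("interactive", "policy"):
            print(f"{name:10} {mode:11} {replay(rules, mode)}")
```

In this model the "Any" rule removes the repeat prompt for a new server but not for the updated executable, which still needs its own rule; in Policy mode both unmatched cases are blocked with no prompt.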