Endpoint Security ICMP Issue


Solved by Marcos.


Hello. This morning, I noticed a large majority, if not all, of my PCs running Endpoint Security v11.1.2039.2 having an issue responding to ICMP requests. If I run a continuous ping to a workstation running EES, I'm getting a large amount of "request timed out" messages. I ran a packet capture to a device having this issue, and the device is receiving ICMP requests, but it's not responding to all of them.

At first, I thought an ESET policy was causing the issue, so I moved a device into the 'Lost & Found' OU. Once all the policies were removed, I still had significant issues getting ICMP replies. If I booted the device into Safe Mode with Networking, the issue went away and I could get 100% of ICMP responses. I then uninstalled EES from the device and the issue has gone away. When I reinstalled EES on the device, the issue came back. I was not having this issue last Friday (8/2) and I have not made any ESET policy changes for several months, if not over a year. All of my PCs were also updated to v11.1.2039.2 between 7/12-7/16. Also, none of our servers, which are running Server Security v11.0.12012.0, are affected by this issue. Would there have been an ESET module update or something over the weekend that would have caused this issue? Right now, I have EES uninstalled from just one device, so if you need logs from a device that's having the problem and one that's not, let me know where to get them. Below is a list of modules running on one PC that is having the ICMP issue. Thank you for any help.

 

Detection Engine;29675;8/5/2024
Rapid Response module;24748;8/5/2024
Update module;1041;6/10/2024
Antivirus and antispyware scanner module;1614.1;7/18/2024
Advanced heuristics module;1229;6/10/2024
Archive support module;1351;6/4/2024
Cleaner module;1250;5/27/2024
Anti-Stealth support module;1192;5/22/2024
Firewall module;1448;6/14/2024
Translation support module;2016;7/22/2024
HIPS support module;1474;6/4/2024
Internet protection module;1475.4;8/1/2024
Web content filter module;1087;1/30/2024
Advanced antispam module;7975.1;7/2/2024
Database module;1126;7/8/2024
Configuration module;2127.7;7/11/2024
Direct Cloud communication module;1139;6/3/2024
Secure Browser module;1356;7/3/2024
Rootkit detection and cleaning module;1033;9/16/2022
Network protection module;1697;5/13/2024
Network Inspector module;1048;1/20/2022
Cryptographic protocol support module;1088;7/18/2024
Databases for advanced antispam module;10889;8/5/2024
Deep behavioral inspection support module;1162;6/17/2024
Advanced Machine Learning module;1155;7/3/2024
Telemetry module;1066.1;5/24/2022
Security Center integration module;1040;8/15/2023


  • Administrators

Most likely the trusted zone or trusted networks are not set up properly.

Please carry on as follows:

  1. Enable advanced logging under Help and support -> Technical support
  2. Reproduce the issue
  3. Stop logging
  4. Collect logs with ESET Log Collector and upload the generated archive here (only the ESET staff can access attachments). If the archive is too big to upload here, upload it to a file sharing service and drop me a private message with a download link.

 


Hello.  I enabled advanced logging on a device and from that device, I tried pinging another device on the same subnet.  The majority of the time, it timed out.  Attached is the .zip file containing the logs.

As far as trusted zones, I set up trusted zones in ESET PROTECT for several subnets well over a year ago and it's been working fine. I also have ICMP allowed in both directions in a firewall rule.

  

 

ees_logs.zip


  • Administrators

Could you please uninstall ESET Endpoint and install it from scratch? Some of the default firewall rules are incorrect. I didn't find any firewall rules configured through policies so I assume that reinstallation with default settings should suffice to restore original firewall rules. Otherwise it might be necessary to delete custom policies with firewall rules and re-create them from scratch.


Hello.  On a PC that already had EES uninstalled, I downloaded the latest version of EES from here and then installed it.  After it came back up, I tried to ping it, but immediately started to get timeout messages.  Prior to reinstalling EES, I was getting ping responses 100% of the time.  When I logged into the PC, I went into Advanced settings and it had the trusted zones and ICMP firewall rules listed that are set in my ESET PROTECT policy.  These were under Advanced setup->Protections->Network access protection->IP sets->Trusted zone section and the Advanced setup->Protections->Network access protection->Firewall->Rules section.

I'm really confused as to why this just started happening over the weekend.  Nothing has changed in ESET PROTECT recently.


  • Administrators
5 hours ago, Marcos said:

Some of the default firewall rules are incorrect.

I stand corrected, it was just a wrong icon that a log viewer was showing for the rules. The default firewall rules are ok. All ICMP communication captured in the logs was allowed by the firewall. Does temporarily pausing the firewall actually make a difference and you are able to ping the machine then?  Does it work after adding the subnet 10.1.0.0/16 to the trusted zone?


I found that pausing firewall and adding 10.1.0.0/16 to trusted zone has no effect, but if I disable network traffic scanner then ping returns to normal.

I don't even need to test by pinging another host, I can ping localhost.


Neither disabling the firewall nor adding 10.1.0.0/255.255.0.0 to the trusted zone fixed the issue. In both cases, I still got the same "request timed out" message the majority of the time when pinging a PC. As @FRiC noted, as soon as I disabled Detection engine->Network traffic scanner on a PC, ping requests immediately returned to normal. As soon as I enabled it again, the "request timed out" messages returned.

Since it appears disabling Network traffic scanner fixes the issue, how do we get around this?  As soon as I disabled it on a PC, ESET brought up a couple of warning messages.  I'm assuming I can turn these off using a policy, but is there a way to fix Network traffic scanner or add a trusted zone to it?

EESAlert.PNG


Hello,

I have the same.

But I diagnosed that the problem is with the HTTP/3 scanning module.

When I disable this option, ICMP/ping is OK.


  • Administrators

The issue has been reported to developers. Please temporarily disable HTTP/3 scanning while the issue is investigated and fixed. We'll keep you posted.

P_EESW-11721


Can confirm the issue and it's happening only with Regular update type. If you switch to Pre-release or Delayed updates the issue resolves.

Also the issue only occurs on EES v11.1.2039.2. Version 11.0.2044 works fine even with Regular updates.

Edited by h0td0g

Hello,

I can confirm this behavior. While it does not seem to be a problem in most cases, some software like SIMATIC WinCC from Siemens is not working correctly anymore. The connection between client and server is unstable, and after uninstalling ESET everything is OK again.


Either disabling "Enable SSL/TLS" under Advanced setup->Protections->SSL/TLS or disabling "HTTP(S) traffic scanning" under Advanced setup->Protections->Web access protection->HTTP(S) traffic scanning fixed the issue for me.  With disabling "HTTP(S) traffic scanner", ESET brought up security warnings, but disabling "Enable SSL/TLS" did not generate any additional warnings.


Correction on my previous post since I can no longer edit it.  I didn't have to disable the entire "HTTP(S) traffic scanning" section under Advanced setup->Protections->Web access protection->HTTP(S) traffic scanning.  I just had to disable "Enable HTTP/3 traffic scanning" under Advanced setup->Protections->Web access protection->HTTP(S) traffic scanning as @John PW and @Marcos have noted.

 

 


  • Administrators
  • Solution
32 minutes ago, John PW said:

@Marcos My endpoint received update to version 29680 but the problem still persists.

It should work with Rapid response module 24753. What version do you have?


Hi @all,

Thank you, I can confirm that after a restart (after auto-installing update 24753 this afternoon) everything is OK.
I noticed the problem with PRTG yesterday afternoon, all ping sensors were going crazy even though the machines were actually reachable. Based on the time when the packet loss occurred and the communicated time of the pattern updates, it quickly became clear to me that it had to be related to ESET, especially since pings on my Linux systems and my switches continued to work without errors.
Thank you for this fast solving. This is why I am an ESET partner.

Greetings and best regards

Edited by TobiasL