T3chGuy007 - Posted August 5
Hello. This morning, I noticed a large majority, if not all, of my PCs running Endpoint Security v11.1.2039.2 having an issue responding to ICMP requests. If I run a continuous ping to a workstation running EES, I'm getting a large amount of "request timed out" messages. I ran a packet capture to a device having this issue, and the device is receiving ICMP requests, but it's not responding to all of them.

At first, I thought an ESET policy was causing the issue, so I moved a device into the 'Lost & Found' OU. Once all the policies were removed, I still had significant issues getting ICMP replies. If I booted the device into Safe Mode with Networking, the issue went away and I could get 100% of ICMP responses. I then uninstalled EES from the device and the issue has gone away. When I reinstalled EES on the device, the issue came back.

I was not having this issue last Friday (8/2) and I have not made any ESET policy changes for several months, if not over a year. All of my PCs were also updated to v11.1.2039.2 between 7/12-7/16. Also, none of our servers, which are running Server Security v11.0.12012.0, are affected by this issue. Would there have been an ESET module update or something over the weekend that would have caused this issue?

Right now, I have EES uninstalled from just one device, so if you need logs from a device that's having the problem and one that's not, let me know where to get them. Below is a list of modules running on one PC that is having the ICMP issue. Thank you for any help.
Detection Engine;29675;8/5/2024
Rapid Response module;24748;8/5/2024
Update module;1041;6/10/2024
Antivirus and antispyware scanner module;1614.1;7/18/2024
Advanced heuristics module;1229;6/10/2024
Archive support module;1351;6/4/2024
Cleaner module;1250;5/27/2024
Anti-Stealth support module;1192;5/22/2024
Firewall module;1448;6/14/2024
Translation support module;2016;7/22/2024
HIPS support module;1474;6/4/2024
Internet protection module;1475.4;8/1/2024
Web content filter module;1087;1/30/2024
Advanced antispam module;7975.1;7/2/2024
Database module;1126;7/8/2024
Configuration module;2127.7;7/11/2024
Direct Cloud communication module;1139;6/3/2024
Secure Browser module;1356;7/3/2024
Rootkit detection and cleaning module;1033;9/16/2022
Network protection module;1697;5/13/2024
Network Inspector module;1048;1/20/2022
Cryptographic protocol support module;1088;7/18/2024
Databases for advanced antispam module;10889;8/5/2024
Deep behavioral inspection support module;1162;6/17/2024
Advanced Machine Learning module;1155;7/3/2024
Telemetry module;1066.1;5/24/2022
Security Center integration module;1040;8/15/2023

Marcos (Administrators) - Posted August 5
Most likely the trusted zone or trusted networks are not set up properly. Please carry on as follows:
- Enable advanced logging under Help and support -> Technical support
- Reproduce the issue
- Stop logging
- Collect logs with ESET Log Collector and upload the generated archive here (only the ESET staff can access attachments). If the archive is too big to upload here, upload it to a file sharing service and drop me a private message with a download link.

T3chGuy007 (Author) - Posted August 5
Hello. I enabled advanced logging on a device and from that device, I tried pinging another device on the same subnet. The majority of the time, it timed out. Attached is the .zip file containing the logs. As far as trusted zones, I set up trusted zones in ESET PROTECT for several subnets well over a year ago and it's been working fine. I also have ICMP allowed in both directions in a firewall rule.
ees_logs.zip

Marcos (Administrators) - Posted August 5
Could you please uninstall ESET Endpoint and install it from scratch? Some of the default firewall rules are incorrect. I didn't find any firewall rules configured through policies so I assume that reinstallation with default settings should suffice to restore original firewall rules. Otherwise it might be necessary to delete custom policies with firewall rules and re-create them from scratch.

T3chGuy007 (Author) - Posted August 5
Hello. On a PC that already had EES uninstalled, I downloaded the latest version of EES from here and then installed it. After it came back up, I tried to ping it, but immediately started to get timeout messages. Prior to reinstalling EES, I was getting ping responses 100% of the time. When I logged into the PC, I went into Advanced settings and it had the trusted zones and ICMP firewall rules listed that are set in my ESET PROTECT policy. These were under Advanced setup->Protections->Network access protection->IP sets->Trusted zone section and the Advanced setup->Protections->Network access protection->Firewall->Rules section. I'm really confused as to why this just started happening over the weekend. Nothing has changed in ESET PROTECT recently.

smcpeek - Posted August 5
I'm having the same issues. Running in safe mode or uninstalling ESET resolves the problem.

FRiC - Posted August 5
I'm experiencing the exact same issue.

Mra7 - Posted August 5 (edited)
Same here

Marcos (Administrators) - Posted August 6
5 hours ago, Marcos said:
> Some of the default firewall rules are incorrect.

I stand corrected, it was just a wrong icon that a log viewer was showing for the rules. The default firewall rules are ok. All ICMP communication captured in the logs was allowed by the firewall. Does temporarily pausing the firewall actually make a difference and you are able to ping the machine then? Does it work after adding the subnet 10.1.0.0/16 to the trusted zone?

FRiC - Posted August 6
I found that pausing firewall and adding 10.1.0.0/16 to trusted zone has no effect, but if I disable network traffic scanner then ping returns to normal. I don't even need to test by pinging another host, I can ping localhost.

T3chGuy007 (Author) - Posted August 6
Neither disabling the firewall nor adding 10.1.0.0/255.255.0.0 to the trusted zone fixed the issue. In both cases, I still got the same "request timed out" message the majority of the time when pinging a PC. As @FRiC noted, as soon as I disabled Detection engine->Network traffic scanner on a PC, ping requests immediately returned to normal. As soon as I enabled it again, the "request timed out" messages returned. Since it appears disabling Network traffic scanner fixes the issue, how do we get around this? As soon as I disabled it on a PC, ESET brought up a couple of warning messages. I'm assuming I can turn these off using a policy, but is there a way to fix Network traffic scanner or add a trusted zone to it?

John PW - Posted August 6
Hello, I have the same. But I diagnosed that the problem is with the HTTP/3 scanning module. When I disable this option, ICMP/ping is OK.

Marcos (Administrators) - Posted August 6
The issue has been reported to developers. Please temporarily disable HTTP/3 scanning while the issue is investigated and fixed. We'll keep you posted.
P_EESW-11721

h0td0g - Posted August 6 (edited)
Can confirm the issue and it's happening only with Regular update type. If you switch to Pre-release or Delayed updates the issue resolves. Also the issue only occurs on EES v11.1.2039.2. Version 11.0.2044 works fine even with Regular updates.

mwgbr - Posted August 6
Hello, I can confirm this behavior. While it does not seem to be a problem in most cases, some software like SIMATIC WinCC from Siemens is not working correctly anymore. The connection between client and server is unstable, and after uninstalling ESET everything is OK again.

Marcos (Administrators) - Posted August 6
The issue will be fixed in about 3-4 hours with the next module update.

T3chGuy007 (Author) - Posted August 6
Either disabling "Enable SSL/TLS" under Advanced setup->Protections->SSL/TLS or disabling "HTTP(S) traffic scanning" under Advanced setup->Protections->Web access protection->HTTP(S) traffic scanning fixed the issue for me. With disabling "HTTP(S) traffic scanner", ESET brought up security warnings, but disabling "Enable SSL/TLS" did not generate any additional warnings.

T3chGuy007 (Author) - Posted August 6
Correction on my previous post since I can no longer edit it. I didn't have to disable the entire "HTTP(S) traffic scanning" section under Advanced setup->Protections->Web access protection->HTTP(S) traffic scanning. I just had to disable "Enable HTTP/3 traffic scanning" under Advanced setup->Protections->Web access protection->HTTP(S) traffic scanning as @John PW and @Marcos have noted.

John PW - Posted August 6
Hi @Marcos
My endpoint received update to version 29680 but the problem still persists.

Marcos (Administrators, Solution) - Posted August 6
32 minutes ago, John PW said:
> @Marcos My endpoint received update to version 29680 but the problem still persists.

It should work with Rapid response module 24753. What version do you have?

smcpeek - Posted August 6
24753 is installed and I'm still having this issue.

Dionyzus - Posted August 6
After confirming that the Rapid response module 24753 is installed and restarting the computer, the problem appears to be resolved.

FRiC - Posted August 6
I noticed you need to restart the computer or at least toggle the HTTP/3 scanning for it to work.

John PW - Posted August 6
34 minutes ago, Marcos said:
> It should work with Rapid response module 24753. What version do you have?

OK. After restart resolved.

TobiasL - Posted August 6 (edited)
Hi @ all, thank you, I can confirm that after a restart (after auto-installing update 24753 this afternoon) everything is ok. I noticed the problem with PRTG yesterday afternoon, all ping sensors were going crazy even though the machines were actually reachable. Based on the time when the packet loss occurred and the communicated time of the pattern updates, it quickly became clear to me that it had to be related to ESET, especially since PINGS on my Linux systems and my switches continued to work without errors. Thank you for this fast solving. This is why I'm an ESET-Partner. Greetings and best regards
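
For checking module lists from several endpoints against the Rapid Response module version the thread names as fixed (24753), here is an added example that is not part of the original thread or of ESET's tooling. It parses the semicolon-separated list format pasted in the first post; the function names, host names and sample lists are constructed for illustration.

```python
import re

# One "Name;version;M/D/YYYY" record. Works whether records sit one per
# line or run together on one line, as in the list pasted in the thread.
MODULE_RE = re.compile(r"\s*([^;\n]+?);(\d+(?:\.\d+)*);(\d{1,2}/\d{1,2}/\d{4})")

# Rapid Response module version the thread reports as carrying the fix.
FIXED_RAPID_RESPONSE = (24753,)


def parse_modules(text):
    """Return {module name: (version tuple, date string)}."""
    return {
        name.strip(): (tuple(int(p) for p in version.split(".")), date)
        for name, version, date in MODULE_RE.findall(text)
    }


def rapid_response_status(text):
    """Classify one endpoint's module list against the fixed version."""
    entry = parse_modules(text).get("Rapid Response module")
    if entry is None:
        return "unknown"  # list truncated or in a different format
    # Posters in the thread still saw loss on 24753 until they restarted
    # or toggled HTTP/3 scanning, so "updated" is not yet "verified".
    return "updated" if entry[0] >= FIXED_RAPID_RESPONSE else "needs-update"


def triage(fleet):
    """Group host names by status; fleet maps host name -> module list text."""
    groups = {"needs-update": [], "updated": [], "unknown": []}
    for host, text in sorted(fleet.items()):
        groups[rapid_response_status(text)].append(host)
    return groups


# Constructed sample lists (host names and the 8/6 dates are made up).
SAMPLE_FLEET = {
    "pc-01": "Detection Engine;29675;8/5/2024 Rapid Response module;24748;8/5/2024 "
             "Antivirus and antispyware scanner module;1614.1;7/18/2024",
    "pc-02": "Detection Engine;29680;8/6/2024\nRapid Response module;24753;8/6/2024\n",
    "pc-03": "Detection Engine;29680;8/6/2024\n",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_FLEET).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "updated" still need a follow-up ping test after a restart, since several posters only saw the loss stop at that point.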