Panos, October 13, 2024 (edited):

In my workplace I have a Windows 10 machine that accepts Remote Desktop connections. It has ESET Internet Security installed and I have created a Firewall Rule that accepts connections on port 3389 from specific IPs. Those IPs are all local plus the IP I have each time at home (dynamic IP VDSL). So, every time my home ISP changed my IP, I couldn't connect to my workplace and had to update the rule with my current home IP. That method worked perfectly for years.

But today I realized that, although my home IP changed, I could connect to the Remote Desktop. Just to be sure, I checked the allowed hosts list and my IP wasn't there. I tried rebooting the workplace machine and deleting and re-creating the rule, with the same results. No matter what my home IP is, I can connect to the Remote Desktop.

Given that I haven't touched any ESET settings for a while, could it be some malfunction/misconfiguration from a Windows or ESET update? I hope there is a solution soon because that's a really serious security problem. Thanks
Marcos (Administrator), October 13, 2024:

RDP is allowed in private/trusted networks by default. You could try temporarily disabling these default rules and see if it makes a difference:

You can also provide logs collected with ESET Log Collector as well as the IP address from which you'd expect RDP communication to be blocked.
Panos (author), October 13, 2024:

Thanks for the answer! The two PCs are on completely different ISPs and I definitely never manually added my home IP to the Trusted Zone. Anyway, just to be safe, I shut down the remote computer for now, so I'll get back to you tomorrow.
Panos (author), October 14, 2024:

I tried it and it didn't change anything. I ran the log collector. Please let me know how to upload the zip file without it being viewable by anyone else. Do I have to open a case? Thanks!
Marcos (Administrator), October 14, 2024:

You can upload the logs here; attachments are available only to ESET staff. If I don't find anything obvious in the logs, I'll ask you to create a support ticket. Prior to collecting logs:
1. Enable advanced logging under Help and support -> Technical support
2. Reproduce the issue
3. Stop logging
4. Collect logs with ESET Log Collector and upload the generated archive here.
Panos (author), October 14, 2024:

In the Collector I selected 1 day max age but the zip file is 355MB and cannot be uploaded. Any other way to send you the file? Thanks!
Marcos (Administrator), November 4, 2024:

You can upload the file to a safe location (e.g. OneDrive, Google Drive, Dropbox, etc.) and drop me a personal message with a download link.
Panos (author), November 7, 2024:

I re-collected the logs (I had deleted the old ones) and the new archive is much smaller. I don't really know what happened. Anyway, I attached the logs to this post. The rule should only allow Remote Desktop connections from some IPs starting with 10.x.x.x, but I could connect from the IP 91.140.29.133. Thanks

Attachment: eis_logs.zip
itman, November 7, 2024:

Panos said (8 hours ago): "The rule should only allow Remote Desktop connections from some IPs starting with 10.x.x.x, but I could connect from the IP 91.140.29.133."

Try this.
1. Disable the ESET firewall's two default rules for RDP.
2. Change your custom RDP firewall rule's Application setting to C:\Windows\System32\svchost.exe.
Retest.
itman, November 7, 2024:

Panos said (12 hours ago): "But I could connect from the IP 91.140.29.133."

This IP address is identified as NOVA TELECOMMUNICATIONS & MEDIA SINGLE MEMBER S.A. in Athens, Greece. Is this your ISP? Also, are you using a VPN?
Panos (author), November 7, 2024:

itman said (1 hour ago): "This IP address is identified as NOVA TELECOMMUNICATIONS & MEDIA SINGLE MEMBER S.A. in Athens, Greece. Is this your ISP? Also, are you using a VPN?"

To do the testing I used a laptop connected to my mobile's hotspot. NOVA is my mobile provider. During the testing, no VPN was used. As for your previous suggestion, I'll check that tomorrow, when I have physical access to the computer.
itman, November 7, 2024 (edited):

Panos said (1 hour ago): "To do the testing I used a laptop connected to my mobile's hotspot. NOVA is my mobile provider."

Have you previously created an ESET firewall rule to allow inbound traffic from the phone to the laptop? If so, did you create that firewall rule before your RDP rule, so that this cell phone rule sits position-wise before the custom RDP rule in the ESET firewall rule set?
Marcos (Administrator), November 8, 2024:

You have the default rules 38 and 39 enabled:

As a result, RDP is allowed both from the Trusted zone, which you have set up in "IP sets", as well as from 4 other networks that are marked as trusted under Network access protection -> Network connection profiles, which use specific DNS and DHCP servers and the Windows network profiles "Domain" and "Private" as activators. Then you also have a custom rule RDesktop created with specific IP ranges in the remote host setup.

While unrelated to RDP, we strongly recommend enabling SSL/TLS filtering, which you have disabled:
Panos (author), November 8, 2024:

itman said (14 hours ago): "Try this. 1. Disable the ESET firewall's two default rules for RDP. 2. Change your custom RDP firewall rule's Application setting to C:\Windows\System32\svchost.exe. Retest."

Tried that. Nothing changed.

itman said (8 hours ago): "Have you previously created an ESET firewall rule to allow inbound traffic from the phone to the laptop? If so, did you create that firewall rule before your RDP rule, so that this cell phone rule sits position-wise before the custom RDP rule in the ESET firewall rule set?"

It seems there is a misunderstanding. The RDP host machine (which has the problem) is a desktop machine in my workplace. The laptop-mobile combination is used to test the connection to the host from an external real IP that should be blocked.

Marcos said (5 hours ago): "You have the default rules 38 and 39 enabled: As a result, RDP is allowed both from the Trusted zone, which you have set up in "IP sets", as well as from 4 other networks that are marked as trusted under Network access protection -> Network connection profiles, which use specific DNS and DHCP servers and the Windows network profiles "Domain" and "Private" as activators. Then you also have a custom rule RDesktop created with specific IP ranges in the remote host setup. While unrelated to RDP, we strongly recommend enabling SSL/TLS filtering, which you have disabled:"

I tried to disable those default rules but nothing changed. I also checked the IP sets and they contain only local IPs and the DNS servers. About the profiles, my understanding is that, since the RDesktop rule's "profile" option is set to "Any", it should apply to all profiles/connections. Am I missing something there?
itman, November 8, 2024 (edited):

Panos said (6 hours ago): "It seems there is a misunderstanding. The RDP host machine (which has the problem) is a desktop machine in my workplace. The laptop-mobile combination is used to test the connection to the host from an external real IP that should be blocked."

Now that this is clarified, let's move on to what @Marcos posted:

Marcos said (12 hours ago): "As a result, RDP is allowed both from the Trusted zone, which you have set up in "IP sets", as well as from 4 other networks that are marked as trusted under Network access protection -> Network connection profiles, which use specific DNS and DHCP servers and the Windows network profiles "Domain" and "Private" as activators. Then you also have a custom rule RDesktop created with specific IP ranges in the remote host setup."

I assume your laptop is included in one of the 4 ESET network connections or IP sets trusted on the work desktop, assuming you physically use it at work. Is this correct? I will also suggest, for testing RDP blocking on the work desktop, that you try to connect to it externally via RDP from another PC other than your laptop.
Panos (author), November 8, 2024:

The laptop isn't actually mine. I borrowed it just to use it for testing this specific problem. When I turn it on, it gets a local IP through DHCP, so it normally connects to the desktop. That's why I connect it to my mobile's network, so it only has an external IP (and access) from my mobile provider (NOVA). The laptop is just a test machine. I test it from my home ISP too, with the same results. The big problem is that, approximately a month ago, the desktop started accepting RDP connections from IPs that should be blocked.
itman, November 8, 2024 (edited):

Panos said (7 hours ago): "That's why I connect it to my mobile's network, so it only has an external IP (and access) from my mobile provider (NOVA). The laptop is just a test machine. I test it from my home ISP too, with the same results."

My question is how is this RDP traffic getting through your company's network perimeter firewall? Add to this, how is it getting past the firewall on the corporate server?
Panos (author), November 9, 2024:

itman said (13 hours ago): "My question is how is this RDP traffic getting through your company's network perimeter firewall? Add to this, how is it getting past the firewall on the corporate server?"

Well... it DOES get through. That's all that matters in the specific case.
Marcos (Administrator), November 9, 2024 (marked as solution):

It appears that the RDP connection was allowed by the Windows firewall. Please try disabling this setting:
Panos (author), November 9, 2024:

I tried that (unfortunately from home) and I'm now completely locked out of that computer. Even local IPs in the trusted zone can't connect. At least it will be more secure for the weekend! 🤣

That is really weird for two reasons:
1. I don't have access to Windows Firewall rules due to ESET running. So how did the RDP rule change?
2. Even if the Windows Firewall rule had problems, why is my ESET rule not working now?
Marcos (Administrator), November 9, 2024:

After you install or enable the ESET firewall, the Windows firewall will be disabled; however, the permissive rules in the Windows firewall that existed will be honored as long as you leave the above setting enabled.
1. If you want to edit the Windows firewall rules, you must disable the ESET firewall in the advanced setup first.
2. Unfortunately we don't have logs from the situation, so we don't know what IP address you were connecting from.

With the default (built-in) firewall RDP rules enabled, RDP should be allowed from:
1. The trusted zone
2. Networks marked as trusted (Setup -> Network -> Network connections)
3. Network connection profiles marked as trusted (you have 4 custom ones besides Private)
4. IP addresses and IP ranges allowed by the custom RDesktop rule:
itman, November 9, 2024 (edited):

Panos said (3 hours ago): "I tried that (unfortunately from home) and I'm now completely locked out of that computer."

Now that it has been revealed that Win firewall RDP rules are enabled, I have a simple solution. This applies to the company desktop device.
1. Re-enable this setting;
2. Ensure the ESET default RDP rules are disabled.
3. Create a new ESET firewall rule identical to the custom RDesktop rule you created, with the following changes:
   a. Change the rule name to Block RDesktop.
   b. Change the Action setting to Block.
   c. For the Remote host setting, remove all IP addresses and set it to Any.

The above will result in all inbound RDP network traffic using local port 3389 being blocked other than for IP addresses listed in your ESET Allow RDesktop rule.

In the way of background info on how the ESET firewall works: it does not disable the Win firewall but rather interacts with it in regards to its inbound firewall rules, as long as the above "Also evaluate local Windows firewall rules" setting is enabled. What this means is that if an ESET firewall rule doesn't exist for a specific inbound network traffic, it will then examine existing Win firewall inbound rules for a rule to apply to this inbound traffic. If an allow rule exists for it, ESET will apply that rule and allow the inbound network traffic. If no inbound allow rule exists, the inbound network traffic will be blocked.
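The evaluation order itman describes above (ESET rules first; only if none matches, the Windows Firewall inbound allow rules, and only while "Also evaluate local Windows firewall rules" is enabled; otherwise implicit deny) can be modelled in a few lines. The following is an added example, not code from the thread, from ESET or from any participant. The rule names, the 10.0.0.0/8 allow range, the stand-in Windows rule, the order of rules and the `decide` helper are constructed assumptions; the remote address 91.140.29.133 is the one quoted in the thread. The model shows why a remote host outside the RDesktop allow list is still admitted via the Windows rule, and that either turning the setting off (Marcos's fix) or adding an explicit Block rule after the allow rule (itman's fix) closes the gap without affecting the allowed 10.x.x.x hosts.

```python
"""Model of first-match inbound firewall evaluation with optional fall-through
to Windows Firewall inbound rules. Constructed illustration; rule names and
address ranges are stand-ins, not ESET's real rule set."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "block"
    local_port: int
    remote_hosts: tuple = ()    # ip_network objects; empty tuple means "Any"

    def matches(self, remote_ip: str, local_port: int) -> bool:
        if self.local_port != local_port:
            return False
        if not self.remote_hosts:           # "Any" remote host
            return True
        ip = ipaddress.ip_address(remote_ip)
        return any(ip in net for net in self.remote_hosts)


def evaluate(eset_rules, windows_rules, evaluate_windows_rules, remote_ip, local_port):
    """Return (decision, reason) for one inbound connection attempt.

    First matching ESET rule wins (order matters). If no ESET rule matches and
    Windows rule evaluation is enabled, a matching Windows *allow* rule admits
    the traffic. Anything else is blocked (implicit deny).
    """
    for rule in eset_rules:
        if rule.matches(remote_ip, local_port):
            return rule.action, f"ESET rule '{rule.name}'"
    if evaluate_windows_rules:
        for rule in windows_rules:
            if rule.action == "allow" and rule.matches(remote_ip, local_port):
                return "allow", f"Windows Firewall rule '{rule.name}'"
    return "block", "no matching allow rule (implicit deny)"


RDP_PORT = 3389

# Constructed stand-in for the custom RDesktop allow rule (remote hosts 10.0.0.0/8).
RDESKTOP_ALLOW = Rule("RDesktop", "allow", RDP_PORT, (ipaddress.ip_network("10.0.0.0/8"),))
# Constructed explicit block rule as suggested in the thread: same port, remote
# host Any, action Block. It must sit AFTER the allow rule in first-match order.
RDESKTOP_BLOCK = Rule("Block RDesktop", "block", RDP_PORT)
# Constructed stand-in for a permissive inbound Windows Firewall RDP rule (any remote host).
WINDOWS_RDP_ALLOW = Rule("Remote Desktop (TCP-In)", "allow", RDP_PORT)


def decide(remote_ip, evaluate_windows_rules=True, explicit_block=False):
    """Hypothetical helper: evaluate one RDP attempt under a chosen configuration."""
    eset_rules = [RDESKTOP_ALLOW] + ([RDESKTOP_BLOCK] if explicit_block else [])
    return evaluate(eset_rules, [WINDOWS_RDP_ALLOW], evaluate_windows_rules, remote_ip, RDP_PORT)


if __name__ == "__main__":
    for ip in ("10.1.2.3", "91.140.29.133"):
        for win_eval, block in ((True, False), (False, False), (True, True)):
            decision, reason = decide(ip, win_eval, block)
            print(f"{ip:>15}  windows_eval={win_eval!s:5}  explicit_block={block!s:5}  -> {decision:5} ({reason})")
```

Running the block prints one line per configuration; the external address is allowed only in the first configuration (Windows evaluation on, no explicit block), which is exactly the state the thread started in, while the 10.1.2.3 host is allowed by the RDesktop rule in every configuration.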
itman, November 9, 2024:

Panos said (3 hours ago): "I don't have access to Windows Firewall rules due to ESET running."

Yes, you have access to these rules and they can be modified if so desired. To access Win firewall rules, perform the following:
1. Via Win Control Panel, access the System and Security option, then the Windows Defender Firewall option, per the below screen shot;
2. Access Advanced settings per the below screen shot;
3. Access Inbound Rules per the below screen shot. I have navigated to what the rule/s default settings for RDP on my Win 10 desktop are, which show all are disabled.
itman, November 9, 2024:

@Marcos, in regards to my above RDP related postings, do you observe a security issue in the existing ESET firewall RDP rules? Since it's a relatively trivial undertaking for attackers to add/modify Win firewall rules, ESET needs to add a default block rule for inbound RDP traffic. For my Win installation, I took the "nuclear" option and disabled all Win RDP services.
Panos (author), November 11, 2024:

So, the problem is solved. I disabled the evaluation of Windows Firewall rules and re-enabled the two default ESET rules. Now it blocks all the IPs not included in the RDesktop allowed remote hosts.

As a final note, changing the Windows Firewall rules with ESET running is obviously a rather complicated process that cannot be done by "mistake". I can't understand what/how it changed one month ago, since it was working flawlessly since 2020 (COVID quarantine). Could it be some Windows update? Since the problem is hard to detect (I got really "lucky"), I'm afraid that there are people out there who believe they are protected but they are not! Anyway, thanks for all the help!