
Lots of allowed services in Eset's Firewall



  • ESET Insiders

Does Eset prompt the user if someone attempts to access their computer using one of the allowed services in the IDS and advanced settings, if the service is configured to allow? So if the service is configured to allow in the IDS and advanced settings, will it allow the service without prompting the user? They were all ticked by default, but I unticked almost all of them after discovering them. I think very few home users would need hardly any of them.


  • Administrators

I don't see any reasons for disabling those services. It's like not trusting devices in your trusted zone. ESET firewall doesn't prompt the user unless interactive mode is used or a rule asking for an action is applied.


  • ESET Insiders

I strongly disagree. There are known attack vectors for SMB protocol. Do a Google search, and you will find multiple articles about SMB flaws/vulnerabilities that were published in the past 2 days. Also, why on earth would a home user need to allow remote registry service? Allowing all those services without prompting the user creates a much larger attack surface. Eset should never allow all those services without prompting the user, and that is exactly what they are doing since interactive mode is not ESS's default settings. Are you saying that ESS firewall will prompt the user in interactive mode if someone attempts to access their machine using the remote registry service if that service is enabled in ESS firewall?

Edited by cutting_edgetech

  • Administrators

I don't think so because these IDS settings provide a 2nd level of filtering and take effect only if a connection has been allowed by firewall in the first place. By default, in automatic mode firewall blocks any non-initiated incoming communication attempts.


  • ESET Insiders

> I don't think so because these IDS settings provide a 2nd level of filtering and take effect only if a connection has been allowed by firewall in the first place. By default, in automatic mode firewall blocks any non-initiated incoming communication attempts.

Your first response to my question was, "ESET firewall doesn't prompt the user unless interactive mode is used or a rule asking for an action is applied." It sounded to me like you were saying that automatic mode would allow any of the enabled services in Eset's firewall without prompting the user. I still currently have no use for almost all of those services so I will leave them disabled on my machine. Also, allow incoming connections to admin shares in SMB protocol does not say it is in the trusted zone. Is this service referring to any remote connection?


  • Administrators


> Is this service referring to any remote connection?

To any; however, such a remote connection must first be permitted by a rule, as all non-initiated inbound communication attempts are blocked in automatic mode.


  • ESET Insiders

Are there any preset rules created by Eset which come by default that would allow any of the allowed services in automatic mode? I'm just wanting to make sure no such rules come with ESS by default. If I'm understanding you correctly then the user would have to create a filter rule in all cases to allow any of the allowed services in automatic mode.

Link to comment
Share on other sites

That is why I always use a router and tell family/friends to use one. It blocks many things that should be blocked. Most ISPs use a modem/router these days. Now if people would be as smart !!

Link to comment
Share on other sites

Then I would not be concerned with firewall settings. I always block Remote Registry and Remote "Anything Else" to be on the safe side.

If you go to the GRC site and run the all ports test, you would see what ports have nothing running on your computer, they are stealth or closed.

The router blocked everything not used.


  • ESET Insiders

Regardless of my router I would still like to get an answer for my last question. It is good to know if any preset rules allowing these services come by default that will allow these services in automatic mode.

Edited by cutting_edgetech

  • Administrators

I have already stated that in automatic mode, all non-initiated incoming communication attempts are blocked and all outgoing communication is allowed.

Link to comment
Share on other sites

IMHO, if you want to know if there is any preset rule from ESET firewall, I would suggest you refer to the Zone and Rules editor and check on which services or connections are allowed from the preset rules. Note that the preset rules are grayed out and user-defined rules are bold, if I am not mistaken. You can check whether there is any preset rule for the SMB communication. However, I cannot give more details here as I have not used ESS for at least a month. Of course, there are definitely some preset rules that allow some inbound connections for core networking purposes and the ESET firewall with automatic mode most probably just works like the Windows Firewall. It blocks all non-initiated incoming communication as Marcos mentioned but I think there are definitely some core inbound connections that are allowed from the preset rules.


This topic is now closed to further replies.