Aptann, posted December 6, 2015:

I noticed recently that TCP streams weren't acting like I was expecting them to. Specifically, write operations would sometimes not reach their destination until a null byte, newline, or carriage return was written to the stream. At first I dismissed it as a bug with the programming language I was using (golang), but then I noticed the same behavior in other languages (Python, C#). I managed to figure out that it was ESET Smart Security's doing. Disabling the firewall made no difference, but uninstalling Smart Security fixed it. I'm assuming this is a bug. But, if it's not, is there a setting that could affect this?

Marcos (Administrators), posted December 6, 2015:

Does temporarily disabling protocol filtering make a difference? If so, we'll need additional debug logs from you as well as step-by-step instructions on how to reproduce it.

Aptann (Author), posted December 7, 2015 (edited December 7, 2015 by Aptann):

Disabling protocol filtering worked. I've sent the pcapng files in a PM; I didn't feel comfortable uploading those anywhere public. Here's some code to reproduce the problem:

server.py

```python
import socket

# Listen on loopback and accept a single connection.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('127.0.0.1', 8080))
s.listen(1)
conn, addr = s.accept()
try:
    # Blocks until data arrives or the peer closes the connection.
    data = conn.recv(1024)
    print(data)
except Exception:
    pass
conn.close()
s.close()
```

client.cs

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Text;

namespace this_is_broken
{
    class Program
    {
        static void Main(string[] args)
        {
            var client = new TcpClient();
            client.Connect(new IPEndPoint(IPAddress.Parse("127.0.0.1"), 8080));
            var stream = client.GetStream();
            var greeting = Encoding.UTF8.GetBytes("hello server!"); // adding \n, \0, or \r anywhere inside this string will allow it to pass through
            stream.Write(greeting, 0, greeting.Length);
            client.Close();
        }
    }
}
```

Edit: For convenience, here's the client written in Python

```python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 8080))
s.send('hello server!'.encode())  # adding \n, \0, or \r anywhere inside this string will allow it to pass through
input()  # wait for Enter so the connection stays open
```

The recv call ends up blocking until either the socket is closed, or \n, \0, or \r is written to the stream.

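A single-process version of the reproduction above, added here as an example and not part of the original posts: it times how long a loopback recv() takes for the greeting with and without the delimiters named in the thread, while the client keeps the connection open. The function names, the 2-second timeout and the OS-chosen port are assumptions of this example.

```python
import socket
import threading
import time

# Constructed sample payloads: the thread's greeting, bare and with each
# delimiter the poster said lets the data through.
PAYLOADS = {
    "bare": b"hello server!",
    "newline": b"hello server!\n",
    "null": b"hello\0server!",
    "carriage return": b"hello\rserver!",
}

def delivery_delay(payload, timeout=2.0):
    """Seconds until a loopback recv() returns data while the client keeps
    the connection open, or None if nothing arrives within timeout."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(1)
    out = {}

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(timeout)
        try:
            out["data"] = conn.recv(1024)
            out["arrived"] = time.monotonic()
        except socket.timeout:
            out["data"] = None  # nothing reached the server in time
        finally:
            conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    with socket.create_connection(srv.getsockname(), timeout=timeout) as cli:
        sent = time.monotonic()
        cli.sendall(payload)
        worker.join()  # stay connected: per the thread, closing unblocks recv()
    srv.close()
    return out["arrived"] - sent if out.get("data") else None

def held_payloads(timeout=2.0):
    """Labels of payloads that did not arrive while the connection was open."""
    return [name for name, p in PAYLOADS.items()
            if delivery_delay(p, timeout) is None]

if __name__ == "__main__":
    print("held back:", held_payloads() or "none")
```

Running it once with protocol filtering enabled and once with it disabled gives a before/after record to attach to a support ticket; going by the report above, an affected host would list `bare`.
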
Marcos (Administrators), posted December 7, 2015:

Before I raise a ticket for developers, please also copy & paste the information about installed ESET modules from the About window as well as information about the operating system and platform (e.g. Windows 7 x64). Also let me know if switching to pre-release updates and running an update makes a difference.

Aptann (Author), posted December 7, 2015:

Switched to pre-release and ran an update, and the problem remains. I'm on Windows 10 x64. And here's the module list:

Virus signature database: 12684P (20151207)
Rapid Response module: 7142 (20151207)
Update module: 1060 (20150617)
Antivirus and antispyware scanner module: 1475 (20151204)
Advanced heuristics module: 1163 (20151201)
Archive support module: 1241 (20151124)
Cleaner module: 1116 (20151113)
Anti-Stealth support module: 1091 (20151117)
Personal firewall module: 1292 (20151111)
ESET SysInspector module: 1257 (20151113)
Real-time file system protection module: 1012 (20151124)
Translation support module: 1429 (20151119)
HIPS support module: 1207 (20151130)
Internet protection module: 1238 (20151124)
Web content filter module: 1046.1 (20151202)
Advanced antispam module: 2899P (20151207)
Database module: 1072 (20150831)
Configuration module (33): 1213B.8 (20151124)
LiveGrid communication module: 1020 (20150807)
Specialized cleaner module: 1010 (20141118)
Banking & payment protection module: 1056 (20151207)