
Smart Security v9.0.386.0 Outbound Network Traffic Always Lists My DNS Server


Solved by itman

Hello. This message got kind of long. If you like down-and-dirty, to-the-point messages, please skip everything but what is between the paragraphs marked,

"*MAIN PROBLEM*"

 

I've had numerous problems upgrading from ESET SS v8 to v9 back in July. Anyway, after two more uninstall re-installs [Which ESET tech support advised me to do.] the final problem that I am having with ESET SS v9.0.386.0 is that the ESET SS Firewall is reporting that ALL Outbound Network Traffic just wants to go to my ISP's DNS Servers. I am never advised by the firewall where the outgoing application is actually wanting to communicate with.

 

*MAIN PROBLEM*

For instance, if Microsoft Word wants to go visit Microsoft.com, fine. But if some malicious program called Microsloth Word wants to go to www.malicious.com it may not be so good. Unfortunately, the way the firewall is currently displaying Outbound Network Traffic Alerts is like ...program.exe is trying to communicate with and then it ALWAYS shows My ISP's DNS Server.com. When I look at my Firewall Rules, all columns for Incoming and Outgoing are ALL BLANK,

*MAIN PROBLEM*

 

 

In version 8 the firewall would tell me exactly where each and every program wanted to visit so I could make an informed decision on whether or not I wanted the program to go there. This made sense, the current behavior of v9 makes absolutely no sense.

 

This behavior can't be something that ESET put in place for v9, can it? Does anyone know how I can fix this without having to un/re-install for what would be the fourth time for this upgrade? Short of reverting back to SS v8, I am at a loss. Actually even if I wanted to revert back to v8 I do not know if that is still available to download?

 

Sorry for running so long, especially on my first post here.

 

Thank you for your time and have a nice day!

Dan AKA deloppoled

 

 


Link to comment
Share on other sites

You could try to use a third party DNS server such as Verisign or Norton. You would have to configure your IPv4 and IPv6, if supported, network adapter DNS settings with the appropriate provider addresses:

 

Verisign

 

IPv4 - 64.6.64.6, 64.6.65.6

IPv6 - 2620:74:1b::1:1,  2620:74:1c::2:2

 

Norton

 

IPv4 - 199.85.126.10, 199.85.127.10

 

Note: Norton only supports IPv4.

 

If actual destination addresses then are shown by Eset, then it is possible some type of tunnel connection is being established to your ISP. Ver. 9 firewall does have a default rule to allow IPv6 tunneling. 

Link to comment
Share on other sites


Thank you kindly for the suggestion. I changed my DNS server addresses but unfortunately that brought no joy. Now ESET SS is reporting that applications want to visit the Verisign DNS Servers. While working on your suggestion I noticed something about DNS poisoning attacks / DNS cache flushing, maybe I will go ahead and give that a try. I also noticed that it may have something to do with my hosts file so I will back that up since it has MANY entries.

 

Thanks again, I do appreciate the suggestion itman!


Link to comment
Share on other sites

  • Administrators

I see Firefox in the prompt window as the application which attempts to communicate. You can hover the mouse cursor over its name or expand details to see even more information about the process which attempts to communicate.

Link to comment
Share on other sites

Thank you for your response Marcos. The problem isn't me knowing which programs are trying to communicate with the outside world, the problem is who they are trying to communicate with.

 

Every program that produces an outgoing alert is displayed as wanting to reach the DNS Server that my system is currently configured to use. In version 8 every time that an ESET firewall outgoing alert notification would pop up, the destination IP Address that the program was trying to reach would be displayed. That is no longer occurring since upgrading to version 9, now just the DNS Server IP address is displayed for a brief moment and then the web site that the IP Address resolves to is displayed. Here's an example:

 

Hello_World is trying to communicate with 64.6.64.6

then shortly thereafter the "64.6.64.6" changes to recpubns.com like this,

Hello_World is trying to communicate with recpubns.com

 

I really need to know where the outgoing programs are trying to communicate with, not that they are using my DNS Server to resolve that site's IP Address.

 

Thanks again, I do appreciate the suggestion Marcos.

Dan AKA deloppoled

 

BTW I edited the firewall rules and removed the entry for Firefox because I wanted something that I knew would want to communicate with the outside world right away.

Edited by deloppoled
Link to comment
Share on other sites

  • 2 months later...

Does ESET Customer/Technical Support monitor these forums?

 

The ESET Personal Firewall has been rendered 90% useless since I've been experiencing this same issue since I purchased another year and 'upgraded' the software back in June, 2016.

 

I started this thread in August, 2016 and I still have no solution offered by ESET. I did get a moderator to chime in once and that was appreciated but unfortunately not fruitful.

 

I have never received an email or telephone call from ESET so it's a bit frustrating to say the least.

 

Is there a phone number to reach ESET technical support?

 

ESET PLEASE CONTACT ME.

 

Thank you.

Edited by deloppoled
Link to comment
Share on other sites

Let's start from ground zero. Weird behavior like this can occur if two firewalls are active at the same time.

 

Using Win's Control Panel setting, select System and Security, then Windows Firewall. What should be displayed is similar to the below screen shot showing Eset firewall is doing the managing.

 

Also, go back to System and Security and then select Security. Under the Network Firewall section should be displayed that the Eset personal firewall is turned on. Next, click on the Installed firewall apps setting. It should state that the Windows firewall is turned off.

 

Report back your findings.

 


Edited by itman
Link to comment
Share on other sites

Hello and thank you for your assistance itman.

 

As per your instructions, I followed the steps and it seems that what you mentioned should be there, is there.

 

I've attached the screen captures.


Link to comment
Share on other sites

Did you check out that "Finish installing device software" status? Go into Device Manager and make sure the network adapter you are connecting to the Internet with has been fully installed.

Link to comment
Share on other sites

I had done that just after my last post. I am not positive but I think that was probably related to a new SATA expansion card I installed earlier this week. After completing that I was not asked to reboot but I will do that now, remove a ESET PF setting to trigger a popup and see if it's resolved.

 

Thanks again itman.

Link to comment
Share on other sites

 

Unfortunately that did not resolve the issue. This time I removed the ESET PF rule for Outlook and then ran Outlook. Attached is the popup the ESET PF gave me.


Link to comment
Share on other sites

  • Solution

It appears to me that Win's DNS Client service is either disabled or not functioning properly. When this service is disabled, Windows will perform a DNS request for every Internet connection. -EDIT- That is your e-mail client, browser, explorer.exe, etc. will require a firewall rule for DNS e.g. outbound UDP for svchost.exe with target port of 53. This also explains the alerts you have been receiving from the Eset firewall in regards to DNS server connections.

 

For starters, let's check the status of the DNS Client service. Go into Control Panel. Then select: Administrative Tools -> Services. Then scroll down to DNS Client. Its status should be running. If it is not running, do a mouse right click and select "Properties." Make sure its Start Up setting is set to Automatic. Then click on the Start button. If the service will not start, you have an OS problem. If the service starts, then click on the Apply button and exit from Services. At this point the Eset firewall should be functioning properly.

 

Later do a reboot. Then repeat the above to check that the DNS Client service is running. If it is not, again you have an OS problem.

 

-EDIT-

 

It is also possible you have DNS related malware. If the above doesn't resolve the issue and assuming you live in the U.S., go to this web site: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS. Then enter the Comcast IP address you posted previously. I assume that Comcast is your ISP?

Edited by itman
Link to comment
Share on other sites
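
The service check described in the solution post above can also be done from a PowerShell prompt. This is an added example, not part of the original posts or of ESET's tooling; it assumes PowerShell 3.0 or later, and the function name `Get-DnsClientHealth` is made up for illustration. It only reads state and changes nothing.

```powershell
# Added example: read-only health check for the DNS Client service.
# "Dnscache" is the service name behind the "DNS Client" display name.
function Get-DnsClientHealth {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Dnscache'"
    if (-not $svc) {
        throw 'The DNS Client (Dnscache) service is not registered on this system.'
    }

    # DNS servers configured on each IP-enabled adapter, for comparison with
    # the address the firewall prompt keeps showing.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter    = $_.Description
                DnsServers = @($_.DNSServerSearchOrder) -join ', '
            }
        }

    [pscustomobject]@{
        State     = $svc.State        # 'Running' is expected
        StartMode = $svc.StartMode    # 'Auto' is expected
        Healthy   = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
        Adapters  = $adapters
    }
}

$health = Get-DnsClientHealth
$health | Format-List State, StartMode, Healthy
$health.Adapters | Format-Table -AutoSize
if (-not $health.Healthy) {
    # Symptom described in the thread: firewall prompts that only ever name the DNS server.
    Write-Warning 'DNS Client is not running or is not set to start automatically.'
}
```

Run it again after a reboot, as the post advises, to confirm the service came back up on its own.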

Thank you for all of your help today itman! The joy, ESET PF is working like it should thanks to you!!!

 

I don't know how the heck you figured that out so quickly and with so little information, but I wish I could trade brains because that was shockingly amazing!

 

That FBI site said that "Your IP is not configured to use the rogue DNS servers." so I guess that I am good to go in that aspect too.

 

The only thing that I can think of that would have possibly turned off the DNS Client was a Firefox Addon that was supposed to keep ads from showing up while browsing. That addon added over 100,000 lines/entries into my "c:\windows\system32\drivers\etc\hosts" file. I did not keep that very long and when I removed it, I believe that it restored my hosts file, or I did with TrueImage, I can't remember. But that was mucking about with DNS related stuff so possibly that. I wish that I could tell you the name of the addon but I don't remember what it was called. I will do a search and see if I can find it again on Mozilla's site and report back when I find it, or when / if I can find it.

 

Thanks again itman. It is such a relief to know where outbound traffic is going again!

All the best.

Dan AKA deloppoled

Edited by deloppoled
Link to comment
Share on other sites

You're welcome. Glad it is resolved.

As far as c:\windows\system32\drivers\etc\hosts goes, what's in that file should be looked at from time to time. The ad blocker probably added all the IP addresses with a 0.0.0.0 prefix assuming all the addresses were IPv4. Also Eset's HIPS monitors write activity to that file, so you must have received an alert and allowed it? In any case, IP blocking host file is a bit archaic. You can do the equivalent by using an existing Eset Web Filtering URL address list or creating your own said list. Also I assume your web surfing speed is greatly improved since the browser is not parsing through those 100K+ entries.

I just use Fanboy's ad blocking and privacy lists added to IE11's tracking protection.

Edited by itman
Link to comment
Share on other sites
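
One way to look at the hosts file "from time to time", as suggested in the post above: the added PowerShell example below (not from the original posts; the function name `Get-HostsFileSummary` and the list of blocking addresses are assumptions of this example) counts the entries and separates ad-blocker style sinkhole lines from entries that redirect a name to some other address, which are the ones worth reviewing by hand.

```powershell
# Added example: summarize a hosts file and list entries that redirect a name
# to an address other than the usual blocking/localhost targets.
function Get-HostsFileSummary {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

    # Assumption of this example: addresses treated as "blocked" or localhost.
    $sink = '0.0.0.0', '127.0.0.1', '::1'

    $entries = foreach ($line in Get-Content -LiteralPath $Path) {
        $text = ($line -split '#', 2)[0].Trim()        # drop comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }          # address without a name
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; Name = $name }
        }
    }

    $redirects = @($entries | Where-Object { $sink -notcontains $_.Address })
    [pscustomobject]@{
        Path            = $Path
        LastWriteTime   = (Get-Item -LiteralPath $Path).LastWriteTime
        TotalEntries    = @($entries).Count
        SinkholeEntries = @($entries).Count - $redirects.Count
        Redirects       = $redirects                   # review these by hand
    }
}

# Constructed sample so the function can be tried without reading the real file.
$sample = Join-Path $env:TEMP 'hosts.sample'
Set-Content -LiteralPath $sample -Value @(
    '# constructed sample',
    '127.0.0.1 localhost',
    '0.0.0.0 ads.example.com tracker.example.com',
    '203.0.113.10 login.example.com   # points a name at a real address'
)
$summary = Get-HostsFileSummary -Path $sample
$summary | Format-List Path, LastWriteTime, TotalEntries, SinkholeEntries
$summary.Redirects | Format-Table -AutoSize
```

Calling `Get-HostsFileSummary` with no arguments reads the system hosts file; an unexpected `LastWriteTime` or any entry under `Redirects` is the cue to open the file and check it.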
