ESS 7.0.104.0 - IDS Exception not working and no notification


It took me a very long time to diagnose a problem because ESS did not notify me that it was blocking traffic. I thought the issue was caused by my UTM gateway device.

I use Adobe Dreamweaver and ESET is interpreting some of the traffic as an exploit.

Here are some log entries:

post-1634-0-50474700-1378877244_thumb.jpg

When ESS blocks this traffic, it also blocks all access to the computer that the website files are stored on. This means all shares are no longer accessible. It's as if that computer is no longer on the network and there is no warning from ESS so it took me a long time to find the issue. The only way to access that computer's shares again is to reboot the machine that I'm using, that has ESS installed.

I added an IDS Exception but it will only let me add the IPv4 IP address of the computer.

post-1634-0-60206400-1378877770_thumb.jpg

By adding this exception, I can continue to access that IP address but ESS still blocks that computer's DNS name (No2). So I can ping "192.168.0.129" but I cannot ping "No2".

In order to use the DNS name, I need to add the IPv6 IP address of No2 to the exception but ESS will not accept it. I get a "Failed to change settings" error when I try to add it to the existing exception and when I create a new exception and attempt to add any IPv6 IP address. This appears to be a bug since I can add that same IPv6 address to the "Addresses excluded from active protection (IDS)" rule under Personal Firewall->Zone and Rule Setup->Zones. Once added, the problem is gone.

Please fix this bug so individual IDS exploits can be excluded instead of having to exclude an IPv6 IP address from all IDS rules.

Edited by jeffshead

  • ESET Moderators

Hello Jeffshead,

could you please enable options in troubleshooting in IDS setup:

open ESS, press F5 -> Network -> Personal firewall -> IDS and advanced options -> Troubleshooting and enable all 3 options:

Log all blocked connections

Log blocked incoming worm attacks

Enable advanced PCAP logging

reproduce the issue and provide us with:

1. SysInspector log created according to this KB article 

2. Firewall log located in %program data%\ESET\ESET Smart Security\Logs\epfwlog.dat

3. .PCAP log located in %program data%\ESET\ESET Smart Security\Diagnostics\EpfwLog.pcapng

Disable all troubleshooting options.

By the way, you could disable a particular group of IDS in Intrusion detection settings by selected protocol.


  • 3 weeks later...

...could you please enable options in troubleshooting in IDS setup:

I do not know how to reproduce the issue, at will, so I enabled the logging and let it run until it alerted again. Because logging was running for so long, the resulting EpfwLog.pcapng file is 3.57 GB; too large to attach to an email. I did submit a ticket but I have not received a reply, yet.

How can I transfer the EpfwLog.pcapng file?

...you could disable particular group of IDS in Intrusion detection settings by selected protocol.

How do I do that for Radmin and will doing so also exclude other, real threats from being handled?

Edited by jeffshead
