jeffshead
Posted September 11, 2013 (edited)

It took me a very long time to diagnose a problem because ESS did not notify me that it was blocking traffic. I thought the issue was caused by my UTM gateway device. I use Adobe Dreamweaver and ESET is interpreting some of the traffic as an exploit. Here are some log entries:

When ESS blocks this traffic, it also blocks all access to the computer that the website files are stored on. This means all shares are no longer accessible. It's as if that computer is no longer on the network, and there is no warning from ESS, so it took me a long time to find the issue. The only way to access that computer's shares again is to reboot the machine that I'm using, which has ESS installed.

I added an IDS Exception but it will only let me add the IPv4 IP address of the computer. By adding this exception, I can continue to access that IP address but ESS still blocks that computer's DNS name (No2). So I can ping "192.168.0.129" but I cannot ping "No2". In order to use the DNS name, I need to add the IPv6 IP address of No2 to the exception but ESS will not accept it. I get a "Failed to change settings" error when I try to add it to the existing exception and when I create a new exception and attempt to add any IPv6 IP address.

This appears to be a bug since I can add that same IPv6 address to the "Addresses excluded from active protection (IDS)" rule under Personal Firewall->Zone and Rule Setup->Zones. Once added, the problem is gone.

Please fix this bug so individual IDS exploits can be excluded instead of having to exclude an IPv6 IP address from all IDS rules.

Edited September 11, 2013 by jeffshead

Peter Randziak (ESET Moderators)
Posted September 11, 2013

Hello Jeffshead,

Could you please enable the options in troubleshooting in IDS setup: open ESS, press F5 -> Network -> Personal firewall -> IDS and advanced options -> Troubleshooting and enable all 3 options:

Log all blocked connections
Log blocked incoming worm attacks
Enable advanced PCAP logging

Reproduce the issue and provide us with:

1. SysInspector log created according to this KB article
2. Firewall log located in %program data%\ESET\ESET Smart Security\Logs\epfwlog.dat
3. .PCAP log located in %program data%\ESET\ESET Smart Security\Diagnostics\EpfwLog.pcapng

Disable all troubleshooting options.

By the way, you could disable a particular group of IDS in Intrusion detection settings by selected protocol.

jeffshead
Posted September 27, 2013 (edited)

"...could you please enable options in troubleshooting in IDS setup:"

I do not know how to reproduce the issue, at will, so I enabled the logging and let it run until it alerted again. Because logging was running for so long, the resulting EpfwLog.pcapng file is 3.57 GB; too large to attach to an email. I did submit a ticket but I have not received a reply, yet. How can I transfer the EpfwLog.pcapng file?

"...you could disable particular group of IDS in Intrusion detection settings by selected protocol."

How do I do that for Radmin and will doing so also exclude other, real threats from being handled?

Edited September 27, 2013 by jeffshead