ESS 10.x - Ports


I just did a fresh Win7x64 and ESS10.x install for testing.

 

I noticed my gateway firewall log is full of the following entries:

2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="61472" dstport="80" tcpflags="SYN" 
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="61473" dstport="32007" tcpflags="SYN" 
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="61474" dstport="62078" tcpflags="SYN" 
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x3441" app="1089" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="128" srcport="53087" dstport="137" 
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x34b6" app="1206" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="652" tos="0x00" prec="0x00" ttl="128" srcport="61283" dstport="3702" 
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x31d7" app="471" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="142" tos="0x00" prec="0x00" ttl="128" srcport="53964" dstport="1900" 
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x31d7" app="471" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="152" tos="0x00" prec="0x00" ttl="128" srcport="53964" dstport="1900" 
2016:10:27-09:35:44 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x31d7" app="471" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="142" tos="0x00" prec="0x00" ttl="128" srcport="53964" dstport="1900" 
2016:10:27-09:35:44 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x31d7" app="471" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="152" tos="0x00" prec="0x00" ttl="128" srcport="53964" dstport="1900" 
2016:10:27-09:35:44 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x3441" app="1089" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="128" srcport="53087" dstport="137" 
2016:10:27-09:35:44 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x34b6" app="1206" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="652" tos="0x00" prec="0x00" ttl="128" srcport="61283" dstport="3702" 
2016:10:27-09:35:44 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="61472" dstport="80" tcpflags="SYN" 
2016:10:27-09:35:44 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="61473" dstport="32007" tcpflags="SYN" 
2016:10:27-09:35:44 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="61474" dstport="62078" tcpflags="SYN" 
2016:10:27-09:35:51 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="61473" dstport="32007" tcpflags="SYN" 
2016:10:27-09:35:51 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="61474" dstport="62078" tcpflags="SYN" 
2016:10:27-09:35:51 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="61472" dstport="80" tcpflags="SYN"

I do not get any of these entries with ESS8.x. I'm assuming this is caused by ESS10's Home Network Protection.

 

Can someone please verify?

 

The destination ports are:

80, 32007, 62078, 137, 1900, 3702

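An added example, not code from the original post or from ESET: a small Python parser for the ulogd key="value" lines above that tallies drops per destination port, names the well-known services, and flags a LAN host that touches several discovery ports in a short window. The sample input is a subset of the log lines posted above (MAC addresses left as posted). The port-to-service map is my own: 32007 is deliberately left unmapped, and 62078 is labelled with its IANA-registered name as an assumption about what is being probed.

```python
"""Parse ulogd 'Packet dropped' lines and summarize what a LAN host is probing."""
import re
from collections import Counter, defaultdict

# Constructed sample input: a subset of the gateway log lines posted in the thread.
SAMPLE_LOG = '''\
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="61472" dstport="80" tcpflags="SYN"
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="61473" dstport="32007" tcpflags="SYN"
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="61474" dstport="62078" tcpflags="SYN"
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x3441" app="1089" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="78" tos="0x00" prec="0x00" ttl="128" srcport="53087" dstport="137"
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x34b6" app="1206" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="652" tos="0x00" prec="0x00" ttl="128" srcport="61283" dstport="3702"
2016:10:27-09:35:42 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x31d7" app="471" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="142" tos="0x00" prec="0x00" ttl="128" srcport="53964" dstport="1900"
2016:10:27-09:35:44 gateway ulogd[10367]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x31d7" app="471" srcmac="g7:42:56:1d:4h:45" dstmac="f3:fd:4e:df:31:34" srcip="192.168.0.248" dstip="192.168.0.1" proto="17" length="152" tos="0x00" prec="0x00" ttl="128" srcport="53964" dstport="1900"
'''

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"6": "tcp", "17": "udp"}

# Service map is this example's own; 32007 is intentionally unmapped.
SERVICE_NAMES = {
    ("tcp", 80): "http",
    ("udp", 137): "netbios-ns",
    ("udp", 1900): "ssdp",
    ("udp", 3702): "ws-discovery",
    ("tcp", 62078): "iphone-sync",  # IANA-registered name; assumption about the probe's target
}
# UDP ports used for LAN device discovery (NetBIOS name service, SSDP, WS-Discovery).
DISCOVERY_PORTS = {("udp", 137), ("udp", 1900), ("udp", 3702)}


def parse_ulogd_line(line):
    """Return the key="value" fields of one line plus timestamp, host and a protocol name."""
    prefix = line.split(" ulogd[", 1)[0]          # '2016:10:27-09:35:42 gateway'
    ts, host = prefix.split(" ", 1)
    rec = dict(KV_RE.findall(line))
    rec["ts"], rec["host"] = ts, host
    rec["proto_name"] = PROTO_NAMES.get(rec.get("proto"), rec.get("proto"))
    for key in ("srcport", "dstport", "length", "ttl"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def dropped_records(text):
    """Parse every non-empty line and keep only packet-filter drops."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_ulogd_line(line)
            if rec.get("action") == "drop":
                recs.append(rec)
    return recs


def service_name(proto_name, port):
    return SERVICE_NAMES.get((proto_name, port), "unknown")


def summarize_drops(recs):
    """Count drops per (srcip, dstip, proto, dstport, service)."""
    counts = Counter()
    for r in recs:
        svc = service_name(r["proto_name"], r["dstport"])
        counts[(r["srcip"], r["dstip"], r["proto_name"], r["dstport"], svc)] += 1
    return counts


def discovery_probers(recs, min_ports=2):
    """Source IPs that hit at least `min_ports` distinct discovery ports.

    A single host sweeping NetBIOS-NS, SSDP and WS-Discovery is the fingerprint of
    something enumerating the segment: a device-discovery feature such as the one
    discussed in the thread, or a scanner. The threshold keeps a lone SSDP
    multicast from tripping it.
    """
    hits = defaultdict(set)
    for r in recs:
        key = (r["proto_name"], r["dstport"])
        if key in DISCOVERY_PORTS:
            hits[r["srcip"]].add(key)
    return {ip for ip, ports in hits.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    records = dropped_records(SAMPLE_LOG)
    for (src, dst, proto, port, svc), n in sorted(summarize_drops(records).items()):
        print(f"{src} -> {dst} {proto}/{port:<5} {svc:<13} drops={n}")
    print("discovery probers:", discovery_probers(records))
```

Run it against a real ulogd export by replacing SAMPLE_LOG with the file contents; the per-port summary is what you want before deciding whether to write a no-log rule for the traffic, and the prober set tells you which hosts on the segment are doing the sweeping.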

Finally found the setting to disable Home Network Protection. Turning it off stops those firewall log entries. I really don't see the need for it. 

[screenshot attached]

Edited by jeffshead

Is 192.168.0.248 your router and 192.168.0.1 your PC Ethernet connection? I also assume that the packets being dropped are Sync-Received?

 

Off the top of my head and based on the ports you posted, I suspect that incoming ekrn.exe traffic is being dropped. It uses ports 80, 443, 137, 1900, 3702. It also uses UDP, which is not stateful, in addition to TCP.

 

Using TCPView or the equivalent, check to see if ekrn.exe connections are being established. What I have observed since upgrading to ver. 10 is that a UDP connection by ekrn.exe is no longer being established when a browser connection is established as was the case in ver. 9. 


Finally found the setting to disable Home Network Protection. Turning it off stops those firewall log entries. I really don't see the need for it. 

Enable Home network protection – Protects computers from incoming network (Wi-Fi) threats.

 

On an Ethernet connection you probably don't need it. I use a wireless connection, so I need it.


Thanks for the replies  :)

 

192.168.0.1 is the router and 148 is the PC.

 

Exactly what protection does Home Network Protection provide? I use a business class gateway/router that allows only explicit traffic so it's always going to drop the Home Network Protection packets. I could create a rule to stop logging that traffic but I don't need ESET to "test your home router for vulnerabilities". If the only other action it performs is to tell me what other devices are on the network, then I will keep it disabled. So does Home Network Protection do anything else?


I did some more research on this and this new protection is indeed a bit confusing.

 

If you go though the various Eset ver. 10 help topics on Home Network Protection, the following is revealed:

 

1. It is only supposed to be used when your Eset firewall network adapter profile is set to Home or Work Group network.

 

2. It is not supposed to be used when your profile is set to Public. However when ver. 10 is installed, the feature is set on by default regardless of your current Eset network profile setting. Mine for example was set to Public. Go figure?

 

3. Home Network Protection per Eset is supposed to protect you against a hacked home router. If you click on it from the Eset home page when the protection is enabled, another screen is displayed that will show all existing set up connections on your router. Again per Eset, the purpose is to detect any rogue Wi-Fi connections.

 

4. Adding to the confusion is Eset introduced a network protection type, "use Windows settings", without any explanation I could find as to what that setting does. It might apply if the firewall is set to automatic mode and the option is selected to "Also evaluate rules from the Windows firewall"?  

 

5. If Home Network Protection is disabled, the option for "Detecting new networks" is also disabled? This implies to me that if you are using a Public profile Eset will no longer detect a new network? That doesn't make any sense. Perhaps it only applies to detecting a new home network connection, which I would think you always want enabled? Appears the overall new network detection is controlled by the like setting in the "Known Networks" section, which needs to be set to "Ask User" if you want new networks to be detected.

 

What I do know is if you installed ver. 10 on top of ver. 9 and you were using a Public profile, you better check your existing network connections. On my PC, ver. 10 set up two identical new connections for my wireless adapter and named them the DNS suffix that was assigned to the Public network connection?

 

Given the complexity of the Home Network Protection feature, Eset needs to create a detailed tutorial on how to use this feature along with different configuration scenario examples.

Edited by itman

  • Administrators

It is not supposed to be used when your profile is set to Public. However when ver. 10 is installed, the feature is set on by default regardless of your current Eset network profile setting. Mine for example was set to Public. Go figure?

I'm actually getting a warning when trying to open Home network protection in gui:

 

[screenshot attached]

 

Adding to the confusion is Eset introduced a network protection type, "use Windows settings"

"Use Windows settings" means that the detected network will be considered public or home/office based on existing Windows settings. With this setting, the network will be considered trusted or public, depending on the Windows setting "Make this pc discoverable" in the network adapter setup.


I'm actually getting a warning when trying to open Home network protection in gui:

 

 

I meant this:

 

[screenshot attached]

 

"Use Windows settings" means that the detected network will be considered public or home/office based on existing Windows Firewall settings.

 

 

Interesting. Does this also override other Eset firewall options such as file and printer sharing?


  • Administrators

5. If Home Network Protection is disabled, the option for "Detecting new networks" is also disabled? This implies to me that if you are using a Public profile Eset will longer detect a new network? That doesn't make any sense. Perhaps it only applies to detecting a new home network connection which I would think you always want enabled? Appears the overall new network detection is controlled by the like setting in the "Known Networks" section which needs to be set to "Ask User" if you want new networks to be detected.

 

I've made a quick test. Disconnected the computer from network, disabled home network protection in the advanced setup, deleted known networks and clicked OK. After connecting the computer to the network I was prompted to choose the type of network (Public or Home/office).


  • Administrators

"Use Windows settings" means that the detected network will be considered public or home/office based on existing Windows Firewall settings.

 

Interesting. Does this also override other Eset firewall options such as file and printer sharing?

 

Yes as these options depend on whether ESS considers a network trusted or public.


I decided to leave Home Network Protection enabled and see if the added network traffic is worth it. I added a firewall rule to not log the dropped packets so my logs are not so cluttered.

 

One annoyance is the fact that the types of devices to select from are very limited. There's no option to add a custom device type, either. I'm referring to identifying "Unknown" device types as indicated below:

 

[screenshot attached]

 

ESET should add the following device types:

  • Wireless access points
  • UPSes
  • Media players
  • A custom type so you can add whatever text you want to describe the type of device. The ability to add your own image would be really nice.
Edited by jeffshead

I am going to expound on something I posted previously; namely: 

 

 On my PC, ver. 10 set up two identical new connections for my wireless adapter and named them the DNS suffix that was assign to the Public network connection?

 

I believe I know what caused this since I saw it happen again today. When I looked at the details for the new wireless connection created, the only details present besides the DNS suffix for my wireless adapter were that the IPv4 DHCP address from the router was initialized and the connection type indicated wireless. No SID details or anything else.

 

I had issues in ver. 9 with DHCP. So far those same issues haven't appeared yet in ver. 10. However, I have seen enough to say I believe Eset has a problem with properly recognizing a DHCP server on a home router when using the Public profile for a wireless adapter connection. 

 

The issue might be also related to the USB wireless adapter I use. It connects to a WAP that is in turn connected to the router. The WAP in itself is an Ethernet gateway. Perhaps I need to create a network connection for the WAP? Problem is the WAP is also used by my TV wireless desktop devices.

 

-EDIT- I switched the wireless network setting over to Windows settings. I have that already set to Public with all sharing disabled. Will see how that goes.

Edited by itman

This topic is now closed to further replies.