Firewall blocking random stuff inc/ IPv6


funkydude
June 5th, 2009, 12:00 PM
I recently found that there's a hardcoded rule for allowing all ICMPv6 communication which obviously isn't working at all.
I get a whole lot of "no usable rule found" spam when running uTorrent 1.9 from ICMPv6, originating from system.

Just wanted to add some IPv6 info:
PID=4, that's system, not sure why it doesn't just say system
The pings appear to happen on vista bootup/login.

[attachment 209488]

In particular


Random blocked web data?
Other PC sending data to itself that I can see?
..then sending it to a non existing IP?
..then finally to the router, why can I see it?
System sending IGMP?

funkydude
June 9th, 2009, 10:38 AM
bump.

Bump.

robis
June 16th, 2009, 12:39 AM
-{ Quote: "I recently found that there's a hardcoded rule for allowing all ICMPv6 communication which obviously isn't working at all.
I get a whole lot of "no usable rule found" spam when running uTorrent 1.9 from ICMPv6, originating from system.

Just wanted to add some IPv6 info:
PID=4, that's system, not sure why it doesn't just say system
The pings appear to happen on vista bootup/login.

[attachment 209488]

In particular


Random blocked web data?
Other PC sending data to itself that I can see?
..then sending it to a non existing IP?
..then finally to the router, why can I see it?
System sending IGMP?
" }-

Same as me, but ESET Support says to turn off logging :)
I don't have time; I spent maybe 2 months solving problems with v4.
Now I am on v4, but I am waiting for a good build or the end of my licence.

a3_alin
June 16th, 2009, 03:14 AM
-{ Quote: "I recently found that there's a hardcoded rule for allowing all ICMPv6 communication which obviously isn't working at all.
I get a whole lot of "no usable rule found" spam when running uTorrent 1.9 from ICMPv6, originating from system.

Just wanted to add some IPv6 info:
PID=4, that's system, not sure why it doesn't just say system
The pings appear to happen on vista bootup/login.

[attachment 209488]

In particular


Random blocked web data?
Other PC sending data to itself that I can see?
..then sending it to a non existing IP?
..then finally to the router, why can I see it?
System sending IGMP?
" }-
I have the same problem... I disabled IPv6...

funkydude
June 16th, 2009, 06:35 AM
-{ Quote: "Same as I but ESSET Support says turn off logging :)
I dont have time I spend solving problems with v4 maybe 2 months.
Now I am on v4 but I am waiting for good build or end of licence." }-

Personally I just keep bumping this until they fix it, it's worked in the past so. I know they're busy but they get around to it eventually.

robis
June 16th, 2009, 12:48 PM
-{ Quote: "I have the same problem... I disable IPv6..." }-

Yes, that is true. But do you think that is a good idea for the future?

When IPv6 comes, I think there will be more problems :) Why shouldn't the ESET developers fix this now?

-{ Quote: "Personally I just keep bumping this until they fix it, it's worked in the past so. I know they're busy but they get around to it eventually." }-

Bumping is not a good way, but on the other side, releasing ESET SS v4 was not a good idea. For me it is not a full product; it's still very buggy.

funkydude
June 21st, 2009, 09:16 PM
Bump.

a3_alin
June 22nd, 2009, 02:34 AM
-{ Quote: "Yes that is true. But do you think that is good idea for future?

When IPv6 comes than I think will be more other problems :) why ESET Developers should'nt fix this now?



BUMping is not good way but for other side releasing ESET SS v4 was not good idea. For me it is not full product its still very buggy." }-
:) buggy...

WayneP
June 22nd, 2009, 12:27 PM
Hello funkydude,

There is a new firewall module available now. You should have received it automatically with an update. Does the problem still persist after this update?

Marcos
June 22nd, 2009, 12:37 PM
A bi-directional rule for icmpv6 (port 58) should help. The rule will be made default in the module build 1048.
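
ICMPv6 is IP protocol number 58 (a next-header value, not a TCP or UDP port), and IPv6 does not function without it: Neighbor Discovery (RFC 4861) does address resolution, duplicate address detection and router discovery over ICMPv6 types 133 to 136, and Multicast Listener Discovery uses types 130 to 132 and 143. A host therefore sends a burst of ICMPv6 at boot and login before any application runs, which is a plausible (assumed, not confirmed by the thread) explanation for the "no usable rule found" entries from PID 4 reported above. The checker below is an added example for this thread, not ESET code and not the rule Marcos describes: it parses an ICMPv6 message, verifies the checksum against the IPv6 pseudo-header, and applies the minimal allow set from RFC 4890 section 4.3 together with the RFC 4861 hop-limit rule. The policy table is this example's reading of RFC 4890, and the packets are constructed inline with documentation addresses (2001:db8::/32).

```python
import struct
import ipaddress

ICMPV6_PROTO = 58  # IP protocol number for ICMPv6 (an IP next-header value, not a TCP/UDP port)

# Minimal allow set, this example's reading of RFC 4890 section 4.3 (not an ESET setting):
ERRORS = {1, 2, 3, 4}          # Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem
ECHO = {128, 129}              # Echo Request / Echo Reply
NDP = {133, 134, 135, 136}     # Router Solicitation/Advertisement, Neighbor Solicitation/Advertisement (RFC 4861)
MLD = {130, 131, 132, 143}     # MLD Query/Report/Done and MLDv2 Report (RFC 2710, RFC 3810)


def icmpv6_checksum(src, dst, message):
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message (RFC 8200 section 8.1)."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([ICMPV6_PROTO]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmpv6(src, dst, msg_type, code, body):
    """Serialize an ICMPv6 message with a correct checksum."""
    unchecked = struct.pack("!BBH", msg_type, code, 0) + body
    return struct.pack("!BBH", msg_type, code, icmpv6_checksum(src, dst, unchecked)) + body


def classify(src, dst, hop_limit, message):
    """Return ("allow" | "drop", reason) for one ICMPv6 message seen on the wire."""
    if len(message) < 4:
        return "drop", "truncated message"
    msg_type, code, csum = struct.unpack("!BBH", message[:4])
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    if icmpv6_checksum(src, dst, zeroed) != csum:
        return "drop", "bad checksum"
    if msg_type in ERRORS:
        return "allow", "error message"
    if msg_type in ECHO:
        return "allow", "echo"
    if msg_type in NDP:
        # RFC 4861: ND messages are link-local only; a hop limit below 255 means the
        # packet was forwarded by a router and must be ignored.
        if hop_limit != 255:
            return "drop", "NDP with hop limit %d (must be 255)" % hop_limit
        if code != 0:
            return "drop", "NDP code must be 0"
        if msg_type == 134 and not ipaddress.IPv6Address(src).is_link_local:
            return "drop", "router advertisement from non-link-local source"
        return "allow", "neighbor discovery"
    if msg_type in MLD:
        # RFC 2710 / RFC 3810: MLD is sent with hop limit 1.
        if hop_limit != 1:
            return "drop", "MLD with hop limit %d (must be 1)" % hop_limit
        return "allow", "multicast listener discovery"
    return "drop", "type %d not in minimal allow set" % msg_type


# Constructed sample traffic (documentation prefix 2001:db8::/32); not captured from the thread.
NS_BODY = b"\x00" * 4 + ipaddress.IPv6Address("2001:db8::2").packed          # reserved + target
NS_PKT = build_icmpv6("fe80::1", "ff02::1:ff00:2", 135, 0, NS_BODY)           # Neighbor Solicitation
RA_BODY = b"\x40\x00\x07\x08" + b"\x00" * 8                                   # hop limit, flags, lifetime, timers
RA_GLOBAL_PKT = build_icmpv6("2001:db8::1", "ff02::1", 134, 0, RA_BODY)       # RA from a non-link-local source
ECHO_PKT = build_icmpv6("2001:db8::1", "2001:db8::2", 128, 0, b"\x00\x01\x00\x01ping")
MLD_QUERY_PKT = build_icmpv6("fe80::1", "ff02::1", 130, 0, b"\x00" * 20)      # MLD general query
NIQ_PKT = build_icmpv6("2001:db8::1", "2001:db8::2", 139, 0, b"\x00" * 12)    # Node Information Query


def demo():
    """Run the constructed samples through the policy; returns (label, verdict) pairs."""
    return [
        ("NS, hop limit 255", classify("fe80::1", "ff02::1:ff00:2", 255, NS_PKT)),
        ("NS, hop limit 64", classify("fe80::1", "ff02::1:ff00:2", 64, NS_PKT)),
        ("RA from global source", classify("2001:db8::1", "ff02::1", 255, RA_GLOBAL_PKT)),
        ("echo request", classify("2001:db8::1", "2001:db8::2", 64, ECHO_PKT)),
        ("MLD query", classify("fe80::1", "ff02::1", 1, MLD_QUERY_PKT)),
        ("node information query", classify("2001:db8::1", "2001:db8::2", 64, NIQ_PKT)),
        ("NS with corrupted byte", classify("fe80::1", "ff02::1:ff00:2", 255,
                                            NS_PKT[:8] + bytes([NS_PKT[8] ^ 0xFF]) + NS_PKT[9:])),
    ]


if __name__ == "__main__":
    for label, (verdict, reason) in demo():
        print("%-24s %-5s %s" % (label, verdict, reason))
```

The point of the hop-limit and link-local checks is that an "allow all ICMPv6" rule is safe on a host precisely because Neighbor Discovery cannot be routed in from the Internet; a rule that only matched on type 128/129 would leave address resolution broken and reproduce the symptoms in this thread.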

funkydude
June 22nd, 2009, 04:13 PM
-{ Quote: "Hello funkydude,

There is a new firewall module avaliable now. You should have received it automatically with an update. Does the problem still persist after this update?" }-


I can tell you now:
IPv6: Not fixed, fixed in 1048 according to Marcos
Random blocked TCP packets: Not fixed, maybe the firewall is performing properly? I'd rather have an ESET reply.
Data sent to non-existent IPs/Data being sent from other IPs I can see: Still investigating with new module, will report back.
Random IGMP: Still investigating with new module, will report back.

falke69
June 22nd, 2009, 05:44 PM
Same problems here. Sometimes Thunderbird didn't work, sometimes Internet Explorer didn't work. Vista with SP2 hung or reacted very slowly to commands... Installation was no problem, but my PC couldn't be used.
No internet connection at all. No online update of ESS possible because no internet connection was available. Problems with ESS 4.0.437 and 4.0.424 with Vista SP2. With XP and SP3 I had no problems.

Now it's enough !!!

After much time spent, I removed ESS and installed NOD32 with Comodo firewall. My PC is now running fast and I can use the internet again.

I am not satisfied with the new version 4.:(

Still very buggy version like a beta version and not stable or really useful.

ESET please do your homework.

funkydude
June 24th, 2009, 08:29 PM
Bump.

None of these issues are fixed in 1049. In fact I'm having another issue where ESS is blocking a TON of legitimate data from the World of Warcraft patching system; this system uses torrenting traffic, and a lot is simply being blocked for what I see as no apparent reason.

Usually:
Time Packet blocked by active defense (IDS) 192.168.XX.XX:RANDOM_PORT XX.XX.XX.XX:3724 TCP
or
Time Packet blocked by active defense (IDS) XX.XX.XX.XX:3724 192.168.XX.XX:RANDOM_PORT TCP

Your firewall is becoming a joke to me ESET.

funkydude
June 24th, 2009, 08:44 PM
Time Detected ICMP Flooding attack XX.XX.XX.XX 192.168.XX.XX ICMP

Fun fact, my router is set to block incoming ICMP from externals addresses, wonder how ESET thinks I'm being attacked, eh?

agoretsky
June 24th, 2009, 08:57 PM
Hello,

Please enable logging mode to capture the blocked packets and forward them to support@eset.sk along with a link to this message for further analysis.

Regards,

Aryeh Goretsky


-{ Quote: "Time Detected ICMP Flooding attack XX.XX.XX.XX 192.168.XX.XX ICMP

Fun fact, my router is set to block incoming ICMP from externals addresses, wonder how ESET thinks I'm being attacked, eh?" }-

funkydude
June 24th, 2009, 09:12 PM
"Logging mode"? An explanation would be nice. If you mean log blocked connections, it's already enabled, and that doesn't capture packets.

BFG
June 24th, 2009, 09:20 PM
Hi funkydude,

I believe he's referring to this. http://kb.eset.com/esetkb/index?page=content&id=SOLN742

BFG

funkydude
June 24th, 2009, 10:34 PM
Even more fun in ESET land where I need to guess KB articles, those instructions are broken:

1. The directory is actually: HKLM\SOFTWARE\Eset\ESET Security\CurrentVersion\Plugins\01000200\Profiles\@My profile
2. The Vista directory is: C:\ProgramData\ESET\ESET Smart Security\ which isn't even listed

That being said, I've started creating a log. I highly doubt I can replicate the ICMP issue, but I can replicate the torrenting and IPv6 issue.

BFG
June 24th, 2009, 10:40 PM
Hello,

Thank you for letting us know. I'll forward that information to the tech writers.

BFG

funkydude
June 25th, 2009, 08:08 AM
I've sent the file

-{ Quote: "This is 1 log of all the blocked packets including:

Blocked IPv6
Blocked torrenting traffic from the World of Warcraft patcher
Blocked TCP data from uTorrent
Blocked data I shouldn't be seeing: E.G. My I.P. is .30 I'm seeing data from .50 going to .2 which doesn't exist.
Blocked IGMP from ?? maybe uTorrent" }-

I really hope this helps.

funkydude
June 25th, 2009, 01:32 PM
This gets funner by the day. I just got a brilliant reply from customer support: "Your email request does not contain a valid ticket number". Are you serious? I only just sent the email why would I have a ticket number....

funkydude
June 26th, 2009, 07:09 AM
Maybe someone could explain to me what I'm supposed to do now?

cqpreson
June 26th, 2009, 07:27 AM
In my opinion, IGMP is normal, because, as far as I know, when each computer starts, it sends IGMP data to the same target. But I don't know why.
And that TCP packet may be a packet with some special flags set, like SYN.

BFG
June 26th, 2009, 07:32 AM
Hello funkydude,

How did you try to contact support, the way they recommend via the GUI of the program? As the last way sounds like it didn't create a case, you might try that.

BFG

funkydude
June 26th, 2009, 07:33 AM
-{ Quote: "In my opinion,IGMP is normal.because,as far as I know,when each computer starts,it will send a data which is IGMP to a same target.But I don't know why.
" }-

Sounds like a good explanation, but in this case a better log entry should be created; it currently has the misleading message of "No usable rule found" as an excuse for blocking.

That being said, I have noticed it pop up frequently whilst running uTorrent.

funkydude
June 26th, 2009, 07:36 AM
-{ Quote: "Hello funkydude,

How did you try to contact support, the way they recommend via the GUI of the program? As the last way sounds like it didn't create a case you might try that.

BFG" }-

I sent them an email directly as asked by agoretsky, I will try using the GUI instead, thank you.

cqpreson
June 26th, 2009, 07:49 AM
-{ Quote: "Sounds like a good explanation, but in this case, a better log entry should be created, it currently has the misleading message of "No usable rule found" as an excuse for blocking." }-

I think ESET's firewall creates many rules for many protocols, but only for some common protocols. And IGMP is not included in those protocols, so the firewall blocks the IGMP data and creates a log entry which is named "No usable rule found".

Zoidb
June 28th, 2009, 08:11 AM
The firewall seems to block STEAM and HotSpot Shield.
I can connect to Steam, but I cannot join any servers when the firewall is enabled. Same with HotSpot Shield.

silverfox55
June 28th, 2009, 03:08 PM
I get the same things on Ver3 with module 1049 but I am not running any games or torrents. The logs are full of this

Why oh why can't ESET respond to this or fix it????

funkydude
June 29th, 2009, 08:13 AM
This is getting really frustrating now. I finally got a reply since the weekend is over, and I'm being asked for a FW log (which I already provided), an ESI log, which I have NO IDEA why it would be required to debug problems in the firewall when I already provided pcap logs, and my ESS settings? Why, in case I created rules to block this data just to mislead you guys? Sounds more to me like the support person didn't bother reading this thread, to which I explicitly linked.

funkydude
June 30th, 2009, 06:08 PM
I don't think I can win this one, I just can't see myself using ESET for much longer, they won't settle for anything less than:

Settings file: Which reveals not only settings but such details as every single email address I've sent a mail to, every single application I've allowed internet access to, even the temporary ones from months ago.

ESI log: Which shows anything anyone could ever dream of about my system, what's on it, how it runs, and basically what it eats for breakfast.

Firewall log: Even though I sent the block pcap log, they still need this why? I've obviously since deleted it from ESS considering the massive size, and the screenshot is self explanatory.

patch
July 4th, 2009, 10:11 PM
-{ Quote: "
None of these issues are fixed in 1049. Infact I'm having another issue where ESS is blocking a TON of legitimate data from the World of Warcraft patching system, this system uses torrenting traffic, and a lot is simply being blocked for what I see as no apparent reason.

Usually:
Time Packet blocked by active defense (IDS) 192.168.XX.XX:RANDOM_PORT XX.XX.XX.XX:3724 TCP
or
Time Packet blocked by active defense (IDS) XX.XX.XX.XX:3724 192.168.XX.XX:RANDOM_PORT TCP

Your firewall is becoming a joke to me ESET." }-
Same with Firewall 1050
5/07/2009 10:37:37 AM Packet blocked by active defense (IDS) 192.168.1.2:1068 90.183.101.16:80 TCP
5/07/2009 10:45:48 AM Packet blocked by active defense (IDS) 192.168.1.2:1310 93.184.71.21:80 TCP
Where
192.168.1.2 -> my computer IP behind billion 7402vgp router & its firewall
90.183.101.16 -> u46.eset.com
93.184.71.21 -> um10.eset.com

Actually I wonder if their problem is attempting to implement software timers / packet ordering without checking timer accuracy / ordering reliability / CPU load.

ESS was running a full scan when the above was reported, on an older Windows 2000 laptop, with the scan causing 20-40% CPU load.

Either way the firewall still has an unacceptably high false positive rate.
Their firewall log provides little assistance for them to debug the problem.
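
The "Packet blocked by active defense (IDS)" entries pasted in this post, and the port-3724 entries in funkydude's June 24th post, share one shape: timestamp, event text, source endpoint, destination endpoint, protocol. Grouping them by remote endpoint is the quickest way to see whether the blocks are scattered across random hosts or concentrated on a few known peers such as ESET's own update servers, which is exactly the question support would need answered before any "false positive" claim can be checked. The script below is an added example written for this thread, not an ESET tool: it parses log lines of that shape (any event text between the timestamp and the endpoints is accepted, so "Detected ICMP Flooding attack" lines parse too), decides direction against an assumed LAN of 192.168.1.0/24, and counts blocks per remote endpoint, using the two host names quoted above as a lookup table. The sample log is constructed for the example (the 203.0.113.0/24 addresses are documentation space), and only IPv4 endpoints are handled, since the thread shows no IPv6 line format.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Assumptions for this example (not from ESET documentation): the LAN is 192.168.1.0/24,
# and the host-name map is the reverse lookup quoted in the thread.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
KNOWN_PEERS = {
    "90.183.101.16": "u46.eset.com",
    "93.184.71.21": "um10.eset.com",
}

# <date> <time> [AM|PM] <event text> <src[:port]> <dst[:port]> <proto>
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?) "
    r"(?P<event>.+?) (?P<src>\S+) (?P<dst>\S+) (?P<proto>[A-Za-z0-9]+)$"
)

# Constructed sample; the first two lines copy the shape of the entries pasted in the thread.
SAMPLE_LOG = """\
5/07/2009 10:37:37 AM Packet blocked by active defense (IDS) 192.168.1.2:1068 90.183.101.16:80 TCP
5/07/2009 10:45:48 AM Packet blocked by active defense (IDS) 192.168.1.2:1310 93.184.71.21:80 TCP
5/07/2009 10:46:02 AM Packet blocked by active defense (IDS) 192.168.1.2:1312 93.184.71.21:80 TCP
5/07/2009 10:50:11 AM Packet blocked by active defense (IDS) 203.0.113.9:3724 192.168.1.2:52011 TCP
5/07/2009 10:50:12 AM Packet blocked by active defense (IDS) 192.168.1.2:52011 203.0.113.9:3724 TCP
5/07/2009 10:51:00 AM Detected ICMP Flooding attack 203.0.113.44 192.168.1.2 ICMP
garbage line that should be skipped
"""


def split_endpoint(token):
    """'192.168.1.2:1068' -> ('192.168.1.2', 1068); a bare address -> (address, None)."""
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit() and ":" not in host:  # IPv4 host:port only
        return host, int(port)
    return token, None


def parse_line(line):
    """Parse one log line into a record, or return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    try:
        outbound = ipaddress.ip_address(src_host) in LOCAL_NET
    except ValueError:  # redacted or malformed address, e.g. XX.XX.XX.XX
        return None
    remote_host, remote_port = (dst_host, dst_port) if outbound else (src_host, src_port)
    return {
        "ts": m["ts"], "event": m["event"], "proto": m["proto"],
        "direction": "outbound" if outbound else "inbound",
        "remote_host": remote_host, "remote_port": remote_port,
    }


def parse_log(text):
    """Return (records, skipped_line_count)."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def summarize(records, known_peers=KNOWN_PEERS):
    """Count blocks per (event, remote endpoint, proto), most frequent first."""
    counts = Counter()
    directions = defaultdict(Counter)
    for r in records:
        key = (r["event"], r["remote_host"], r["remote_port"], r["proto"])
        counts[key] += 1
        directions[key][r["direction"]] += 1
    rows = []
    for (event, host, port, proto), n in counts.items():
        rows.append({
            "event": event, "remote_host": host, "remote_port": port, "proto": proto,
            "count": n, "directions": dict(directions[(event, host, port, proto)]),
            "peer_name": known_peers.get(host),  # None means: not a known peer
        })
    rows.sort(key=lambda r: (-r["count"], r["remote_host"], r["remote_port"] or 0))
    return rows


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print("parsed %d entries, skipped %d" % (len(recs), bad))
    for row in summarize(recs):
        peer = row["peer_name"] or "?"
        print("%3d  %-38s %s:%s %s  (%s) %s" % (row["count"], row["event"], row["remote_host"],
                                                  row["remote_port"], row["proto"], peer, row["directions"]))
```

On real data, run it over the firewall log exported from ESS rather than the screenshot, and extend KNOWN_PEERS with whatever reverse lookups you trust; a remote endpoint that is both a known peer and the top entry is the candidate for an explicit allow rule, whereas many single-count entries from unrelated hosts are what a genuine flood or scan looks like.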

funkydude
July 4th, 2009, 11:01 PM
-{ Quote: "
Either way the firewall still has an unacceptably high false positive rate.
There fire wall log provides little assistance for them to debug the problem." }-

I just don't have the time for this kind of thing. I mean, it's a firewall, how much more basic can you get? I shouldn't have to worry about packet timings and things. Wonder why the Windows firewall hasn't gone through 50 module changes? At least I can use IPv6 with Windows firewall now :)

patch
July 5th, 2009, 12:38 AM
-{ Quote: "I just don't have the time for this kind of thing" }-
Agree it is letting their suite down.
Reasonable metrics to judge a filter by would be:
1) Sensitivity / false negative rate (http://www.wilderssecurity.com/showthread.php?t=239070)
2) Specificity / False positive rate (http://tekblogs.com/tb/2009/06/26/internet-access-blocked-by-eset-firewall-solution/) (see all threads on firewall blocking internet)
3) Ease of use (http://www.wilderssecurity.com/showthread.php?p=1438614#post1438614)

Everyone should make up their own mind; however, I would not give the ESS firewall a glowing report card.

nickster_uk
July 10th, 2009, 12:09 PM
These false positives with IDS and IPv6 are becoming a joke. I'm pleased that ESET have fixed some of the other issues which have caused me to roll back to v3 each time, but the false positives issue has been present with every single build of v4. It really isn't good enough. There has been more than enough feedback, either directly to ESET or on here, to address the issue. I'm just amazed that some aspects of Smart Security seem to be regressing at an alarming rate...but at least it looks pretty now! ;)

nickster_uk
July 11th, 2009, 03:45 PM
What exactly is the criteria required to generate a 'packet blocked by IDS' log entry? Obviously ESET feels loading legitimate, trusted websites should be deemed as some sort of attack...but what exactly is the threat?

It has been mayhem tonight...thousands of IDS block entries have been filling the log at an alarming rate. I'm not even running uTorrent or streaming any content. It's absolutely shocking as traffic becomes affected and the only temp fix is to disable the firewall or reboot.

Some clarification would be nice then perhaps the ESET developers could work to tweak the detection rule a little bit to make it more efficient.

nickster_uk
July 16th, 2009, 07:24 PM
Would be grateful if someone from ESET could answer this question for me please:
-{ Quote: "What exactly is the criteria required to generate a 'Packet blocked by active defense (IDS)' log entry?" }-

In the last 10 hours, I have seen well over 600 log entries created for 'Packet blocked by active defense (IDS)'.

It's nuts.

The PIT
July 17th, 2009, 02:56 PM
Same here. I suppose I could just disable IPv6 to stop it.

silverfox55
July 18th, 2009, 03:59 AM
ESET do not have a clue what they are doing. That is why it is not fixed and never will be. If they do not have the courtesy to respond to people and offer solutions then they will lose people, like they have done with the absolute cr?p they dished out with ver4.

garryh
July 18th, 2009, 03:49 PM
I plan on looking at comodo.com

In another post I recounted how false positive TCP flooding attacks were preventing a Samsung application from working properly (using the TV to view/listen to photos, movies and music stored on the PC), and my inquiries about it. It should be clear even to first level support that a log entry of TCP flooding attack is controlled by the IDS option TCP protocol overload detection. It took me several days, and the luck of finding a thread discussing ICMP issues, to determine where in ESET SS it needed to be disabled. Further, I should not have to disable a global rule that is turned on by default simply to allow my TV and PC to communicate on my home network.

I am not saying ESET is not working hard at fixing problems. I am saying their failure to respond to end-user inquiries, which are clearly pointing out weaknesses in their product, in a collaborative and informational way rather than providing short, errant, and incomplete responses shows a lack of appreciation and respect for their customers.

I switched from Norton to Trendmicro when Symantec got too big. I switched from Trendmicro to ESET when, after 5+ years of loyal patronage, the product became an impediment to getting the job done, where reported problems went on for months, actually nearly a year. In fact it was a Trendmicro forum post that pointed me to ESET, as this post points me to comodo.com, just a little over 18 months ago.

My recommendation is that ESET customer support should turn up the customer appreciation level by a huge margin, and prioritize the issues that we're complaining about most loudly. GM thought they did not have to listen to their customers (not the ones who buy loyally regardless of product quality or cost effectiveness, but the ones who said if you don't listen we walk--and they did--and GM collapsed).

garryh
July 18th, 2009, 04:10 PM
I was just looking at firewall specific software and ZoneAlarm seems to be the way to go if you are going to use best of breed products. NOD32 and ZoneAlarm. ZoneAlarm even allows you to integrate another vendors AV software.

I will need to reevaluate when my ESET SS software licensing comes full-term.

TBR
July 19th, 2009, 04:11 PM
-{ Quote: "I plan on looking at comodo.com

In another post I recounted how false positive TCP flooding attacks were preventing a Samsung application from working properly (using the TV to view/listen to photos, movies and music stored on the PC), and my inquiries about it. It should be clear even to first level support that a log entry of TCP flooding attack is controlled by the IDS option TCP protocol overload detection. It took me several days, and the luck of finding a thread discussing ICMP issues, to determine where in ESET SS it needed to be disabled. Further, I should not have to disable a global rule that is turned on by default simply to allow my TV and PC to communicate on my home network.

I am not saying ESET is not working hard at fixing problems. I am saying their failure to respond to end-user inquiries, which are clearly pointing out weaknesses in their product, in a collaborative and informational way rather than providing short, errant, and incomplete responses shows a lack of appreciation and respect for their customers.

I switched from Norton to Trendmicro when Symantec got too big. I switched from Trendmicro to ESET when, after 5+ years of loyal patronage, the product became an impediment to getting the job done, where reported problems went on for months, actually nearly a year. In fact it was a Trendmicro forum post that pointed me to ESET, as this post points me to comodo.com, just a little over 18 months ago.

My recommendation is that ESET customer support should turn up the customer appreciation level by a huge margin, and prioritize the issues that we're complaining about most loudly. GM thought they did not have to listen to their customers (not the ones who buy loyally regardless of product quality or cost effectiveness, but the ones who said if you don't listen we walk--and they did--and GM collapsed)." }-

It's a shame, NOD32 was a great app, ESS is a joke. My 3 year multi user licence runs out next month and I won't be renewing.

V4 should never have been released when it was. I remember it was cutting you off from the internet, this board was awash with people complaining, it took ages to fix and during this they released it anyway; that was when they lost my vote going forward.

Like you guys say, who's got the time to do their work for them? I'm off elsewhere.

funkydude
July 19th, 2009, 04:50 PM
-{ Quote: "i remember it was cutting you off from the internet" }-

As I've stated a few times now, Windows Firewall is brilliant. I've even been using it confidently at wireless hotspots (just make sure you set the network to public).