Wilders Security Forums  

  #1  
Old September 7th, 2011, 04:24 AM
ozziblue ozziblue is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 8
Default ESET Module Updates upset Belkin Router

Windows XP SP3 fully Updated
ESET Smart Security Version 4.2.40.0
Belkin Wireless Router Model SURF N300


I happened to visually notice the arrival of ESET Module Updates on 6 September 2011 and immediately after that the Belkin Icon on the taskbar began to dim indicating a problem with the Router. Hovering over the icon gave the message "Not connected". The connection was between my desktop and the router directly by LAN (wireless actually off as not needed at that time).

I tried everything with the router - update software (not needed) complete re-install (no difference).

After some time of pursuing possible outcomes I concentrated on ESET thinking that it must have NOT been a coincidence that the problem seemed to be related to the Module Update.

Long story - shortened - I discovered that in the IDS Firewall settings that unticking "covert data in ICMP protocol detection" fixed the problem i.e. the Router stabilised and began to glow green and work again.

The Firewall logs showed the following messages continuously (reprinting every second) :-

6/09/2011 6:35:48 PM Detected covert channel exploit in ICMP packet 192.168.2.2 192.168.2.1 ICMP

6/09/2011 6:35:47 PM Detected covert channel exploit in ICMP packet 192.168.2.2 192.168.2.1 ICMP

I suspect the update module causing the issue was the Personal firewall module: 1068 (20110727)

My worry is that I have unticked what was a default setting in the firewall and am now at increased risk.

Will there be a fix from ESET so I can once again re-tick that setting?

Thanks for your help.
__________________
Ozziblue
  #2  
Old September 7th, 2011, 09:48 AM
Marcos Marcos is offline
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,222
Default Re: ESET Module Updates upset Belkin Router

Please create a Wireshark log with the network communication captured when the exploit detection occurs. When done, compress it, upload it somewhere and PM me the download link.

As an interim solution, you can add the router's IP address to the list of addresses excluded from active protection (IDS) in the zone setup.
  #3  
Old September 7th, 2011, 06:18 PM
ozziblue ozziblue is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 8
Default Re: ESET Module Updates upset Belkin Router

Marcos, thank you for your prompt reply.

I will use your interim suggestion until I have an opportunity to d/l and learn Wireshark etc. Although I wonder what Wireshark may show as the setup at the moment is just my desktop direct connected to a LAN socket on the router - as mentioned the router is turned off wireless wise. I shall pursue that avenue as soon as I get a chance.

Many thanks,
__________________
Ozziblue
  #4  
Old September 7th, 2011, 07:41 PM
kusiobache kusiobache is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 3
Default Re: ESET Module Updates upset Belkin Router

I just want to add that I am having this exact same issue, except I have Windows 7. I would post firewall logs but I do not know how to obtain them as I am not familiar with ESET.

However, unticking "covert data in ICMP protocol detection" fixed my issue as well, so thank you ozziblue. I had been unticking the actual detections (like Code Red worm detection, etc), which had been doing nothing to help me.

I will add my router to my trusted zone as well, however it would be nice to see a fix considering ESET was wonderful before this (it still is, but this was a minor annoyance).
  #5  
Old September 8th, 2011, 03:34 AM
ozziblue ozziblue is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 8
Default Re: ESET Module Updates upset Belkin Router

kusiobache,

It's almost reassuring to know someone else has the same problem!

Glad my cure helped you.

Cheers
__________________
Ozziblue
  #6  
Old September 8th, 2011, 03:47 AM
ozziblue ozziblue is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 8
Default Re: ESET Module Updates upset Belkin Router

@ Marcos,

I have run and saved 2 Wireshark files.

1. with my system running "normally" and

2. with my system running normally and in the middle of running I ticked the "covert data in ICMP protocol detection" and left it ticked for about 1min 30secs and then UNticked it again to see the return to "normal".

The problem now is the forum PM system seems to be unavailable so I can't send you the links to the two files until someone fixes the PM system!

Cheers
__________________
Ozziblue
  #7  
Old September 8th, 2011, 04:50 AM
ozziblue ozziblue is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 8
Default Re: ESET Module Updates upset Belkin Router

@ Marcos,

See your PMs (The PM now seems to be working.)

Cheers
__________________
Ozziblue

Last edited by ozziblue : September 8th, 2011 at 04:26 PM.
  #8  
Old September 15th, 2011, 12:04 AM
ozziblue ozziblue is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 8
Default Re: ESET Module Updates upset Belkin Router

I just noticed a new personal firewall module come in: 1069

Was hoping that this was the "fix" - but the problem remains, so I'm back with the original situation of my first post at the top of the thread.

Have not heard yet if my Wireshark logs were of any help.

Cheers,
__________________
Ozziblue
  #9  
Old September 15th, 2011, 12:56 AM
Marcos Marcos is offline
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,222
Default Re: ESET Module Updates upset Belkin Router

The firewall module 1069 doesn't contain any changes in the code, it just adds support for 2 new languages. A newer firewall module addressing the "false" detection will be released shortly. As a side note - firewall module updates are high-risk updates, so they must always be tested carefully before release, which usually takes several weeks.
  #10  
Old September 15th, 2011, 01:43 AM
auburn auburn is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 1
Default Re: ESET Module Updates upset Belkin Router

Same problem here. Windows 7, Belkin Play Router. I was also able to get ESET to allow the connection by unclicking the "covert data in ICMP protocol detection" tab.

I reinstalled Smart Security 4, and it worked fine, until it updated, then it went back to blocking the connection. Upgrading to the new Smart Security 5 was no help.

The addresses it is flagging are 192.168.2.9 and 192.168.2.1
  #11  
Old September 15th, 2011, 02:04 AM
Marcos Marcos is offline
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,222
Default Re: ESET Module Updates upset Belkin Router

What about adding the whole TZ subnet to the list of addresses excluded from active protection (IDS) in the Zone setup? This should work as an interim solution and would be safer than disabling ICMP covert data checking completely.
  #12  
Old September 15th, 2011, 04:18 AM
ozziblue ozziblue is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 8
Default Re: ESET Module Updates upset Belkin Router

Quote:
Originally Posted by Marcos
The firewall module 1069 doesn't contain any changes in the code, it just adds support for 2 new languages. A newer firewall module addressing the "false" detection will be released shortly. As a side note - firewall module updates are high-risk updates, so they must always be tested carefully before release, which usually takes several weeks.

Thanks for that Marcos.

However can I raise a point here:- There appears to be a dichotomy whereby under "Automatic Filtering Mode" (my preferred setting) the router and its subnet are already shown as being in the TZ - which is the default setting when installing and accepting "sharing".

In other words if the router is supposedly already in the TZ in Automatic mode why do you have to change it in the Interactive Mode?

The only way to manually add the zone rule is to accept a change to Interactive Mode (otherwise the zone rule editor is greyed out).

I prefer not to have to set all interactive rules so I am hoping that the cure in module 1070 - when it comes, will allow for and work correctly in "Automatic Mode". Will this be the case?

Thank you
__________________
Ozziblue
  #13  
Old September 15th, 2011, 04:21 AM
dmaasland dmaasland is offline
Frequent Poster
 
Join Date: Nov 2010
Posts: 468
Default Re: ESET Module Updates upset Belkin Router

Change it to automatic mode with exceptions
  #14  
Old September 15th, 2011, 04:30 AM
Marcos Marcos is offline
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,222
Default Re: ESET Module Updates upset Belkin Router

Quote:
Originally Posted by ozziblue
The only way to manually add the zone rule is to accept a change to Interactive Mode (otherwise the zone rule editor is greyed out).

Not any more with ESS v5. If you don't want to upgrade to v5 yet, switch to Automatic mode with exceptions as advised above.
  #15  
Old October 3rd, 2011, 06:03 AM
ozziblue ozziblue is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 8
Default Re: ESET Module Updates upset Belkin Router

Just noticed Personal firewall module: 1071 (20110912) has arrived.

I have reverted to all original settings and can confirm that the original issue appears to have been fixed by this latest module.

Therefore - many thanks to the ESET team.

Cheers,
__________________
Ozziblue
 

All times are GMT -4.