Discussion in 'ESET Smart Security' started by funkydude, Apr 5, 2009.
See this: http://www.wilderssecurity.com/showthread.php?t=234632
still an issue in .417
You should capture the communication using Wireshark and send the log to support[at]eset.com with a description of the issue. Couldn't it be that you're running the firewall in automatic mode?
Most definitely not.
So what mode are you running the firewall in?
I should have said, Interactive. The application in question had both in/out allowed.
I should add that this happens in p2p gaming also, such as LAN RTS where no server is used. Sharing mode is still required for people to connect to you.
I have never used Wireshark before so I'll try to tinker with it, but I might not be able to get a log for a while. What exactly is it you're looking for? Have the firewall on in sharing mode and just log?
Bump, I need a reply from you on what situation you want me to start logging/with what settings or I will miss my opportunity.
That happens because ARP requests from computers not being in the Trusted zone are dropped if they weren't initiated by your computer. Disabling ARP cache poisoning should help, or simply add the remote computer to the Trusted zone.
I'd prefer not to do either as I feel they are a compromise in security. This worked fine in v3, so what changed that made ESET require you to turn off sharing (which in my opinion doesn't relate to gaming) in v4?
Enabling ARP cache poisoning detection with the firewall module v. 1045 will make your computer stealth against uninitiated ARP requests from outside the Trusted zone.
I don't mean to be rude Marcos but I'm not sure how that helps. I had this problem during RC, at which point the module was 1044. Are you saying I'm going to need to use allow sharing on every PC from now on in case they might want to LAN game? Before I could in most cases use strict protection because I could guarantee the person would never need to share files/etc. in their current situation, but I can never guarantee if one day they might want to play a game.
I don't understand your problem.
You can set the LAN or just the PCs you game with as trusted, then disable the NetBIOS rules. It takes a couple of minutes at most.
Are you saying allow the application in/out on the trusted zone in my firewall rules? If so, that was automatically requested by the app when launching it, it has full access. It still won't work without sharing enabled, again, this was not a problem at all in v3.
Here is a screenshot:
I will never, ever, make custom rules for a firewall. It has always automatically asked for everything and worked perfect in v3, the fact it now fails to show something is broken.
You have rules to allow inbound/outbound to the trusted zone, but what is in the trusted zone? If you have not placed any IPs or the LAN in the trusted zone, then the application has no other IP to comm with.
You are comparing 2 different implementations.
So I'm guessing in v3 every networked computer was assumed to be trusted which has changed in v4?
In which case, is allow sharing the correct approach for this problem?
It needs to be a simple set-it-and-forget-it, not a customize-every-rule-as-it's-made, because I need to be able to set this up for other PCs without needing to configure it when he/she installs a new game.
Also, the IPs on the network can be dynamic as PCs join/leave.
There are a number of ways to help prevent ARP poisoning/DOS. ESSv4 has gone to what I would class as going to the far extreme of protection by blocking all unsolicited inbound ARP, and blocking requests not from the gateway. This type of protection, when implemented correctly, will block all the nodes on the LAN, simply because the other nodes on the LAN cannot retrieve routing info from the PC with ESSv4 installed. Therefore, for example, if there is then an attempt to scan you from another node on the LAN, then such a scanner as Nmap will return with a "host not up".
I have not looked at version 3, so do not know what ARP protection was in place (if any?)
I think your best approach at this time would be to disable the ARP poisoning protection, which will then allow routing(ARP) info to be requested. Yes, it is disabling protection, but such protection is normally only needed on an unknown/not trusted LAN.
I did look at that possibility, and due to the inability to bind MAC/IP, then on such a LAN placing specific IPs as trusted can be a possible future problem if IPs do change.
Personally, I would go with disabling the ARP poisoning IDS rule.
Thanks for the suggestion. The problem I have with that is gaming on unsafe public networks, which is what a lot of the PCs are doing: public LAN gaming. It seems a bit flawed to have this new extra protection, yet need to disable it (allow sharing) to game. Seems like back to square one?
I actually feel less secure now than with the old modules, even though they technically upgraded security.
Why do you mention "allow Sharing"?
If you disable the ARP poisoning, then keep the LAN as restricted, then there is no sharing, it is just a case that other PC(s) on LAN can then ping or connect to you if you have rules set to allow the inbound, or if set to interactive and no set rules, then you will be given a popup.
I think the ARP protection does need changing, possibly splitting into a poisoning/DOS protection option, then an option to block all ARP requests from all nodes within the LAN.
I have been looking at V3. The ARP protection is not good, I can bypass and DOS the PC.
If you had no problems with V3 with gaming on the untrusted LAN, then you can disable the ARP poisoning attack IDS rule with V4.
I have put in a bug report for V4 ARP protection, so we will see what develops.
Thanks, so you're saying I'm more secure disabling ARP and gaming than allowing sharing and gaming?
With the latest ESSv4 release, if you set the LAN as trusted, which then allows file/print sharing due to the current default rules, then the ARP poisoning IDS rule also does not cover that trusted LAN. If you just disable the ARP poisoning rule, then you can allow inbound from the restricted LAN with rules, and file/print sharing will be blocked.
The good news is that the upcoming version of the firewall module will introduce a new option in the IDS setup that will enable you to allow ARP requests from outside the Trusted zone.
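To make the behaviour described in the two posts above concrete (ARP requests from hosts outside the Trusted zone being dropped unless this host initiated contact, and the poisoning rule not covering a trusted LAN), here is a small added Python model. It is not ESET's code and not from this thread: it parses raw Ethernet/ARP frames of the kind a Wireshark capture would contain and applies a trusted-zone filter. The interpretation of "initiated by your computer" as "this host already sent an ARP request for that peer", the class name ArpZoneFilter and all MAC/IP values are constructed assumptions for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet II frame carrying an ARP-over-IPv4 packet (constructed test data)."""
    dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", _mac_bytes(dst), _mac_bytes(sender_mac), ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      _mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      _mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes) -> ArpFrame:
    """Parse the same fields Wireshark shows for an ARP packet; rejects non-ARP frames."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_TYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{eth_type:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(oper, _mac_str(sha), str(ipaddress.IPv4Address(spa)),
                    _mac_str(tha), str(ipaddress.IPv4Address(tpa)))


class ArpZoneFilter:
    """Model (assumption, not ESET's implementation) of the Trusted-zone ARP rule:
    with detection on, ARP from outside the Trusted zone is dropped unless this
    host already asked for that peer's address; a trusted zone is not filtered."""

    def __init__(self, my_ip: str, trusted_zone, poisoning_detection: bool = True):
        self.my_ip = my_ip
        self.trusted = [ipaddress.ip_network(n) for n in trusted_zone]
        self.detection = poisoning_detection
        self.asked: set[str] = set()  # IPs this host has sent ARP requests for

    def in_trusted_zone(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def outbound(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp.opcode == ARP_REQUEST:
            self.asked.add(arp.target_ip)

    def inbound(self, frame: bytes) -> tuple[str, str]:
        arp = parse_arp(frame)
        if not self.detection:
            return "allow", "ARP poisoning detection disabled"
        if self.in_trusted_zone(arp.sender_ip):
            return "allow", "sender is in the Trusted zone (rule does not apply)"
        if arp.sender_ip in self.asked:
            return "allow", "reply/request from a peer this host initiated contact with"
        return "drop", "unsolicited ARP from outside the Trusted zone"


def simulate(trusted_zone, detection: bool = True) -> list[str]:
    """Three constructed LAN events; returns the verdict for each inbound frame."""
    me_ip, me_mac = "192.168.1.10", "00:11:22:33:44:10"
    fw = ArpZoneFilter(me_ip, trusted_zone, detection)
    verdicts = []
    # 1. A LAN peer tries to resolve our address to join a game we host (the symptom in the thread).
    peer_req = build_arp(ARP_REQUEST, "00:11:22:33:44:20", "192.168.1.20", "00:00:00:00:00:00", me_ip)
    verdicts.append(fw.inbound(peer_req)[0])
    # 2. We resolve another peer first, then its reply arrives: contact was initiated by us.
    fw.outbound(build_arp(ARP_REQUEST, me_mac, me_ip, "00:00:00:00:00:00", "192.168.1.30"))
    verdicts.append(fw.inbound(build_arp(ARP_REPLY, "00:11:22:33:44:30", "192.168.1.30", me_mac, me_ip))[0])
    # 3. An unsolicited reply claiming the gateway IP from an unknown MAC: the poisoning pattern the rule targets.
    verdicts.append(fw.inbound(build_arp(ARP_REPLY, "00:11:22:33:44:99", "192.168.1.1", me_mac, me_ip))[0])
    return verdicts


if __name__ == "__main__":
    print("restricted LAN, detection on :", simulate([]))
    print("trusted LAN,    detection on :", simulate(["192.168.1.0/24"]))
    print("restricted LAN, detection off:", simulate([], detection=False))
```

Running it shows the trade-off the thread is circling: with the LAN restricted and detection on, the game peer's request in event 1 is dropped (so the peer cannot resolve this host and a scanner would also report it as down), while the spoofed gateway reply in event 3 is dropped too; marking the LAN trusted or switching detection off lets both through.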
As much as I'm grateful:
1. I haven't even had a chance to test whether disabling ARP works.
2. Won't such a feature leave me as insecure as disabling the protection anyway? How will it be better than disabling ARP protection?
I'm testing it right now, I actually disabled everything under "intrusion detection" and it won't work, the only thing that works is running Allow sharing.
But this issue is currently only with Warhammer 40,000: Dawn of War 2. I tried with Left4Dead +strict+all attacks detection on and it works. Hosting a game in dow2 (which is mainly p2p) does not work without allow sharing, no matter if intrusion detection methods are on or off.
So currently I think adding that feature would be useless Marcos.