"Detected covert channel exploit" problem.

Took me a while to trace my problem in battlefield 2 bad company to this.

Basically - Eset Smart Security started blocking in-game browser updates, even though i added every possible exception for the game. So i checked logs and found this line appearing whenever i try to update browser window:

Detected covert channel exploit (ICMP protocol) With my current IP address in source tab and several server addresses in target tab.

I have tried allowing IMCP communication specifically for the game and in general but it didn't help. So the only way around it is to disable filtering completely - then everything works fine.

So how else can i prevent eset from blocking connections for my game?

And yes - firewall modules are updated.



Read every post about this issue on this forum

Setup->Personal Firewall->IDS and Advanced Options->uncheck Covert data in ICMP protocol detection

Still - is there a way to disable that thing specifically in one particular application?

 

I'd suggest adding the respective IP address to the list of addresses excluded from active protection (IDS) in the zone setup.

 

This is impossible, since my IP is dynamic and IP's that this thing blocks are numerous as in - every server from around the world in the browser, over 700 IP's.

This is how it looks in the logs:

http://img812.imageshack.us/img812/9444/33696663.jpg the list goes on...

Unless theres a way to add application to this list?

 

Ehum... so no solution to this?

Could you at least clarify whether switching off Covert data in ICMP protocol detection would compromise my pc security?

 

You can run Wireshark with the filter set to "icmp", reproduce the problem, upload the pcap log somewhere and post a link to the file here so that we can see what kind of icmp communication was attempted. If the game actually exploits icmp packets for communication and it's not possible to add a particular IP address to the exception list, the only way to avoid blocking those icmp packets will be disabling the exploit detection in the IDS setup completely.

 

Yes, i already wrote that i figured out how i can switch this thing off, however i was wondering, whether this will compromise my security?

I fiddled with Wireshark, but i am not a nuclear physicist , so i am not sure whether i got a correct log:

http://www.filefront.com/16956299/BFBC2_browser_pings_icmp.pcap

I used ICMP filter and got the part when i update my browser window in battlefield 2. I also compared resulted IP's and they correlate to those that are blocked by ESS.

 

i use 9 online games (as i don't get out much) eset has a problem with all sometimes just slightly higher latency, mostly masses of random logs on the firewall log sometimes disconnects.
use nod 32 with windows firewall if you use a router or a third party one if you prefer. until eset release the next version.
third party firewalls i find no problem with on line games are:
private firewall http://www.privacyware.com/personal_firewall_2.html
zone alarm http://www.filehippo.com/download_zonealarm_free/
or any suite i have tried bar eset smart.

 

I've played dozens of online games and this is the first time i had some trouble with ESS. This has started after a recent patch, which might imply that something was changed in the game itself.

 

This is the official recent post on EA forums, maybe this (and the log i posted above) will help developers to find a workaround:


ESET Smart Security

Symptom: All ping times are displayed as - or 999

Reason: ESET Smart Security thinks that all the ping responses are coming in from servers are the result of a Denial-Of-Service attack that has been triggered from some other machine, and it begins to ignore those the incoming ICMP PING responses.

We have not yet been able to reach ESET about this.

Workaround:
In ESET Smart Security, go into Setup> Personal Firewall> Advanced Personal Firewall Setup> IDS and advanced options> ICMP protocol attack detection: disable
This will not make your machine vulnerable to viruses, it only means that someone can crash your computer remotely using an ICMP-based Denial-Of-Service attack (which is a very unlikely event).