v4 IDS killing internet connection

Discussion in 'ESET Smart Security' started by SEMEYE, Mar 4, 2009.

Thread Status:
Not open for further replies.
  1. Mr Eno

    Mr Eno Registered Member

    Joined:
    Nov 30, 2006
    Posts:
    2
    I installed ESET Smart Security v4 and had problems, but I believe the latest Internet Explorer v7 updates also have problems of stability.

    I tried all options, from uninstalling ESET Smart Security completely to clean installing Win XP with all Microsoft updates, and still had problems.

    As I keep image files of my C drive, I put back my old set-up, reverted back to ESET Smart Security v3 and also installed Internet Explorer v8 Beta.

    I now have a computer that is steady as a rock again.

    Internet Explorer v8, although a beta, seems very good and even worked with all my add-ons.

    My conclusion is that Microsoft IEv7 latest updates are not stable and that ESET Smart Security has broken since v3.
     
    Last edited: Mar 11, 2009
  2. RonZ

    RonZ Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    13
    Well, after some consideration I decided to uninstall ESS 4 (again) and download NOD32 and Online Armor or Comodo. I decided not to return to ESS3 because independent testing shows its firewall to be not very effective at all.

    Take a look: http://www.matousec.com/projects/firewall-challenge/results.php

    I can't waste any more time on ESS4 considering ESET's silence on the issues brought to light here. Hope you all can work it out ...
     
  3. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    After this week's Windows update, I tried re-installing ESS v4.

    No change, still randomly blocks outgoing packets, even the log reports that.

    Tried unticking everything in IDS and rebooting, no difference, except now I get a message 'Personal Firewall Rules cannot be converted for an unknown reason '

    The antivirus/spam is showing 'Web access protection' as 'non functional'

    I think this only leaves unticking the threat sense options to see if the problem can be resolved.

    Tried on - XPproSP3 with Opera 9.63, IE7, and W7 beta with IE8 beta - same problem.

    Colin
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Have you tried deleting all rules and changing to learning mode?
     
  5. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    Yes, as I uninstalled v3, but I might try it again.

    Colin
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Colin,

    Have you any examples of the log entries?

    What mode is the firewall set to?

    If you are in "Interactive mode" then you may need to add a rule to the browser to allow it all outbound/inbound to/from the localhost (127.0.0.1).


    - Stem
     
  7. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    Aargh, I uninstalled v4, I've just re-installed it again.

    The log stated blocked (outgoing) 192.168.5.100, which is my router, and random incoming, such as Seek, Yahoo, this forum, Nuts and Volts, and my email client (pocomail). Pocomail is set up as the email client in ESS.

    I changed it from interactive to learning, when it started blocking this morning.

    If it starts doing it again, I'll try this and perhaps adding the router as well.

    The router is a Draytek Vigor 2820VN.

    So far this 3rd installation seems to be behaving itself.

    Are the log files backed up anywhere when ESS is uninstalled? I see the sysinspector I created on the 9/3 is still in the list.

    Thanks for your suggestions.

    Colin
     
  8. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    Why should this all need to be done though? Should this not be fixed yet? I was considering going back to ESS4 but now I think I will be waiting...
     
  9. eisefr

    eisefr Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    153
    Location:
    Germany
    V4 is just not usable.

    Sad.

    But I think I will have to look for another Suite.
    As much as I liked Eset... But with this Firewall I cannot work.
     
  10. silverfox55

    silverfox55 Registered Member

    Joined:
    Apr 28, 2008
    Posts:
    97
    Location:
    The Original Washington
    The same question is repeatedly being asked. Why won't ESET do anything about these problems or even accept that there are problems and that they are working on them? This is supposed to be the official forum and even when I post a direct question to the mods, it goes unanswered. I expect this from Symantec but not ESET.
     
  11. TBR

    TBR Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    59
    OK, I've been able to kind of replicate the issue to the point I can post some useful info. Firstly, an image:

    http://img232.imageshack.us/img232/9651/ess4.jpg

    This shows what's happening when I simply try to use the IP for digg.com (which doesn't work) as opposed to the actual domain name www.digg.com (which does). I'm not sure if there is some blocking in place on digg not to accept requests directly to the IP address though, so this may be a red herring if that's the case.

    Secondly, I have a Wireshark trace which I will PM over to Stem as I would rather not share it here.

    The trace shows me trying to connect to 64.191.203.30 by just putting this into the Firefox URL bar, then after this fails, typing www.digg.com (which works), and finally by turning off the firewall and entering 64.191.203.30, which didn't work but got further.

    Not in the trace, but observed, was that I couldn't ping 64.191.203.30 when I tried it moments later at the command prompt, but I could from another machine which is also running ESS4 but freshly booted.

    Incidentally, I'm in LEARNING MODE, nothing should be being blocked.

    I also have allow UPnP in the trusted zone and Maintain inactive TCP connections ticked and ARP + DNS poisoning unticked for testing.

    Hope this helps.
     
    Last edited: Mar 12, 2009
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi,

    I am getting the same direct connection problem to 64.191.203.30 on a PC just with the XP firewall, so the problem is not with the firewall.

    Other direct IP entry for sites such as here work without a problem, so I'm not sure as yet as to why this direct connection will fail.


    - Stem
     
  13. TBR

    TBR Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    59
    So why is it showing as blocked in the log? o_O

    Thanks for looking though.
     
  14. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    I can report after the fourth install of ESS 4 (is there a link there for the superstitious?), it is behaving better. I'm no longer getting "Packet Blocked by active defense " (IDS) 192.168.5.100, but I'm getting occasional timeouts on various sites, mainly Seek, Yahoo and eBay. This is not down to the sites per se, as my laptop, which has ESS3 installed, is able to access them with no problem.

    Seek (202.177.198.1:53) is captured by the log as providing DNS cache poisoning attacks, which seems unlikely.

    Colin
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    From a logged direct connection attempt to 64.191.203.30 on a non 3rd party firewalled system: when the attempt is made to make a direct connection to that IP, the connection is made but the GET/HTTP/1.1 is ignored by the server. The browser does make retransmits to attempt a connection, but does eventually time out with no_data. During that time there are no comms from that IP that could be blocked.

    Maybe the logs are from a previously made/established connection that is now closed?


    - Stem
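
The three stages described in the post above (connection made, request ignored, eventual timeout with no data) can be told apart from a firewall drop without a packet capture. The probe below is an added example, not part of the original thread; `probe_http` and `start_test_server` are hypothetical names, and the silent server is a constructed local stand-in for a host that accepts the connection but never answers.

```python
import socket
import threading

def probe_http(host, port=80, timeout=3.0):
    """Report the stage at which a direct-IP HTTP attempt stops."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused"            # RST received: nothing listening, or rejected
    except OSError:
        return "tcp_no_answer"          # no SYN-ACK: dropped by a filter or unreachable
    with sock:
        request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "connected_no_data"  # handshake completed, request never answered
        except ConnectionResetError:
            return "reset_after_request"
    return "http_reply" if data else "closed_without_reply"

def start_test_server(reply):
    """Constructed local server: sends `reply`, or stays silent if reply is None."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                 # read the request
        if reply is None:
            threading.Event().wait(2.0) # hold the connection open, send nothing
        else:
            conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    silent = start_test_server(None)
    print(probe_http("127.0.0.1", silent, timeout=0.5))
    ok = start_test_server(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    print(probe_http("127.0.0.1", ok))
```

A result of `connected_no_data` means the TCP handshake got through every filter on the path, so a firewall log entry for the same address has to come from something other than this connection attempt.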
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Colin,

    What mode are you using?

    If using interactive mode/rules system, then allow both outbound and inbound to the DNS servers remote port 53. You can do that as a global rule, or on a per-app basis.
    It does appear to stop some connection problems and does not decrease security as the port is still fully filtered for a DNS reply.


    - Stem
     
  17. ibarnett

    ibarnett Registered Member

    Joined:
    Dec 26, 2005
    Posts:
    13
    I've spat the dummy over this and I am now trialing Kaspersky - so far so good.
    A bonus - with Eset V3 & V4 - when using VOIP from my Netgear DG834GV, my internet suffered badly (I have plenty of bandwidth), some sites unreachable, some slow, and some OK.
    Since I've changed to Kaspersky these problems have disappeared.
    Goodbye Eset - what a shame.
     
  18. psi2003

    psi2003 Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    55
    I agree with ibarnett

    ESET launch a broken suite and doesn't fix it ASAP!

    I'm gonna buy a Kaspersky license and destroy my ESET license! I'm very hungry with ESET :gack: :gack: :gack:

    Goodbye ESS Generation 4
     
  19. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    A copy of my log file.

    192.168.5.105 is me, most of the 202.177.x.x is my ISP's DNS servers, 202/203.5.x.x is Seek website.

    Is this a light bulb moment for anyone?

    Colin

     
    Last edited: Mar 12, 2009
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am not sure what you are trying to show. Were you blocked from Internet access during the times in the log?

    - Stem
     
  21. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    Yes indeed, you did ask me to post the log in post 82.

    I would expect to occasionally have incoming blocked, but why outgoing? Either way, I lose all external access whilst the events above are occurring.

    I have unticked the 'block unsafe addresses after attack detection'.

    Under zones the trusted zone automatically has 127.0.0.1 with subnet 192.168.5.0 and it also lists the ISP's DNS servers, and I have added 192.168.5.100, which is my router, to see if that made a difference.


    Colin
     
  22. Novicex

    Novicex Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    72

    Cool :D - Online Armor's broad range of features help keep you safe when suring the internet. I want surfing, not suring the internet. It's on the Product Features main page. And believe me man, that's fuc*** ratings on many sites is only for a private advertisement.
     
  23. TBR

    TBR Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    59
    Went back to version 3 myself, working a treat - no issues.
     
  24. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    I have uninstalled it myself and for the time being went back to nis2009 and vipre on my other machine. I'll try it again maybe when they figure this mess out. I personally didn't like ver3 too much and had hopes for ver4, and this is not at all what I expected. I'd try it again maybe once all these reports are gone.
     
  25. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    As I've just posted in another thread, I took the plunge and installed v4 on my laptop - works fine.

    I wonder if it is just XP that is more likely to have the firewall problem?

    Colin
     