ARP blocked by IDS

Hi All,

I have a problem with my ESS 6.0.308.0 on Win XP SP3 with Firefox 19.0

Two days ago on the 21/02/2013 9:14 PM (GMT +11 AEDST Melbourne Australia) according to my ESS Events log, there was a "The program modules have been updated" event.

Immediately after that, I began experiencing Firefox connectivity problems, with pages timing out without loading.

I checked the Personal Firewall log and noticed that immediately after "The program modules have been updated" event, there was a very large number of "Packet blocked by active defense (IDS)" for Protocol ARP events - about 1 every second or two.

Packet blocked by active defense (IDS)
Source: 192.168.1.1 which is the router/gateway
Destination: 192.168.1.3 which is my laptop
Protocol: ARP

My questions are:

1. what happened during the "The program modules have been updated" event that caused this problem ?

2. how do I resolve this securely ?

ESS is set to Interactive Mode
In the "IDS and advanced options" settings for the Personal firewall
Under "Allowed services"
For the setting "Allow response to ARP requests from outside the Trusted zone" the checkbox is de-selected
(if I select this checkbox then everything seems to work normally, but I should not have to compromise security when it was working OK BEFORE "The program modules have been updated" event)

As I side issue, I noticed that by repairing the Windows Network connection it will temporarily restore Firefox to normal working order, but a few seconds later the "Packet blocked by active defense (IDS)" for Protocol ARP events start again - about 1 every second or two - then Firefox timeouts and becomes unusable again (a DNS problem ?)

An In-depth scan reveals NO threats found.

I hope that "The program modules have been updated" can be indeed be updated again to put this back the way it was BEFORE.

Thanks for any answers to my 2 questions.

 

Allow it in the Trusted zone. No impact on security in your config

 

Thanks for a quick reply

Allow what exactly in the Trusted zone ?

 

I have not been able to resolve this problem.

Repairing the Windows Network connection only gives a temporary fix, then after about a few seconds the dreaded "Packet blocked by active defense (IDS)" for Protocol ARP events start again and once that occurs then Firefox timeouts and becomes unusable again.

Anyone else know how to resolve this securely ?

Any help much appreciated

 

How about what you tried already that resolved the issue?
Pluse, more info
http://kb.eset-la.com/esetkb/index?page=content&id=SOLN2906

 

Thanks for your response.

From the KB:

Allow response to ARP requests from outside the Trusted zone – Address Resolution Protocol (ARP) is used by network application or device to determine the Ethernet address of another device by matching IP address with a hardware address. It is critical in local area networking as well as for routing internet working traffic across gateways (routers) based on IP addresses when the next-hop router has to be determined. Select this option if you wish the system to respond to Address resolution protocol requests.

Why is it necessary to respond to ARP requests from Outside the Trusted Zone all of a sudden ? - it was not necessary before hand.

Is Allow response to ARP requests from outside the Trusted zone secure ?
(my knowledge of these things is limited)

Thanks

 

If it is the range you specified earlier then yes, it is safe

Code:

Source: 192.168.1.1 which is the router/gateway
Destination: 192.168.1.3 which is my laptop

 

Yes - the Personal Firewall log shows those are the Source and Destination IP addresses.

So, if I select Allow response to ARP requests from outside the Trusted zone then presumably it will allow any Source IP address ? - not just the router/gateway ?
(this is why I am asking if this is secure)

Thanks again
Appreciate your help and patience.
(keeping in mind my limited knowledge of these things)

 

Your assumption is correct however, your logs show no foreign address plus you are behind a router so I think it would be secure. Maybe after another module update whatever is causing in your machine will be fixed (if having that setting on is of concern)

 

Thanks - that is what I thought.

Hopefully the ESET guys will read this and provide a fix.

 

Please carry on as follows:
1, enable logging of blocked communications in the IDS setup
2, restart the computer
3, reproduce the issue
4, post here the recent firewall log records as well as the information about installed modules.

 

Hi Marcos,

Information as requested:

Virus signature database: 8046 (20130224)
Update module: 1041 (20120430)
Antivirus and antispyware scanner module: 1382 (20130213)
Advanced heuristics module: 1139 (2013020
Archive support module: 1160 (20130206)
Cleaner module: 1059 (20121212)
Anti-Stealth support module: 1038 (20130110)
Personal firewall module: 1114 (20130206)
Antispam module: 1023 (20120803)
ESET SysInspector module: 1232 (20130206)
Real-time file system protection module: 1007 (20111129)
Translation support module: 1100 (20121205)
HIPS support module: 1067 (20130214)
Internet protection module: 1051 (20121203)
Web content filter module: 1028 (20121113)
Advanced antispam module: 1222 (20130224)
Database module: 1027 (20130129)

 

And Firewall Log

Thanks

 

And IDS Settings

 

Is there any reason why you disabled the default services? The issue most likely occurs because:
1, your router is not in the Trusted zone
2, reponses to ARP requests from outside the Trusted zone are disabled according to your screen shot. There was a change regarding this in the current firewall module 1114 so that ARP reponses to requests from outside the Trusted zone are denied even if the computer has already responded to some ARP requests before. This change will be reverted in the next firewall module so that disabling this check-box wouldn't have any effect on the communication with routers for instance.

I'll wait for the stuff I asked you for so that we can confirm that that's the case.

 

OK - Thanks
PM sent

 

Our assumption was confirmed - the router is not in the Trusted zone and thus ARP requests were blocked. If you wish, we can provide you with a newer firewall module for testing which allows ARP responses to requests from outside the Trusted zone even with that option in the IDS setup disabled for some reason.

 

Thanks Marcos

I am happy to wait for this module change reversion.

Appreciate all your assistance