ARP blocked by IDS

Discussion in 'ESET Smart Security' started by MelbTime, Feb 23, 2013.

Thread Status:
Not open for further replies.
  1. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    Hi All,

    I have a problem with my ESS 6.0.308.0 on Win XP SP3 with Firefox 19.0

    Two days ago on the 21/02/2013 9:14 PM (GMT +11 AEDST Melbourne Australia) according to my ESS Events log, there was a "The program modules have been updated" event.

    Immediately after that, I began experiencing Firefox connectivity problems, with pages timing out without loading.

    I checked the Personal Firewall log and noticed that immediately after "The program modules have been updated" event, there was a very large number of "Packet blocked by active defense (IDS)" for Protocol ARP events - about 1 every second or two.

    Packet blocked by active defense (IDS)
    Source: 192.168.1.1 which is the router/gateway
    Destination: 192.168.1.3 which is my laptop
    Protocol: ARP

    My questions are:

    1. what happened during the "The program modules have been updated" event that caused this problem ?

    2. how do I resolve this securely ?

    ESS is set to Interactive Mode
    In the "IDS and advanced options" settings for the Personal firewall
    Under "Allowed services"
    For the setting "Allow response to ARP requests from outside the Trusted zone" the checkbox is de-selected
    (if I select this checkbox then everything seems to work normally, but I should not have to compromise security when it was working OK BEFORE "The program modules have been updated" event)

    As a side issue, I noticed that by repairing the Windows Network connection it will temporarily restore Firefox to normal working order, but a few seconds later the "Packet blocked by active defense (IDS)" for Protocol ARP events start again - about 1 every second or two - then Firefox times out and becomes unusable again (a DNS problem ?)

    An In-depth scan reveals NO threats found.

    I hope that "The program modules have been updated" can indeed be updated again to put this back the way it was BEFORE.

    Thanks for any answers to my 2 questions.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Allow it in the Trusted zone. No impact on security in your config
     
  3. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    Thanks for a quick reply :)

    Allow what exactly in the Trusted zone ?
     
  4. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    I have not been able to resolve this problem.

    Repairing the Windows Network connection only gives a temporary fix, then after a few seconds the dreaded "Packet blocked by active defense (IDS)" for Protocol ARP events start again and once that occurs Firefox times out and becomes unusable again.

    Anyone else know how to resolve this securely ?

    Any help much appreciated :)
     
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    How about what you tried already that resolved the issue?
    Plus, more info
    http://kb.eset-la.com/esetkb/index?page=content&id=SOLN2906
     
  6. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    Thanks for your response.

    From the KB:

    Allow response to ARP requests from outside the Trusted zone – Address Resolution Protocol (ARP) is used by a network application or device to determine the Ethernet address of another device by matching an IP address with a hardware address. It is critical in local area networking as well as for routing internetworking traffic across gateways (routers) based on IP addresses when the next-hop router has to be determined. Select this option if you wish the system to respond to Address Resolution Protocol requests.

    Why is it necessary to respond to ARP requests from Outside the Trusted Zone all of a sudden ? - it was not necessary beforehand.

    Is Allow response to ARP requests from outside the Trusted zone secure ?
    (my knowledge of these things is limited)

    Thanks :)
     
  7. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    If it is the range you specified earlier then yes, it is safe

    Code:
    Source: 192.168.1.1 which is the router/gateway
    Destination: 192.168.1.3 which is my laptop
     
  8. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    Yes - the Personal Firewall log shows those are the Source and Destination IP addresses.

    So, if I select Allow response to ARP requests from outside the Trusted zone then presumably it will allow any Source IP address ? - not just the router/gateway ?
    (this is why I am asking if this is secure)

    Thanks again :)
    Appreciate your help and patience.
    (keeping in mind my limited knowledge of these things)
     
  9. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Your assumption is correct; however, your logs show no foreign address, plus you are behind a router, so I think it would be secure. Maybe after another module update whatever is causing this on your machine will be fixed (if having that setting on is of concern)
     
  10. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    Thanks - that is what I thought.

    Hopefully the ESET guys will read this and provide a fix.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please carry on as follows:
    1, enable logging of blocked communications in the IDS setup
    2, restart the computer
    3, reproduce the issue
    4, post here the recent firewall log records as well as the information about installed modules.
     
  12. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    Hi Marcos,

    Information as requested:

    Virus signature database: 8046 (20130224)
    Update module: 1041 (20120430)
    Antivirus and antispyware scanner module: 1382 (20130213)
    Advanced heuristics module: 1139 (20130208)
    Archive support module: 1160 (20130206)
    Cleaner module: 1059 (20121212)
    Anti-Stealth support module: 1038 (20130110)
    Personal firewall module: 1114 (20130206)
    Antispam module: 1023 (20120803)
    ESET SysInspector module: 1232 (20130206)
    Real-time file system protection module: 1007 (20111129)
    Translation support module: 1100 (20121205)
    HIPS support module: 1067 (20130214)
    Internet protection module: 1051 (20121203)
    Web content filter module: 1028 (20121113)
    Advanced antispam module: 1222 (20130224)
    Database module: 1027 (20130129)
     
  13. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    And Firewall Log

    Thanks :)
     


  14. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    And IDS Settings
     


  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Is there any reason why you disabled the default services? The issue most likely occurs because:
    1, your router is not in the Trusted zone
    2, responses to ARP requests from outside the Trusted zone are disabled according to your screen shot. There was a change regarding this in the current firewall module 1114 so that ARP responses to requests from outside the Trusted zone are denied even if the computer has already responded to some ARP requests before. This change will be reverted in the next firewall module so that disabling this check-box wouldn't have any effect on the communication with routers for instance.

    I'll wait for the stuff I asked you for so that we can confirm that that's the case.
     
  16. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    OK - Thanks :)
    PM sent
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Our assumption was confirmed - the router is not in the Trusted zone and thus ARP requests were blocked. If you wish, we can provide you with a newer firewall module for testing which allows ARP responses to requests from outside the Trusted zone even with that option in the IDS setup disabled for some reason.
     
  18. MelbTime

    MelbTime Registered Member

    Joined:
    Aug 14, 2010
    Posts:
    18
    Thanks Marcos :)

    I am happy to wait for this module change reversion.

    Appreciate all your assistance :)
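
An added example, not part of the original thread and not ESET code: a Python script that triages blocked-ARP records like the ones quoted in the first post, to show whether the gateway alone explains the blocks (so putting only the router in the Trusted zone is enough) and which other sources the global "Allow response to ARP requests from outside the Trusted zone" option would also answer. The text log layout, the CIDR form of the Trusted zone and the host 192.168.1.77 are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records, using the fields quoted in the first post.
# 192.168.1.77 is an invented extra host, not taken from the thread.
SAMPLE_LOG = """\
Packet blocked by active defense (IDS)
Source: 192.168.1.1
Destination: 192.168.1.3
Protocol: ARP

Packet blocked by active defense (IDS)
Source: 192.168.1.1
Destination: 192.168.1.3
Protocol: ARP

Packet blocked by active defense (IDS)
Source: 192.168.1.77
Destination: 192.168.1.3
Protocol: ARP
"""

def parse_events(text):
    """Return the ARP records from blank-line separated 'Key: value' blocks."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        fields = {key.strip(): value.strip() for key, value in pairs}
        if fields.get("Protocol") == "ARP" and "Source" in fields:
            events.append(fields)
    return events

def triage(events, trusted_zone, gateway):
    """Summarise blocked ARP sources that fall outside the Trusted zone."""
    zone = [ipaddress.ip_network(net) for net in trusted_zone]
    gw = ipaddress.ip_address(gateway)
    blocked = Counter(ipaddress.ip_address(e["Source"]) for e in events)
    outside = {ip: n for ip, n in blocked.items()
               if not any(ip in net for net in zone)}
    return {
        "gateway_outside_zone": gw in outside,
        "gateway_events": outside.get(gw, 0),
        # Hosts that only the global checkbox would start answering.
        "other_sources": sorted(str(ip) for ip in outside if ip != gw),
    }

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("empty zone:     ", triage(events, [], "192.168.1.1"))
    print("router in zone: ", triage(events, ["192.168.1.1/32"], "192.168.1.1"))
```
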
     