Automatic mode in ESS

Discussion in 'ESET Smart Security' started by MasterTB, Nov 3, 2007.

Thread Status:
Not open for further replies.
  1. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Hi, I just downloaded the brand new ESS final after beta-testing all the previous releases, but to my surprise, when running in automatic mode I was able to obtain a HighID with eMule, which means ESS is allowing incoming connections in this mode. Is that possible, or is there a bug there??
     
  2. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    131 views and no one can tell me if there is something wrong??
     
  3. bluesprite

    bluesprite Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    71
  4. ace11

    ace11 Registered Member

    Joined:
    Aug 23, 2007
    Posts:
    98
    Don't you understand that 90% of participants here care and complain about GUI glitches? When it comes to "real" questions (like you asked), none care :ninja:
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    A quote from the help file:

    Automatic mode
    The Personal firewall will automatically evaluate all network communications. This will allow all standard outgoing connections and block all non-initiated incoming connections. This mode is suitable for most users.
     
  6. apm

    apm Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    162
    actually how does Automatic mode work?

    is it like windows firewall, which will allow all outgoing connections and prompt for opening ports? or will ports even be auto-opened for applications? what does "non-initiated incoming connections" mean? when in Automatic mode i see no options to add manual rules for applications.
     
  7. galloot

    galloot Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    12
    Yeah - I want to know if the firewall can be configured to stop programs 'phoning home'?
     
  8. bluesprite

    bluesprite Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    71

    That is the problem, exactly. It doesn't do what the help file says. With the automatic mode enabled, the port which uTorrent uses is open for incoming connections when the client is running. At the same time, another p2p client, Shareaza, can't accept incoming connections with the firewall in automatic mode. Does ESS enforce a whitelist of some sort in automatic mode?

    @galloot - it can, in interactive mode.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    In automatic mode, all incoming communication is blocked. If an application connects to a remote computer, the incoming communication from that computer will be allowed. Given that the firewall acts differently, I assume the p2p clients work differently as well. Otherwise the firewall wouldn't block the incoming communication and allow it for the other client in automatic mode.
     
  10. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    How is this mode suitable for most users ... in Automatic mode this thing is actually worse than the Windows XP firewall .... before granting in/out access to an app, does ESS perform some kind of check to determine which application to grant access to?? (trusted - untrusted I mean) or does it just grant access to whatever asks for it. ....
    BTW in automatic mode there is no rules editor, does this mean that the rules created for certain apps in Automode are temporary rules that are only enforced while the app is running and then are deleted??
     
  11. bluesprite

    bluesprite Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    71
    That's what I'm saying - a port checker shows that the port is open in automatic mode. This is not a connection requested by the client, it's an unsolicited port probe: http://www.utorrent.com/testport.php?port=12345 (replace the numbers with the actual port.). The firewall must not act differently depending on the application in automatic mode. What's the guarantee that it won't decide to act differently if a trojan slips through the antivirus and wants to listen to a port?

    @MasterTB - there are no prompts in automatic mode, are there? You can't create rules for apps in Automode. The rules are - allow outgoing, block unsolicited incoming, regardless of the application or the port. At least the help file says so.
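
An added example, not part of the thread and not ESET's code: a toy model of the help-file rule "allow outgoing, block non-initiated incoming", comparing a strict per-connection reading with a looser per-host reading of "the incoming communication from that computer will be allowed". The class name, addresses and ports other than 12345 are constructed, and neither variant is claimed to be how ESS actually behaves.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass
class AutoModeModel:
    """Hypothetical model of 'allow outgoing, block non-initiated incoming'."""
    host_keyed: bool = False                 # True = looser reading: trust the whole remote host
    flows: set = field(default_factory=set)  # (proto, local port, remote ip, remote port) we opened
    hosts: set = field(default_factory=set)  # remote IPs we have contacted

    def outbound(self, p: Packet) -> str:
        # Every outgoing connection is allowed and remembered.
        self.flows.add((p.proto, p.src_port, p.dst_ip, p.dst_port))
        self.hosts.add(p.dst_ip)
        return "ALLOW"

    def inbound(self, p: Packet) -> str:
        if self.host_keyed:
            # Per-host reading: anything from a contacted host gets in.
            return "ALLOW" if p.src_ip in self.hosts else "BLOCK"
        # Per-connection reading: only the reverse of a flow we opened gets in.
        key = (p.proto, p.dst_port, p.src_ip, p.src_port)
        return "ALLOW" if key in self.flows else "BLOCK"

def run_scenario(host_keyed: bool) -> dict:
    # Constructed addresses (RFC 5737 documentation ranges); 12345 is the
    # placeholder listening port used in the post above.
    me, tester, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.77"
    fw = AutoModeModel(host_keyed=host_keyed)
    fw.outbound(Packet(me, 50123, tester, 80))  # local app contacts the port-test host
    return {
        "reply": fw.inbound(Packet(tester, 80, me, 50123)),
        "probe_same_host": fw.inbound(Packet(tester, 40000, me, 12345)),
        "probe_stranger": fw.inbound(Packet(stranger, 40001, me, 12345)),
    }

if __name__ == "__main__":
    for mode in (False, True):
        print("host_keyed" if mode else "per_connection", run_scenario(mode))
```

Under either reading a probe from a host the machine never contacted is blocked, so when reproducing the port-checker result it matters whether the probing host is one the local client had already connected to.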
     
  12. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    You are right, there is no guarantee. There are no prompts at all. And unless Marcos tells us that ESS checks the application to see if it is Trusted or Untrusted, Automatic mode is not an option in terms of security and IMHO should not exist at all.
    When I read Automatic mode I assume that the firewall will not allow incoming connections, I mean you can relatively allow outgoing but incoming should never be allowed without the user's consent or at least a warning that it is being allowed so that the user can decide whether to allow it or not, and that option is not there yet.
     
  13. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    fully agreed, this is what i thought about it when i tested it. i could not use automatic mode at all. it did me no good and allowed many incoming connections. i had to run in manual mode at all times
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    So what is your suggestion for automatic mode? How should it ideally work for you?
     
  15. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    i would myself like to see maybe what outpost does or used to do (not sure if they still do): it set up a list of known apps on the system it was installed on and then simply added them to the list. after this that list could be adjusted to suit my needs, while still applying rules if i wanted to. but maybe this is just me. but def still allow rules to be applied while in auto mode for the items that need them. or maybe offer a few different types of "settings" with different rule sets to pick from, like a p2p setting or "stealth" etc... for the people that don't want to mess with rules i think this would be very helpful to get them started. again maybe this will end up just my opinion though. but this way i am not bombarded with pop ups upon starting the firewall and on the other hand at least it still shows me what's going on, unlike the auto mode in ess
     
  16. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Well if it was up to me automatic mode would allow all outgoing connections since there should be no risk there. As for incoming connections I would allow them only for certified (Trusted) applications and deny all others unless told otherwise by the user.
    It would also be nice if all the rules created by the firewall under Automatic Mode were recorded so that if the user would change to Interactive or Policy Based, the firewall would already be configured.
    Bottom line I would never allow incoming traffic unsolicited or otherwise unless allowed by the user or by Trusted software certified by ESS.
     
  17. capatt

    capatt Registered Member

    Joined:
    Jan 23, 2007
    Posts:
    84
    MasterTB, you are incorrect by saying automatic mode should allow all outgoing connections since there should be no risk there. What if a bot landed on your computer, was undetected (unlikely) by NOD32, and phoned home to the botmaster? And sent tons of spam? Or a Trojan employs your computer for a DDoS attack? Or captures banking info and sends it home? One could go on.....

    One should have complete visibility of what establishes outbound connections and be able to have it screened by a whitelist, or logged for your inspection and rule creation.

    Can anyone say if automatic mode has this capability? Does it exist in manual mode?
     
  18. crummock

    crummock Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    198
    Surely what you are asking for is already in interactive mode where all inbound and outbound activity has to be allowed by the user?
     
  19. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126

    I don't see where it does. I was hoping the firewall would have a soft rule set like Look 'n' Stop, I don't want something calling out from my computer without me knowing. Trojans come to mind & phone home ie-apps like ZA...auto is well too auto. should have a soft set of ok's for apps & added to rules. At least where you would be able to chg or reconfigure...
     
  20. bluesprite

    bluesprite Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    71
    Guys, at least install the program and see what it does before you discuss what would have been nice. It's already there in interactive mode. We're discussing the automatic mode here and application control is not among its functions.

    On Marcos' question - it's good the way the help file says it is - the problem is that it doesn't do that. On the other hand, that would be no different than the Windows firewall, which makes it useless. It could be done so that it allows all outgoing and asks for the incoming, thus creating rules for the incoming connections only. But to me, the outgoing control is crucial, so I'd always go for the interactive mode anyway.
     
  21. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    I do not run auto mode because it seems to be the same as Windows firewall. However, there are IDS options and Application modification options. If these apply during Auto mode, then it is certainly better than Windows firewall. However, Interactive mode is still more secure, since you have an idea of what's connecting.
     
  22. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    IMHO Automatic mode should work just as you have already described.
    For those that wish to have an approval process before allowing communication, they should make use of interactive mode as that is what it is for.

    Cheers :)
     
  23. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Well, first of all if a bot landed on your pc and phoned home, since I request that rules created should be recorded, the user would have an option to override the rule. In any case, even in today's automatic mode, you have the option to disable a connection even from the connections window so there should be no harm there.
    Second, as I said you DO have complete visibility over established connections even today so I don't see the problem there.

    @larryb52 ZA's auto records the rules created, and that is the difference with ESS because with ZA you can edit them at will and that is what I suggested for ESS automatic mode, which would be a great improvement and would make automatic mode more trustworthy.
     
  24. Ade 1

    Ade 1 Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    471
    Location:
    In The Bath
    I've been using Automatic mode since Beta 2 but now with the final build I have decided to switch to Interactive Mode which is no hardship as I don't have that many apps which require access. So once I've allowed and created rules for them there's no problem. I actually feel more secure now using Interactive mode as at least when anything attempts to phone out or in I get to know about it first so I can choose to allow or deny.

    Perhaps what the firewall needs is an autolearn mode like other firewalls have. What I mean is if it is initially set to automatic when you first install, then for about a week any rules which are created automatically will be saved. Then after switching back to interactive mode you will only be alerted about any new connections. I guess this is what other posters are saying.
     
  25. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    That is more or less what I meant. Thanks for putting it so easy;)
     