Blocked Akamai connections with ESS Interactive Mode, Now Websites Can't Open

Discussion in 'ESET Smart Security' started by SuperFlyBoy, Aug 19, 2010.

Thread Status:
Not open for further replies.
  1. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    I now know that this might have been the wrong thing to do - blocking the Akamai connections with ESS in interactive mode - but how do I find the entry to unblock it in ESS?

    I have gone into all of the advanced setup functions and can't see exactly where this is.

    I'm used to ZA, and have just uninstalled it to use ESS from now on, but these ports/site/IP blocks should be clearer...

    Any feedback would be appreciated!
     
  2. AlwaysLearning

    AlwaysLearning Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    22
    Try this ...

    Get into "Advanced Setup" -> Personal Firewall -> Rules and Zones
    Then under Zone and Rule Editor -> Setup

    Under Rules, click Toggle Detailed View of all Rules ...

    Also check Zones ...

    Let us know how this works out for you.

    --Always Learning
     
  3. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    Unfortunately, that is indeed what I was looking at, and now: how do I identify the type of request? (No site specified, other than All, etc.)
     
  4. AlwaysLearning

    AlwaysLearning Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    22
    Could you get screen shots of the Rules and Zones and then upload those images?

    --Always Learning
     
  5. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    As requested, the screenshots enclosed.
     
  6. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    Is there any way to simply start configuring the firewall again?

    Also, I have allowed my Fortinet Client VPN program, but still the firewall appears to be blocking this client's connection.
     
  7. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    I turned off the firewall and was able to print to my office network - not possible when the ESS firewall was enabled!

    Also, after turning off the ESS Firewall, reconnecting with no firewall, then re-enabling the ESS Firewall program, I am still able to remain connected.
     
    Last edited: Aug 20, 2010
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please read these instructions and provide the necessary stuff needed when a connection is blocked. To start with, post here the relevant entries from the firewall log as described in the referred thread.
     
  9. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    Win XP Pro, Tablet Edition, SP3 installed.

    ESS 4.2.58

    Virus signature database: 5380 (20100819)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1284 (20100729)
    Advanced heuristics module: 1112 (20100813)
    Archive support module: 1121 (20100813)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1021 (20100811)
    Personal firewall module: 1061 (20100607)
    Antispam module: 1014 (20100212)
    SysInspector module: 1216 (20100517)
    Self-defense support module : 1016 (20100404)
    Real-time file system protection module: 1004 (20100727)

    All specified in the posts in this thread.

    Advise if you want it by PM.

    Further, advise why clearer identification of blocked events is not provided, so we can reverse these??

    20-Aug-10 12:26:34 PM Detected ARP cache poisoning attack 192.168.200.191 192.168.200.10 ARP
    20-Aug-10 12:17:09 PM Detected ARP cache poisoning attack 192.168.200.191 192.168.200.100 ARP
    20-Aug-10 11:58:33 AM Detected ARP cache poisoning attack 192.168.200.191 192.168.200.100 ARP
    20-Aug-10 11:57:25 AM Detected ARP cache poisoning attack 192.168.200.191 192.168.200.191 ARP
    20-Aug-10 11:57:24 AM Detected ARP cache poisoning attack 192.168.200.191 192.168.200.191 ARP
    20-Aug-10 11:57:23 AM Detected ARP cache poisoning attack 192.168.200.191 192.168.200.191 ARP
    20-Aug-10 4:56:32 AM Detected DNS cache poisoning attack 208.67.222.222:53 192.168.200.1:3870 UDP
    19-Aug-10 10:32:41 PM Detected DNS cache poisoning attack 208.67.220.220:53 192.168.200.1:57270 UDP
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    What device does the IP 192.168.200.191 belong to?
     
  11. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    Something REALLY WEIRD!:

    Another laptop I was configuring (an HP nw8000 with a **fresh** reinstall of WinXP Pro, all service packs installed, and ESS also installed) apparently is attacking this tablet PC!

    I was logged into the network with DHCP enabled, but apparently this other laptop (at Fixed IP: 192.168.200.191) was attacking this one. (DHCP IP: 192.168.200.1)

    I tried unplugging the LAN cable and also disabling/enabling the LAN connection on the tablet, but nothing worked - showed "Limited or xxx connectivity".

    I then went to a fixed IP (on the tablet) of: 192.168.200.192 and all is well.

    This is very, very unusual!

    Another desktop's AOL (actual program, not web) connection was also stopped. I don't know if the nw8000 was responsible for that, but both events occurred at the same time.

    Posted above, which I was updating the thread on, when you replied.
     
  12. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    Now on the nw8000, posting the ESS Firewall log here:

    20-Aug-10 12:58:13 PM Communication denied by rule 192.168.200.191 208.67.222.222 ICMP Apply ICMP filter
    20-Aug-10 12:57:27 PM No usable rule found 192.168.200.191 224.0.0.22 IGMP
    20-Aug-10 12:57:26 PM No usable rule found 192.168.200.191 224.0.0.22 IGMP
    20-Aug-10 12:57:26 PM No usable rule found 192.168.200.191 224.0.0.22 IGMP
    20-Aug-10 12:57:22 PM Communication denied by rule 192.168.200.76:138 192.168.200.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:46:32 PM No application listening on the port 169.254.13.78:1185 169.254.255.255:137 UDP
    20-Aug-10 12:45:29 PM No application listening on the port 169.254.13.78:1185 169.254.255.255:137 UDP
    20-Aug-10 12:44:26 PM No application listening on the port 169.254.13.78:1185 169.254.255.255:137 UDP
    20-Aug-10 12:43:22 PM No application listening on the port 169.254.13.78:1185 169.254.255.255:137 UDP
    20-Aug-10 12:42:39 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:42:32 PM No application listening on the port 208.67.222.222:53 192.168.200.191:61265 UDP
    20-Aug-10 12:42:32 PM No application listening on the port 208.67.222.222:53 192.168.200.191:61265 UDP
    20-Aug-10 12:42:32 PM No application listening on the port 208.67.222.222:53 192.168.200.191:61265 UDP
    20-Aug-10 12:42:32 PM Communication denied by rule 192.168.200.191 208.67.220.220 ICMP Apply ICMP filter
    20-Aug-10 12:42:32 PM Communication denied by rule 192.168.200.191 208.67.220.220 ICMP Apply ICMP filter
    20-Aug-10 12:42:32 PM Communication denied by rule 192.168.200.191 208.67.220.220 ICMP Apply ICMP filter
    20-Aug-10 12:42:32 PM No application listening on the port 208.67.222.222:53 192.168.200.191:50811 UDP
    20-Aug-10 12:42:32 PM Communication denied by rule 192.168.200.191 208.67.220.220 ICMP Apply ICMP filter
    20-Aug-10 12:42:32 PM No application listening on the port 208.67.222.222:53 192.168.200.191:50811 UDP
    20-Aug-10 12:42:32 PM No application listening on the port 208.67.220.220:53 192.168.200.191:61265 UDP
    20-Aug-10 12:42:32 PM Communication denied by rule 192.168.200.191 208.67.220.220 ICMP Apply ICMP filter
    20-Aug-10 12:42:32 PM Communication denied by rule 192.168.200.191 208.67.220.220 ICMP Apply ICMP filter
    20-Aug-10 12:42:32 PM No application listening on the port 208.67.222.222:53 192.168.200.191:50811 UDP
    20-Aug-10 12:42:32 PM No application listening on the port 208.67.220.220:53 192.168.200.191:61265 UDP
    20-Aug-10 12:42:32 PM No application listening on the port 208.67.220.220:53 192.168.200.191:61265 UDP
    20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.222.222:53 192.168.200.191:57790 UDP
    20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.220.220:53 192.168.200.191:57790 UDP
    20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.222.222:53 192.168.200.191:57790 UDP
    20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.220.220:53 192.168.200.191:58522 UDP
    20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.220.220:53 192.168.200.191:57790 UDP
    20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.222.222:53 192.168.200.191:58522 UDP
    20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.220.220:53 192.168.200.191:57790 UDP
    20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.220.220:53 192.168.200.191:57790 UDP
    20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.220.220:53 192.168.200.191:57790 UDP
    20-Aug-10 12:42:19 PM No application listening on the port 169.254.13.78:1185 169.254.255.255:137 UDP
    20-Aug-10 12:41:39 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:41:16 PM No application listening on the port 169.254.13.78:1185 169.254.255.255:137 UDP
    20-Aug-10 12:41:15 PM Communication denied by rule 192.168.200.191 208.67.222.222 ICMP Apply ICMP filter
    20-Aug-10 12:40:41 PM Communication denied by rule 192.168.200.191:1333 239.255.255.250:1900 UDP Block outgoing SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\SYSTEM
    20-Aug-10 12:40:41 PM Communication denied by rule 192.168.200.191:1333 239.255.255.250:1900 UDP Block outgoing SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\SYSTEM
    20-Aug-10 12:40:39 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:39 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:39 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:39 PM Communication denied by rule 192.168.200.191:1333 239.255.255.250:1900 UDP Block outgoing SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\SYSTEM
    20-Aug-10 12:40:38 PM Communication denied by rule 192.168.200.191:1333 239.255.255.250:1900 UDP Block outgoing SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\SYSTEM
    20-Aug-10 12:40:38 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:37 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:36 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:36 PM No usable rule found 192.168.200.191 224.0.0.22 IGMP
    20-Aug-10 12:40:36 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:35 PM Communication denied by rule 192.168.200.191:1333 239.255.255.250:1900 UDP Block outgoing SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\SYSTEM
    20-Aug-10 12:40:35 PM Communication denied by rule 192.168.200.191:1333 239.255.255.250:1900 UDP Block outgoing SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\SYSTEM
    20-Aug-10 12:40:35 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:35 PM No usable rule found 192.168.200.191 224.0.0.22 IGMP
    20-Aug-10 12:40:34 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:33 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:33 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:32 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:31 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:30 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:29 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:27 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:26 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:24 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:23 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:23 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
    20-Aug-10 12:40:22 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:22 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:21 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:21 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:21 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:20 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:20 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:20 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:19 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:18 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:17 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:17 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:17 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:16 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:16 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:16 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:15 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:14 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:14 PM No application listening on the port 169.254.13.78:137 169.254.255.255:137 UDP
    20-Aug-10 12:40:13 PM No application listening on the port 169.254.13.78:1185 169.254.255.255:137 UDP
    20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1039 127.0.0.1:2301 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
    20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1038 127.0.0.1:2301 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
    20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1037 127.0.0.1:2301 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
    20-Aug-10 11:59:26 AM No usable rule found 192.168.200.191 224.0.0.22 IGMP
    20-Aug-10 11:59:26 AM No usable rule found 192.168.200.191:402 225.1.2.3:402 UDP C:\Program Files\Altiris\AClient\ACLIENT.EXE NT AUTHORITY\SYSTEM
    20-Aug-10 11:59:26 AM No usable rule found 192.168.200.191 224.0.0.22 IGMP
    20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1036 127.0.0.1:2301 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
    20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1035 127.0.0.1:2301 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
    20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1033 127.0.0.1:2301 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
    20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1032 127.0.0.1:2301 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
    20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1030 127.0.0.1:2301 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
    20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1026 127.0.0.1:49400 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
    20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1025 127.0.0.1:49400 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
    19-Aug-10 1:25:16 PM No usable rule found 192.168.200.191 224.0.0.22 IGMP
    19-Aug-10 1:24:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:24:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:23:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:23:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:22:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:22:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:21:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:21:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:20:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:20:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:19:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:19:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:18:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:18:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:17:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:17:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:16:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:16:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:15:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:14:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:14:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:13:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:13:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:12:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:12:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:11:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:11:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:10:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:10:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:09:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:09:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:08:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:08:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:07:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:07:25 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    19-Aug-10 1:06:55 PM Communication denied by rule 192.168.200.146:50001 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
    192.168.200.191:2776 188.165.126.152:80 TCP
     
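    The two firewall-log dumps in this thread (the tablet's ARP/DNS poisoning entries and the nw8000 log above) are exactly the raw material ESET staff asked for, and reading a few hundred of these lines by eye is where mistakes happen. Below is an added example, not ESET tooling and not code from anyone in this thread: a small Python parser for the line layout visible in those dumps, which I take to be date, time, event text, source, destination, protocol, and then an optional rule name, application path and user (that field order is an assumption inferred from the excerpts, as is the idea that every IDS alert starts with "Detected "). It aggregates the entries the way a responder would triage them: IDS detections per peer pair, which rule blocked which application, and any 169.254.0.0/16 (APIPA) address, which Windows self-assigns only when the interface never obtained a DHCP lease. The sample lines are copied from the logs posted above; the last one is the truncated final entry of the nw8000 log and shows how an unparseable line is reported rather than silently dropped.

```python
"""Parse and triage ESET Smart Security 4.x personal-firewall log lines.
Added example for this thread, not ESET code. Field layout inferred from the
excerpts posted above (an assumption): <date> <time> <event text> <src> <dst>
<proto> [rule name] [app path] [user], with <src>/<dst> as "ip" or "ip:port".
"""
import ipaddress
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<date>\d{2}-[A-Za-z]{3}-\d{2}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<event>.+?) (?P<src>\S+) (?P<dst>\S+) (?P<proto>ARP|ICMP|IGMP|TCP|UDP)"
    r"(?: (?P<rest>.+))?$"
)
# Trailing fields: optional rule name, then optional "<drive>:\...\name.exe <user>".
REST_RE = re.compile(
    r"^(?:(?P<rule>.+?) )?(?P<app>[A-Za-z]:\\.+?\.exe)(?: (?P<user>.+))?$",
    re.IGNORECASE,
)

def split_addr(token):
    """'192.168.200.191:61265' -> ('192.168.200.191', 61265); bare IP -> (ip, None)."""
    host, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return token, None

def is_apipa(ip):
    """True for 169.254.0.0/16, the range Windows self-assigns without a DHCP lease."""
    try:
        return ipaddress.ip_address(ip).is_link_local
    except ValueError:
        return False

def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_addr(m["src"])
    dst_ip, dst_port = split_addr(m["dst"])
    rule = app = user = None
    if m["rest"]:
        r = REST_RE.match(m["rest"])
        if r:
            rule, app, user = r["rule"], r["app"], r["user"]
        else:  # no application path in the tail: the whole tail is the rule name
            rule = m["rest"]
    return {"date": m["date"], "time": m["time"], "event": m["event"],
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
            "proto": m["proto"], "rule": rule, "app": app, "user": user}

def parse_log(text):
    """Parse every non-empty line; returns (events, unparsed_lines)."""
    events, unparsed = [], []
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            (events if ev else unparsed).append(ev or line.strip())
    return events, unparsed

def triage(events):
    """What a responder checks first: IDS alerts per peer pair, which rule
    blocked which application, and any APIPA addresses on the wire."""
    return {
        "by_event": Counter(ev["event"] for ev in events),
        "ids": Counter((ev["event"], ev["src_ip"], ev["dst_ip"], ev["proto"])
                       for ev in events if ev["event"].startswith("Detected ")),
        "blocked_apps": Counter((ev["rule"], ev["app"])
                                for ev in events if ev["rule"] and ev["app"]),
        "apipa": sorted({ip for ev in events
                         for ip in (ev["src_ip"], ev["dst_ip"]) if is_apipa(ip)}),
    }

# Lines copied from the two firewall logs posted in this thread; the last one
# is the truncated final entry of the nw8000 log.
SAMPLE_LOG = r"""
20-Aug-10 12:26:34 PM Detected ARP cache poisoning attack 192.168.200.191 192.168.200.10 ARP
20-Aug-10 4:56:32 AM Detected DNS cache poisoning attack 208.67.222.222:53 192.168.200.1:3870 UDP
20-Aug-10 12:58:13 PM Communication denied by rule 192.168.200.191 208.67.222.222 ICMP Apply ICMP filter
20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.222.222:53 192.168.200.191:57790 UDP
20-Aug-10 12:42:32 PM Detected DNS cache poisoning attack 208.67.220.220:53 192.168.200.191:57790 UDP
20-Aug-10 12:40:41 PM Communication denied by rule 192.168.200.191:1333 239.255.255.250:1900 UDP Block outgoing SSDP (UPNP) requests C:\WINDOWS\system32\svchost.exe NT AUTHORITY\SYSTEM
20-Aug-10 12:40:39 PM Communication denied by rule 169.254.13.78:138 169.254.255.255:138 UDP Block incoming NETBIOS requests
20-Aug-10 11:59:26 AM No usable rule found 0.0.0.0:1039 127.0.0.1:2301 TCP C:\Program Files\Compaq\Compaq Management Agents\cpqWebDmi\Webdmi.exe NT AUTHORITY\SYSTEM
192.168.200.191:2776 188.165.126.152:80 TCP
"""

if __name__ == "__main__":
    events, unparsed = parse_log(SAMPLE_LOG)
    report = triage(events)
    for (event, src, dst, proto), n in report["ids"].items():
        print(f"IDS   {event}: {src} -> {dst} {proto} x{n}")
    for (rule, app), n in report["blocked_apps"].items():
        print(f"RULE  {rule!r} blocked {app} x{n}")
    print("APIPA addresses seen:", report["apipa"], "| unparsed:", unparsed)
```

    Note the direction of the IDS entries: for the DNS cache poisoning lines the first address is the OpenDNS resolver (port 53) and the second is the local host's ephemeral port, so the alert is about a reply arriving from the resolver, not about the resolver being attacked. Feed it the full log export (Tools > Log files > Personal firewall, copied to a text file) rather than the excerpt and the APIPA list will immediately show whether 169.254.13.78 was the nw8000's own unleased interface or a different device.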
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Not sure what exactly is blocking the communication. Make sure the subnet 192.168.1.0/255.255.255.0 is in the TZ, enable UPnP within the TZ in the IDS setup and also switch the fw to learning mode. What computer / device does the IP 169.254.13.78 belong to?
     
  14. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    Which unit are we talking about?

    Subnet of 192.168.1.0 required?? What does TZ mean - Trusted Zone?

    Is learning mode better?
     
  15. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    I have now switched the TabletPC (192.168.200.192) to Learning Mode, and report the following:

    ActiveSync for WinMobile phone was being blocked previously, no interactive input requested.

    Once I switched to Learning Mode, was able to immediately connect with no problem.

    However, what does LM do if we are not assisting it in showing the correct actions to take? o_O (Is it allowing everything to pass through? Isn't this dangerous?)
     
  16. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    Another interesting observation about ESS is that the "i" in a circle next to "Learning Mode", indicating "Information", is not clickable, as it should be - to provide us with information about this mode!
     
  17. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    There is no device on the network with that IP.

    Has the nw8000 already been compromised?? Wow!

    Update: nw8000 removed from network.

    Found this on the TabletPC (see .jpg file) - could this be the VPN connection?

    Yes, this was stopped when VPN client was disconnected from the VPN gateway.
     
    Last edited: Aug 20, 2010
  18. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    Can you please update this thread with further procedures, so that I can get the other unit (nw8000 running ESS as well) off the network (it is off) and try reinstalling XP if required??
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    "i" is not a clickable icon. Additional information will be displayed if you hover the mouse cursor over it.
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You posted a log from nw8000. If you're having certain problem on that computer as well, please provide more details about the issue.

    Let's get back to the original problem. Please confirm or deny that disabling ARP and DNS cache poisoning attack detection in the IDS setup actually makes a difference. Also create the pcap log as mentioned in the KB article I initially referred to, upload it to a file sharing service or ftp and PM me the link along with the output of the command "ipconfig /all".
     
  21. AlwaysLearning

    AlwaysLearning Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    22
    The "Limited Connectivity" IP address 169.254.xx.xx might indicate no access to a DHCP server.

    --Always Learning
     
  22. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    TabletPC is now on fixed IP of 192.168.200.192.

    I'll have to do this a bit later, in about 4 hours when work is done.

    I use OpenDNS IP addresses to resolve internet sites, for safety, on each machine.

    These are: 208.67.222.222 and 208.67.220.220.
     
  23. SuperFlyBoy

    SuperFlyBoy Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    41
    I even turned off the firewall, but I think that some of the port blocking is still working, unfortunately.

    I think I'm going to have to uninstall ESS, install NOD32 and then use Comodo as the firewall.

    Does anyone have any feedback about this arrangement?

    ESS has too many beta-type appearances and behavior with their firewall, imo.

    If I get the chance, will follow eset's guidance for ESS, but I can't waste any more time on this sort of activity, similar to Online Armor's pain-in-the-you-know-what firewall!
     