"Detected covert channel exploit" problem.

Discussion in 'ESET Smart Security' started by allure, Jul 1, 2010.

Thread Status:
Not open for further replies.
  1. allure (Registered Member)

    Joined: Jul 1, 2010
    Posts: 6
    Took me a while to trace my problem in battlefield 2 bad company to this.

    Basically - ESET Smart Security started blocking in-game browser updates, even though I added every possible exception for the game. So I checked the logs and found this line appearing whenever I try to update the browser window:

    Detected covert channel exploit (ICMP protocol), with my current IP address in the source tab and several server addresses in the target tab.

    I have tried allowing ICMP communication specifically for the game and in general, but it didn't help. So the only way around it is to disable filtering completely - then everything works fine.

    So how else can I prevent ESET from blocking connections for my game?

    And yes - firewall modules are updated.



    Read every post about this issue on this forum :rolleyes:

    Setup->Personal Firewall->IDS and Advanced Options->uncheck Covert data in ICMP protocol detection

    Still - is there a way to disable that thing specifically in one particular application?
     
    Last edited: Jul 1, 2010
  2. Marcos (Eset Staff Account)

    Joined: Nov 22, 2002
    Posts: 14,374
    I'd suggest adding the respective IP address to the list of addresses excluded from active protection (IDS) in the zone setup.
     
  3. allure (Registered Member)

    Joined: Jul 1, 2010
    Posts: 6
    This is impossible, since my IP is dynamic and the IPs that this thing blocks are numerous, as in every server from around the world in the browser, over 700 IPs.

    This is how it looks in the logs:

    http://img812.imageshack.us/img812/9444/33696663.jpg the list goes on...

    Unless there's a way to add an application to this list?
     
    Last edited: Jul 1, 2010
  4. allure (Registered Member)

    Joined: Jul 1, 2010
    Posts: 6
    Ehum... so no solution to this?

    Could you at least clarify whether switching off Covert data in ICMP protocol detection would compromise my PC security?
     
  5. Marcos (Eset Staff Account)

    Joined: Nov 22, 2002
    Posts: 14,374
    You can run Wireshark with the filter set to "icmp", reproduce the problem, upload the pcap log somewhere and post a link to the file here so that we can see what kind of icmp communication was attempted. If the game actually exploits icmp packets for communication and it's not possible to add a particular IP address to the exception list, the only way to avoid blocking those icmp packets will be disabling the exploit detection in the IDS setup completely.
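
Added example, not part of the thread and not ESET's detection logic: a small triage script for the kind of ICMP capture requested above, summarizing each packet's type, payload size and payload pattern so unusual echo data stands out. It assumes a classic little-endian pcap (not pcapng) with Ethernet framing; the labels, function names and the sample traffic on documentation addresses are constructed for illustration.

```python
import socket, struct
from collections import Counter

WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # default data sent by Windows ping.exe

def checksum(data):
    data += b"\x00" * (len(data) % 2)               # pad to a whole number of 16-bit words
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:                                  # fold carries (one's-complement sum)
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def label(payload):
    if payload == WINDOWS_PING:
        return "windows-ping-default"
    if len(set(payload)) <= 1:
        return "constant-fill" if payload else "empty"
    return "other"                                  # worth a closer look in Wireshark

def icmp_packets(pcap):
    """Yield (src, dst, icmp_type, payload, checksum_ok) for each IPv4 ICMP packet."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected a little-endian classic pcap file")
    off = 24                                        # skip the pcap global header
    while off + 16 <= len(pcap):
        (caplen,) = struct.unpack_from("<I", pcap, off + 8)
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue                                # not IPv4, or IP protocol is not ICMP
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        icmp = frame[14 + ihl:14 + total]           # IP total length drops Ethernet padding
        if len(icmp) >= 8:
            yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
                   icmp[0], icmp[8:], checksum(icmp) == 0)

def summarize(pcap):
    return Counter((t, label(p), len(p), ok) for _, _, t, p, ok in icmp_packets(pcap))

# Constructed sample traffic (not the capture posted in the thread).
def sample_frame(icmp_type, payload, src="192.0.2.10", dst="198.51.100.7"):
    body = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + body
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + sample_frame(8, WINDOWS_PING) + sample_frame(8, b"\x00" * 8)
          + sample_frame(0, b"\x00" * 8, "198.51.100.7", "192.0.2.10"))
```

Calling `summarize(open(path, "rb").read())` on a real capture gives one counter entry per distinct (type, label, payload length, checksum valid) combination; type 8 is an echo request and type 0 an echo reply.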
     
  6. allure (Registered Member)

    Joined: Jul 1, 2010
    Posts: 6
    Yes, I already wrote that I figured out how I can switch this thing off; however, I was wondering whether this will compromise my security?

    I fiddled with Wireshark, but I am not a nuclear physicist :rolleyes:, so I am not sure whether I got a correct log:

    http://www.filefront.com/16956299/BFBC2_browser_pings_icmp.pcap

    I used the ICMP filter and got the part when I update my browser window in battlefield 2. I also compared the resulting IPs and they correlate to those that are blocked by ESS.
     
  7. stratoc (Guest)

    I use 9 online games (as I don't get out much). ESET has a problem with all: sometimes just slightly higher latency, mostly masses of random logs on the firewall log, sometimes disconnects.
    Use NOD32 with Windows Firewall if you use a router, or a third-party one if you prefer, until ESET releases the next version.
    Third-party firewalls I find no problem with in online games are:
    Private Firewall http://www.privacyware.com/personal_firewall_2.html
    ZoneAlarm http://www.filehippo.com/download_zonealarm_free/
    or any suite I have tried bar ESET Smart.
     
  8. allure (Registered Member)

    Joined: Jul 1, 2010
    Posts: 6
    I've played dozens of online games and this is the first time I had some trouble with ESS. This has started after a recent patch, which might imply that something was changed in the game itself.
     
  9. allure (Registered Member)

    Joined: Jul 1, 2010
    Posts: 6
    This is the official recent post on the EA forums; maybe this (and the log I posted above) will help developers to find a workaround:


    ESET Smart Security

    Symptom: All ping times are displayed as - or 999

    Reason: ESET Smart Security thinks that all the ping responses that are coming in from servers are the result of a Denial-Of-Service attack that has been triggered from some other machine, and it begins to ignore the incoming ICMP PING responses.

    We have not yet been able to reach ESET about this.

    Workaround:
    In ESET Smart Security, go into Setup> Personal Firewall> Advanced Personal Firewall Setup> IDS and advanced options> ICMP protocol attack detection: disable
    This will not make your machine vulnerable to viruses, it only means that someone can crash your computer remotely using an ICMP-based Denial-Of-Service attack (which is a very unlikely event).
     