Firewall Issues with v4.0.417

Discussion in 'ESET Smart Security' started by LoPhatPhuud, Apr 1, 2009.

Thread Status:
Not open for further replies.
  1. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    Joined:
    Jul 19, 2003
    Posts:
    45
    Location:
    Albuquerque, NM
    I decided to turn on logging yesterday after updating to see what, if anything, was being blocked. Very enlightening. I have ESS 4.0.417 (BE) installed on Vista SP1, fully patched.

    Here is a sample of entries. Hopefully someone from ESET can enlighten me:

    4/1/2009 8:14:57 AM Packet blocked by active defense (IDS) 192.168.1.101:49505 192.168.1.1:80 TCP
    That's my computer trying to talk to my router web interface. Lots of these.

    4/1/2009 8:13:34 AM Packet blocked by active defense (IDS) 192.168.1.1:80 192.168.1.101:49492 TCP
    Same thing, other direction


    3/31/2009 8:55:23 PM Packet blocked by active defense (IDS) 68.142.212.22:80 192.168.1.101:50346 TCP
    That's Inktomi from my Yahoo portal home page. The firewall is blocking the daily play four (word game)
    (see next post)

    Router logging also does not auto start any more. I run Wall Watcher on boot to log the WRT54GS running HyperWRT. Never any issues before ESS. Now I have to disable/enable logging on the router to get it started. It does not make any sense, but it's happening.

    Even stranger, on my Laptop running Windows XP SP3, fully patched, the Word game appears. Both browsers are Firefox 3.0.8. No errors logged on the XP computer, but also, no router logging there either.
     
    Last edited: Apr 1, 2009
  2. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    Update. The Word game issue is not an issue with the firewall or IDS. It's fine in IE8 and Opera on the same computer. Also, I forgot the browser was updated to FF 3.1.b3 so it will be a browser issue.

    The remaining issue is the one with the router and logging.
     
  3. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    More info...

    The IDS block only occurs on the Vista computer which is the target for the router logs. I can open the router web interface from my Laptop and no blocks are logged.
     
  4. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    The issue with the IDS blocks has resolved itself. Perhaps a reboot fixed it, but it has not come back so it's a dead issue now.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    In cases like this when it's not clear if it's a false positive or a real attack (I've run into a case when a network printer was causing UDP port scanning attacks), create 2 logs from Wireshark - one with the firewall disabled when everything works and one with the firewall enabled when connections are blocked. Eventually send the logs with a description of the problem to support[at]eset.com.
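
Added example, not part of the original thread and not ESET's own tooling: a small Python triage script for the IDS log lines quoted in the first post, which groups blocked packets by host pair regardless of direction and marks pairs where both ends are private (LAN) addresses, the pattern that suggested a false positive here. The column layout is assumed from the three quoted lines; `parse_line` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Lines as quoted in the first post; the column layout is assumed from them.
SAMPLE_LOG = """\
4/1/2009 8:14:57 AM Packet blocked by active defense (IDS) 192.168.1.101:49505 192.168.1.1:80 TCP
4/1/2009 8:13:34 AM Packet blocked by active defense (IDS) 192.168.1.1:80 192.168.1.101:49492 TCP
3/31/2009 8:55:23 PM Packet blocked by active defense (IDS) 68.142.212.22:80 192.168.1.101:50346 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<event>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s*$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(text):
    """Count blocked packets per host pair, ignoring direction and ephemeral ports."""
    pairs = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip headers or lines in another layout
        hosts = tuple(sorted((rec["src"], rec["dst"]), key=ip_address))
        lan_only = all(ip_address(h).is_private for h in hosts)
        pairs[(hosts, rec["proto"], lan_only)] += 1
    return pairs

if __name__ == "__main__":
    for (hosts, proto, lan_only), n in summarize(SAMPLE_LOG).most_common():
        scope = "LAN-only" if lan_only else "involves external host"
        print(f"{n:3d}  {hosts[0]} <-> {hosts[1]}  {proto}  {scope}")
```

The host pairs it reports are the conversations worth isolating in the two Wireshark captures (firewall disabled and firewall enabled) before sending them to support.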
     