Firewall Issues with v4.0.417

I decided to turn on logging yesterday after updating to see what, if anything, was being blocked. Very enlightening. I have ESS 4.0.417 (BE) installed on Vista SP1, fully patched.

Here are a sample of entries. Hopefully someone from ESET can enlighten me:

4/1/2009 8:14:57 AM Packet blocked by active defense (IDS) 192.168.1.101:49505 192.168.1.1:80 TCP
That's my computer trying to talk to my router web interface. Lots of these.

4/1/2009 8:13:34 AM Packet blocked by active defense (IDS) 192.168.1.1:80 192.168.1.101:49492 TCP
Same thing, other direction


3/31/2009 8:55:23 PM Packet blocked by active defense (IDS) 68.142.212.22:80 192.168.1.101:50346 TCP
That's Inktomi from my Yahoo portal home page. The firewall is blocking the daily play four (word game)(see next post)

Router logging also does not auto start any more. I run Wall Watcher on boot to log the WTR54GS running HyperWRT. Never any issues before ESS. Now I have to disable/enable logging on the router to get it started. It does not make any sense, but it's happening.

Even stranger, on my Laptop running Windows XP SP3, fully patched, the Word game appears. Both browsers are Firefox 3.0.8. No errors logged on the XP computer, but also, no router logging there either.

 

Update. The Word game issue is not an issue with the firewall or IDS. It's fine in IE8 and Opera on the same computer. Also, I forgot the browser was updated to FF 3.1.b3 so it will be a browser issue.

The remaining issue is the one with the router and logging.

 

More info...

The IDS block only occurs on the Vista computer which is the target for the router logs. I can open the router web interface from my Laptop and no blocks are logged.

 

The issue with the IDS blocks has resolved itself. Perhaps a reboot fixed it, but it has not come back so it's a dead issue now.

 

In cases like this when it's not clear if it's a false positive or a real attack (I've run into a case when a network printer was causing udp port scanning attacks), create 2 logs from Wireshark - one with the firewall disabled when everything works and one with the firewall enabled when connections are blocked. Eventually send the logs with a description of the problem to support[at]eset.com.