I have a problem

Discussion in 'ESET Smart Security' started by rebelscum0000, Oct 17, 2012.

Thread Status:
Not open for further replies.
  1. rebelscum0000

    rebelscum0000 Registered Member

    Joined:
    Oct 29, 2006
    Posts:
    70
    Location:
    Mexico City
    Hi

    Last week I installed ESS V.5 (latest version) and I have been seeing "Detected DNS cache poisoning attack" on average about 50-100 times a day so far.

    I read @ ESET Knowledgebase
    http://kb.eset.com/esetkb/index?page=content&id=SOLN2933


    I understand it is an ESS issue. Why bother to fix it by following the instructions?

    I decided to downgrade to ESS V.4.X (latest version), and a friend of mine used my computer while I was out of town.

    Just out of curiosity, how do I know how many "Detected DNS cache poisoning attack" messages my friend received, in the ESS V.4.X GUI or log file?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    V5 detects the same attacks as v4 except that it notifies the user when an attack is detected instead of just logging it in the firewall log. Attack notifications can be disabled in v5 and newer.
    What are the source IP addresses of these DNS cache poisoning attacks?
     
  3. rebelscum0000

    rebelscum0000 Registered Member

    V5: Most of them are: Source 10.3.77.26:53 Target 197.168.0.122:1040

    Then if V5 notifies the user when an attack is detected, and v4 does not...

    V4: I do not know o_O how many "Detected DNS cache poisoning attack" messages I had while my friend was using my computer. How can I find out?

    Thank you
     
    Last edited: Oct 18, 2012
  4. rebelscum0000

    rebelscum0000 Registered Member

    Hello?
     
  5. rebelscum0000

    rebelscum0000 Registered Member

    Where is the official ESET support forum? Could you be so kind as to provide me the link?

    TIA
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    You are writing in it right now :D

    I guess that you are waiting for a reply from Marcos or another ESET Mod?
     
  7. Marcos

    Marcos Eset Staff Account

    Does the IP address 10.3.77.26 belong to your Internet provider's DNS server?
     
  8. rebelscum0000

    rebelscum0000 Registered Member

    Yes, confirmed with my ISP and ipconfig /all.

    And once again, my main question:

    I downgraded to V.4.
    How do I know how many DNS cache poisoning attacks I had while my friend was using my computer and I was out of town?

    V.4 GUI or log file?
     
    Last edited: Oct 23, 2012
  9. encus

    encus Registered Member

    Joined:
    Nov 2, 2009
    Posts:
    535
    For ESS v4, you can view all the attacks in the firewall log.

    Good luck!
     
  10. rebelscum0000

    rebelscum0000 Registered Member

    Thank you sir, but I cannot find the firewall logs :doubt:

    Where are they located?

    Windows XP Pro SP3

    TIA
     
  11. encus

    encus Registered Member

    1. Open ESS main menu
    2. Click Tools -> Log
    3. From drop down menu, select Personal Firewall Log

    HTH.
     
  12. rebelscum0000

    rebelscum0000 Registered Member

    Thank you, but using the V.4 GUI and following your instructions, the ESET Personal firewall log is empty. I do not understand why I cannot view all the attacks in the firewall log.

    Or if I need to post my firewall log here at this forum, where is the log file located?

    Windows XP SP3

    Thanks in advance for any help you can provide me
     
  13. rebelscum0000

    rebelscum0000 Registered Member

  14. Marcos

    Marcos Eset Staff Account

    There are no differences in DNS cache poisoning detection between v4 and v5, as both utilize the same firewall module, which includes the functionality for attack detections. If the attack is not detected any more with v4, it shouldn't be detected after installing v5 either.
     
  15. rebelscum0000

    rebelscum0000 Registered Member

    I confirmed the IP address 10.3.77.26 belongs to my Internet provider's DNS server. Then is it a real attack?
     
  16. SweX

    SweX Registered Member

    You need to enable logging of the firewall so the firewall log will be filled with information.
     
  17. BellaBoo

    BellaBoo Registered Member

    Joined:
    May 15, 2009
    Posts:
    114
    Location:
    SydYork, US of Oz
    how to upload a pic ... this poster needs a visual!

    Someone elses intrusion scap.JPG

    did that work!??!

    HA :) thar it beeee!

    OP, tick the yellow highlighted box then click OK. after a short while, your log will reveal the relevant activity.

    fyi, google the offending ip addy/s to identify them.

    i had a couple intruders (from china and germany) but it turned out they were just *looking* [common, recurring attempts] so i ran checks on my computer using ShieldsUp! via grc.com and i was satisfied with the results: my computer provided zero access.

    so i unchecked the 'Display notification after attack detection' box [see above pic under intrusion detection]

    HTH :)

    good luck, btw!

    edited to add necessary clarification
     
    Last edited: Nov 6, 2012
  18. rebelscum0000

    rebelscum0000 Registered Member

    Thank you very much and sorry for the delay. Using ShieldsUp, my IP is dynamic, I will never pass the test, so I cannot run checks on my computer. Any other suggestion?
     
  19. BellaBoo

    BellaBoo Registered Member

    hey rebel :) sorry, i missed your post...

    even tho your IP is dynamic [about which i know nothing], did you at least try ShieldsUp!?

    i have no other suggestions for you, but perhaps with the passage of time, you've been able to work out something.

    if not, good luck in your endeavours :)
     
  20. BellaBoo

    BellaBoo Registered Member

    so, i researched dynamic IP and i came up with this: http://whatismyipaddress.com/dynamic-static

    it says tho that and i quote: ... Dynamic IP addressing assigns a different IP address each time the ISP customer logs on to their computer, ...! so, if that were the case, ShieldsUp! will scan your computer during your current computer session and if there are any hiccups, they'll be revealed. so, it doesn't matter the ip addy, it matters that your computer is silent to the outside world.

    unless however: If you have Dynamic IP Addressing through your Website Host it means that you are sharing an IP Address with several other customers. in which case, ShieldsUp! would be pointless.
     
  21. rebelscum0000

    rebelscum0000 Registered Member

    Thank you BellaBoo, yup I tried ShieldsUp! but I was not sure :D
     
  22. rebelscum0000

    rebelscum0000 Registered Member

    OK I will try again, Thank you very much :)
     
  23. rebelscum0000

    rebelscum0000 Registered Member

    Hi,

    Could it be a possibility that I am receiving DNS cache poisoning detections since I am sending massive emails from my Mac to my Outlook Express?

    Thanks in advance for any help you can provide me

    Win XP SP3
     
  24. dwomack

    dwomack Eset Staff Account

    Joined:
    Mar 2, 2011
    Posts:
    588
    This could be a possibility. What the KB article does not state is the various reasons that your IP address could be triggering the DNS Cache Poisoning Attack Detections. This is because there are simply too many reasons to reasonably list and we don't want to speculate on causes without complete information.

    I've seen this happen with non-standard data traffic or when the router pings your network to verify it's still connected. There are many other reasons for the detection to be triggered. The IP addresses you provided for the Source (ISP) and Target (you) are within the safe range so it's very likely one of these reasons (including the one you gave) could be the reason you have seen these notifications. Again, without complete information, it's hard to speculate. It might be worth placing a call or submitting a support ticket with your local ESET distributor for more efficient support: http://www.eset-la.com/soporte/contacto
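
Added example (not part of the thread and not ESET code): a small Python triage of detection lines in the "Source ip:port Target ip:port" shape quoted in post 3. It counts detections per source and checks each address against the RFC 1918 private ranges and against the resolver list reported by `ipconfig /all`. The sample lines, the `triage` function and its field names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Line shape as typed in post 3; this is not an ESET log export format.
LINE_RE = re.compile(r"Source\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+"
                     r"Target\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True only for the three RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)

def triage(lines, resolvers):
    """Count detections per (source, port, target) and attach context flags."""
    known = {ipaddress.ip_address(r) for r in resolvers}
    counts, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.search(line)
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(3))
        except (AttributeError, ValueError):  # no match, or octet out of range
            skipped += 1
            continue
        counts[(src, int(m.group(2)), dst)] += 1
    report = [{
        "source": str(src), "target": str(dst), "count": n,
        "from_dns_port": sport == 53,
        "source_is_configured_resolver": src in known,
        "source_rfc1918": is_rfc1918(src),
        "target_rfc1918": is_rfc1918(dst),
    } for (src, sport, dst), n in counts.most_common()]
    return report, skipped

# Constructed sample: the pair from post 3 repeated, one unrelated source
# (documentation range), one invalid address, one unrelated line.
SAMPLE = ["Source 10.3.77.26:53 Target 197.168.0.122:1040"] * 3 + [
    "Source 203.0.113.9:53 Target 197.168.0.122:1041",
    "Source 999.1.1.1:53 Target 197.168.0.122:1042",
    "Personal firewall started",
]

if __name__ == "__main__":
    rows, bad = triage(SAMPLE, resolvers=["10.3.77.26"])
    for row in rows:
        print(row)
    print("unparsed lines:", bad)
```

A row whose source is on port 53 and matches a configured resolver is a reply from the DNS server the machine actually uses; a row from any other source, or with an address outside the ranges expected for the local network, is the one to look at more closely.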
     
  25. rebelscum0000

    rebelscum0000 Registered Member

    Thank you sir :D
     