Discussion in 'ESET Smart Security' started by tosbsas, Apr 8, 2008.
How do I set a rule for IGMP -my log is full with blue reports of a rule not found for that
Anyone, please -))
First, you have to be in Interactive Mode before you can create any rules. Second, even a rule will not stop IGMP, only stop it from appearing on your log if you desire.
PS: Are you on Juno, or another low/no cost dialup?
no I am on highspeed internet in Lima, and yes, I don't wanna block, but get rid of that message, and yes I am in interactive mode
You could go to "IDS and advanced options" under Firewall options and check to allow incoming IGMP streams. This would eliminate the logs but allow IGMP to hammer your computer more than the block. IGMP deals with Multicast Streaming. If you don't need this it's best to block. I don't do gaming, so I don't know if you need it for that.
You could change to Interactive mode, add block/nolog rule, and then return to Automatic.
I have set IGMP to be allowed - hm
I know the IGMP log entries are probably flooding your log entries and you want to eliminate them to minimize space and make it easier to see other entries. But allowing them to progress any further without a need will only put unneeded strain on your computer. Best to block them at the firewall, or earlier if you use a router. That's the reason ESS blocks them and notifies you in the log by default. Chances are you may need other rules in the future and need the control Interactive Mode provides.
I have both DSL and Dialup running 24/7 and I have no IGMP on the DSL But on the Dialup it is a constant flood with 30 seconds interval. I created a rule to continue blocking IGMP like the default, but the rule allows me to turn logging on/off as I desire. I'm researching how I can turn off the source and whether there are any malware exploits transmitted thru IGMP. If there are known exploits thru IGMP it is imperative to stop them, or create a rule to permit only the ones you need, if any.
The only safe way is to stop all inbound traffic and selectively permit only those you need. Automatic Mode auto-creates the basics which cover the known needs, but there will probably always be a need for custom rules available only thru Interactive mode. The more you know, the better you can stop threats to your system. And online security is a constant, evolving target. What's safe today probably won't be tomorrow, if past experience is the best predictor of the future.
Once you secure inbound traffic, then scrutinize outbound for any spybot and/or zombie traffic your computer is generating by installed malware. Running periodic on-demand scans (I do weekly) should catch those as well as the always present real-time scanning for new inbound traffic.
would you mind sharing that rule you made?
Name: Block IGMP
Local Port: (blank)
Remote port: (blank)
Remote address: One or more addresses, e.g. 220.127.116.11, 18.104.22.168, 22.214.171.124 (these are my three; yours will be different) You will probably only have one address/source and it will probably be related to your ISP. I have three different Dialup numbers that I rotate so that is the reason I need 3.
NOTE: You must have address(es) for rule to establish. Don't use Remote Port without address(es) since that is too broad. This also allows you to see any new IGMP hits that may come from other sources.
NOTE 2: I just tried returning to Automatic Mode and found that it doesn't retain Interactive Rules. Sorry for my mistake in earlier posts. So this means that you will have to run Interactive. ESS will query you on any apps it hasn't recognized in Automatic Mode, which are only the most widely used and popular. As ESS learns about and verifies other apps it will probably add them slowly to their Automatic Mode. I will bring the issue of more IGMP options for Automatic Mode up in this forum to see if they can offer the flexibility of a custom rule for IGMP while staying in Automatic Mode.
Regardless, learning some Interactive Mode rule making is a good thing. It offers you a way to lockdown your security better while allowing confirmed sources thru. And you can log/no log the rules as you desire.
ESS's Firewall is a new capability for Eset and has been it's weak point. It's getting better all the time, especially with v650, and if they reach the same level with it that their malware detection is it will become top-tier.
This thread explains more. Retaining rules entered in Interactive Mode and still operate in Automatic Mode requires Policy Based Mode options. Marcos gives details.
thanks a lot. I will try that (-))
I set your rules, but still get this
12.04.2008 14:14:46 No usable rule found 192.168.1.33 126.96.36.199 IGMP
is outbound here - i got it
Separate names with a comma.