NOD32 Smart Security dropping PPPoE connection during high traffic

Discussion in 'ESET Smart Security' started by Flying Panda, Jan 2, 2010.

Thread Status:
Not open for further replies.
  1. Flying Panda

    Flying Panda Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    10
    Location:
    Brazil
    For many years I faced this problem without a solution and now I figured out who's the culprit: NOD32.

    At Christmas 2009 I purchased NOD32 Smart Security (for the last 2 years I was using just NOD32 Antivirus) and no matter what version was installed I just keep having my PPPoE connection dropped during high traffic (e.g. Azureus/uTorrent torrent clients, over 3 downloads in Firefox or other heavy uses).

    Since I installed NOD32 Smart Security 4 I'm facing a new problem - every time I open Microsoft Outlook 2007, even if my connection is idle (no downloads), my PPPoE connection drops and I'm unable to connect for the next 3 minutes. This happens once every time I open Outlook 2007 on a fresh boot; the next times I open the program the connection won't drop.

    I changed my ADSL modem 3 times (one Siemens, one Huawei, now I'm using a D-Link) believing it was a modem hardware failure and this problem keeps haunting me. I checked my line quality (SNR/Att) and everything is running under superb conditions without variations during bandwidth usage changes.

    Now I strongly believe it's a NOD32 fault. Another proof that I may be right that it's not an ADSL line or modem issue is that I have 3 computers at home, only mine has NOD32, and when my connection drops, the other 2 PCs stay connected as if nothing happened.

    Is anybody facing a similar problem? I have nothing else strange installed on my computer. I just use MSN, Firefox and two torrent clients. I did not change anything in the NOD32 Smart Security 4 configuration; maybe I'm missing something that I should have changed to avoid those problems?

    My system is running Windows XP Professional SP3 (32-bit).
     
  2. muppetman

    muppetman Registered Member

    Joined:
    Feb 18, 2009
    Posts:
    18
    Why don't you just uninstall NOD32 and see if it helps? I find it hard to believe it could be the cause, but there's an easy way to find out!
     
  3. CvP

    CvP Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    13
  4. Flying Panda

    Flying Panda Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    10
    Location:
    Brazil
    It's happening in Mozilla Thunderbird too. I open the program, and the connection drops. Tomorrow I'll start some tests with Wireshark to see what happens at the exact moment when the connection is lost.

    My connection is just 1 mbps for downloads and 368kbps for uploads.
     
  5. CvP

    CvP Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    13
    First check if you have lots of "TCP IP Incorrect Checksum" in the ESET logs (firewall).
     
  6. Flying Panda

    Flying Panda Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    10
    Location:
    Brazil
    I have some "TCP IP Incorrect Checksum" entries in the logs, but every time my connection is dropped I take a look at the ESS logs and nothing is reported at that exact moment.

    The reported "TCP IP Incorrect Checksum" times do not match the times I lost my PPPoE connection.
     
  7. flexchor

    flexchor Registered Member

    Joined:
    Jan 6, 2010
    Posts:
    1
    I specially registered to tell you this:

    I have exactly the same problem; at the moment I have uninstalled ESET Smart Security to test if it still drops out.

    My provider sent a technician to repair all the splitters & give me a new router because I thought it was those that caused the problem; now I remember I uninstalled AVG 2 months ago & installed ESET, just around the time that this problem started :doubt: .

    Hopefully it's this, I'll probably return to AVG or get another anti virus program.

    Good luck!
     
  8. WayneP

    WayneP Support Specialist

    Joined:
    Apr 9, 2009
    Posts:
    339
    Hello,

    Sometimes communication between the computer and the router or modem can cause the firewall module to temporarily block a false-positive attack. See the knowledgebase article below for some steps to take to resolve this issue.

    http://kb.eset.com/esetkb/index?page=content&id=SOLN969
     
  9. Flying Panda

    Flying Panda Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    10
    Location:
    Brazil
    While monitoring Wireshark packets, nothing abnormal happens when I open Outlook or Thunderbird, just standard queries to the mail servers in both programs.

    Then suddenly I get ICMP - Destination Unreachable (Network Unreachable), indicating that my connection was lost, and the reconnection window shows up and I can't reconnect for the next 1~3 minutes without a thousand attempts to reconnect.

    My house wiring is also new. I even tested the signal quality in the street with the phone line provider to make sure the signal was OK at the entry.

    I'll take a look at this and later I can tell if this solved my problem.

    I really don't want to uninstall NOD32 and change to another AV solution.
     
  10. RyanH

    RyanH Eset Staff Account

    Joined:
    Nov 9, 2009
    Posts:
    64
    To access the firewall log, please follow the steps below:

    1. Open the main program window by clicking the ESET icon next to your system clock or by clicking 'Start' -> 'All Programs' -> 'ESET' -> 'ESET Smart Security'.

    2. If you see 'Display: Standard mode' in the lower left corner, switch to Advanced mode by a) clicking ‘Change…’ (version 4.0) or b) clicking the arrow and then clicking ‘Toggle Advanced mode’ (version 3.0). Then click ‘Setup’ -> ‘Enter entire advanced setup tree…’. (You can also press F5 to open the Advanced Setup window.)

    3. From the Advanced Setup tree on the left, click ‘Personal firewall’ -> ‘IDS and advanced options’ and select the ‘Log all blocked connections’ option under the Troubleshooting section.

    4. Click ‘OK’ to save the changes and then reproduce the problematic behavior.

    5. Reopen the main program window (see step #1), and then toggle to Advanced Mode by clicking 'Toggle Advanced mode' in the lower left corner or by pressing CTRL + M on your keyboard.

    6. Click ‘Tools’ -> ‘Log Files’ and then select ‘ESET Personal firewall log’ from the drop-down menu.
     
  11. Flying Panda

    Flying Panda Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    10
    Location:
    Brazil
    Hi RyanH. I just did what you told me. I'll wait for the problem to happen again and hope NOD32 logs something.

    What WayneP posted did not solve my problem. To make things worse, I changed my ISP provider from ADSL to WiMAX and I'm still having the same problem. This proves that it's nothing related to my old ISP.
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Running multiple Torrent clients likely is not helping your PPPoE situation if you leave exceptions for them always on; they would flood your router constantly.
    All possible scenarios, my 2 centavos.
     
  13. Flying Panda

    Flying Panda Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    10
    Location:
    Brazil
    To make things more clear:

    1 - I don't run multiple torrent clients. I run just one at a time and it's also rare. I usually download very large linux distros.

    2 - I run a single torrent file and limit the bandwidth usage for 70%.

    3 - I don't open my email client when I'm downloading something.

    For example, I turn on my PC. Establish a connection with my ISP. Open my email client - connection dropped :isay:
     
  14. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You have made things more clear, Flying Panda. I leave you in the most capable hands of the ESET Moderators for the remainder of this thread.
     
  15. Flying Panda

    Flying Panda Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    10
    Location:
    Brazil
    Following RyanH's post, I configured NOD32 SS to log blocked connections.

    I connected to my ISP, opened Microsoft Outlook 2007, the auth window to my email account pops up, then I'm disconnected.

    Comunicação negada por regra -> Communication denied by rule
    Bloquear solicitações NETBIOS de saída -> Blocked NETBIOS Exit Solicitations
    192.168.254.2 -> Me
    192.168.254.1 -> Router gateway
    192.168.254.255 -> Router

    NOD32 SS Firewall Log:

    Code:
    9/1/2010 20:56:00	Comunicação negada por regra	192.168.254.2:138	192.168.254.255:138	UDP	Bloquear solicitações NETBIOS de saída	System	AUTORIDADE NT\SYSTEM
    9/1/2010 20:55:55	Comunicação negada por regra	192.168.254.2:138	192.168.254.255:138	UDP	Bloquear solicitações NETBIOS de saída	System	AUTORIDADE NT\SYSTEM
    9/1/2010 20:55:51	Comunicação negada por regra	192.168.254.2:138	192.168.254.255:138	UDP	Bloquear solicitações NETBIOS de saída	System	AUTORIDADE NT\SYSTEM
    9/1/2010 20:55:47	Comunicação negada por regra	192.168.254.2:138	192.168.254.255:138	UDP	Bloquear solicitações NETBIOS de saída	System	AUTORIDADE NT\SYSTEM
    9/1/2010 20:55:43	Comunicação negada por regra	192.168.254.2:138	192.168.254.255:138	UDP	Bloquear solicitações NETBIOS de saída	System	AUTORIDADE NT\SYSTEM
    
    Wireshark packets:

    Code:
    74	9.955614	(ISP local remote server)	(ISP remote server)	DNS	Standard query A 1.0.0.223.lbl7.mailshell.net
    Above is one sample (packet 74). Wireshark shows 244 queries - exactly what is shown above, all 244 (I intentionally removed the IP addresses - you can reach my house doing an IP lookup :p). I don't even start to type my password and I get this:

    Code:
    370	13.034059	192.168.254.1	192.168.254.2	ICMP	Destination unreachable (Network unreachable)
    NOD32 Firewall stands between my machine and my router. Maybe NOD32 is detecting some kind of flood attack coming from the router (due to the multiple requests from Outlook) and blocks all my network? I'm confused o_O
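
The timestamp comparison described in posts 6 and 15, as an added example that is not part of the thread or ESET's own tooling: it parses the tab-separated firewall log rows quoted in post 15 and lists which blocked events fall near a disconnect. The day/month date order, the /24 LAN mask and the two disconnect times are assumptions made for the example.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# The five rows quoted in post 15; only the time differs between them.
_ROW = ("9/1/2010 {}\tComunicação negada por regra\t192.168.254.2:138\t"
        "192.168.254.255:138\tUDP\tBloquear solicitações NETBIOS de saída\t"
        "System\tAUTORIDADE NT\\SYSTEM")
FIREWALL_LOG = "\n".join(
    _ROW.format(t) for t in ("20:56:00", "20:55:55", "20:55:51", "20:55:47", "20:55:43"))

LAN = "192.168.254.0/24"  # assumption: the thread never states the netmask
# Constructed disconnect times; the thread gives no wall-clock time for the drops.
DROPS = [datetime(2010, 1, 9, 20, 56, 5), datetime(2010, 1, 9, 22, 10, 0)]


def parse_log(text):
    """Parse tab-separated rows: time, event, source, target, protocol, rule, app, user."""
    events = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 8:
            continue  # blank or truncated row
        dst_ip, _, dst_port = f[3].rpartition(":")
        events.append({
            "time": datetime.strptime(f[0], "%d/%m/%Y %H:%M:%S"),  # assumed day/month order
            "event": f[1], "src": f[2], "dst_ip": dst_ip,
            "dst_port": int(dst_port), "proto": f[4], "rule": f[5],
        })
    return events


def correlate(events, drops, window=timedelta(seconds=30)):
    """For each disconnect time, list the blocked events logged within +/- window."""
    return {d: [e for e in events if abs(d - e["time"]) <= window] for d in drops}


def summarise(events, lan=LAN):
    """Count events by (rule, protocol, destination port, destination is LAN broadcast)."""
    bcast = ipaddress.ip_network(lan).broadcast_address
    return Counter((e["rule"], e["proto"], e["dst_port"],
                    ipaddress.ip_address(e["dst_ip"]) == bcast) for e in events)


if __name__ == "__main__":
    events = parse_log(FIREWALL_LOG)
    for drop, near in correlate(events, DROPS).items():
        print(drop, "->", len(near), "blocked events nearby")
    for key, n in summarise(events).items():
        print(n, key)
```

A disconnect with no nearby rows, like the second constructed time, is the situation reported in post 6, where the logged events and the drop times do not line up.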
     
  16. Flying Panda

    Flying Panda Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    10
    Location:
    Brazil
    I just had the definitive proof that it's a NOD32 fault. Since yesterday I had up to five disconnections in one hour and I was using just about 50% of my bandwidth. I got furious, restarted my computer in safe mode and disabled all NOD32 kernel services.

    Without NOD32 I can overload my PPPoE and LAN to the limit without any disconnection. I'm amazed and can't understand why NOD32 is doing this to my network.
     
  17. WayneP

    WayneP Support Specialist

    Joined:
    Apr 9, 2009
    Posts:
    339
  18. Flying Panda

    Flying Panda Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    10
    Location:
    Brazil
    I already tried that. I also tried to disable all Intrusion Detection under IDS and advanced options and still the same problem.

    Right now I'm downloading Mandriva 2010.1 Alpha 1 to test in VMware and everything is running smooth. Lots of hours of download ahead and no disconnections since I disabled NOD32.

    Most people might be thinking "if you are having problems, just uninstall it". It's not about just uninstalling. I really like NOD32 AV since I found it pretty effective, but the fact I'm getting disconnected due to a NOD32 software fault is really freaking me out.

    Edit:

    Wooow nice, now all my Virtual Machines lost the shared network with the host just by disabling NOD32 kernel modules. I tried to disable the Eset Personal Firewall driver on my network but my machines were still unconnectable. I had to reactivate all modules =/

    Another curious thing: even if I disable all protection (right click on NOD32 icon > Disable AV, anti-spyware, real time protection and network filter) the disconnection problem still occurs.

    Edit2:

    I just uninstalled NOD32 SS. Disabling kernel modules just doesn't work; it looks like all ports become closed if SS is not running. If I leave it running, my connection drops even if I'm not making intense use of my available bandwidth - If I disable the protection I still have the same problem - If I disable kernel modules all my virtual machines and any other software (Azureus, iTunes, etc) can't access the web due to closed ports.

    I'm going to try Kaspersky IS for the 30-day trial and see if I get the same problem as NOD32 SS.
     
    Last edited: Jan 12, 2010