oh dear v4 firewall 1045 under the weather

Last night v4 started to play up. Nowhere near as bad as previous posts, but intermittent large lags accessing websites, with no entry showing in the log.

Today it is more frequent and I'm now getting log entries.

The outgoing problem is still showing up in the log as well as incoming - all are Packet Blocked by active defense on TCP apart from one which had the interesting incoming error of No application listening on the port UDP. The port was very high up the list 55931

I have unticked:
Block unsafe address
TCP protocol overload
ARP and DNS poisoning attack.

What happens is the webpage will start to load and then it will stop as will all incoming packets, then, if the page suddenly becomes available it will load. About 2 minutes later the log will burst into a flurry of activity and all the IDS entries will be listed. CPU usage (dual core) rises to a steady 6% whilst this is happening.

Looking in SysInternals tools from Microsoft, I notice that there are a few entries of buffer overflows from Tcpip\Linkage\Bind, which is from explorer, and when ekrn.exe queries some Windows drivers such as rapti.sys, usbstor.sys, mrxsmb.sys.

Colin

 

Can i ask how/why you get v1045 of firewall, whereas i get v1044 and have no issues whatsoever with ESS v4?

 

https://www.wilderssecurity.com/showthread.php?t=236335

Until a better answer arrives: Verbiage below is Post 12 in above Thread from Miki69 as to how 1044 was achieved (ie)

 

There are a whole caboodle of posts here by others having difficulty with v4. As an example I have no problem with v4 on my laptop running Vista SP1, but problems with the desktop machine running XPpro SP3.

Module 1045 is an experimental module that Eset are trying out with some of us who have been having problems with 1044 etc.

This morning even though there are many entries in the log file purporting to have blocked my outgoing (me: 192.168.5.101:1081,1083,1089 to 203.206.129.17/18:80 that might be an IP of some autoupdate address), the firewall had not been playing up so far.

Interesting - I've just looked up that IP address - and it is an Internet Provider here in Australia - except it isn't mine!

Colin

 

I have just noticed a difference between my laptop and desktop installation. This might be a red herring but in Advanced Setup under Web Access Protection on my desktop I have:

HTTP,HTTPS
-> Address Management
-> Web Browsers
-> Active Mode

On my laptop - I don't have the Web Browsers option, just the Address and Active mode.

Now under Web Brosers Opera and IE7 are marked as Internet Browsers - so I'll try unticking them and see what happens.

Colin