Packet blocked by active defense - bad component update?

Discussion in 'ESET Smart Security' started by funkydude, Sep 23, 2008.

Thread Status:
Not open for further replies.
  1. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    So today I'm doing my usual surfing on my Vista laptop, with the oddity that it is extremely sluggish and timing out. I then found out it was doing it for other apps such as messenger, steam and IRC. It ends up in behavior that seems like packet loss, although I've seen the actual wireless connection be killed from "internet" to "local access" (Vista's wireless modes) for about a second. Looking at ESET's firewall log (with all logging turned on) I see a flood of new events in the log.

    Time - Event - Source - Target - Protocol
    Every second - Packet blocked by active defense (IDS) - 192.168.1.1 - 192.168.1.2 - ARP

    I've never seen these events in the log before, and I can't say I've changed any settings during my sleep.

    Booting up my XP laptop on the same wireless network, I don't get this issue. Any ideas what is going on?
     
  2. notwaaaa

    notwaaaa Registered Member

    Joined:
    Sep 23, 2008
    Posts:
    1
    Re: Packet blocked by active defense

    Having this exact same issue. I fixed it by going into setup -> personal firewall -> Change the protection mode of your computer in the network -> set to allow sharing instead of strict protection


    I would like to know why it started doing this just today, when it's worked fine on strict protection for a long time now!

    WRT54G w/ Firmware: DD-WRT v24-sp1 (07/27/08) micro
    XP Pro SP3

    also about info:
    Virus signature database: 3466 (20080923)
    Update module: 1024 (20080514)
    Antivirus and antispyware scanner module: 1151 (20080922)
    Advanced heuristics module: 1076 (20080917)
    Archive support module: 1082 (20080911)
    Cleaner module: 1032 (20080724)
    Anti-Stealth support module: 1002 (20080723)
    Personal firewall module: 1039 (20080822)
    Antispam module: 1008 (20080708)
     
    Last edited: Sep 23, 2008
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Re: Packet blocked by active defense

    Thank you! I had actually turned off the firewall, trusting my hardware firewall, just to get my connection to work to make an important skype call, but this is a cleaner solution. I'm very curious why this started happening today though, especially since the firewall module apparently hasn't been updated.
     
  4. MysticG

    MysticG Registered Member

    Joined:
    Apr 22, 2008
    Posts:
    19
    Re: Packet blocked by active defense

    I turned the logs on for that today, just to see what logs would come up...

    An avalanche of logs flooded in, in a matter of 10 seconds (a few hundred). I had to turn it back off quickly. I dunno what exactly it's blocking.
     
  5. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Re: Packet blocked by active defense

    Virus signature database: 3466 (20080923)
    Update module: 1024 (20080514)
    Antivirus and antispyware scanner module: 1151 (20080922)
    Advanced heuristics module: 1076 (20080917)
    Archive support module: 1082 (20080911)
    Cleaner module: 1032 (20080724)
    Anti-Stealth support module: 1002 (20080723)
    Personal firewall module: 1039 (20080822)
    Antispam module: 1008 (20080708)

    I've also been having exactly these same issues: blocked packets from my DNS servers, also seemingly spurious blocked packets.

    e.g. Packet blocked by active defense (IDS) source 10.131.130.127 dest 10.131.128.1 protocol ARP.

    I'm behind a hardware firewall, default gateway 192.168.0.1... so where does 10.xxx.xxx.xxx come from?

    End result is loss of network connectivity after about 10 minutes surfing and having to disconnect/reconnect the internet connection.

    I had no such problems until a recent 200+ k/b module update.

    Whatever the problem, I hope ESET get it sorted out quickly, otherwise I'll just have to drop ESS and use only the Antivirus. :mad:
     
  6. MysticG

    MysticG Registered Member

    Joined:
    Apr 22, 2008
    Posts:
    19
    Re: Packet blocked by active defense

    Judging by the common issues people are having at the moment, sounds like a bad module update. I hope Eset gets on this RIGHT AWAY!!!

    I wish there was a revert option so if there was a bad module you can revert and opt out of automatic module updates. At least until a good one was released.
     
  7. KarlBeer

    KarlBeer Registered Member

    Joined:
    Jul 8, 2008
    Posts:
    50
    Re: Packet blocked by active defense

    I reinstalled and hit the update button.

    Restored all my settings via Import/Export settings, and all is good.

    All Settings are there.

    /The Activity light on PC is now off.=)

    Verified that installing over the previous install does work.
    /when deleting all the old files first...


    The Installer and Prog are definitely Out Sourced...=(
     
    Last edited: Sep 24, 2008
  8. Womble29

    Womble29 Registered Member

    Joined:
    Sep 24, 2008
    Posts:
    1
    Re: Packet blocked by active defense

    Is there going to be an update that fixes this - I'm not going to reinstall on 250 laptops just because of some bad coding!
     
  9. bitmap

    bitmap Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    9
    Re: Packet blocked by active defense

    Regretfully adding my name to this growing list. I have the same problem which only seemed to crop up yesterday. As stated, seems to be a bad update component as I did not alter any of my settings.
     
  10. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Re: Packet blocked by active defense

    I also solved this problem by exporting my current settings and doing a clean uninstall/reinstall then importing the settings. (note: some settings in zone config don't seem to save/restore, also upon reboot, active defense had disabled itself so I had to go into the config and reenable it). After running update...all seems ok, no more blocked connections etc...rebooted several times to make sure and all functionality seems as per norm.

    This solution though is rather ridiculous for server environments.
     
  11. johnd

    johnd Registered Member

    Joined:
    Sep 24, 2008
    Posts:
    1
    Re: Packet blocked by active defense

    Same here. This is not a configuration issue. The latest update is bad. In order to get here I had to disable the firewall. Turning it back on means that after about 10 minutes all network traffic is blocked, regardless of the source.
     
  12. nippa

    nippa Registered Member

    Joined:
    Jan 5, 2008
    Posts:
    11
    Re: Packet blocked by active defense

    Currently I have the Firewall turned off. I wasted too much time yesterday trying to figure out what went wrong.
    Some of the fixes above don't work for me:(
     
  13. rafmet

    rafmet Registered Member

    Joined:
    Sep 24, 2008
    Posts:
    1
    Re: Packet blocked by active defense

    I think the simplest workaround for now is to disable 'ARP Poisoning Attack Detection' in 'IDS and advanced options'. At least that worked for me.
     
  14. nippa

    nippa Registered Member

    Joined:
    Jan 5, 2008
    Posts:
    11
    Re: Packet blocked by active defense

    Thanks, I reinstalled and tried that and it seems to work
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Hi all, I just logged on now and noticed that the firewall module has been updated.

    Personal firewall module: 1040 (20080924)

    I have turned strict protection back on and the problem seems to be gone, everyone else noticing this too?

    I'm glad it's fixed, and I'm not so bothered it got broken because of the fast response time, what is really bugging me is why was the update not listed? As you can see in the 2nd post, I highly dislike invisible updates.

    EDIT: Looking at my log, all of yesterday's entries have changed to:

    24/09/2008 08:48:20 Unknown code 00058800
    24/09/2008 08:47:59 Unknown code 00020002

    and similar.
     