Packet blocked by active defense - bad component update?

So today I'm doing my usual surfing on my Vista laptop, with the odity that it is exremely sluggish and timing out. I then found out it was doing it for other apps such as messenger, steam and IRC. It ends up in behavior that seems like packet loss, although I've seen the actual wireless connection be killed from "internet" to "local acess" (vistas wireless modes) for about a second. Looking at eset's firewall log (with all logging turned on) I see a flood of new events in the log.

Time - Event - Source - Target - Protocol
Every second - Packet blocked by active defense (IDS) - 192.168.1.1 - 192.168.1.2 - ARP

I've never seen these events in the log before, and I can't say I've changed any settings during my sleep.

Booting up my XP laptop on the same wireless network, I don't get this issue. Any ideas what is going on?

 

Re: Packet blocked by active defense

Having this exact same issue. I fixed it by going into setup -> personal firewall -> Change the protection mode of your computer in the network -> set to allow sharing instead of strict protection


I would like to know why it started doing this just today, when it's worked fine on strict protection for along time now!

WRT54G w/ Firmware: DD-WRT v24-sp1 (07/27/0 micro
XP Pro SP3

also about info:
Virus signature database: 3466 (20080923)
Update module: 1024 (20080514)
Antivirus and antispyware scanner module: 1151 (20080922)
Advanced heuristics module: 1076 (20080917)
Archive support module: 1082 (20080911)
Cleaner module: 1032 (20080724)
Anti-Stealth support module: 1002 (20080723)
Personal firewall module: 1039 (20080822)
Antispam module: 1008 (2008070

 

Re: Packet blocked by active defense

Thank you! I had actually turned off the firewall, trusting my hardware firewall, just to get my connection to work to make an important skype call, but this is a cleaner solution. I'm very curious why this started happening today though, especially since the firewall module apparently hasn't been updated.

 

Re: Packet blocked by active defense

I turned the logs on for that today, just to see what logs would come up...

A avalanche of logs flooded in, in a matter of 10 seconds (a few hundred). I had to turn it back off quickly. I dunno what exactly it's blocking.

 

Re: Packet blocked by active defense

Virus signature database: 3466 (20080923)
Update module: 1024 (20080514)
Antivirus and antispyware scanner module: 1151 (20080922)
Advanced heuristics module: 1076 (20080917)
Archive support module: 1082 (20080911)
Cleaner module: 1032 (20080724)
Anti-Stealth support module: 1002 (20080723)
Personal firewall module: 1039 (20080822)
Antispam module: 1008 [noparse](2008070[/noparse]

I've also been having exactly these same issues, blocked packets from my dns servers also seemingly spurious blocked packets.

e.g. Packet blocked by active defense (IDS) source 10.131.130.127 dest 10.131.128.1 protocol ARP.

I'm behind a hardware firewall, default gateway 192.168.0.1... so where does 10.xxx.xxx.xxx come from?

End result is loss of network connectivity after about 10 minutes surfing and having to disconnect/reconnect the internet connection.

I had no such problems until a recent 200+ k/b module update.

Whatever the problem I hope eset get it sorted out quickly otherwise I'll just have to drop ESS and use only the Antivirus.

 

Re: Packet blocked by active defense

Judging by the common issues people are having at the moment, sounds like a bad module update. I hope Eset gets on this RIGHT AWAY!!!

I wish there was a revert option so if there was a bad module you can revert and opt out of automatic module updates. At least until a good one was released.

 

Re: Packet blocked by active defense

I reinstalled and hit the update button.

Restored all my settings via Import/Export settings, and all is good.

All Settings are there.

/The Activity light on PC is now off.=)

Verified that installing over the previous install does work.
/when deleting all the old files first...


The Installer and Prog are definitely Out Sourced...=(

 

Re: Packet blocked by active defense

Is there going to be an update that fixes this - I'm not going to reinstall on 250 laptops just because of some bad coding!

 

Re: Packet blocked by active defense

Regretfully adding my name to this growing list. I have the same problem which only seemed to crop up yesterday. As stated, seems to be a bad update component as I did not alter any of my settings.

 

Re: Packet blocked by active defense

I also solved this problem by exporting my current settings and doing a clean uninstall/reinstall then importing the settings. (note: some settings in zone config don't seem to save/restore, also upon reboot, active defense had disabled itself so I had to go into the config and reenable it). After running update...all seems ok, no more blocked connections etc...rebooted several times to make sure and all functionality seems as per norm.

This solution though is rather ridiculous for server environments.

 

Re: Packet blocked by active defense

Same here. This is not a configuration issue. The latest update is bad. In order to get here I had to disable the firewall. Turning it back on means that after about 10 minutes all network traffic is blocked, regardless of the source.

 

Re: Packet blocked by active defense

Currently I have the Firewall turned off. I wasted too much time yesterday trying to figure out what went wrong.
Some of the fixes above don't work for me

 

Re: Packet blocked by active defense

I think the simplest workaround for now is to disable 'ARP Poisoning Attack Detection' in 'IDS and advanced options'. At least that worked for me.

 

Re: Packet blocked by active defense

Thanks , I reinstalled and tried that and it seems to work

 

Hi all, I just logged on now and noticed that the firewall module has been updated.

Personal firewall module: 1040 (20080924)

I have turned strict protection back on and the problem seems to be gone, everyone else noticing this too?

I'm glad it's fixed, and I'm not so bothered it got broken because of the fast response time, what is really bugging me is why was the update not listed? As you can see in the 2nd post, I highly dislike invisible updates.

EDIT: Looking at my log all of yesterdays entries have changed to:

24/09/2008 08:48:20 Unknown code 00058800
24/09/2008 08:47:59 Unknown code 00020002

and similar.