Phantom rule creation

Discussion in 'ESET Smart Security' started by KFBeaker, Dec 30, 2007.

Thread Status:
Not open for further replies.
  1. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    I just had the strangest thing happen and would like to hear what you all have to say.

    I was installing the latest version of ESS today when out of nowhere a rather cryptic rule appeared in the firewall rules. No screenshot but the rule was named "New rule" and its parameters were to allow everything through to everything on every protocol in every zone!

    This happened within minutes of installing ESS and switching to interactive mode. I did not create this rule nor did I click on any pop up box for ESS to create this rule. In fact the only reason I went to look at the rules is that no matter what application I ran to connect to the internet, I was getting no pop ups and everything was being allowed through the ESS firewall!

    Is this a glitch any of you have run across?

    Could there be a trojan or malware out there with the ability to write disabling rules to the ESS firewall?

    ESET online scanner says my system is clean, but should I do more online scanning to be sure?
     
  2. ASpace

    ASpace Guest

    Although nowadays everything's possible, I doubt it is trojan software because it would be a really rare one and there would be no point in doing it; how many people worldwide use ESS? Still not so many.

    Try to reinstall Eset Smart Security:
    1. Download a fresh new Eset v3 product from http://www.eset.com/download . Make sure that you choose the correct version.
    2. Uninstall your current version from Control Panel -> Add/Remove programs
    3. Reboot the computer when prompted
    4. Manually delete this folder:

    - C:\Documents and Settings\All users\Application data\Eset

    5. Reinstall your ESET smart protection with the file you just downloaded. Use the typical install. Reconfigure everything from scratch.
     
  3. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    Thanks HTB. Done as you outlined.

    I must say I almost wish the online ESET scanner turned up a trojan or virus as it would at least explain the phantom rule creation. Not knowing how this happened leaves me feeling a bit concerned.

    All well for now though.
     
  4. kringles

    kringles Registered Member

    Joined:
    Aug 5, 2005
    Posts:
    52
    Saw the exact same thing (New Rule allowing all I/O) when installing ESS .621 on my Vista PC. Did not see it on either of my XP PCs. There is no C:\Documents and Settings\All users\Application data\Eset on the Vista PC. Also can find no Eset folders or files after removing ESS via add/remove. Is this a possible bug in ESS? Online scan at Eset shows no problems. Removed the 'New Rule' and will try to reinstall again.

    Deleted the 'new rule' and reinstalled ESS. All was ok and then the 'new rule' was once again added for no known reason. Deleted it again and will try to find out what is causing this. All scans show PC clean and had very recently imaged back to a 'clean' install of windows.

    The system runs for a short while after deleting the 'new rule' which allows all outgoing TCP/UDP and then the 'new rule' gets added again.
     
    Last edited: Jan 4, 2008
  5. Jacqui D

    Jacqui D Registered Member

    Joined:
    Nov 26, 2007
    Posts:
    31
    I have had a similar situation with New rules created. The first is to allow all TCP/UDP inbound traffic, but it only applies to the Trusted zone/all/all/all. A second rule, called: New rule (2) was also created to deny all outbound traffic (TCP/UDP), all/all/all/all which I have deleted. It hasn't reappeared and I don't know how either got there in the first place.

    Jacqui
     
  6. kringles

    kringles Registered Member

    Joined:
    Aug 5, 2005
    Posts:
    52
    Had a chance to look into it a little further. It is my Wife's PC and she was doing most of the use. Some pop ups concerning port 5355 (llmnr) and port 67 (bootps) requests were being seen and responded to with 'allow and remember'. These seem to be legitimate but the rule generated for allow was the 'new rule' that allowed all outgoing requests. If a 'deny and remember' response is given all outgoing traffic is denied! Since she was allowing there were no further pop ups and all outgoing was allowed just as in the 'automatic' firewall mode.

    Everyone running interactive mode should check the detailed view of all rules to see if the 'New Rule' has been added. Don't know if this only applies to Vista users but have not seen this on my two XP PCs yet.
     
  7. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    I had this on my XP x64 pc. I downloaded a new browser just to try this out with. Before I deleted the rule it allowed the new browser without question. Then I uninstalled the new browser, deleted the rule then reinstalled the browser. This time it asked what to do with it. I'd like to know what's up with this too. Oh boy, something new to worry about. o_O
     
  8. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    Do you have any way of knowing what she was doing when this came up? I deleted the rule. It's probably going to come up again.

    I know, I'll check every time it asks about allowance for a new thing. Maybe I can catch that booger.
     
  9. kringles

    kringles Registered Member

    Joined:
    Aug 5, 2005
    Posts:
    52
    @Stuey,

    No particular operation in progress at the time. Note the pop up requests did not occur to her recollection until the firewall was set for 'sharing'. ESS has been removed from the PC for the time being. Back to the old reliable NOD32 2.7. Will use Windows firewall as ESS is currently not better on that PC. When PC becomes available for a time I will do some more testing.

    regards
     
  10. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    Ok thanks kringles. I thought when I asked that it was probably too much to ask. That's just something we'll really have to keep an eye on. Now that we know it's really not a problem.

    I wonder how many of us have this and are unaware. Everybody who is using interactive mode needs to check it out.
     
    Last edited: Jan 6, 2008
  11. kringles

    kringles Registered Member

    Joined:
    Aug 5, 2005
    Posts:
    52
    @Stuey,

    Got a chance to play around with the Vista PC, the wife had bunion surgery and is resting. Installed ESS in interactive mode and as soon as it was set up as 'shared' on the local LAN got a pop up:

    Application: {blank}
    Remote Computer: 255.255.255.255
    Remote Port: 67 (bootps)

    If a remember/allow is done the following rule is added:

    New Rule allow out TCP&UDP all all all all

    This effectively allows all future outgoing requests.

    Then removed this rule and when it popped up again selected advanced and set up a custom rule as follows:

    bootps rule; allow out; UDP; IP 255.255.255.255; Local port all; Remote Port DHCPS(67); Application all

    This seems to (for the time being) have resolved the problem. I know there were some other requests that came up that caused the same type of problem but they have not yet occurred on this installation. It seems that the rule generated by the ESS firewall may be too general, especially when no specific application is identified. Hope this helps identify this apparent bug in ESS.

    regards

    PS have submitted a Customer Service support request to ESET referencing this thread.
     
    Last edited: Jan 8, 2008
  12. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    Thanks kringles. That gives us an idea on what to look out for. I expected it to pop back up on mine but it hasn't. I'm going to be trying some settings changes for the "View workgroup computers" issue tonight. Maybe it'll come back up then. We'll see.
     
  13. NBP Pipsquack Bird

    NBP Pipsquack Bird Registered Member

    Joined:
    Aug 12, 2007
    Posts:
    59
    Location:
    Kingdom of NOD
    It appears the odd rule creations are a bug and start once a pop up dialog box for rule creation appears. And from what you all are saying, those instances and the fudged rule created can happen a number of different ways.

    However, I want to stress,

    THERE WAS NO POP UP DIALOG BOX FOR ANY RULE CREATION in the case I described when starting this thread. Nothing to allow, deny, or anything else for that matter. (Thus the name "phantom" rule creation, not "odd" rule creation.)

    Yes, it did happen soon after installation, and yes I had recently selected sharing mode and interactive mode. But beyond that - no pop ups. In fact it was the lack of pop ups that had me go look at the rules when I noticed the "New Rule" that was allowing everything past the firewall!

    I appreciate all the posts and input, but it seems we may not all be talking about the same issue here.
     
  14. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    Mine still hasn't returned. :thumb:
     
  15. rwt325

    rwt325 Registered Member

    Joined:
    Jul 28, 2005
    Posts:
    101
    Location:
    Strasburg VA
    I have been using ESS since June of last year. Every time I installed an upgrade on top of the existing version, I got trouble, both on my XP and Vista computers. For the last few upgrades I did a clean install only and had no problems.

    I uninstall previous version, then manually clean out the remnants from the registry, then install an updated version.
     
  16. kringles

    kringles Registered Member

    Joined:
    Aug 5, 2005
    Posts:
    52
    @NBP Pipsquack Bird,

    When I first saw your post I checked my three PCs for the 'new rule' and found it present on my wife's PC (Vista Home Premium), see my post #4 in this thread. At that time I did not know of the association with pop up requests for communication. After some testing I realized that in my case the 'new rule' was being generated as a result of certain pop up requests for communication. This was tested on a 'clean' install of windows. The problem I am having is apparently somewhat different than what you reported but the 'new rule' generated by ESS was identical.

    Note: if the pop up mentioned is responded to with a deny and remember, a different 'new rule' is generated that denies all UDP & TCP outgoing communication. This would be noticed quite quickly as all internet and inter-PC communication would be lost.

    On my Wife's PC I selected custom when the pop up request occurred and let ESS generate the 'fudged' rule. This seemed to fix the problem as a temporary workaround in this case. After running the PC with the 'fudged' rule for several days I then deleted the 'fudged' rule and have seen no further occurrences, strange.

    In your case the problem seems worse as there is no pop up request associated and one would be less likely to notice the addition of the 'new rule' until a new application requiring communication was added and no pop up request for communication occurred. Even then the operator would have to realize that the request was missing, something not always obvious to the casual observer.

    Also note that I reported this problem to ESET on 8 Jan (referencing this thread) and have not got any response from ESET.

    regards
     
  17. wormog

    wormog Registered Member

    Joined:
    Feb 1, 2008
    Posts:
    3
    Thank you!

    I had two of these phantom rules. Allow All of everything. Just removed those rules and the firewall works again in interactive mode!

    I didn't have to reinstall the whole thing.

     
  18. CyGho

    CyGho Registered Member

    Joined:
    Sep 11, 2004
    Posts:
    35
    Location:
    The Netherlands
    I've had it once on an XP machine. I noticed it after installing a program and there were no popups.

    I think it has something to do with allowing a program to connect and remember it (via the popup).
    It looks like the rule is saved but not the program, so the rule will allow any program after that.
     
  19. jobeard

    jobeard Registered Member

    Joined:
    Jan 31, 2008
    Posts:
    15
    Location:
    So. Calif
    This is the broadcast IP address on port 67 (bootp) and should not cause anyone any harm.

    Originally, this protocol was used to boot a diskless system from an image across the network.

    Today, it's just 'so what' as there are other controls to control the results.

    The (local) broadcast address would be on your gateway xxx.xxx.xxx.255 and that is typically OPEN too.
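    As an added example for this thread (not ESET's code, not Windows' DHCP client, and not any poster's), the packet behind the 'Remote Computer 255.255.255.255, Remote Port 67 (bootps)' pop up that jobeard explains above: a minimal BOOTP/DHCP encoder and decoder that builds a DHCPDISCOVER and reports the UDP flow a host firewall would see for it. The MAC address and transaction id are made up.

```python
"""Minimal BOOTP/DHCP encoder and decoder (constructed example for this thread,
not ESET's or the operating system's code). Builds a DHCPDISCOVER, decodes it,
and reports the 5-tuple a host firewall sees: UDP 0.0.0.0:68 -> 255.255.255.255:67."""
import struct
from typing import Dict, Tuple

BOOTREQUEST = 1
BOOTPS_PORT, BOOTPC_PORT = 67, 68          # server and client ports (RFC 951)
LIMITED_BROADCAST = "255.255.255.255"
DHCP_MAGIC = b"\x63\x82\x53\x63"           # RFC 2131 magic cookie before the options
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
DHCPDISCOVER = 1
BROADCAST_FLAG = 0x8000                    # RFC 2131 'B' flag in the flags field
_HDR = "!BBBBIHH4s4s4s4s16s64s128s"        # fixed 236-byte BOOTP header
_HDR_LEN = struct.calcsize(_HDR)


def build_discover(mac: bytes, xid: int) -> bytes:
    """A client with no address yet: every address field is 0.0.0.0 and the
    broadcast flag asks the server to answer by broadcast as well."""
    zero4 = b"\x00" * 4
    header = struct.pack(_HDR, BOOTREQUEST, 1, 6, 0, xid, 0, BROADCAST_FLAG,
                         zero4, zero4, zero4, zero4,
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + options


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_bootp(pkt: bytes) -> Dict[str, object]:
    """Decode the fixed header and the TLV options that follow the magic cookie."""
    if len(pkt) < _HDR_LEN:
        raise ValueError("short BOOTP packet")
    (op, _htype, hlen, _hops, xid, _secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, _sname, _file) = struct.unpack(_HDR, pkt[:_HDR_LEN])
    info: Dict[str, object] = {
        "op": op, "xid": xid, "broadcast": bool(flags & BROADCAST_FLAG),
        "ciaddr": _ip(ciaddr), "yiaddr": _ip(yiaddr),
        "siaddr": _ip(siaddr), "giaddr": _ip(giaddr),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "options": {},
    }
    rest = pkt[_HDR_LEN:]
    if rest.startswith(DHCP_MAGIC):
        i = len(DHCP_MAGIC)
        while i < len(rest):
            tag = rest[i]
            if tag == OPT_PAD:
                i += 1
                continue
            if tag == OPT_END:
                break
            length = rest[i + 1]
            info["options"][tag] = rest[i + 2:i + 2 + length]
            i += 2 + length
    msg = info["options"].get(OPT_MSG_TYPE)
    info["msg_type"] = msg[0] if msg else None
    return info


def flow_for_discover(pkt: bytes) -> Tuple[str, str, int, str, int]:
    """(proto, local ip, local port, remote ip, remote port) as a host firewall
    sees a DISCOVER: the client has no address, so the source is 0.0.0.0:68 and
    the destination is the limited broadcast address on the bootps port."""
    info = parse_bootp(pkt)
    if info["op"] != BOOTREQUEST or info["msg_type"] != DHCPDISCOVER:
        raise ValueError("not a DHCPDISCOVER")
    return ("UDP", str(info["ciaddr"]), BOOTPC_PORT, LIMITED_BROADCAST, BOOTPS_PORT)


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("001122334455"), 0x1234)
    print(len(pkt), parse_bootp(pkt), flow_for_discover(pkt))
```

    The flow tuple is what the firewall has to classify. Because the sender has no IP address yet and the traffic comes from the operating system's DHCP client rather than a user program, the pop up in the thread showed a blank application; a rule scoped to UDP, remote 255.255.255.255, remote port 67 covers exactly this flow and nothing else.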
     
  20. kringles

    kringles Registered Member

    Joined:
    Aug 5, 2005
    Posts:
    52


    @jobeard,

    You are correct in your analysis on the quoted 'fudged rule'. The problem is that the 'new rule' (New Rule allow out TCP&UDP all all all all) is a problem. It effectively allows all outgoing communication for any current or future applications on the PC. It does this without notification to the user, rendering the 'interactive' mode inoperative for outgoing communication. It does still allow for blocking of unsolicited incoming requests.

    The 'fudged' custom rule (bootps rule; allow out; UDP; IP 255.255.255.255; Local port all; Remote Port DHCPS(67); Application all) that was added (created by ESS) when the custom rule option was selected on the 'pop up' works ok. It does not allow for all outgoing I/O as does the 'new rule' added when the 'pop up' request is given the usual 'allow/remember' response. If ESS created this rule when the 'allow/remember' option is selected it would be a better result. Note: I chose to rename the 'fudged' rule 'bootps' since that was the 'pop up' request. ESS called it 'new rule' as I remember.

    Since my last post I have removed the 'fudged' custom version of the rule and so far have not seen the 'new rule' added again either via response to a 'pop up' request or spontaneously, strange!


    best regards
     
    Last edited: Feb 4, 2008
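    As an added example for this thread (not ESET's code, and not any poster's), a toy model of the rule table that kringles describes in posts #11 and #20: it evaluates sample outbound connections against the all-wildcard 'New rule', the 'deny and remember' variant, and the scoped bootps rule, and it includes the audit check the thread recommends (look for any remembered rule that decides outbound traffic for every application, host and port). The rule fields, first-match semantics, browser path and TEST-NET address are assumptions made for illustration.

```python
"""Toy application-firewall rule model (constructed example for this thread,
not ESET's code). Shows why an all-wildcard outbound rule silences interactive
prompts, what the 'deny and remember' variant does, and how a narrowly scoped
bootps rule leaves interactive mode intact. Fields and first-match semantics
are assumptions for illustration."""
from dataclasses import dataclass
from typing import List

ANY = "*"   # wildcard standing in for the 'all' entries shown in the thread


@dataclass(frozen=True)
class Connection:
    direction: str      # "in" or "out"
    protocol: str       # "TCP" or "UDP"
    remote_ip: str
    local_port: int
    remote_port: int
    application: str    # "" when no application is identified (blank, as in the bootps pop-up)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str         # "allow" or "deny"
    direction: str
    protocol: str       # "TCP", "UDP", "TCP&UDP" or ANY
    remote_ip: str
    local_port: str
    remote_port: str
    application: str

    def matches(self, c: Connection) -> bool:
        proto_ok = self.protocol == ANY or c.protocol in self.protocol.split("&")
        return (self.direction == c.direction and proto_ok
                and self.remote_ip in (ANY, c.remote_ip)
                and self.local_port in (ANY, str(c.local_port))
                and self.remote_port in (ANY, str(c.remote_port))
                and self.application in (ANY, c.application))


def evaluate(rules: List[Rule], c: Connection) -> str:
    """First matching rule decides. With no match, interactive mode prompts the user."""
    for r in rules:
        if r.matches(c):
            return r.action
    return "prompt"


def overly_broad(rules: List[Rule]) -> List[str]:
    """Audit check: names of rules that decide outbound traffic for every
    application, every remote host and every port, i.e. rules that make
    interactive mode moot for outbound connections."""
    return [r.name for r in rules
            if r.direction == "out" and r.application == ANY
            and r.remote_ip == ANY and r.remote_port == ANY
            and r.protocol in (ANY, "TCP&UDP")]


# Rules as reported in the thread ('all all all all' rendered as wildcards).
PHANTOM_ALLOW = Rule("New rule", "allow", "out", "TCP&UDP", ANY, ANY, ANY, ANY)
PHANTOM_DENY = Rule("New rule (2)", "deny", "out", "TCP&UDP", ANY, ANY, ANY, ANY)
BOOTPS_SCOPED = Rule("bootps rule", "allow", "out", "UDP", "255.255.255.255", ANY, "67", ANY)

# Constructed sample traffic: the DHCP broadcast behind the pop-up, and a freshly
# installed browser (hypothetical path, TEST-NET-1 address) making its first connection.
DHCP_DISCOVER = Connection("out", "UDP", "255.255.255.255", 68, 67, "")
NEW_BROWSER = Connection("out", "TCP", "192.0.2.10", 51234, 80,
                         r"C:\Program Files\NewBrowser\browser.exe")


def demo() -> dict:
    return {
        "phantom_browser": evaluate([PHANTOM_ALLOW], NEW_BROWSER),   # "allow": no prompt ever
        "deny_browser": evaluate([PHANTOM_DENY], NEW_BROWSER),       # "deny": all outbound lost
        "scoped_dhcp": evaluate([BOOTPS_SCOPED], DHCP_DISCOVER),     # "allow": the DHCP flow only
        "scoped_browser": evaluate([BOOTPS_SCOPED], NEW_BROWSER),    # "prompt": interactive mode intact
        "flagged": overly_broad([PHANTOM_ALLOW, BOOTPS_SCOPED, PHANTOM_DENY]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The point of the audit function is the check several posters ended up doing by hand: a remembered rule with wildcards in the application, remote address and port fields will match a brand-new program's first connection, so the only symptom is the absence of a prompt. Scoping the remembered rule to the flow that actually triggered it (UDP to 255.255.255.255 port 67) keeps every other outbound attempt falling through to the prompt.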
  21. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    Since the time I found the "New Rule" and deleted it I have checked to see if it comes back almost daily. It still has never returned. I guess I'll keep on til I hear that someone has found the reason for it and we are certain it isn't going to return.
     
  22. Mikey2

    Mikey2 Registered Member

    Joined:
    Jan 21, 2008
    Posts:
    5
    Thank you for posting this!

    I was wondering why I haven't seen an interactive-mode popup in a while! (Sure enough I had this "new rule" on my system.)

    This should almost be a "sticky" thread; thank you so much for bringing this to my attention.

    However, I am still unclear why this happened. I have version 3.0.621.0 and have had it for while. It looks like this "new rule" was created on 1/25/08...

    I guess I will continue to look for it (especially when allowing new applications to have access...)
     
  23. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    Hello All

    I just wanted to ask whether this New Rule that suddenly appears and allows everything out (which I also found on my two machines and immediately deleted) is a serious flaw in ESS or not.

    I was struck by the relaxed view posters have taken re. this bizarre event - I thought there would be more incredulity at how this basically puts the ESS firewall on a par with its much maligned Windows counterpart.

    My understanding was that we all are supposed to run s/w firewalls to protect at application level and that the accepted wisdom is that the Windows effort is inadequate given that it only provides inbound protection....

    Please refrain from flaming if I've got this totally wrong, as I'm really on the steep side of the learning curve re. security - I just don't get why all ESS users aren't complaining about their firewalls allowing all outbound traffic without user consciousness.

    Philby
     
  24. kringles

    kringles Registered Member

    Joined:
    Aug 5, 2005
    Posts:
    52
    @philby,

    If you look back at my posts you will see that I reported it to ESET. They did respond after a few days and have requested additional info on my system. I have supplied them with all the info they requested and referred them to this (and similar) threads. I also agree that when this occurs (usually without warning) the ESS firewall 'Interactive' mode is effectively disabled and operates like the Windows firewall. I agree that it should be treated as a serious flaw/bug.

    To all: if operating in the 'Interactive' mode please check for this 'New Rule' and if found report to ESET via their reporting mechanism. A number of people on this forum have reported this problem in various threads. Maybe if enough report it directly to ESET they will give it a higher priority and get the info needed to duplicate and correct it.

    regards
     
  25. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    I don't really know how other users feel about this but I am concerned. Like I said in a previous post I check on the "new rule" pretty much daily. I'm not relaxed about it at all.

    On the other hand I feel that being impatient and bitchy with Eset is going to do no good. They'll fix it when they can. I'll just keep an eye on it til they do.
     