Something odd about ESET Smart Security Active Defense

Greetings,

I noticed something odd in the ESET Smart Security Persomal Firewall Log.

8/16/2010 6:39:38 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

8/16/2010 6:38:58 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

8/16/2010 6:38:38 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

8/16/2010 6:38:28 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

8/16/2010 6:38:18 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

8/16/2010 6:38:08 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

8/16/2010 6:38:03 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

8/16/2010 6:38:00 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

8/16/2010 6:38:00 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

The ESET Smart Security Event Log showed these entries (normal for a bootup on my Desktop PC) ...

8/16/2010 6:38:54 AM Kernel Virus signature database successfully updated to version 5369 (20100816).

8/16/2010 6:35:11 AM Kernel Error initializing file submission system.

8/16/2010 6:35:10 AM Kernel Virus scanner initialization failed. Antivirus protection will not function properly.

The IDS entries were created while the the Virus signature database was being updated to version 5369 (20100816).

BTW, all of these log entries were created before I logged onto Windows ... as I always allow 5 minutes between power on and login ... to allow ESET to become active.

The interesting thing about the IP 89.202.149.36 is that it resolves to ESET-NETS.

This is the response from www.whatismyIP.com

% Information related to '89.202.149.32 - 89.202.149.63'

inetnum: 89.202.149.32 - 89.202.149.63
netname: ESET-NETS
descr: Eset, spol. s r.o. network
country: AT
admin-c: PL3369-RIPE
tech-c: PL3369-RIPE
status: ASSIGNED PA
remarks: In the event of an abuse complaint contact the admin-c or tech-c
mnt-by: INTEROUTE-MNTNR
mnt-lower: INTEROUTE-MNTNR
changed: [Email Removed] 20070205
source: RIPE

person: [Name removed]
address: Svoradova 1
address: Slovakia
phone: [Phone removed]
fax-no: [Phone removed]
e-mail: [Email Removed]
nic-hdl: PL3369-RIPE
changed: [Email Removed] 20060907
source: RIPE

% Information related to '89.202.128.0/17AS8928'

route: 89.202.128.0/17
descr: Interoute Telecommunications (UK) Ltd
origin: AS8928
notify: [Email Removed]
notify: [Email Removed]
mnt-by: INTEROUTE-MNTNR
changed: [Email Removed] 20060426
source: RIPE

Seems odd that ESET would block itself ...

Any/All comments appreciated. Thanks.

--Always Learning

 

maybe it is blocking all outside traffic until user login

 

Maybe an attack was detected before the communication got blocked? It'd be interesting to see the whole firewall log, at least from 5-10 minutes before these connections were blocked.

 

Cudni suggested that ...

> maybe it is blocking all outside traffic until user login

In that case how would ESS be able to update the Virus Database?

BTW, We can see from the event log that it is able to get new definitions before user login.

Marcos wondered ...

> Maybe an attack was detected before the communication got blocked?

... and also asked ...

> It'd be interesting to see the whole firewall log, at least from
> 5-10 minutes before these connections were blocked.

The prior Firewall log entries were from 1:00 am when the PC was powered off.

Any/All comments appreciated. Thanks.

--Always Learning

 

This issue and some other issues led me to upgrade my PC.

In other words, too much drama and not enough RAM.

Comments always appreciated.

--AlwaysLearning