Something odd about ESET Smart Security Active Defense

Discussion in 'ESET Smart Security' started by AlwaysLearning, Aug 16, 2010.

Thread Status:
Not open for further replies.
  1. AlwaysLearning

    AlwaysLearning Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    22
    Greetings,

I noticed something odd in the ESET Smart Security Personal Firewall Log.

    8/16/2010 6:39:38 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

    8/16/2010 6:38:58 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

    8/16/2010 6:38:38 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

    8/16/2010 6:38:28 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

    8/16/2010 6:38:18 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

    8/16/2010 6:38:08 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

    8/16/2010 6:38:03 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

    8/16/2010 6:38:00 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

    8/16/2010 6:38:00 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP

    The ESET Smart Security Event Log showed these entries (normal for a bootup on my Desktop PC) ...

    8/16/2010 6:38:54 AM Kernel Virus signature database successfully updated to version 5369 (20100816).

    8/16/2010 6:35:11 AM Kernel Error initializing file submission system.

    8/16/2010 6:35:10 AM Kernel Virus scanner initialization failed. Antivirus protection will not function properly.

The IDS entries were created while the Virus signature database was being updated to version 5369 (20100816).

    BTW, all of these log entries were created before I logged onto Windows ... as I always allow 5 minutes between power on and login ... to allow ESET to become active.

    The interesting thing about the IP 89.202.149.36 is that it resolves to ESET-NETS.

    This is the response from www.whatismyIP.com

    % Information related to '89.202.149.32 - 89.202.149.63'

    inetnum: 89.202.149.32 - 89.202.149.63
    netname: ESET-NETS
    descr: Eset, spol. s r.o. network
    country: AT
    admin-c: PL3369-RIPE
    tech-c: PL3369-RIPE
    status: ASSIGNED PA
    remarks: In the event of an abuse complaint contact the admin-c or tech-c
    mnt-by: INTEROUTE-MNTNR
    mnt-lower: INTEROUTE-MNTNR
    changed: [Email Removed] 20070205
    source: RIPE

    person: [Name removed]
    address: Svoradova 1
    address: Slovakia
    phone: [Phone removed]
    fax-no: [Phone removed]
    e-mail: [Email Removed]
    nic-hdl: PL3369-RIPE
    changed: [Email Removed] 20060907
    source: RIPE

    % Information related to '89.202.128.0/17AS8928'

    route: 89.202.128.0/17
    descr: Interoute Telecommunications (UK) Ltd
    origin: AS8928
    notify: [Email Removed]
    notify: [Email Removed]
    mnt-by: INTEROUTE-MNTNR
    changed: [Email Removed] 20060426
    source: RIPE

    Seems odd that ESET would block itself ...

    Any/All comments appreciated. Thanks.

    --Always Learning
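Added example (not part of the original post and not ESET code): before asking what blocked the traffic, a practitioner would normally aggregate the firewall log rather than eyeball nine lines, then check the destination against the inetnum range returned by whois. The block below parses the nine log lines quoted above (embedded verbatim as sample input), groups blocked packets by destination, reports the count, the time span and whether every hit came from the same source port, and tests the destination against the ESET-NETS range 89.202.149.32 - 89.202.149.63 from the RIPE record in the post. The regular expression assumes the line layout is exactly as quoted (timestamp, event text, src:port, dst:port, protocol); function and variable names are my own.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Sample input: the firewall log lines quoted in the post above, embedded
# here so the script runs offline (this is the post's data, not a live log).
FIREWALL_LOG = """\
8/16/2010 6:39:38 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP
8/16/2010 6:38:58 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP
8/16/2010 6:38:38 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP
8/16/2010 6:38:28 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP
8/16/2010 6:38:18 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP
8/16/2010 6:38:08 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP
8/16/2010 6:38:03 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP
8/16/2010 6:38:00 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP
8/16/2010 6:38:00 AM Packet blocked by active defense (IDS) 192.168.1.5:1030 89.202.149.36:80 TCP
"""

# inetnum range taken from the RIPE record quoted in the post (ESET-NETS).
ESET_NETS_RANGE = ("89.202.149.32", "89.202.149.63")

# Assumed line layout: "<date> <time> <AM|PM> <event text> <src>:<port> <dst>:<port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<event>.+?) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<proto>\S+)$"
)


def parse_firewall_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def in_range(ip, first, last):
    """True if ip lies inside the inclusive inetnum range first..last."""
    a = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= a <= ipaddress.ip_address(last)


def summarize(records):
    """Group blocked packets by (dst, dport, proto): count, first/last seen, source ports."""
    by_dst = {}
    for r in records:
        key = (r["dst"], r["dport"], r["proto"])
        e = by_dst.setdefault(
            key, {"count": 0, "first": r["ts"], "last": r["ts"], "src_ports": Counter()}
        )
        e["count"] += 1
        e["first"] = min(e["first"], r["ts"])
        e["last"] = max(e["last"], r["ts"])
        e["src_ports"][r["sport"]] += 1
    return by_dst


def triage(text, inetnum=ESET_NETS_RANGE):
    """One row per destination, flagged if the destination is inside the whois range."""
    rows = []
    for (dst, dport, proto), e in summarize(parse_firewall_log(text)).items():
        rows.append({
            "dst": dst, "dport": dport, "proto": proto,
            "count": e["count"],
            "span_seconds": int((e["last"] - e["first"]).total_seconds()),
            "same_source_port": len(e["src_ports"]) == 1,
            "in_whois_range": in_range(dst, *inetnum),
        })
    return rows


if __name__ == "__main__":
    for row in triage(FIREWALL_LOG):
        print(row)
```

On the quoted lines this yields a single row: nine blocked packets to 89.202.149.36:80/TCP over 98 seconds, all from the same local source port 1030, with the destination inside the ESET-NETS range. A single unchanging source port across the whole burst is the kind of detail worth noting when sending the log along, since a fresh outbound connection would normally get a new ephemeral port.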
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    maybe it is blocking all outside traffic until user login
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Maybe an attack was detected before the communication got blocked? It'd be interesting to see the whole firewall log, at least from 5-10 minutes before these connections were blocked.
     
  4. AlwaysLearning

    AlwaysLearning Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    22
    Cudni suggested that ...

    > maybe it is blocking all outside traffic until user login

    In that case how would ESS be able to update the Virus Database?

    BTW, We can see from the event log that it is able to get new definitions before user login.

    Marcos wondered ...

    > Maybe an attack was detected before the communication got blocked?

    ... and also asked ...

    > It'd be interesting to see the whole firewall log, at least from
    > 5-10 minutes before these connections were blocked.

    The prior Firewall log entries were from 1:00 am when the PC was powered off.

    Any/All comments appreciated. Thanks.

    --Always Learning
     
  5. AlwaysLearning

    AlwaysLearning Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    22
    This issue and some other issues led me to upgrade my PC.

    In other words, too much drama and not enough RAM.

    Comments always appreciated.

    --AlwaysLearning
     