v4 IDS killing internet connection

Discussion in 'ESET Smart Security' started by SEMEYE, Mar 4, 2009.

Thread Status:
Not open for further replies.
  1. silverfox55

    silverfox55 Registered Member

    Joined:
    Apr 28, 2008
    Posts:
    97
    Location:
    The Original Washington
    Or the Register.

    I have no idea why this was released out of Beta let alone RC, apart from an exhibition / trade fair which is just an excuse for free beer and food.

    I will wait for several weeks of good reports before I install V4
     
  2. theseus47

    theseus47 Registered Member

    Joined:
    Feb 24, 2009
    Posts:
    13
    Well to be fair, 1045 did fix the internet connection problem that I was having while using a wired line, so at least I can connect to the internet for more than a few minutes at a time now. I suppose not getting access to google is better than not getting access at all?

    Maybe 1046 will allow access to google but mysteriously deny access to wilders, so we wouldn't even have a forum to complain to! :p

    Besides, I'm sure Google is used to having its services blocked now and then, inadvertently or otherwise :D

    Although I suppose if you aggregate all the complaints and send enough of them to Google (or better yet, release them to the media and phrase it in terms of censorship or singling out Google instead of just a bug), then Google might take notice if you publicize it loudly enough, and Google would certainly be able to put more pressure on eset than random customers on forums :p Google wields a bigger stick!
     
    Last edited: Apr 4, 2009
  3. Jenee

    Jenee Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    185
    I have never had issues with any ESS version and Google. I can't imagine why it would be blocked in your system.
     
  4. evilharp

    evilharp Registered Member

    Joined:
    May 20, 2007
    Posts:
    10
    Wow, I guess I am not alone with problems with ESS 4.0.417.

    I opened a thread a few days ago (before the forum became inaccessible). Here are the bugs I've noticed (all web related):

    1) Show Network Connections display goes blank. Does not show anything. I found that a full reinstall (while uninstalling based on KB Solutions ID: SOLN2116) clears this up temporarily. After a few hours of browsing, the Network Connections display drops out.

    2) The Firewall/AV blocks Google, G-Mail, CNN, BBC and a few others. At first I thought this was due to Conficker causing chaos on the web, but it was limited to my PC. My Netbook (running Komodo IS) had no problem accessing anything. Dropped back to ESS 3.0.672 and everything works...

    I checked the logs, and it listed 1000's of attacks (all from Google, CNN, BBC, etc's IP addresses). Is ESS 4 not interpreting traffic correctly?

    3) ESS 4.0.417 does not disable Windows Firewall on install. Really? The freebie garbage disables the Windows firewall, why can't ESS do it?

    My OS - Vista 64 (Ult) SP1
    Internet - Dialup (yes, really... I lived in a rural area)
    Network - A loopback adapter (required for some moronic problems with Securom and Starforce equipped games. They use your IP address as a unique identifier instead of a MAC address)

    I'm staying with ESS 3 until this is cleared up..
     
  5. Riony

    Riony Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    8
    Now ESS is blocking windows live messenger 9. This is insane :eek: ! I can't login when the Firewall is activated but as soon as I turn it off, everything goes back to normal.

    Msn Error code: 80048820

    I have checked the firewall register and there are several DNS attacks using UDP from the ISP server to my computer (since right now, I'm using a dial-up connection)

    The last build added a lot of bugs, everything was working perfectly before. Where can I download the build that was launched before 4.0.417 :doubt: ?

    Edit: Reading this topic https://www.wilderssecurity.com/showthread.php?t=238224, I deactivated that option and WLM is working o_O. Now I will try google and other sites and I will let you know
     
  6. drowell

    drowell Registered Member

    Joined:
    Apr 6, 2009
    Posts:
    1
    Location:
    California
    Guess I'm only chiming in, but having pretty much the same problems, using 4.0.417 under Vista 32 bit; will uninstall, reinstall v. 3 and follow lead of those in this forum;

    thanks to the community for the advice . . .
     
  7. SBMongoos

    SBMongoos Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    215
    Would love to pull ESS v4 for now and reinstall v3 but v3 caused my previous machine and brand new build to reboot.

    I couldn't get help between Eset and a reseller of theirs that I'm a member of to figure out what was going on with v3 so I had to use NOD32. ESS v3 has been great on the laptops here and v4 does not cause my desktop to reboot.

    Just lost all ethernet connection again a moment ago (noticed ESS update not too long ago) and I had to reboot PC to get back online.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,624
    Location:
    USA
    Ok, this is really starting to get irritating. v4 seems to work ok on my 64 bit desktop machine, but on my 32 bit laptop (both Vista) today I open my browser and cannot connect. Can't access my email either. Turn off the firewall and everything works. I don't think anything has been fixed with the newest build. It worked for me for a short time, and then the problems start again. Currently running on a wireless connection, I don't know if that makes a difference. This seriously needs to be fixed. If I can't find a workaround by the end of the day it's back to v3. Again.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Please enable logging blocked connections, reproduce the problem and then check the firewall log for details. We'll appreciate if you post an excerpt from the log with relevant records about blocked connections here.
     
  10. SBMongoos

    SBMongoos Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    215
    I did this just the other day. However, when I go to look at the log it keeps "loading log files" every few seconds so I cannot look at the log and ESS always comes to the top of any windows I have open when it refreshes (which is very frequently - measured in seconds).
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    After you've replicated the issue, disable logging blocked connections so that you can work with the firewall log.
     
  12. SBMongoos

    SBMongoos Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    215
    Marcos: the log has a lot of info. Not sure what to grab to copy/paste here in the forum. I saved it all to .txt file but every time I try to upload the file I get a message from FF saying connection to server was reset and the file never gets uploaded. The file is 8.5mb so I'm guessing the size is the cause of this issue.
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,624
    Location:
    USA
    Ok, I enabled the firewall and logging and attempted to access a website. Here is the xml from the log:

    <RECORD>
    <COLUMN NAME="Time">
    <DATE>4/7/2009</DATE>
    <TIME>11:22:30 AM</TIME>
    </COLUMN>
    <COLUMN NAME="Event">No usable rule found</COLUMN>
    <COLUMN NAME="Source">192.168.2.22</COLUMN>
    <COLUMN NAME="Target">224.0.0.251</COLUMN>
    <COLUMN NAME="Protocol">IGMP</COLUMN>
    <COLUMN NAME="Rule/worm name"></COLUMN>
    <COLUMN NAME="Application">System</COLUMN>
    <COLUMN NAME="User"></COLUMN>
    </RECORD>

    I don't know if this is helpful but for what I did this is all it logged. I can try to use it longer if that is more helpful.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Do you use the firewall in automatic mode? Do you have IGMP protocol enabled in the IDS section of the firewall setup? Does switching the firewall to learning or interactive mode for the time necessary to create the desired rules make a difference?
     
  15. SBMongoos

    SBMongoos Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    215
    Marcos: I hope you don't mind my jumping in on this also. I forgot to switch to interactive, which is my preference, when updating to recent releases. This I think will help. I set this to interactive yesterday morning. I am seeing some reports in the log about IGMP. My log file is huge and it hasn't been enabled that long. I'm including some snippets below.

    4/7/2009 9:03:28 AM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
    4/7/2009 9:03:23 AM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
    4/7/2009 9:03:18 AM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
    4/7/2009 9:03:14 AM No usable rule found 192.168.0.100 239.255.255.250 IGMP
    4/7/2009 9:03:13 AM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
    4/7/2009 9:03:12 AM No usable rule found 192.168.0.100 224.0.0.251 IGMP
    4/7/2009 9:03:03 AM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
    4/7/2009 9:02:58 AM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
    4/7/2009 9:02:56 AM Communication denied by rule 192.168.0.105:1025 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests
    4/7/2009 9:02:56 AM Communication denied by rule 192.168.0.105:1025 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests
    ***
    4/7/2009 9:01:51 AM Packet blocked by active defense (IDS) 192.168.0.100:2890 65.212.121.29:80 TCP
    ***
    4/7/2009 9:01:11 AM No usable rule found 192.168.0.100 239.255.255.250 IGMP
    4/7/2009 9:01:11 AM Packet blocked by active defense (IDS) 192.168.0.100:2890 65.212.121.29:80 TCP
    4/7/2009 9:01:11 AM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
    4/7/2009 9:01:07 AM No usable rule found 192.168.0.100 224.0.0.251 IGMP
    ***
    4/7/2009 9:00:20 AM Communication denied by rule 5.158.51.183:138 5.255.255.255:138 UDP Block outgoing NETBIOS requests System NT AUTHORITY\SYSTEM
    ***
    4/7/2009 8:59:08 AM No usable rule found 192.168.0.100 224.0.0.251 IGMP
    4/7/2009 8:59:08 AM No usable rule found 192.168.0.100 239.255.255.250 IGMP
    ***
    4/7/2009 8:58:29 AM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
    ***
    4/7/2009 8:58:29 AM Communication denied by rule 192.168.0.105:1025 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests
    4/7/2009 8:58:29 AM Communication denied by rule 192.168.0.105:1025 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests
    ***
    4/6/2009 2:04:53 PM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
    4/6/2009 2:04:48 PM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
    ***
    4/6/2009 2:04:24 PM Packet blocked by active defense (IDS) 192.168.0.100:4902 65.212.118.29:80 TCP
    ***

    192.168.0.105 is my Epson multi function printer. (lots of messages in the log)

    I'm seeing several IGMP messages. My desktop is the 192.168.0.100.

    192.168.0.1 is my D-Link WiFi router.

    I've blocked the Bonjour service. Must have installed with Safari. Don't see an uninstall option in add/remove.

    I may have easily missed some things but the above are repeated a lot.
     
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,624
    Location:
    USA
    I don't use automatic mode, causes more problems than I already have. I use interactive mode, and rules (allow) have already been created for the applications that are refusing to connect. All settings in the IDS section are defaults (all are checked by default).
     
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,624
    Location:
    USA
    It could have come with many things, including iTunes or one of Adobe's CS suites. If you want to get rid of it and don't have an uninstall option you can download the full version from Apple's site (or one of many other download sites) and install that, then uninstall it. Unfortunately that is their recommended way to get rid of it. Don't try to remove it manually, you could lose all networking ability on your machine. Especially do not try to remove its entries from the LSP stack yourself. Found that one out the hard way. :D
     
  18. SBMongoos

    SBMongoos Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    215
    This is off the beaten path but I thought I'd respond.

    I'm going to try http://www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/ to remove Bonjour. Or look for another way. Otherwise I'd have to install some other application to get Bonjour on my PC to add/remove. Like iTunes or Quicktime (I'm using QT Alternative).
     
  19. Temp Member

    Temp Member Registered Member

    Joined:
    Mar 28, 2009
    Posts:
    263
    Location:
    Glasgow
  20. SBMongoos

    SBMongoos Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    215
    Apparently I need a rule setup for IGMP as I'm seeing these frequently in the log:

    4/7/2009 11:52:22 AM No usable rule found 5.158.51.183 224.0.0.22 IGMP
    4/7/2009 11:52:22 AM No usable rule found 5.158.51.183 224.0.0.22 IGMP
    4/7/2009 11:52:22 AM No usable rule found 192.168.0.100 224.0.0.2 IGMP

    The IP starting with 5. is LogMeIn Hamachi. I'm the 192.x.x.100.

    *****

    Is this killing my Network Neighborhood from working from the .100 PC:

    4/7/2009 12:00:20 PM Communication denied by rule 5.158.51.183:138 5.255.255.255:138 UDP Block outgoing NETBIOS requests System NT AUTHORITY\SYSTEM (I see this is for Hamachi but not sure if this might be an indicator of the local network issue mentioned above.)

    I've allowed UPNP for trusted zones and the errors have really dropped.
     
    Last edited: Apr 7, 2009
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I personally don't use any of that bloated crap from apple(quicktime/itunes/safari all bundles it). VideoLAN/VLC is my "play apple files" alternative.
     
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,624
    Location:
    USA
    I turned on UPNP and turned off "Block unsafe address after attack detection" (this worked for someone else) and I still get nothing with the firewall turned on.
     
  23. SBMongoos

    SBMongoos Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    215
    Well, this has helped me weed through some minor issues. The dropped connection comes and goes. I've seen it work for a while fine and then it becomes chronic. Twice I've seen this occur after an update. Happened yesterday and I lost all LAN/WAN connection. After I rebooted I was fine.

    Now, I'm just looking at the log to see what's getting tripped up that shouldn't.

    Seems to be narrowed down to these three now (I think):

    4/7/2009 1:48:42 PM No usable rule found 192.168.0.100 239.255.255.250 IGMP (my desktop)
    4/7/2009 1:48:21 PM Packet blocked by active defense (IDS) 192.168.0.100:1668 65.212.121.29:80 TCP (my desktop)
    4/7/2009 1:48:00 PM Communication denied by rule 5.158.51.183:138 5.255.255.255:138 UDP Block outgoing NETBIOS requests System NT AUTHORITY\SYSTEM (my desktop - Hamachi)

    I've attached a jpg of the items being blocked that are in the rules. Maybe I've screwed up or this happened while it was in automatic mode.
     

    Attached Files:

    • ess.jpg (67.2 KB)
    Last edited: Apr 7, 2009
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,624
    Location:
    USA
    I thought I would just try to reboot my machine and now it works with the firewall on. My only thought for something that would have been cleared by a reboot is that earlier I was prompted that another machine was trying to communicate with mine and I selected Block and checked the box to temporarily remember as I bring my laptop to work with me and don't want coworkers trying to access my machine. If that was the cause it appears that blocking communication with another machine stops all network connections? v3 did not behave this way, and it is not what I would expect.
     
  25. SBMongoos

    SBMongoos Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    215
    Anyone? Seems that the three items listed above should be allowed.

    1. 4/7/2009 1:48:42 PM No usable rule found 192.168.0.100 239.255.255.250 IGMP (my desktop)
    2. 4/7/2009 1:48:21 PM Packet blocked by active defense (IDS) 192.168.0.100:1668 65.212.121.29:80 TCP (my desktop)
    3. 4/7/2009 1:48:00 PM Communication denied by rule 5.158.51.183:138 5.255.255.255:138 UDP Block outgoing NETBIOS requests System NT AUTHORITY\SYSTEM (my desktop - Hamachi)

    On #3 I'm wondering if there is something similar happening with NETBIOS preventing Network Neighborhood from working properly. As I understand NETBIOS handles the name handling for PCs on the network. I believe the image I posted above shows some details from the rules/zone view. I do have it set for Trusted Zone but I wonder if the two are overlapping and causing issues.
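
A triage sketch for the firewall log format pasted in this thread, added here as an example (it is not part of any poster's message and is not ESET tooling). It groups records by event, source IP with the ephemeral source port dropped, destination, protocol and rule text, and tags each destination as multicast, private or public so the recurring blocks stand out in a large export. The space-separated line layout and IPv4-only addresses are assumptions drawn from the excerpts above; `summarize` and `scope` are names chosen for this example.

```python
import ipaddress
import re
from collections import Counter

# Sample input: lines copied from the excerpts posted in this thread.
SAMPLE_LOG = r"""
4/7/2009 9:03:28 AM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
4/7/2009 9:03:23 AM Communication denied by rule 0.0.0.0:1031 192.168.0.1:53 UDP Deny communication for mDNSResponder.exe C:\Program Files\Bonjour\mDNSResponder.exe NT AUTHORITY\SYSTEM
4/7/2009 9:03:14 AM No usable rule found 192.168.0.100 239.255.255.250 IGMP
4/7/2009 9:03:12 AM No usable rule found 192.168.0.100 224.0.0.251 IGMP
4/7/2009 9:02:56 AM Communication denied by rule 192.168.0.105:1025 239.255.255.250:1900 UDP Block incoming SSDP (UPNP) requests
***
4/7/2009 9:01:51 AM Packet blocked by active defense (IDS) 192.168.0.100:2890 65.212.121.29:80 TCP
4/7/2009 9:01:11 AM No usable rule found 192.168.0.100 239.255.255.250 IGMP
4/7/2009 1:48:21 PM Packet blocked by active defense (IDS) 192.168.0.100:1668 65.212.121.29:80 TCP
4/6/2009 2:04:24 PM Packet blocked by active defense (IDS) 192.168.0.100:4902 65.212.118.29:80 TCP
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M "  # timestamp
    r"(?P<event>.+?) "                                     # event text up to first IP
    rf"(?P<src>{IP})(?::\d+)? "                            # source; port not captured
    rf"(?P<dst>{IP}(?::\d+)?) "                            # destination, port kept
    r"(?P<proto>[A-Z]+)(?: (?P<detail>.+))?$"              # protocol, then rule/app/user
)

def scope(dst):
    """Classify a destination 'ip' or 'ip:port' as multicast, private or public."""
    ip = ipaddress.ip_address(dst.split(":")[0])
    if ip.is_multicast:
        return "multicast"
    return "private" if ip.is_private else "public"

def summarize(text):
    """Return ([(group_key, count), ...] sorted by count, number_of_unparsed_lines)."""
    groups, unparsed = Counter(), 0
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = LINE_RE.match(line)
        try:
            key = (m["event"], m["src"], m["dst"], m["proto"],
                   m["detail"] or "", scope(m["dst"]))
        except (TypeError, ValueError):  # no regex match, or an invalid address
            unparsed += 1
            continue
        groups[key] += 1
    return groups.most_common(), unparsed

if __name__ == "__main__":
    rows, unparsed = summarize(SAMPLE_LOG)
    for (event, src, dst, proto, detail, where), n in rows:
        print(f"{n:>4}  {event} | {src} -> {dst} {proto} [{where}] {detail}")
    print(f"{unparsed} line(s) not in the expected format")
```

The grouped output is short enough to paste into a post in place of the raw export.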
     