jasonX

Level 9
Hello,

I have just installed Eset Smart Security last week and I am getting a fail at GRC test. Failed notice was,

"Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation."



Prior to GRC posting the results I get a pop-up of Inbound Traffic from GRC. Kindly see image. I clicked "Deny" and "Remember Action (Create Rule)". I repeated the test but all 3 failed. This is on a wired connection (not behind a router -- I hooked it on a dial-up connection). This is the first time I failed GRC.



What settings can I adjust in the firewall to pass this ping fail...? What settings should be checked...? Kindly see attached the IDS and Advanced options.



Is "ICMP protocol message checking" and "Covert data in ICMP protocol detection" responsible for the ping fail..? I tried checking and un-checking it; the result was the same.

To check with other security setup I loaded a clean system image without AV/firewall, only MalwarebytesPro (I keep this image when I wanna try a new setup). Upon loading, I installed Avast IS Build 1426 (default settings). Connected to the same conditions as what I try -- dial-up connection/wired. It passed both GRC.

Now there was a suggestion that I should set protection mode to "Strict Protection". I am not permanently a part of a network and a pop-up appears when I click Advanced Settings>Rules and Zones>Setup. So I can't set it up there. See image.



Since I cannot set it there, what can I do to remedy that ping fail..?

I did some reading of the manual of ESSv5 and I saw there were a lot of rules for Trusted Zone. So given the situation that I have "No active authentication zone detected...", what happens to the rules in the advanced setup that say, Allow communication / requests / incoming / outgoing / etc etc in Trusted Zone...?

If not applicable what rules does Eset firewall use...? What is the default rule applied if the pc is identified as "No active authentication zone detected..."...?

Is it different for Automatic mode and Interactive Mode? I am in interactive mode now because I wanna see those pop-ups. Is it different per mode if the pc is identified as "No active authentication zone detected..."...?

Earlier I had a pop-up of Outbound traffic for System trying to communicate to an IP address 192.88.99.1, I clicked DENY and I forgot to check the "Remember Action" button. See image. I checked it out in WhoIs but it was "Unknown". What is that pop-up? In Comodo and other firewalls I used I had seen that "System" is only 'Listening' at port 445 not trying to connect outbound. I also see it in "listen" mode in Process Hacker. Is that behavior bad? What should be done on that..?



In relation to that, I was searching for some logs from which I can refer to some of the previous pop-ups I have had. Review the events. The log files do not contain it. Even the alert pop-up I just posted. The firewall logs only contained the FF plugin-container.exe rule from April 10th! Does Eset log those alerts? If I want to modify and make a rule for that, what must I do..?

4/10/2012 2:46:39 AM Communication allowed by rule 10.xxx.7.9:1531 211.5.xxx.39:80 TCP Allow communication for plugin-container.exe C:\Program Files\Mozilla Firefox\plugin-container.exe XXXXXXXX-PC\JXXXXXXXXX

4/10/2012 2:46:39 AM Communication allowed by rule 10.xxx.7.9:1531 211.5.1xx.39:80 TCP Allow communication for plugin-container.exe C:\Program Files\Mozilla Firefox\plugin-container.exe XXXXXXXX-PC\JXXXXXXXXX

Can I terminate a connection with the Eset firewall..? I cannot see any documentation that says so. I use Process Hacker at the moment to do that.

Now I have used different firewalls before (Comodo/Emsisoft/Privatefirewall/Outpost) but I am no expert. I just learn from advice and I take it from there. This is the first time I had a ping fail and I do not know what to do really. This is my first spin with Eset firewall. I installed it to use a license I obtained from a blog win. I thought it would expire so I used it. It was only later that I knew that it doesn't have a shelf-life. So too late but good in the sense that I discovered that there are problems with it (as with all first time usages).

This is on a dial-up connection (the fail). The router I use from the ISP provider passed GRC. Now I use both depending on certain situations I am in so I need it to be safe whichever I use.

Can you guys help me understand what's going on here...? I seem to be getting confused using the firewall...Can you give me some ideas/advice/explanations on how to use the Eset firewall effectively...?

I already posted on the support forum of Eset but it seems mods/support are busy there. I was advised by a forum friend to join and post here. Please help me.

Thank you so much.

Jason :)
 

jasonX

Level 9
jamescv7 said:
http://www.wilderssecurity.com/showthread.php?t=245680

Well likely the problem is that your router must be the one to deal during ping test.

Hi jamescv7,

This fail is not on a router. The router I am using passed the GRC test. This "fail" is on a dial-up connection. Any ideas...?

Thank you :)
 

jamescv7

Level 61
Verified
Trusted
Well I just edited my previous post, did you miss some configuration on the link from KB Article of ESET? (On my first post)
 

jasonX

Level 9
jamescv7 said:
Well I just edited my previous post, did you miss some configuration on the link from KB Article of ESET? (On my first post)

Hi jamescv7,

That was fast :) Well the Strict Protection setting I cannot set because of the pop-up

But I'll check the link to the KB article and print it. Thanks will be back here by tomorrow. I am sleepy just got out from work earlier and had been tinkering with this Eset. Might you be able to check out the other post I did on the Eset HIPS thing..?

Thanks again :)
 

jamescv7

Level 61
Verified
Trusted
I would also like to view the images so that I can contribute as much as possible to your problem. Unfortunately those pictures were blocked by the censorship URL Blocked (Saudi Arabia).
 

jasonX

Level 9
Hello jamescv7,

Thank you for the reply and help :)

KB Solution ID: SOLN2887 which is "How do I resolve network connectivity issues with ESET Smart Security? (5.x)" is not applicable to my case as in the first post I mentioned when I go to Advanced Settings>Personal Firewall>Trusted zone>Setup I get the pop-up image below



I am already in interactive mode as I need to see those popups. I agree with you there as it will prompt you towards deciding and there you can set it up -- the rules. Using Eset for more than a week now and all I get in interactive mode is the Outbound/Inbound alerts of which I also posted here. Nothing more. Not even VLC trying to call home! I saw that through Process Hacker and if it weren't for PH I would not know and it would not have been terminated (the connection).

Transferring to automatic or automatic mode with exceptions and going to Trusted zone>Setup, I still get that popup.

So I am in a stand-off there, cannot set the Trusted Zone as the popup states that "No active authentication zone detected...etc".

I tried to insert a bluetooth stick and there I can set and select the Strict Protection. But when I eject bluetooth stick, there it goes again..."No active authentication zone detected...etc".

Any ideas...:(

PS:

I can't seem to send you the links via PM
 

jamescv7

Level 61
Verified
Trusted
Did you try to tick "Allow Communication for bridged connection" and "Maintain inactive TCP Connection"? Not sure if it's connected to the problem but try it only.
 

jasonX

Level 9
jamescv7 said:
Did you try to tick "Allow Communication for bridged connection" and "Maintain inactive TCP Connection"? Not sure if it's connected to the problem but try it only.

I did check the respective check-boxes and the GRC result was the same PING fail. :(
 

jamescv7

Level 61
Verified
Trusted
Oh wait, did you slide up for automatic mode? Because from this discussion on Wilders someone said ESS made it pass the test.

Also from another KB Article other mode types for firewall, however not sure if those modes were available on that version.
 

jasonX

Level 9
It was still in interactive mode. Okay will check that link out. I'll reload the previous system image with the ESS settings. Thanks for the help.
 

malbky

New Member
Jason hi I am the same avibky but malbky here. Just got my internet connection renewed. Was without net and was using limited mobile broadband and could not do much research on your topic. James seems a pretty resourceful person.

I just had a doubt. Is your network set as a trusted one or a public one? Choose public and see what happens.
 

jasonX

Level 9
@malbky,

Hi there dude:) Yeah and thanks also for convincing me to join here. Seems to be a good forum. And it's true that the research for the topic I posted is quite limited. Really was waiting for Eset support but I guess busy..busy..busy...

As to the network settings, I have an issue of the pop-up "No active authentication zone detected" (the computer is not connected to any network that could be considered trusted). Setting up "Strict protection or Allow Sharing" in the Rules and Zone>setup cannot be set either.


@jamescv7,

I just set it up at "Automatic mode" again and the PING fail is still there.

Interesting is the link given, the logic of the ping fail was clarified and indeed I agree that the ping is from the ICMP echo request which is inbound. In KIS 2012 you'd have to manually set it to "Block" as the default settings are "Allow". As well as "Any Incoming TCP stream and Any Incoming UDP stream" to get full stealth.

ESS 642 on automatic mode passed the Shields Up test with all ports on stealth, but when I switched to interactive mode port 135 is open, however it passed the Leaktest in that mode.
So how can I prevent it from passing the firewall's outbound protection in automatic mode?

Depending on your network configuration, the ping test might be beyond the abilities of any firewall. If your modem is configured to reply to ping requests instead of forwarding them to your computer (that is done by some ISPs for easier troubleshooting), then there is no way to block the ping requests. It does not pose any security threat in itself, the potential danger comes from the fact that a hacker would know that there is a machine running on that IP address and might make further attempts to infiltrate it. Other than that, there is no need to worry.

-- I think they are talking about router modem and not dial-up modem there. My router passed GRC and has a TruStealth because it's set to "not-reply" to ICMP requests. Now with the dial-up modem the case is different. It does allow ping requests owing to the type of service of the ISP as mentioned. BUT I disagree that,

..the ping test might be beyond the abilities of any firewall

Definitely a NO because as mentioned and tested, I used different firewalls on this system just to check. Comodo, Online Armor Premium and earlier I tried the combination I posted in "System Configuration" section -- with KIS 2012 (used Acronis Universal restore and included the drivers for this machine for a smooth setup). Setting those mentioned above with the same connection I am using. KIS 2012 passed GRC as TruStealth. I am thinking of imaging this and installing Outpost Pro to check also (EsetNOD32 and Outpost Pro).

Also I believe "leaktest" is "not useless" as another has said. He may choose to use a firewall even if he fails a leaktest but for me I still prefer that I am stealthed and I pass leaktests. I believe without the proper explanation there the questions still remain.

Others have opted to agree that it's fine to have a "ping fail"...why? (maybe because there was not any solution given there as to the ping fail -- I did not find any there.)

Security wise, will anyone allow himself to be vulnerable..? I think more than 90% will say "no"--well to the forum persons maybe ha ha!:). Failing a leaktest or some aspect in connection with a leaktest is imho a "fail" nonetheless..right?

It's something like you know you have a malware in a program you downloaded and you disregard it and still use it..why? Because you need the program etc..etc. That is foolish.

Interesting also that there was no Eset Support that gave an explanation there. I wonder why that is...? Hmmmm...I seem to see that seldom in all that I googled.

You have been greatly patient with my topic and I thank you for it ;) You rock man!!!!

So as the issue still remains maybe we'll look into something again ;)




 

jamescv7

Level 61
Verified
Trusted
Is there a recommendation to tick allow printer sharing on ESET Firewall configuration? Because based on numerous searches even Windows Firewall needs to disable it.
 

jasonX

Level 9
Just an update on the issue. A different combination, Outpost Pro version 7.5.2 and Nod32 ver5. GRC ShieldsUP and PCFlank was TruStealth.



I'll be reloading the former setup with ESSver5 later and see if the file and printer sharing is in "Allow". Be back here again :)

Thanks :)
 

jasonX

Level 9
@jamescv7,

I just reloaded the setup with the ESSver5 and there was an "Allow file and printer sharing in the Trusted zone". I unchecked that and went on to test via ShieldsUP. The result was the same. Kindly see images attached. Any ideas what to further tinker...?





Thank you :)

Jason
 

jamescv7

Level 61
Verified
Trusted
Hmm... try the default settings from ESET and if not then try to configure your connection on Windows 7 like turn off the "Allow file and printer sharing" and others related even though it's a dial up connection hook cause it may one to be a problem there.

Then if everything were not right then something is having a problem for ESET when dial up connection.
 

jasonX

Level 9
jamescv7 said:
Hmm... try the default settings from ESET and if not then try to configure your connection on Windows 7 like turn off the "Allow file and printer sharing" and others related even though it's a dial up connection hook cause it may one to be a problem there.

Then if everything were not right then something is having a problem for ESET when dial up connection.

Okay will do that by tomorrow or next day. Thank you for the patience :)

Incidentally, I tried to insert a bluetooth dongle so I can set the Rules and zone>Setup to "Strict Protection" and tested it with GRC. The printer sharing in the Trusted zone is still unchecked. The GRC result is still the same. See attached image please.