EIS - Blocking RDP on Cisco Anyconnect VPN.

[Knowguy 1]

Emsisoft,

As I use your Internet Security product more and more I am finding a few issues... I am a geek so I like to help fix issues in the hope that it helps others find this awesome software.

• EIS 2017.1.1.7166
• Windows 10, 64bit
• I have been working from home as a NOC analyst for awhile (Had to stay home and help with my second baby girl!). I noticed that when connecting to the Cisco Anyconnect VPN that my company uses that there really isn't any problems, until I started using EIS, I notice that when I RDP into one of our jump servers that the connecting would drop after like 5 minutes of being connected.  Also after I would disconnect the only way to reconnect was to 'disconnect' the VPN client and 'reconnect' it.  So I tried disabling EIS's firewall and lo and behold, it started working again.  So I would like to have this worked out so I can run the firewall and RDP into remote Windows servers that I need to work on.  Thanks again, let me know if you need detailed logs sent again!

 

[GT500 589]

Have you created rules to allow the ports for the VPN? Sometimes VPN's will have issues with firewalls when there are no port rules explicitly allowing the VPN.

[Knowguy 1]

TCP port 3389 removed from the Windows services block was the trick.  Any inherent risk in enabling this globally?

[GT500 589]

Opening that port opens RDP to outside connections. If your router isn't forwarding that port to your computer, then there shouldn't be a security risk. If it is, then you may want to see if you can open it only for outbound traffic and leave it blocked for inbound.

[Knowguy 1]

It may be a concern that while that port was blocked I was still able to redo if I disconnected the Cisco Anyconnect VPN and then reconnected.  But after about 5 minutes it would block me again... I'm thinking that is a flaw and it shouldn't allow me to connect at all.  Something you should report as a bug.  

[GT500 589]

I'll need some debug logs to report it as a bug, if you feel up to it. Here's how to get them:

1. Open Emsisoft Internet Security from the icon on your desktop.
2. In the 4 little gray boxes at the bottom, move your mouse into the one that says Support, and click anywhere in that gray box.
3. At the bottom, turn on the option that says Enable advanced debug logging.
4. Either click on Overview in the menu at the top, or close the Emsisoft Internet Security window.
5. Reproduce the issue you are having with connecting to your VPN without the custom port rule, and then getting disconnected after a few minutes.
6. Once you have reproduced the issue, open Emsisoft Internet Security again, and click on the gray box for Support again.
7. Click on the button that says Send an email.
8. Select the logs in the left that show today's dates.
9. Fill in the e-mail contact form with your name, your e-mail address, and a description of what the logs are for (if possible please leave a link to the topic on the forums that the logs are related to in your message).
10. If you have any screenshots or another file that you need to send with the logs, then you can click the Attach file button at the bottom (only one file can be attached at a time).
11. Click on Send now at the bottom once you are ready to send the logs.
    

Important: Please be sure to turn debug logging back off after sending us the logs. There are some negative effects to having debug logging turned on, such as reduced performance and wasting hard drive space, and it is not recommended to leave debug logging turned on for a long period of time unless it is necessary to collect debug logs.

Please note that if you have a lot of debugs logs, then you should not send all of them. There is a size limit, and currently there is no error if the message is rejected due to the size being too large. Normally we only need one copy of the 4 or 5 different logs that have been saved after the time you reproduced the issue (the list shows what time each log was saved). Those logs have the following names:

• Security Center
• Protection Service
• Real-Time Protection
• Firewall
• Logs database (contains the logs you can view in Emsisoft Internet Security by clicking on Logs at the top of the window).
  

[Knowguy 1]

Submitted advanced debug logs.

[GT500 589]

I don't see any new debug logs from your e-mail address. The only new e-mails I see from you are the ones related to Cloudbleed (which shouldn't have effected our domains, as it required three options to be on in our Cloudflare configuration to be exploitable, and to my knowledge we did not have all three of those options on for any of our domains).

Did you enter a different e-mail address when sending the logs? Or perhaps did you try to send all available logs instead of just the new ones?

[Knowguy 1]

I sent them under the same E-mail unless I fat fingered it... Either way I will pull the logs back up and send them again.

 

[GT500 589]

I still don't see anything new from your e-mail address. It's possible that the logs are too large, and are being rejected after EIS finishes sending them. You can do the following to send them manually:

1. Hold down the Windows key on your keyboard (the one with the Windows logo on it, usually between the Ctrl and Alt keys) and then tap R to open the Run dialog.
2. Type in %AllUsersProfile%\Emsisoft\Logs and click OK to open the folder where the debug logs are saved.
3. While holding down the Ctrl key on your keyboard, select the logs you want to send to us (we'll need copies of at least the firewall and a2service logs from the day you created the debug logs for this issue).
4. Right-click on one of the logs you selected, go to Send to, and select Compressed (zipped) folder.
5. Send me a private message and attach the logs to a reply (do not attach them to a reply to your topic, or post them anywhere else publicly, as the logs have your license key in them).

[Knowguy 1]

Sending PM now.

[Knowguy 1]

One of my e-mails must have went through just now because I got an e-mail back from David Biggar and he said he would assign the ticket to you.  Sorry for making extra work for you.

[GT500 589]

Looks like it came through a few hours after the last time I checked.

I'll get your logs together and forward them to one of our developers.