ESET Online Help

Search English
Select the topic

Allowed services and advanced options

Advanced options in Firewall and Network attack protection sections enable you to configure access to some of the services running on your computer from the Trusted zone.

You can enable or disable the detection of several types of attacks and exploits that may harm your computer.


In some cases, you will not receive a threat notification about blocked communications. See the Logging and creating rules or exceptions from log section for instructions to view all blocked communications in the firewall log.


The availability of specific options in this window may vary depending on the type or version of your ESET product and firewall module, as well as the version of your operating system.

icon_section Allowed services

Settings in this group simplify the configuration of access to this computer's services from the trusted zone. Many of them enable/disable pre-defined firewall rules. You can edit allowed services in Advanced setup (F5) > Network protection > Firewall > Advanced > Allowed services.

Allow file and printer sharing in the Trusted zone—Allows remote computers in the Trusted zone to access your shared files and printers.

Allow UPNP for system services in the Trusted zone—Allows incoming and outgoing requests of UPnP (Universal Plug and Play, also known as Microsoft Network Discovery) protocols for system services.

Allow incoming RPC communication in the Trusted zone—Enables TCP connections from the Trusted zone allowing access to the Microsoft RPC Portmapper and RPC/DCOM services.

Allow remote desktop in the Trusted zone—Enables connections via Microsoft Remote Desktop Protocol (RDP) and allows computers in the Trusted zone to access your computer using a program that uses RDP (for example, Remote Desktop Connection).

Enable logging into multicast groups through IGMP—Allows incoming/outgoing IGMP and incoming UDP multicast streams, for example, video streams generated by applications using the IGMP protocol (Internet Group Management Protocol).

Allow communication for bridged connections—Select this option to avoid terminating bridged connections. Bridged networking connects a virtual machine to a network using the host computer's Ethernet adapter. If you use bridged networking, the virtual machine can access other devices on the network and vice versa as if it were a physical computer on the network.

Allow automatic Web Services Discovery (WSD) for system services in the Trusted zone—Allows incoming Web Services Discovery requests from Trusted zones through the firewall. WSD is the protocol used to locate services on a local network.

Allow multicast address resolution in the Trusted zone (LLMNR)—The LLMNR (Link-local Multicast Name Resolution) is a DNS packet-based protocol that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link without requiring a DNS server or DNS client configuration. This option allows incoming multicast DNS requests from the Trusted zone through the firewall.

Windows HomeGroup support—Enables HomeGroup support. A HomeGroup can share files and printers on a home network. To configure a Homegroup, navigate to Start > Settings > Network and Internet > HomeGroup.

icon_section Intrusion detection

Intrusion detection monitors the device network communication for malicious activity. You can edit these settings in Advanced setup (F5) > Network protection > Network attack protection > Advanced options > Intrusion detection.

Protocol SMB—Detects and blocks various security problems in the SMB protocol.

Protocol RPC—Detects and blocks various CVEs in the remote procedure call system developed for the Distributed Computing Environment (DCE).

Protocol RDP—Detects and blocks various CVEs in the RDP protocol (see above).

ARP Poisoning attack detection—Detection of ARP poisoning attacks triggered by man-in-the-middle attacks or detection of sniffing at the network switch. ARP (Address Resolution Protocol) is used by the network application or device to determine the Ethernet address.

TCP/UDP Port Scanning attack detection—Detects attacks of port scanning software—application designed to probe a host for open ports by sending client requests to a range of port addresses to find active ports and exploit the vulnerability of the service. Read more about this type of attack in the glossary.

Block unsafe address after attack detection—IP addresses that have been detected as sources of attacks are added to the Blacklist to prevent connection for a certain time.

Notify about attack detection—Turns on the Windows notification area notification at the bottom right corner of the screen.

Notify about incoming attacks against security holes—Alerts you if attacks against security holes are detected or if an attempt is made by a threat to enter the system this way.

icon_section Packet inspection

Packet analysis that filters data being transferred through the network. You can edit these settings in Advanced setup (F5) > Network protection > Network attack protection > Advanced options > Packet inspection.

Allow incoming connection to admin shares in SMB protocol—The administrative shares (admin shares) are the default network shares that share hard drive partitions (C$, D$, ...) in the system together with the system folder (ADMIN$). Disabling connection to admin shares should mitigate many security risks. For example, the Conficker worm performs dictionary attacks to connect to admin shares.

Deny old (unsupported) SMB dialects—Deny SMB sessions that use an old SMB dialect unsupported by IDS. Modern Windows operating systems support old SMB dialects due to backward compatibility with old operating systems such as Windows 95. The attacker can use an old dialect in an SMB session to evade traffic inspection. Deny old SMB dialects if your computer does not need to share files (or use SMB communication in general) with a computer with an old version of Windows.

Deny SMB sessions without extended security—Extended security can be used during the SMB session negotiation to provide a more secure authentication mechanism than LAN Manager Challenge/Response (LM) authentication. The LM scheme is considered weak and is not recommended for use.

Deny opening of executable files on a server outside the Trusted zone in SMB protocol—Drops connection when you are trying to open an executable file (.exe, .dll, ...) from a shared folder on the server that does not belong to the Trusted zone in the firewall. Note that copying executable files from trusted sources can be legitimate. However this detection should mitigate risks from the unwanted opening of a file on a malicious server (for example, a file opened by clicking a link to a shared malicious executable file).

Deny NTLM authentication in SMB protocol for connecting a server inside or outside the Trusted zone—Protocols that use NTLM (both versions) authentication schemes are subject to a credentials forwarding attack (known as an SMB Relay attack in the case of the SMB protocol). Denying NTLM authentication with a server outside the Trusted zone should mitigate risks from forwarding credentials by a malicious server outside the Trusted zone. Similarly, you can deny NTLM authentication with servers in the Trusted zone.

Allow communication with the Security Account Manager service—For more information about this service, see [MS-SAMR].

Allow communication with the Local Security Authority service—For more information about this service, see [MS-LSAD] and [MS-LSAT].

Allow communication with the Remote Registry service—For more information about this service, see [MS-RRP].

Allow communication with the Service Control Manager service—For more information about this service, see [MS-SCMR].

Allow communication with the Server service—For information about this service, see [MS-SRVS].

Allow communication with the other services—Other MSRPC services.