ICMP or DNS Cache Poisoning Attack
- "ICMP attack" or "DNS Cache poisoning attack" is detected by the ESET Personal firewall
- "Detected ARP cache poisoning attack" is detected by the ESET Personal firewall
- ESET technical support directed you to this article to flush your DNS cache and restore the MS Hosts file
For more information about event names in the ESET Personal firewall log, see the following ESET Knowledgebase article:
If the ESET Personal firewall is detecting a threat to your system, complete solution 1 below to create an exception for internal IP traffic. Continue to solution 2 if the issue is not resolved.
Solution 1: Create an exception for internal IP traffic
Determine if the IP address detected in the notification is a number that falls within the following range (where "x" is 0-255):
- 172.16.x.x - 172.31.x.x
If the IP address detected is within the safe range listed above, open your Windows ESET product. How do I open my ESET product? Skip to step 4 and continue with solution 1.
If the IP address being detected as a threat is not within the safe range listed above, or there are no network peripherals currently in use on your network, the device being detected by the Personal firewall is located on a public network and could be a threat to your system.
See solution 2 to download the ESET DNS-Flush tool and use it to repair any files that may have been damaged by DNS cache poisoning.
Press the F5 key on your keyboard to access the Advanced setup window.
Click Personal Firewall, expand Advanced and then click Edit next to Zones.
If you are running version 8.x: Expand Network → Personal firewall and then click Rules and zones.
In the Zone and rule editor pane, click Setup. Click here for a V8.x screenshot.
In the Firewall zones window, select Trusted zone and click Edit.
If you are running version 8.x: Click the Zones tab, select Addresses excluded from active protection (IDS) and then click Edit. Click here for a V8.x screenshot.
In the Zone setup window, click Add IPv4 address. Click here for a V8.x screenshot.
Type the IP address of the device being incorrectly detected as a threat in the Remote computer address (IPv4, IPv6, range, mask) field.
If you are running version 8.x: Select Single address, and then enter the IP address of the device being incorrectly detected as a threat. Click here for a V8.x screenshot.
Click OK three times to exit Advanced setup and save your changes. You should no longer see any messages about attacks coming from an internal IP address that you know to be safe. If you continue to experience this issue, proceed to solution 2 below.
If you are running version 8.x: Click OK four times to exit the Advanced setup tree and save your changes.
Solution 2: Run the DNS Flush tool (DNS poisoning only)
You can use the ESET DNS Flush tool to flush your DNS cache . Follow the step-by-step instructions below to download and run the DNS Flush tool:
- Download the DNS-Flush.exe tool and save the file to your Desktop.
- Once the download is complete, navigate to your Desktop and double-click DNS-Flush.exe (if you are prompted to continue click Yes). The tool will automatically flush and register your DNS cache.
- After your computer restarts, open your ESET product and run a Computer scan. For assistance, refer to the following Knowledgebase articles:
The Computer scan performed in step 4 should complete without detecting an infection. If no threat is detected, you are finished.
If you are still unable to resolve your issue, please email ESET Technical Support.