[KB2933] ARP, ICMP or DNS Cache Poisoning Attack in ESET home and small office products for Windows

Issue

• "ICMP attack" or "DNS Cache poisoning attack" warning message is displayed in ESET home and small office products for Windows
• "Detected ARP cache poisoning attack" records are logged in the Network protection log files
• ESET Technical Support directed you to this article to flush your DNS cache
• Create an exception for internal IP traffic
• Run the DNS Flush tool (DNS poisoning only)

Solution

If the Firewall incorrectly detects a threat to your system, you can create an exception for internal IP traffic. If the issue is not resolved, run the DNS flush tool.

Create an exception for internal IP traffic

1. Determine if the IP address detected in the notification is a number that falls within the following range (where "x" is 0-255):

   • 172.16.x.x–172.31.x.x
   • 192.168.x.x
   • 10.x.x.x
     
     

2. Review the IP addresses in the notification:

   • If the IP address detected is within the safe range listed above, open the main program window of your ESET Windows product and skip to step 3
   • If the IP address detected is not within the safe range listed above, or there are no network peripherals currently in use on your network, the device detected by the Firewall is located on a public network and could be a threat to your system. See the ESET DNS-Flush tool section and use it to repair any files that may have been damaged by DNS cache poisoning
     
     

3. Press the F5 key to open Advanced setup.

4. Click Network access protection and click Edit next to IP sets.

   

5. In the IP sets window, select Addresses excluded from IDS and click Edit.

   

6. In the Remote computer address (IPv4, IPv6, range, mask) field, type the IP addresses incorrectly detected as a threat. Click OK three times to save your changes and to exit Advanced setup.

   You should no longer see any messages about attacks from an internal IP address you know to be safe. If the issue persists, run the DNS flush tool.

   

Run the DNS Flush tool (DNS poisoning only)

Instead of entering ipconfig /flushdns in the Command Prompt, you can use the ESET DNS Flush tool to flush your DNS cache.

1. Download the DNS-Flush tool and save the file to your Desktop.

2. Navigate to your Desktop, extract or open Flush DNS.zip and double-click Flush DNS.exe. The tool will automatically flush and register your DNS cache.

3. After your computer restarts, open your ESET product and run a Computer scan.

The Computer scan should finish without detecting an infection. If no threat is detected, no further action is needed.

Need further assistance? Contact ESET Technical Support.