I need a rule for the update service in my firewall


Rubi
July 24th, 2006, 12:25 AM
Hello, I have installed Deep Freeze, protecting my entire C: drive, so what I need to know is where NOD32 saves the updates. I mean, in which folder are the changes made, so I can make a copy of it and copy it back later?

I'd also like to know which files I have to watch, which folders are the most exposed to attacks, and whether the update folder is attacked too. Since I have seen that the update service connects to my computer over a range of ports from 1090 to 1115, I think it would be better to give permission to just a single port, not so many. These are the connections made by this service:


I need to make a rule in my firewall for NOD32. The information needed is:

the service (although I think it is nod32krn.exe)
protocol (just TCP, right?)
local port: this is what I need to know. Can I give access through just one port? This service has full access to my computer
remote port (would 80 be enough?)
remote IPs (I'd also like to know whether the IPs are the ones I gave above, or if not, which IPs this service connects to, for more security)

If any of you could give me this information it would be very useful; I have no way of knowing it.

Thanks in advance, and best regards :)

NOD32 user
July 24th, 2006, 01:19 AM
The local port is automatically assigned by the OS for the outgoing connection and will be the first available, different every time.

Why not just make your rule to permit nod32krn.exe for locally initiated traffic, since the IPs for update servers could easily change (as could their ports)?

NOD32 for workstations doesn't need to accept inbound connections, does it?

Cheers :)

alglove
July 24th, 2006, 12:57 PM
For the remote IP addresses, you can go to Update --> Setup --> Location and then look at the "Server:" box to see the addresses of the update servers. I think the remote ports are TCP port 80.

Rubi
July 24th, 2006, 10:13 PM
{QUOTE-> The local port is automatically assigned by the OS for the outgoing connection and will be the first available, different every time.

Why not just make your rule to permit nod32krn.exe for locally initiated traffic, since the IPs for update servers could easily change (as could their ports)?

NOD32 for workstations doesn't need to accept inbound connections, does it?

Cheers <-QUOTE}

Then I think I can tell the firewall where I want the update server to enter my system, since maybe anyone impersonating NOD32 could access my system through this port, by entering on a dangerous or trojan port?

That's the reason I want to make my rule tighter... and yes, I did the update, and the rule I have just permits the outbound connections (dangerous too).

{QUOTE-> For the remote IP addresses, you can go to Update --> Setup --> Location and then look at the "Server:" box to see the addresses of the update servers. I think the remote ports are TCP port 80. <-QUOTE}

Thank you, I have looked in there and I have all the names and just one IP address. It's important to know the exact IPs from NOD32, since if I'm not precise any IP could have access to my PC by entering from any address on any port. This is it: 82.165.250.33

So temporarily I'll enter this address, and if anyone knows any other IPs to add, please let me know.

Thank you all and cheers ;)

tristantzara
July 25th, 2006, 09:26 AM
Hi,

From looking at my recent firewall logs I get these... probably not complete, but anyway...


194.213.194.29 (194.213.194.0 - 194.213.194.63; GTS-CZ-HOSTING2-PPAHA)

209.200.224.54 (209.200.224.0 - 209.200.239.255; ADDD2NET COM INC DBA LUNARPAGES)

82.165.250.33 (82.165.240.0 - 82.165.255.255; SCHLUND-CUSTOMERS)

213.215.116.226 (213.215.116.224 - 213.215.116.239; SK-ESET-SH)

82.208.27.3 (82.208.27.0 - 82.208.27.255; CASABLANCAINT-CZ)


Greetings,

smith2006
July 25th, 2006, 10:21 AM
I am using Outpost Firewall Pro 3.51.

This is the rule (rule name: NOD32 Antivirus Control Centre HTTP connection) created automatically for NOD32KRN.EXE; you can use it as a reference:

Where the protocol is TCP
and Where the direction is Outbound
and Where the remote port is 80-83
Allow it

Of course you can still fine-tune the setting (like specifying the remote host, restricting access to the remote HTTP port, etc.), but I am quite comfortable with it.

This is what I gathered from the firewall log, and I hope they are useful to you:

Remote Host IP
U1.eset.com 62.168.97.102
U2.eset.com 140.239.119.12
U3.eset.com 82.208.27.3
U4.eset.com 62.168.97.99
U7.eset.com 213.215.116.226
U8.eset.com 209.200.224.54
U11.eset.com 82.165.177.173
U12.eset.com 82.165.177.174
U13.eset.com 217.67.22.110
U14.eset.com 217.67.22.106
U15.eset.com 217.67.22.97
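
Added example, not part of the original thread: a Python model of the two points made in the replies above. `ephemeral_ports` shows the OS assigning a different local port to each outgoing connection, and the `Rule` class compares the outbound rule quoted from Outpost with a variant pinned to one local port. The class and function names are hypothetical, the sample connections are constructed, and TCP is assumed throughout.

```python
import socket
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Conn:                      # one TCP connection as a firewall log would show it
    process: str
    direction: str               # "out" = initiated locally, "in" = initiated remotely
    local_port: int
    remote_port: int

@dataclass(frozen=True)
class Rule:                      # TCP-only allow rule; anything unmatched is denied
    process: str
    direction: str
    remote_ports: range
    local_port: Optional[int] = None   # None = any local port

    def allows(self, c: Conn) -> bool:
        return (c.process.lower() == self.process.lower()
                and c.direction == self.direction
                and c.remote_port in self.remote_ports
                and self.local_port in (None, c.local_port))

def ephemeral_ports(n: int = 3) -> list:
    """Hold n outbound connections to a loopback listener open at once and
    return the local (source) ports the OS assigned to them."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(n)
    clients = [socket.create_connection(srv.getsockname()) for _ in range(n)]
    try:
        return [c.getsockname()[1] for c in clients]
    finally:
        for s in clients + [srv]:
            s.close()

# Rule as quoted in the thread: TCP, outbound, remote port 80-83.
OUTBOUND = Rule("nod32krn.exe", "out", range(80, 84))
# Hypothetical variant that also pins a single local port.
PINNED = Rule("nod32krn.exe", "out", range(80, 84), local_port=1090)
SAMPLE = [                                   # constructed connections
    Conn("NOD32KRN.EXE", "out", 1090, 80),   # update fetch
    Conn("NOD32KRN.EXE", "out", 1097, 80),   # next fetch, new source port
    Conn("NOD32KRN.EXE", "in", 1097, 80),    # unsolicited inbound from port 80
    Conn("NOD32KRN.EXE", "out", 1098, 4444), # outbound to a non-HTTP port
    Conn("other.exe", "out", 1099, 80),      # a different program
]
def verdicts(rule: Rule) -> list:
    return [rule.allows(c) for c in SAMPLE]
```

The pinned variant rejects the second update fetch only because its source port changed, while the direction check alone already denies the unsolicited inbound connection.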

Rubi
July 27th, 2006, 02:30 AM
O.K., thank you, I'll try with these addresses ;)

smith2006
July 27th, 2006, 09:14 PM
{QUOTE-> O.K., thank you, I'll try with these addresses ;) <-QUOTE}

No problem :)

echokoma
July 27th, 2006, 09:51 PM
You can find that NOD updates are saved in the --updfiles-- folder, under the path where you installed it.

Rubi
August 1st, 2006, 06:13 PM
Hello Echokoma :)

And thanks, I will watch and back up this folder every time I do an update.

Cheers