Wilders Security Forums  

  #1  
Old November 22nd, 2007, 06:18 PM
veri veri is offline
Regular Poster
 
Join Date: Aug 2006
Posts: 138
Default Nod32 v3: Software firewall made useless b/c all connections are running through v3?

Using the last Sygate 5.6 debug build before they stopped developing it.

I noticed that an application that had no known setting in the firewall was automatically given access, so to test something, I removed all apps, closed Firefox, and fired it up again. Sure enough, ekrn.exe was requesting permission -- not Firefox or anything else, but ekrn.exe.

This is echoed in other programs requesting access (email clients, etc.), meaning that actual outbound control just became rather hit-or-miss.

So this is either:

1. Nod32 insisting on control over net traffic, or;
2. Some issue with that last Sygate debug build that I've never seen mentioned here on Wilders.

Thoughts?

Last edited by veri : November 22nd, 2007 at 07:23 PM.
  #2  
Old November 22nd, 2007, 08:46 PM
Shelty Shelty is offline
Infrequent Poster
 
Join Date: Oct 2007
Posts: 38
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through v3?

Nod v3 uses a proxy. If I remember correctly, Sygate does not handle proxy, therefore, allowing all of Nod traffic to go through without any alerts. You might want to consider a different firewall.
  #3  
Old November 22nd, 2007, 09:10 PM
Alaska99 Alaska99 is offline
Infrequent Poster
 
Join Date: Jun 2007
Posts: 24
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through v3?

I use Outpost (the best firewall) and I have the same problem. I revert to nod2.7 because of this. The worst, this ekrn.exe proxy slows down my internet speed and uses a lot of cpu.......
Proxy is a scrap... and complicates compatibility with all other security software.....
  #4  
Old November 22nd, 2007, 09:26 PM
Woody777 Woody777 is offline
Frequent Poster
 
Join Date: Aug 2006
Posts: 374
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

I would recommend that if you wish to use version 3 with Sygate that you will either have to set up advanced rules for everything & then I'm not sure it's safe or get another firewall.
  #5  
Old November 22nd, 2007, 09:46 PM
Escalader Escalader is offline
Very Frequent Poster
 
Join Date: Dec 2005
Posts: 2,655
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

Quote:
Originally Posted by veri
Using the last Sygate 5.6 debug build before they stopped developing it.

I noticed that an application that had no known setting in the firewall was automatically given access, so to test something, I removed all apps, closed Firefox, and fired it up again. Sure enough, ekrn.exe was requesting permission -- not Firefox or anything else, but ekrn.exe.

This is echoed in other programs requesting access (email clients, etc.), meaning that actual outbound control just became rather hit-or-miss.

So this is either:

1. Nod32 insisting on control over net traffic, or;
2. Some issue with that last Sygate debug build that I've never seen mentioned here on Wilders.

Thoughts?


Suggest an immediate revert to 2.7.

Not only because of this FW issue but because there are just too many issues with V3 anyway. This is just my personal opinion.
__________________
Escalader

".. there is never time to do it right the first time but always time to do it over"
  #6  
Old November 22nd, 2007, 10:32 PM
creapure creapure is offline
Infrequent Poster
 
Join Date: Nov 2007
Posts: 13
Unhappy Re: Nod32 v3: Software firewall made useless b/c all connections are running through

Quote:
Originally Posted by Alaska99
I use Outpost (the best firewall) and I have the same problem. I revert to nod2.7 because of this. The worst, this ekrn.exe proxy slows down my internet speed and uses a lot of cpu.......
Proxy is a scrap... and complicates compatibility with all other security software.....

I had the same problem. I installed 64 Bit Vista Home Premium on my computer and installed Nod32 V3 and Outpost (the latest 64 bit version). Had no problems accessing the net without the firewall, however, as soon as I installed the outpost firewall, could not access the net. So had to uninstall nod32 v3 and install nod32 2.70.39 and everything's fine now....
  #7  
Old November 22nd, 2007, 10:35 PM
veri veri is offline
Regular Poster
 
Join Date: Aug 2006
Posts: 138
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

Thanks for the comments, all.

Have reverted to 2.70.39.
  #8  
Old November 22nd, 2007, 10:55 PM
Shelty Shelty is offline
Infrequent Poster
 
Join Date: Oct 2007
Posts: 38
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

I have used both Outpost v4 and Comodo v3 with Nod v3. The browser will prompt for access and then ekrn.exe will also ask for access. You're not really losing any security through the firewall. In my firewall, ekrn.exe asked for HTTP port 80 and Pop 3 port 110. If any other ports are needed, the firewall asks.

I guess I've been lucky because I haven't noticed any slow downs or any of the problems that most of the others have.
  #9  
Old November 23rd, 2007, 04:56 AM
Pfipps Pfipps is offline
Regular Poster
 
Join Date: May 2007
Posts: 151
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

So this is why none of my browsers, itunes, etc. don't ask for connection access in the new Comodo Firewall Pro? If I allow ekrn to access the internet, then the firewall effectively allows all programs to access the net?

edit: itunes asks for a connection in Comodo Firewall.
  #10  
Old November 23rd, 2007, 05:13 AM
SteveBlanchard SteveBlanchard is offline
Frequent Poster
 
Join Date: Nov 2007
Location: ENGLAND
Posts: 260
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

Quote:
Originally Posted by Pfipps
So this is why none of my browsers, itunes, etc. don't ask for connection access in the new Comodo Firewall Pro? If I allow ekrn to access the internet, then the firewall effectively allows all programs to access the net?

edit: itunes asks for a connection in Comodo Firewall.


Are you still in train with safe mode? Perhaps (like mine) the firewall has learnt all the programs on your PC.

Also I think ekrn will show 100% traffic as it is monitoring all the time.
__________________
Steve
  #11  
Old November 23rd, 2007, 12:00 PM
Marcos Marcos is offline
Eset Moderator
 
Join Date: Nov 2002
Posts: 9,960
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

It is a standard to use a proxy server for filtering email. It is much better than a scanner working on Winsock level like IMON did. This resulted in many problems, especially on servers.

If you don't want a particular program communicating via HTTP/POP3 to be routed via the local proxy, set web access protection to route only marked applications through the proxy and put a cross next to the applications that you want to bypass the proxy. Applications that do not communicate through HTTP/POP3 are not routed through the proxy whatsoever.
  #12  
Old November 24th, 2007, 08:48 AM
Klaus_1250 Klaus_1250 is offline
Infrequent Poster
 
Join Date: Jun 2006
Posts: 45
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

Quote:
It is much better than a scanner working on Winsock level like IMON did. This resulted in many problems, especially on servers.
That depends on your perspective I guess. It breaks firewall setups, traffic-shaping setups and adblocking setups, so if you are using any of those, it doesn't scan better without breaking any of those.
One of the reasons I liked NOD, was because it was not acting as a proxy.

Quote:
If you don't want a particular program communicating via HTTP/POP3 to be routed via the local proxy, set web access protection to route only marked applications through the proxy and put a cross next to the applications that you want to bypass the proxy.
Where is the setting for "not routing through ekrn.exe"?
  #13  
Old November 24th, 2007, 08:55 AM
12fw 12fw is offline
Regular Poster
 
Join Date: Sep 2006
Location: Canada
Posts: 111
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through v3?

NOD 2.7 working fine with protowall, kerio 2.1.5 and privoxy.

12fw
  #14  
Old November 24th, 2007, 09:57 AM
Woody777 Woody777 is offline
Frequent Poster
 
Join Date: Aug 2006
Posts: 374
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

Sooo, EKrn.exe creates a tunnel through your firewall. How nice. So unless I have a really good HIPS I don't have much control. This is not apparently a local proxy but is actually replacing firewall control through any firewall. Understanding ESS contains a firewall & would have inherent control capabilities because it's an all in one suite. When we use EAV we replace firewall control with Ekrn which acts as a tunnel through any firewall. So how safe is this? Wouldn't 2.7 be a lot safer? I don't know. I am starting to think that Sygate or any other firewall would have its security completely degraded by this type of tunnel.
  #15  
Old November 24th, 2007, 01:55 PM
Klaus_1250 Klaus_1250 is offline
Infrequent Poster
 
Join Date: Jun 2006
Posts: 45
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

It doesn't create a tunnel, it proxies all connections through ekrn.exe. You can still use a firewall, but no longer application specific (still sucks). Or you can buy the Smart Security Suite (long live the "freedom" to choose).
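A simplified model of the behaviour debated in this thread, added here as an example; it is not part of any poster's message and is not ESET's or any firewall vendor's code. It assumes a firewall whose rules are keyed by (process, port) and a local proxy that takes over HTTP/POP3 connections of every application not excluded from it; the class names, process names other than ekrn.exe, and the sample traffic are hypothetical.

```python
"""Constructed model of a per-application outbound firewall behind a local
HTTP/POP3 scanning proxy. All names and sample traffic are hypothetical."""
from dataclasses import dataclass, field

PROXIED_PORTS = {80, 110}  # HTTP and POP3, the two protocols the thread names


@dataclass
class LocalProxy:
    process: str = "ekrn.exe"
    bypass: set = field(default_factory=set)  # apps excluded from the proxy

    def socket_owner(self, app, port):
        """Process that owns the outbound socket the firewall inspects."""
        if port in PROXIED_PORTS and app not in self.bypass:
            return self.process
        return app


@dataclass
class AppFirewall:
    allowed: set = field(default_factory=set)  # approved (process, port) rules

    def verdict(self, process, port):
        return "allow" if (process, port) in self.allowed else "prompt"


def simulate(requests, proxy, firewall):
    """Return (app, process seen by the firewall, port, verdict) per request."""
    rows = []
    for app, port in requests:
        seen = proxy.socket_owner(app, port)
        rows.append((app, seen, port, firewall.verdict(seen, port)))
    return rows


def unattributed(rows):
    """Apps whose traffic was allowed under another process's rule."""
    return sorted({app for app, seen, _, v in rows if v == "allow" and seen != app})


# Constructed sample traffic; the user has approved ekrn.exe on ports 80 and 110.
REQUESTS = [("firefox.exe", 80), ("mailclient.exe", 110),
            ("unknown.exe", 80), ("unknown.exe", 6667)]
RULES = {("ekrn.exe", 80), ("ekrn.exe", 110)}

if __name__ == "__main__":
    for label, proxy in [("proxy for all apps", LocalProxy()),
                         ("unknown.exe bypasses proxy", LocalProxy(bypass={"unknown.exe"}))]:
        rows = simulate(REQUESTS, proxy, AppFirewall(allowed=set(RULES)))
        print(label)
        for app, seen, port, v in rows:
            print(f"  {app:15} port {port:<5} seen as {seen:15} -> {v}")
        print("  allowed without own rule:", unattributed(rows))
```

In the second run the excluded application is evaluated under its own name again, so the firewall prompts for it instead of reusing the ekrn.exe rule.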
  #16  
Old November 24th, 2007, 03:05 PM
Hiker Hiker is offline
Frequent Poster
 
Join Date: Nov 2007
Posts: 230
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

Quote:
Originally Posted by Klaus_1250
It doesn't create a tunnel, it proxies all connections through ekrn.exe. You can still use a firewall, but no longer application specific (still sucks). Or you can buy the Smart Security Suite (long live the "freedom" to choose).

I like NOD32 a lot and have been using it for years now, but if it comes to forcing me to get the ESS, rather than a firewall of my choosing I may very well drop my subscription. I hope Eset corrects the problem with a v 3 update, if it's at all possible.
  #17  
Old November 24th, 2007, 03:12 PM
ASpace
 
Posts: n/a
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

Quote:
Originally Posted by Hiker
I like NOD32 a lot and have been using it for years now, but if it comes to forcing me to get the ESS, rather than a firewall of my choosing I may very well drop my subscription. I hope Eset corrects the problem with a v 3 update, if it's at all possible.


But how can this happen?! This is not a bug, this is software design. Moreover it proxies only HTTP/POP3 traffic

Quote:
Originally Posted by Marcos
If you don't want a particular program communicating via HTTP/POP3 to be routed via the local proxy, set web access protection to route only marked applications through the proxy and put a cross next to the applications that you want to bypass the proxy. Applications that do not communicate through HTTP/POP3 are not routed through the proxy whatsoever.
  #18  
Old November 24th, 2007, 03:29 PM
HAN HAN is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: USA
Posts: 1,311
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

I've started this reply several times and each time, they went bad because this is perhaps THE issue about version 3 for me.

I guess the best way to say this is that moving the HTTP filtering to a proxy is NOT a good idea and IMO, could very well be a source for outbound HTTP security problems. Affected users may never know that things are passing through their software firewall unfettered because they don't understand how NOD32 could be facilitating it.

As for the server filtering/IMON problem, to me, that seems to be an easy fix. Have a client version and a server version. Optimize each one for its intended purpose...

Last edited by HAN : November 24th, 2007 at 03:45 PM.
  #19  
Old November 24th, 2007, 05:01 PM
Shelty Shelty is offline
Infrequent Poster
 
Join Date: Oct 2007
Posts: 38
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

I use Nod v3 and Comodo v3. I have the firewall set to ask me every time something accesses the internet. If Firefox wants to access the internet, Comodo will ask for DNS for Firefox which I allow and then ekrn.exe asks for HTTP filtering and then I can set it so HTTP only uses port 80. That way when HTTP is using another port then ekrn.exe will ask. Any program that needs to access the internet through HTTP has to ask for DNS first so how can you have a security problem?

I fail to see the big deal about the proxy.
  #20  
Old November 24th, 2007, 05:30 PM
Woody777 Woody777 is offline
Frequent Poster
 
Join Date: Aug 2006
Posts: 374
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

What EKrn does from what I can surmise is exactly what Sygate does since it does not control proxies very well. So you can either go back to 2.7 which is now under limited development or use ESS. Correct me if I'm wrong but you would have to make up specific rules for every app in your firewall to completely control what is happening. There is also a third possibility which I might consider which is find another AV which does not use a Proxy server. Unfortunately not many don't. However but I believe suites do control application traffic since they have an integrated firewall. I really hope I'm wrong about this since I really like NOD32's EAV which otherwise works flawlessly.
  #21  
Old November 24th, 2007, 06:42 PM
BerserkerPup BerserkerPup is offline
Regular Poster
 
Join Date: Dec 2003
Location: New Jersey USA
Posts: 52
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through v3?

Just from reading this thread, I can tell that a lot of NOD32 users (myself included) are going to get confused about how 3.0 actually works, why they may have problems, and what the best settings for it should be.
  #22  
Old November 25th, 2007, 04:03 AM
Pfipps Pfipps is offline
Regular Poster
 
Join Date: May 2007
Posts: 151
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

They should allow the option of either a proxy or a winsock driver. The problem with disabling IE/Firefox proxy scanning is that it effectively stops the webscanner. I had to disable web scanning in firefox because comodo blocked an ftp download for ekrn.exe (since it can't detect Firefox because of the proxy).

IMHO, the firewall in ESS isn't robust enough, but the proxy certainly makes the suite more convenient

edit: this is the first gripe I have had so far with the new AV version.

Last edited by Pfipps : November 25th, 2007 at 04:37 AM.
  #23  
Old November 25th, 2007, 04:25 AM
Pfipps Pfipps is offline
Regular Poster
 
Join Date: May 2007
Posts: 151
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

Quote:
Originally Posted by Shelty
I use Nod v3 and Comodo v3. I have the firewall set to ask me every time something accesses the internet. If Firefox wants to access the internet, Comodo will ask for DNS for Firefox which I allow and then ekrn.exe asks for HTTP filtering and then I can set it so HTTP only uses port 80. That way when HTTP is using another port then ekrn.exe will ask. Any program that needs to access the internet through HTTP has to ask for DNS first so how can you have a security problem?

I fail to see the big deal about the proxy.

If I have NOD32 web scanning on for firefox, only ekrn.exe asks for a connection, not firefox. How'd you get that to work?
  #24  
Old November 25th, 2007, 10:59 AM
Moirai Moirai is offline
Infrequent Poster
 
Join Date: Nov 2007
Posts: 7
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

NOD32 v3 will only act as a HTTP/POP3 proxy for applications you want it to. If you don't want it to do so, and want all individual application traffic to continue to be monitored by your firewall, then tell NOD32 not to proxy those applications by configuring it appropriately.

You could alternatively just turn off the proxy behaviour as well.

There seems to be a lot of running around with hair on fire/knee jerk reactions going on here that could be easily avoided by just taking a few moments to learn how to configure the program to suit your needs.

Mark
  #25  
Old November 25th, 2007, 11:58 AM
Woody777 Woody777 is offline
Frequent Poster
 
Join Date: Aug 2006
Posts: 374
Default Re: Nod32 v3: Software firewall made useless b/c all connections are running through

I think this question is legitimate. But you have to decide if you want control of your system or do you want to let NOD do it for you. If you accept that NOD will take care of all malware with no intervention OK, it's for you. What is disturbing to me is that any time you give an app permission to use the internet from that moment on it can by simply going through ekrn. I think that if you are willing to let ekrn take over your system communications you have to control this. Therefore HIPS no longer becomes optional but becomes essential, you also need a firewall with a great log viewer. You need to be able to set ports. At least I do. I once bought a computer with McAfee on it. It worked fine but you never knew what was going on. I truly understand why some of the people who posted on this issue are concerned. I really have to think about what I will do now. Do I really want to go back to my Sygate days when I tried to control all these variables with a firewall. Eventually it just became too much & I switched to Zone Alarm. Now ekrn apparently happily charges through Zone Alarm I may get one warning from the firewall & that's it. Now the issue of which firewall to use becomes paramount & let's face it there are not many Sygates around anymore. I suppose if you were to use version 3 to maintain control you would need something Comodo 3 Eqsecure or SSM maybe even WinSonar. A note of interest is that when I installed ZASS in a snapshot to see what it did ZA completely controlled Traffic & access. I am inclined to believe that ESS or a suite is essential for complete system control. It may be just too hard to "roll your own" using Version 3.
 
