NOD32 web access protection blocks HTTP traffic

[rpremuz]

Hi!

In a Windows domain I have about 60 MS Windows XP Pro. SP3 machines with ESET NOD32 AV Business Edition 4. All PCs have similar software configuration and the same NOD32 AV configuration.

A few of the PCs have a problem with NOD32 AV web access protection. Mostly the web access protection works fine but occasionally the HTTP traffic gets totally blocked and no web browser is able to open web pages. At such occasions I notice the following:

• ESET NOD32 AV GUI (egui.exe) says that antivirus and antispyware protection is active.
  
• There is no errors or warnings in the Event Log.
  
• The network connectivity is in order and other network protocols work fine (e.g. DNS resolving, file sharing, connection to the MS Exchange Server). So, I'd say the problem must be caused by NOD32 AV web access protection which filters HTTP traffic.

All PCs have both Internet Explorer 8 and Mozilla Firefox 3.6 installed. The problem occurs regardless of the user's preferred browser.

The problem first appeared with NOD32 AV v. 4.0.474. The upgrade to NOD32 AV v. 4.2.40 didn't make any difference. In versions 4.0.314 and 3.0.* there was no such problem.

If the PC is restarted, the NOD32 AV Web access protection works well again but the problem may reoccur the same day, which annoys the users.

The NOD32 configuration and system info are attached.

Has anyone seen such a problem?
Any suggestions on fixing it?

-- rpr.

[rpremuz]

Here is another report on this problem:
http://www.wilderssecurity.com/showthread.php?t=273249
(should use a better thread title).

-- rpr.

[Marcos]

Does disabling self-defense and restarting the computer make a difference?

[rpremuz]

Quote:

Originally Posted by Marcos

Does disabling self-defense and restarting the computer make a difference?

Why should I try disabling self-defense?

[kjz]

Quote:

Originally Posted by rpremuz

Why should I try disabling self-defense?

Is disabling self-defence (in this situation) possible? I tried to disable web access protection but only got an error message: not enough rights.....

- kjz

[vtol]

Quote:

Originally Posted by rpremuz

Why should I try disabling self-defense?

to make your system compatible with NOD. Most issues are advised like that by Eset, never mind that it lowers the protection to almost zero in the end

[thek]

I've got exactly the same problem, i tryed to deactivate HTTP/Protocol Filtering but same issue. Works flawlessly when NOD32 uninstalled

It does not apply to all computers, only some customers have this problem.

No solution for me at this time

[ratty9000]

I have to report the same problem (NOD32 v4 AV on WinXP SP3). This first manifested out of the blue 2 days ago on June 14th, and I've tried various options to resolve things:

- a repair install on v4.0.424
- uninstall and clean reinstall of v4.0.424
- uninstall of v4.0.424 and install of v4.2.40

In all cases, after a reboot all is well for a while. At some random time thereafter, it appears that the NOD http proxy stops accepting connections. TCPview shows loopback connections to port 30606 instantly dropping.

A simple test script which makes an http call to a nonstandard port (i.e. not filtered by the proxy) makes a successful TCP connection. Repeat with port 80 and it fails.

It's also the case that the NOD GUI gets into a funny state when the problem occurs. Settings, e.g. to disable web protection, are ignored. Attempts to uninstall while in the fault condition also fail with messages about insufficient rights to stop the service.

What's puzzling is that another WinXP SP3 machine is fine.

V4.0.424 has been trouble-free for over a year until now. I've had to go back to v2.7 for the time being.

[ratty9000]

Quote:

Originally Posted by Marcos

Does disabling self-defense and restarting the computer make a difference?

It would appear that disabling Self Defence does prevent the HTTP traffic from being blocked by the scanner.

However if the HTTP traffic has already started being blocked, an attempt to change the Self Defence setting is met with a message: "An error occurred while saving the configuration. Please make sure that you have permissions to change settings."

Reboot, disable the Self Defence setting quickly, then reboot again.

Oh, and this is for the latest v4.2.40. Clean install.

Is there something strange about Self Defence? Has it changed recently?

[ratty9000]

FWIW I noticed that the OP and I have the same version of Self-Defence:

Self-defense support module : 1016 (20100404)

Seems to me that there's a problem with this - at least on XP SP3 (fully patched). It's almost as if the EKRN service partially cuts itself off from the world...

[kjz]

Same here. Self-defense modul is version 1016 (20100404).

[skeymer]

Just a quick note to say that we also have this same problem and have the same version of the Self Defence Module as others have listed.
Is there any sign of a solution yet?
Disabling Self Defence and therefore reducing your level of protection doesn't sound like such a good idea.

Stefan.

[skeymer]

An update on this problem.
I've just been informed by ESET Support that a new build of the software due for release during the first week of July should resolve this issue.

[ratty9000]

Quote:

Originally Posted by skeymer

An update on this problem.
I've just been informed by ESET Support that a new build of the software due for release during the first week of July should resolve this issue.

Ah so it was the 20100404 Self-Defence module after all. Many thanks for getting that confirmation.

Concerned about malware I scanned the disk every which way, including for user, kernel and MBR rootkits.

[rpremuz]

Is there any news regarding this issue after upgrade to NOD32 AV 4.2.58.3?
I can see that the self-defense module was not changed in the new NOD32:

Self-defense support module : 1016 (20100404)

-- rpr.

[Marcos]

Quote:

Originally Posted by rpremuz

Is there any news regarding this issue after upgrade to NOD32 AV 4.2.58.3?
I can see that the self-defense module was not changed in the new NOD32:
Self-defense support module : 1016 (20100404)

Does the problem persist with the latest build 4.2.58? If so, does disabling self-defense actually resolve the problem?

[skeymer]

Yes, the problem does persist with V 4.2.58
And Yes, if you disable the Self Defense module the problem goes away.
Stefan.

[ratty9000]

I found the problem apparently went away when I installed Online Armor, which also intermediates web traffic. I was able to re-enable NOD's self-defence.

[skeymer]

We have now discovered a curious way of fixing the problem.
We tried upgrading the client on some PCs to the latest version to see if it resolved the issue, but it didn't.
Except on one PC which had the Self Defense module switched off when upgraded. It was turned on again afterwards and has since been fine.
We have now tried this on a couple of other effected PCs and found that if the self defense module is off when upgraded then the problem gets resolved but if it is on when upgraded then the problem persists.
We will now use this as a workaround fix for any PCs that report the issue to us, but would still like to get a better long term fix at some point.

[Marcos]

Quote:

Originally Posted by skeymer

Except on one PC which had the Self Defense module switched off when upgraded. It was turned on again afterwards and has since been fine.
We have now tried this on a couple of other effected PCs and found that if the self defense module is off when upgraded then the problem gets resolved but if it is on when upgraded then the problem persists.

What OS is installed on those machines? HTTP scanning differs on Windows 2000/XP systems and Vista SP1 and newer. We would be interested in providing you a logging version of the self-defense module which might shed more light.

[ratty9000]

Quote:

Originally Posted by skeymer

We have now discovered a curious way of fixing the problem.
We tried upgrading the client on some PCs to the latest version to see if it resolved the issue, but it didn't.
Except on one PC which had the Self Defense module switched off when upgraded. It was turned on again afterwards and has since been fine.
We have now tried this on a couple of other effected PCs and found that if the self defense module is off when upgraded then the problem gets resolved but if it is on when upgraded then the problem persists.
We will now use this as a workaround fix for any PCs that report the issue to us, but would still like to get a better long term fix at some point.

Interesting, perhaps about as logical as the "solution" I found of using a web-filtering firewall.

Just to clarify, did you do a straight install of 4.2 over the top of 4.0 retaining all settings?

Thanks

[kjz]

Just a guess: maybe, an active self defense module during update blocks the installation of a component of NOD32 which therefore still will be from the old version?

[chrcol]

Quote:

Originally Posted by kjz

Just a guess: maybe, an active self defense module during update blocks the installation of a component of NOD32 which therefore still will be from the old version?

seems logical.

[skeymer]

Quote:

Originally Posted by Marcos

What OS is installed on those machines? HTTP scanning differs on Windows 2000/XP systems and Vista SP1 and newer. We would be interested in providing you a logging version of the self-defense module which might shed more light.

Many thanks for the offer of using a logging version of the module, we're already working with ESET support on this issue and have used the logging version to send back info.
Plus a version of the module that causes a BSOD crash and memory dump file, so far no solution as yet.

We're using XP, by the way.

Stefan.

[skeymer]

Quote:

Originally Posted by ratty9000

Interesting, perhaps about as logical as the "solution" I found of using a web-filtering firewall.

Just to clarify, did you do a straight install of 4.2 over the top of 4.0 retaining all settings?

Thanks

Yes, I believe the install was over the top of the existing installation.