Nod32 v3: Software firewall made useless b/c all connections are running through v3?

Discussion in 'ESET NOD32 Antivirus' started by veri, Nov 22, 2007.

  1. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    absolutely correct

    does CISSP count?

    Run that one by us one more time: IE you want to tie down to port 80 only, but svchost obviously needs 80 and 443 for updates, and the multitude of online games running http over ports other than 80, and well maybe you do want 80 and 443 but only using firefox? That's granularity.

    Other than using ESS, I'm struggling to see how to do that with EAV and any other firewall.

    regards
     
  2. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I would assume that if I were a developer for an AV only product I would expect that this product would be used with a firewall. That being the case I would not design in an esoteric scanning function that disables the function of most firewalls. Nor would I assume that the average user would spend loads of time learning how to set up my product. It needs to be running with good protection right out of the box & be compatible with firewalls. I am getting the impression from this thread that ESET assumed that most users of EAV would use it in conjunction with the Windows firewall so they provided a scanning solution that would work nicely with the Windows firewall. Conversely if a user wanted a dedicated firewall they would use ESS which is an integrated solution and thus does not have any of the proxy problems that EAV has when used with the average firewall. What is disturbing is the fact that many users will tie EAV with the firewall of their choice & never be aware of the proxy problem. I too do not think that there will be any easy solution to this problem when used with someone else's firewall. I have therefore gone back to 2.7 which works with anyone's firewall & has none of these problems.
     
  3. MaVRiC

    MaVRiC Registered Member

    Joined:
    Dec 7, 2007
    Posts:
    25
    Possible fix.

    Ok, having a real good look through the thread, the mix is totally split on whether it works or not. So I had a little play and found that the reason it worked for me and probably others is the Windows DNS client is switched off in Windows services.
    As a little experiment I reactivated the DNS client, removed Firefox from the firewall rules, ran fox and hey presto, fox connected no questions asked, as svchost had access to the net for certain functions including DNS resolution and it went through it.
    Killed and disabled the Windows DNS client and Firefox once again asked for access.
    So for the ppl out there having trouble, give this a go, it may be your fix. You will probably have to add a port 53 rule to your application allowed rules, but it fixes it. Added bonus: you just closed up an obvious DNS hole in Windows, as all net enabled applications don't need the client, they make their own DNS requests that your firewall should intercept.

    Disable this little sucker.
    [Attached image: services.png]

    Well I hope it helps a few of you out there.
     
  4. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Hi MaVRiC

    DNS is a bit irrelevant and only going to confuse people even more.

    The proxy trap within EAV doesn't care about DNS, so all applications will need lookup from somewhere - if the DNS client is not there (which would result in svchost doing DNS lookups) then each application has to go and get it itself.

    The only real issue (and fair enough... only for those that care) is the lack of granularity through that ekrn proxy. DNS does not make any difference at all.

    cheers
     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Well said! :) Exactly mirrors what I have been thinking... Unfortunately, this means I cannot recommend NOD32 Version 3 to everyone I know. Without customization (depending on a user's setup), it may leave them with less protection than what they started with. Too bad! :(
     
  6. capatt

    capatt Registered Member

    Joined:
    Jan 23, 2007
    Posts:
    84
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    ESET EAV works great with Online Armor, which is an awesome firewall, anyway. Just tick "Intercept Loopback Interface" in OA and all programs seeking internet access are detected. No worries.
     
  7. Bluenile

    Bluenile Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    122
    Location:
    UK
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I'm getting the same problem with Kaspersky 7 Anti-Virus and Comodo.
     
  8. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
  9. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    NO SOFTWARE FW will work as such with all the possibilities a firewall has with an effective NAV v3 proxy http/pop3 scanning. You can for example not forbid one application (Opera) access to an IP-Range, etc., and allow another application (Firefox) this IP range. The list goes on...
     
    Last edited: Dec 10, 2007
  10. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    Joined:
    Jul 19, 2003
    Posts:
    45
    Location:
    Albuquerque, NM
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through


    That's great if you are not using Vista. At last count, Online Armor is not Vista compatible.
     
  11. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    That's the same as deleting localhost (127.0.0.1) from trusted addresses in other firewalls, gives you control as you said but limited. See my post above.
     
  12. share98

    share98 Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    36
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I returned to 2.7. I hope ESET supports this version for the next 2 years as that's what I paid for! I did notice that my applications (Firefox and Thunderbird specifically) loaded much faster.
     
  13. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    My thoughts:

    Agnitum is in exactly the same boat - both these folks want to sell you their suite and take over the world. Well I'm sorry but I wouldn't have either.

    OK so I do have 3 licenses for ESS, but that is only because it is the most stable solution I can find for Vista at this point in time. [and that is very definitely most stable solution NOT by choice, or best of breed]

    On XP I have EAV 2.7 and Outpost 4 because they are the best I can find at the job they both do. ESET firewall is nowhere close to Outpost in terms of anti leak or hips [even McAfee Virusscan Enterprise without a firewall is way ahead of ESET] and Agnitum AV regardless of one VB100 is equally unproven.

    I do care about getting the best AV and the best firewall... if they were indeed in the same suite... well that would be very useful indeed... but, and I'm sorry, they are not!

    Whether you like it or not the ESET proxy is restrictive and limiting and completely the wrong design stance for the AV product. Get rid of it please!

    As for what any of the other vendors are doing, I really don't care... I thought NOD32 was brilliant when they did AV. If they only do a suite now then that gives us a big problem.

    regards
    Gordon
     
  14. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Confused further! Is this correct? "I'm not sure if this answers your question, as I don't use either of those products. However, you can try this and see if it makes a difference.

    CFP/Defense+/Advanced/Computer Security Policy

    Find the entry for your AV and select Edit.
    Select Use a Custom Policy then click Access Rights.
    Halfway down you should see Loopback Networking, set it to Allow, then select Apply." I'm wondering if it should be blocked.
    Admittedly this setting reduces ekrn.exe traffic in the Comodo Summary to less than 40% while browsing with Firefox. But is NOD32 still doing its job? Another interesting thing is the fact that I've never installed Defense+, just the firewall, yet it appears to function to this extent anyway.
     
  15. wat0114

    wat0114 Guest

    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Thank you Tommy and Gordon for confirming what I thought was true but was unable to fully determine on my own. I’ve reverted to 2.7. Hopefully Eset does get rid of it.
     
  16. Hiker

    Hiker Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    271
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I did everything I could to configure NOD32 v3 and Comodo FP to not fail the leaktest and brushed it off to user error. o_O Finally, I downgraded to NOD32 v2.7 and passed! :-*

    Next year, when my subscription expires, I'll be looking into Avast, AntiVir or CAV's... :p
     
  17. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    What is amazing to me is all of the posts criticising NOD32 v3 + Comodo v3, when they know full well that BOTH of these programs are BRAND NEW, MAJOR UPGRADES.

    What the hell do you expect o_O?

    Go back to NOD32 v2.7 and Comodo v2.4 if you don't want to take part in working out all of the little issues that are BOUND to come up.

    Sheesh - get a grip people.
     
  18. deckie49

    deckie49 Registered Member

    Joined:
    May 25, 2004
    Posts:
    34
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    tanstaafl,
    as frustrated as i am about the whole issue, i have to agree with you 100%.
    unfortunately, it's easy to forget that new versions are usually released to the public in beta stage and need some fine tuning. that seems especially true of these two particular programs because both seem to involve a complete paradigm shift in their programming.
    that being said, i'm pretty disappointed in eset for their lack of communication with us. they seem to be hiding behind a curtain. no doubt they're hard at work at improving their new version, but it would be nice if they were a little more forthcoming with us.
    the good people at comodo don't have that problem. sded does a good job. he's straight-forward and honest.
     
  19. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Sheesh, you are missing the whole point! You are making it sound like there are some incompatibility or performance issues, which there aren't! The problem being discussed here is the fact the new NOD v3 engine (specifically ekrn.exe) renders the functionality of firewalls useless. This has been confirmed by a whole lot of folks that are much smarter than I am. There apparently is nothing to work out and people are venting their frustration, especially over the fact that eset doesn't even just come out and say "There is nothing can be done about it, you are just going to have to use v2.4." or "We are working on an option which will preserve the basic functionality of v3 but will also allow firewalls to perform their intended function." If this thread is bothering you don't read it!
     
    Last edited: Dec 16, 2007
  20. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I believe that ESET ought to recommend that if you are going to use the NOD3 engine with a firewall you simply use the Windows firewall. Since it makes most free or for pay firewalls superfluous they should state that the function of the firewall will now be performed by the NOD 3 engine. While these statements fly in the face of accepted security practice the NOD 3 engine in fact renders the function of firewalls useless. If someone wants HIPS they should install one, no need for a firewall with EAV3. At the very least if ESET is going to continue to market this product the firewall cancelling function of EAV 3 should be made clear to all purchasers of the product. There would still be a lot of customers; some people could care less if they have a firewall or not.
     
  21. share98

    share98 Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    36
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I understand that both Comodo and NOD32 are major upgrades. However, as evidenced by this particular forum topic, there seems to be a lack of clear documentation that explains how NOD32 works, the impact on firewalls in general, and how to configure it properly in order to achieve the maximum utility. I have no doubt ESET is reading these forums and working diligently to come up with fixes for the various issues. After all, this is their bread-and-butter. I do wish there was a little more transparency from their end to at least acknowledge that some folks are having problems and that they are working on resolving them. My issue is that this upgrade did not state that firewalls, in general, were rendered ineffective and that no matter how you configured NOD32 there was no way around this fact. I suppose shame on me for being an early adopter. I have always had faith in ESET and assumed the new version would be a continuation of their AV approach and not a major change in how their product interacted with other software - in particular firewalls. As a customer, I choose to have products that accomplish specific tasks installed. I do not necessarily want a suite or a product that purports to be all things to all people. My viewpoint is that ESET was not transparent in that regard and I am disappointed in them and I lament the fact it cost me $80+ to find this out.
     
  22. xheffalumpx

    xheffalumpx Registered Member

    Joined:
    Dec 12, 2007
    Posts:
    62
    Sorry not to wade through 8 pages but can someone confirm that you can or can not disable the proxy for v3 yet? I went back to 2.7 because of this proxy.

    If not, why don't ESET just give the option?? So option to use proxy or option to switch it off and make NOD32 work like before. People didn't complain about how 2.7 worked so why not provide that option again...
     
  23. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Exactly! Someone else suggested the same thing in this mega thread. Of course, only eset knows if that is logistically possible and they aren't talking.
     
  24. capatt

    capatt Registered Member

    Joined:
    Jan 23, 2007
    Posts:
    84
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Version 3's method of http scanning through a proxy is more efficient than the way it was done in 2.7. Everyone should be taking advantage of this and routing all traffic this way.

    With regard to a firewall, you need to choose the right one. Online Armor handles this with ease, detecting all requests for internet access. It's a better firewall than Comodo, more stable, easier to use, and beats ALL the leaktests which Comodo does not. Online Armor is simply the BEST firewall out there, bar none, and it works beautifully with EAV.
     
  25. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I give you 10 points for the first statement in your posting, but only 1 for the second part :)
    The problem is not the detection of Internet access, that you can fix by deleting 'localhost' from 'trusted addresses' in the FW, so the FW will detect local traffic between for example IE and the NOD Proxy. That was never the problem if you read the last pages of this mega thread and others on Wilders.

    Just a simple challenge; please show me how you limit a specific IP-Range for Opera on port 80 and allow the same IP-Range on port 80 for Firefox with your combination NOD 3.x <-> Online Armor while proxying all port 80 requests with NOD-Proxy.
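
The granularity problem debated in this thread, as an added example that is not part of any post: a simplified model of a per-application outbound firewall, evaluated with and without a local scanning proxy in the path. The browser process names, the address range, the proxy port and the rule format are constructed for illustration; only `ekrn.exe` comes from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    process: str   # executable the firewall attributes the socket to
    network: str   # destination range in CIDR form
    port: int
    action: str    # "allow" or "block"

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
PROXY_PORT = 30606  # hypothetical local port for the scanner proxy

def decide(rules, process, dst_ip, dst_port, trust_loopback):
    """First matching rule wins; unmatched traffic is blocked."""
    ip = ipaddress.ip_address(dst_ip)
    if trust_loopback and ip in LOOPBACK:
        return "allow"  # 'localhost' listed under trusted addresses
    for r in rules:
        if (r.process == process and r.port == dst_port
                and ip in ipaddress.ip_network(r.network)):
            return r.action
    return "block"

def observed(app, dst_ip, dst_port, proxied):
    """Connections the firewall sees for a single HTTP request."""
    if not proxied:
        return [(app, dst_ip, dst_port)]
    # The app only talks to the local proxy; ekrn.exe owns the remote socket.
    return [(app, "127.0.0.1", PROXY_PORT), ("ekrn.exe", dst_ip, dst_port)]

def outcome(rules, app, dst_ip, dst_port, proxied, trust_loopback=True):
    """The request succeeds only if every observed connection is allowed."""
    verdicts = [decide(rules, p, ip, port, trust_loopback)
                for p, ip, port in observed(app, dst_ip, dst_port, proxied)]
    return "allow" if all(v == "allow" for v in verdicts) else "block"

# Constructed policy for the challenge: same range and port, different verdict per browser.
RULES = [
    Rule("opera.exe", "203.0.113.0/24", 80, "block"),
    Rule("firefox.exe", "203.0.113.0/24", 80, "allow"),
    Rule("ekrn.exe", "0.0.0.0/0", 80, "allow"),  # the proxy needs general web access
]
# With loopback untrusted, the only per-app lever left is access to the proxy itself.
LOOPBACK_RULES = RULES + [
    Rule("firefox.exe", "127.0.0.1/32", PROXY_PORT, "allow"),
    Rule("opera.exe", "127.0.0.1/32", PROXY_PORT, "allow"),
]

if __name__ == "__main__":
    for label, rules, proxied, trust in [("direct", RULES, False, True),
                                         ("proxied, loopback trusted", RULES, True, True),
                                         ("proxied, loopback filtered", LOOPBACK_RULES, True, False)]:
        print(label, {a: outcome(rules, a, "203.0.113.10", 80, proxied, trust)
                      for a in ("opera.exe", "firefox.exe")})
```

In this model the Opera block rule only takes effect on the direct path. Once the request is proxied, filtering loopback lets the firewall decide whether an application may reach the proxy at all, but not which remote ranges it may reach through it.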
     