Nod32 v3: Software firewall made useless b/c all connections are running through v3?

Discussion in 'ESET NOD32 Antivirus' started by veri, Nov 22, 2007.

Thread Status:
Not open for further replies.
  1. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    After this issue gets sorted can a knowledgeable few come up with settings that address the situation, i.e. configure Comodo and/or NOD32 so it satisfies all? That would be greatly appreciated! Also, not to complicate things, but I use and love Sandboxie, however, at the present time I am unable to even have Comodo v3 installed. Running Firefox or IE7 sandboxed slows them to almost a stall and mouse gestures and scrolling become totally erratic. Out of the sandbox they work perfectly. The really strange thing is that even with Comodo shut down those browsers cannot run sandboxed. The issue discussed on both the Comodo and Sandboxie forums basically comes down to the haves and the have-nots, i.e. some have no problem using both but no answers or help for those that do have problems. This leads me to ask, could the Comodo/NOD32 issue be the underlying factor in the Sandboxie issue and if so, how could I adjust either Comodo and/or NOD32 to allow sandboxed browsing? Although I'm hard wired to a router, I feel kind of naked just using the XP firewall (did not feel like installing/uninstalling Comodo v2.4 again). Thank You!
     
  2. Moirai

    Moirai Registered Member

    Joined:
    Nov 25, 2007
    Posts:
    7
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    If you're referring to the NOD32 v3 proxy issue, then there is nothing to configure within Comodo. The proxy settings are all in NOD32, and that is the only configuration that needs adjusting to suit.

    As for a configuration to suit all... Not really possible. Everyone has their own requirements. If you wish to use a piece of software on your PC then it is only sensible to acquaint yourself with its functions so that you can configure it to suit your own personal needs.

    If you're seeing the same issue with Comodo shut down, then it sounds more to do with Sandboxie than Comodo. However, the only way to be sure would be to uninstall Comodo completely and then see if you get the same problems.

    The only way to clearly identify any issue of this nature is to try to isolate it. That means removing anything that may be causing an issue and seeing if the problem goes away.

    It can be a bit longwinded doing so, but it's generally the only way to effectively narrow down issues like this. And that means, in order:

    1) Running Sandboxie without Comodo FW or NOD32 installed.
    2) Running Sandboxie with only Comodo FW installed.
    3) Running Sandboxie with only NOD32 installed.

    Obviously you need to note down the results of performing each step, and then take things from there.

    Of course, if it turns out that you're still seeing the same slowdowns without either NOD32 or Comodo installed, then you're looking at an issue with Sandboxie and/or something else running on your system.

    Mark
     
  3. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    This is what I do know: Browsers not sandboxed work normally with Comodo v3 enabled. Sandboxed, even with Comodo disabled, the problem still exists. With Comodo v3 uninstalled, no problems. I did not explore the possibility that NOD32 could be involved until I read on this forum that Comodo shows NOD using 99% CPU, which in my very non-techie mind I associated with the NOD ekrn.exe/proxy situation.
     
  4. poutine

    poutine Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    371
    Location:
    England or Quebec
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Yeah, I love it too ;)
     
  5. uesjd

    uesjd Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    14
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    It's not just an issue of NOD32 settings.

    I downloaded Leaktest from GRC.com and tried it with the combination of NOD32 3.0 and Comodo 3.0. Leaktest got through to the Internet every time, and every connection by Leaktest showed up in the Comodo log as ekrn.exe, not leaktest.exe.

    I then uninstalled Comodo and installed ZoneAlarm, without changing any settings in NOD32. ZoneAlarm detected Leaktest as the application actually trying to access the Internet, popped up a warning, and I was able to tell ZoneAlarm to block the access. Comodo never even popped up a warning. So despite how ekrn.exe operates, it obviously is possible for a software firewall to distinguish between ekrn.exe and the other applications that it proxies.

    And since one of the reasons we use firewalls (particularly firewalls that protect against outbound connections) is to prevent unknown, unwanted files (i.e., Trojans or other malware) from accessing the Internet, it wouldn't be very practical if we had to configure NOD32 "not to proxy those applications by configuring it appropriately" inasmuch as we don't know that those applications exist, or what they are, until after they have done their damage. Turning off the proxy behavior entirely would be doable, but that reduces the overall effectiveness of NOD32. So I think for the time being, the combination of CFP 3.0 and NOD32 3.0 should be avoided, and another firewall should be used with NOD32 3.0.
     
  6. Moirai

    Moirai Registered Member

    Joined:
    Nov 25, 2007
    Posts:
    7
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Okay. So you currently have the latest version of NOD32 v3 installed along with the latest version of Sandboxie, and Comodo FW is uninstalled? True?

    In which case, try the following:

    1) Open NOD32's interface, click 'Setup' in the lefthand menu, and then click the link entitled 'Toggle Advanced mode' in the panel on the right.
    2) Click 'Yes' on the dialog that pops up and then click the link entitled 'Enter entire advanced setup tree...' in the panel on the right.
    3) In the 'Setup' dialog that comes up, navigate to the following entry:

    http://www.lafpd.net/nod32v3setup.jpg

    You should see an entry for Sbiectrl.exe, as shown in the above image. Clicking the box next to that entry will toggle it through three states: blank, checked and crossed out. Set Sbiectrl.exe to be crossed out, as above. Feel free to set everything to be crossed out if you like. This will stop NOD32 acting as a proxy in any way for any of these programs and let your firewall monitor their connections.

    4) Click 'OK' to save your changes and close the NOD32 interface.

    Now try a reinstall of the latest Comodo FW and see if the issue persists.

    Mark
     
  7. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I'll give it a try and thank you very much for your time and interest!
     
  8. Moirai

    Moirai Registered Member

    Joined:
    Nov 25, 2007
    Posts:
    7
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    And I don't disagree with your findings.

    My point was purely aimed at the notion that NOD32 itself is doing something very wrong - which I don't consider, at present, to be the case - and the suggestion that there was no way around the immediate issue.

    But my intent obviously wasn't clear, and I apologise for that.

    I can't comment on ZoneAlarm's behaviour, since I haven't tried that for some time, but will now. Which version were you testing?

    But, whatever Zonealarm is apparently doing firewall-wise is important, and Comodo could do with taking note.

    However, I did find in testing that Comodo FW's HIPS protection, Defense+, prompted me when running Leaktest and complained that it displayed 'possible malware behaviour'. So in that instance, Leaktest never even got as far as running. Purely firewall-wise though; yes, it let Leaktest through.

    From a personal perspective though, I don't have an immediate problem with NOD32's proxy being off. Even with NOD32 v2.7 I never ran IMON and had no infection issues due to doing so, since on the rare occasion in the past that something malicious was downloaded, NOD32's on-access scanning blocked it the moment it was written to the disk. But each person has their own requirements, naturally.

    As an interesting aside, while testing, I also tried running a copy of Comodo's BOClean, and that stomped on the Leaktest executable the instant it was run...
     
  9. Moirai

    Moirai Registered Member

    Joined:
    Nov 25, 2007
    Posts:
    7
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Just ran some tests.

    Actually, what ZoneAlarm is flagging up is not Leaktest's connection to the Internet, but its internal localhost (127.0.0.1) connection to NOD32's proxy, i.e. a TCP connection to the 'trusted' local zone. Once that is allowed, ZoneAlarm sees no more of it than any other firewall, since it's then running through NOD32 and all connections from that are allowed.

    But it makes a point. Comodo and other firewalls need to be watching localhost connections as well and flagging them up for each application.
     
  10. Moirai

    Moirai Registered Member

    Joined:
    Nov 25, 2007
    Posts:
    7
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    As an aside though, it's also worth mentioning that Leaktest appears to be a bit dumb.

    If it has rights to talk to NOD32 via localhost, it assumes that because it has connected to something that it's breached the firewall and reports as such.

    And this was tested on a PC that was physically disconnected from the LAN, so no external connection was possible at all...

    "Firewall Penetrated! LeakTest WAS ABLE to connect to the main GRC.COM Web Server!"

    Er...sorry. I don't think so... ;)

    Still, the original point stands. Comodo should really be interrogating localhost connections from unknown apps as well to avoid these types of leaks.
     
  11. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Thanks for the last few posts Moirai and uesjd. They clarify the fact that local proxies can create circumstances that may (not necessarily will) nullify a software-based firewall's outbound protection.

    Several years ago, while using Kerio 2, I was running The Proxomitron (which runs as a local proxy) and had a legitimate program bypass the firewall. The rules I had in place should have prevented it but they didn't. I quickly learned that running local proxies requires a user's special attention if one wishes to remain locked down. And IMO, I just don't think most users are willing (or able) to do this (and in most situations, I include myself in this list!)
     
  12. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    You don't. NOD intercepts Firefox's request and routes it through the internal proxy so your firewall (say Comodo) will only see ekrn.exe. The advantage of Comodo is that if you enable its HIPS you'll see the interprocess communication between Firefox and NOD, but that's where it ends, because the program connecting to the web will be NOD and not Firefox directly.
     
  13. Shelty

    Shelty Registered Member

    Joined:
    Oct 28, 2007
    Posts:
    41
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Yes, you can. If you set it up so every program needs a DNS rule instead of using a global DNS rule for everything, Firefox or any program that accesses the internet will ask for DNS and then the HTTP will route through ekrn.exe. I know some people don't like to mess with rules but that is one way the firewall will ask.

    You can only give the program the right to access or deny and then the HTTP would be routed through ekrn.exe. This is just my example how I have some control over it for now.
     
  14. uesjd

    uesjd Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    14
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I didn't see that at first because I had turned off Defense+ (there were enough glitches to make it more annoying than valuable) but when I turned it back on, it did note that Leaktest was naughty.
     
  15. Shelty

    Shelty Registered Member

    Joined:
    Oct 28, 2007
    Posts:
    41
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Since everybody is concerned about the GRC leaktest passing through ekrn.exe, I thought I'd share this post with everyone that I found at Comodo.

    "It's also worth bearing in mind that Leaktest is a bit dumb.

    With NOD32 v3 running with its http proxy enabled, Leaktest naturally has to make a localhost connection to it to get out.

    Now, even if Comodo blocks the outbound connection from NOD32, Leaktest will still report that it got out.

    Why? Because Leaktest stupidly assumes that because it connected to 'something' - which, in this case, is NOD32's http proxy - that it bypassed your firewall.

    Try the following. Disconnect your PC from the internet completely (remove network cable, etc.) and try running Leaktest again. Yup, it still reports that it connected to grc.com... Roll Eyes."

    Just a little info for thought.
     
  16. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    But you are only making it ask for DNS ... after that, if you allow the DNS request you are toast ... unless you set Comodo to ask for loopback connections, that way any program attempting to make a localhost connection to NOD's proxy will generate another popup from Comodo ... It will give you more control but eventually you won't control HTTP unless you disable NOD's shiny new proxy ...
     
  17. Moirai

    Moirai Registered Member

    Joined:
    Nov 25, 2007
    Posts:
    7
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    As a general point, I guess I should clarify that 'Atropos' on Comodo's forums and 'Moirai' here are both me, just to avoid any potential amusement over the point that one may be copying the other... :)

    Mark
     
  18. Vicky1

    Vicky1 Registered Member

    Joined:
    Nov 27, 2007
    Posts:
    33
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I am also having a similar issue. I do not want to downgrade my installations .. can someone tell me how to get both of these programs working?

    Can we turn off this proxy/tunnel effect? If yes, how? And what would be its effects?
     
  19. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Configure your firewall to alert on connections to 127.0.0.1

    If you are using Comodo v3 you should add your browsers and other programs that use the proxy to "My Pending Files" (Defense+ -> Common Tasks) and set Defense+ Security Level (Defense+ -> Advanced -> Defense+ Settings) to "Clean PC Mode" or higher. Also you may need to delete the rules for these files in Computer Security Policy.
     
    Last edited: Nov 27, 2007
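    To make the point of the last few posts concrete, here is a small model (added here; not code from the thread, from ESET or from Comodo) of what a per-application firewall sees when an HTTP proxy such as ekrn.exe sits on loopback. The process names other than ekrn.exe, the proxy port, the sample connection records and the FIFO attribution heuristic are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROXY_PROCESS = "ekrn.exe"        # NOD32 v3's scanning proxy, as named in the thread
PROXY_PORT = 30606                # assumption: whichever loopback port the proxy listens on
TRUSTED_APPS = {"firefox.exe"}    # apps the user has already allowed outbound


@dataclass
class Conn:
    seq: int        # order in which the firewall observed the connection
    process: str    # owning process name as the firewall reports it
    dst_ip: str
    dst_port: int


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.")


def naive_verdicts(conns: List[Conn]) -> Dict[str, str]:
    """A firewall that ignores loopback traffic. Every HTTP request leaves the
    machine as the proxy's own connection, so only ekrn.exe ever appears in
    the outbound log and an unknown app never triggers a prompt."""
    verdicts: Dict[str, str] = {}
    for c in conns:
        if is_loopback(c.dst_ip):
            continue
        allowed = c.process in TRUSTED_APPS | {PROXY_PROCESS}
        verdicts[c.process] = "allow" if allowed else "ask"
    return verdicts


def loopback_aware(conns: List[Conn]) -> Tuple[Dict[str, str], Dict[int, str]]:
    """The thread's 'alert on 127.0.0.1' advice: prompt on loopback connections
    to the proxy port from untrusted apps, and (heuristically, by arrival
    order) attribute each proxy outbound to the app whose request it carries."""
    verdicts: Dict[str, str] = {}
    attribution: Dict[int, str] = {}   # seq of proxy outbound -> originating app
    pending: List[str] = []            # apps whose request is queued in the proxy
    for c in sorted(conns, key=lambda x: x.seq):
        if is_loopback(c.dst_ip) and c.dst_port == PROXY_PORT:
            verdicts[c.process] = "allow" if c.process in TRUSTED_APPS else "ask"
            pending.append(c.process)
        elif c.process == PROXY_PROCESS and not is_loopback(c.dst_ip):
            origin = pending.pop(0) if pending else "unknown"
            attribution[c.seq] = origin
            # judge the proxy's outbound by who asked for it, not by ekrn.exe
            verdicts[origin] = "allow" if origin in TRUSTED_APPS else "ask"
        else:
            verdicts[c.process] = "allow" if c.process in TRUSTED_APPS else "ask"
    return verdicts, attribution


# Constructed sample: Firefox browses, then an unknown program (the thread's
# LeakTest scenario) also hands its HTTP request to the local proxy.
SAMPLE = [
    Conn(1, "firefox.exe", "127.0.0.1", PROXY_PORT),
    Conn(2, PROXY_PROCESS, "203.0.113.10", 80),   # TEST-NET address, constructed
    Conn(3, "leaktest.exe", "127.0.0.1", PROXY_PORT),
    Conn(4, PROXY_PROCESS, "203.0.113.20", 80),
]

if __name__ == "__main__":
    print("loopback ignored:", naive_verdicts(SAMPLE))
    print("loopback watched:", loopback_aware(SAMPLE))
```

    The first verdict table never mentions leaktest.exe at all, which is exactly why a per-application outbound rule for it can never fire; the second prompts on the loopback connection and ties the proxy's second outbound back to it.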
  20. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I'm still highly confused about this issue. Another (seemingly simpler) solution given is: "I agree with you Han. I've left the filtering part to my specialist firewall program ZoneAlarm Pro 7.0.462.000 - consequently disabling the 'web access protection' as well as 'HTTP checking' features in the NOD V3. This boils down to individual preference - I've done it as I'm a firm believer in 'standalone' utilities & functions. Besides, I didn't want different programs to run into conflicts and/or consume limited CPU resources over the same function. BTW, my browsing speeds have improved a lot and images now load with zero failure." Relative to overall security, especially what NOD is intended to do, does the quoted solution kind of neutralize NOD's effectiveness or is this also a safe compromise? Also, my Linksys wireless router, which I'm hard wired to, has these settings enabled:
    Filter Multicast
    Filter Internet NAT Redirection
    Filter IDENT(Port 113)
    Remote Management: Disabled
    Because of an issue with Comodo v3 and Sandboxie I'm just using the XP firewall for the moment so as not to have to continually uninstall Comodo v2.4 before running v3 again. So how safe am I right now (never have had any malware since I don't surf on the dark side)? Hopefully all of this will get resolved to everyone's satisfaction!
     
  21. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through


    Could you clarify this please? You said "put a cross next to the applications that you want to bypass the proxy", but surely this is wrong? Don't you mean "Set Protocol filtering to 'Applications marked as Internet browsers and email clients' and then select, by placing a tick next to, the applications that you want to go through the proxy"........?

    And why are you, and the NOD32 interface (see screenshot below), talking about putting crosses next to things? Look at the screenshot below, it tells the user two opposite things; 1) place a check (tick) next to an application in the list to have its traffic scanned, and then 2) below that it tells the user that they can exclude applications from filtering by placing a cross next to an application in the same list. o_O


    Last edited: Nov 28, 2007
  22. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Yeah, it is a bit confusing... Depending on how they are set, the Protocol Filtering tab and the Web Browser/Email Clients tabs do appear to have some overlap. An explanation would be helpful... :)
     
  23. ASpace

    ASpace Guest

    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    meaning ... >
    or if you don't want it to be checked, simply don't put a check. But since the protocol filtering also scans all HTTP and POP3 communications on any port, if the application is not checked, this doesn't mean it is not scanned. That is why by putting a cross you tell the local proxy not to route this traffic.

    However, if protocol filtering is set to "Applications marked as ..." then EAV/ESS won't scan any HTTP/POP3 communication, won't scan any HTTP/POP3 ports but the one marked as browser/client, so if there is a check, it is scanned. If there is no check, it is not scanned.
     
  24. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    This is how I understood it to work. This makes sense.


    This doesn't make sense to me (maybe I'm having a blonde moment!). There is no way of putting a 'cross' next to an application; it's either checked or unchecked.
     
  25. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Fear not my friend, I suspect many of us are having this blonde moment! Also, I still want NOD to intercept any malware that might come this way, however, my blonde moment leads me to view this whole proxy issue as making a firewall almost pointless if NOD tunnels everything through the firewall.
     