KIS 2012 firewall fails GRC

Discussion in 'other firewalls' started by constantine76, Dec 7, 2011.

Thread Status:
Not open for further replies.
  1. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    @fax,

    I must have misled you on the sentence I used. Sorry there. What I meant is "you were right" in stating that I should have given a comparison for clarity.

    re:
    I was actually in a meeting and I was sneaking out just to post. The reason why I was not thinking straight for work was in my mind. I should have phrased it via a comparison as you stated. So the reply (which was to point out you were correct) :) re:

    Now I am in the office and am working but not in a meeting. So here I am sneaking/posting. Manufacturing meetings take a toll on my mind that I forget to eat and just partake lots of coffee.

    Thanks also for the explanation there. My friend is often connected via dial-up actually (for email and stuff that does not need speed etc. --well that's what she says --I bet it's to control her kids). She often uses the router when she is downloading or, as she says, "when she needs speed etc etc..". Personally I do not mind and have explained that the closed/stealth combo is fine. But not open.

    Her router is shared with her brother who lives across the street, and he shares it with 2 others. The danger is there. So she is concerned about her security. That's only for the moment until she gets her own hard line. She has gotten used to using Online Armor and Comodo, so "this" phenomenon can't go by for her.

    Along that line, are there any ideas tips that you may share about that "router sharing scenario"...?

    About updates, I still have to check her system. I know that she is selective on it (mostly critical updates only, as she said) after some not very nice experience with some updates that left her system in a sham (that was also where I introduced Macrium to her --now she can't live without it).

    She had a couple of times been infected due to the kids; that is why she is asking (often) for help and trying to learn more. I told her to get a Sandboxie lifetime license but opted first to use Safe Mode of KIS 2012. She really wants just one suite.

    On a lighter side, she is closely monitoring this post and in fact has been discussing it earlier around coffee break with those who also got Kaspersky. Some are comparing results now. I see that this perked up things about their new software acquisition. This is now an official office topic!!! (I bet some will join the forum now!). Even the IT tech guys are reading this. We use Norton 2012 in the office actually. Thanks there :)


    @King Grub,

    Thank you for the confirmation. Yes, as BoerenkoolMetWorst stated, they really do not stealth all ports. The workaround I will try by the weekend. :)

    @bigc73542 / gerardwill,

    Thanks for the reply and comparison to Windows firewall. :)

    @Escalader,

    Thanks for the comment and comparison. I have Outpost Pro 7.5 in one of my PCs. When will the new Outpost Pro firewall version come out? :)

    ---

    I'll discuss this with my friend this weekend and be back here about the details/results. If she will let me, I'll try out Comodo and Outpost on an image I did and post the GRC results here also. Though she and 2 more were discussing possibilities of a refund with the agent, I think she'll stay with KIS 2012. (The software agent/distributor here will really have a "merry" Christmas...damn, a lot bought software just this week!)

    ---

    Thank you for the learning ideas here. This was the reason I joined here, which is "to learn more". A lot started out like that, with problems and asking for solutions/guidance from a more experienced group of fellows. And true to what others have stated (even in other forums), Wilders' learning is a step above the rest. Vast ideas here. My office co-workers and my staff personally have been interested now in security applications and combinations because of Wilders (well, through me and my boss really). They feel safer now, especially at home with their kids who used to wreck their laptops/PC systems. From Norton Ghost, they are using a bunch of other freeware stuff now (Macrium, Paragon --favorites). Though they are not members, they read/print and study on their own. For some they ask my boss to post, or sometimes me if I feel like it. Or we talk about it and try a solution based on what we/they learn here and from other sources.

    They are reading this so I am pleased to say that a lot has been learned from Wilders.


    Thanks guys :)
     
    Last edited: Dec 8, 2011
  2. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    To stealth or not to stealth, and I say to stealth. Kaspersky does seem to think that I will not be hurt if my system is not stealthed; then I say why not... Come on Kaspersky, please let your firewall do so by default.


    Thanks.
     
  3. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Yes I read that via the link that Barthez gave previously.

    Which do you prefer...? (in your opinion). I personally prefer Stealth. Closed/stealth is good enough. False sense of security? I think not. Being stealthed is only a part of security among a gazillion other aspects. But it does not hurt to be stealthed, yes? There are far more/various details to take into consideration. Good PC habits + good AV + firewall + good hardware is tops for me.

    - Yes, exactly as my friend asked. Why not?
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    FWIW:

    "My one gripe with this firewall is its handling of the simplest firewall task – stealthing all ports. Windows Firewall manages to do this, as do almost all others. Kaspersky leaves some ports merely closed, not stealthed, and therefore fails tests like those from Gibson Research and PC Flank. My Kaspersky contacts explained that their firewall team turned their focus from stealthing all ports to preventing actual attacks. "

    http://www.pcmag.com/article2/0,2817,2378962,00.asp
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "'Keeping ports closed is enough to stop brute-force attacks, and putting all ports in stealth mode can cause problems for ordinary users,' according to Kaspersky engineer John Hogan."

    http://www.toptenantivirus.net/kaspersky-antivirus/


    "Stealth-mode firewalls are considered harmful

    In stealth mode, the firewall causes the PC just to ignore incoming connection attempts, rather than rejecting them, as would be normal for incoming connection attempts to closed ports. The result is that the PC appears to be switched off and absent from the network.

    This approach to security causes some difficulties. Internet standard RFC 1122 states categorically about ICMP Echoes (ping):

    3.2.2.6 Echo Request/Reply: RFC-79

    "Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies."


    Note the MUST rather than SHOULD. This means that any internet user, or ISP server, has a right to expect that all live PCs connected to the internet will respond to ICMP ping requests with an ICMP reply. If a firewall user chooses to stealth ICMP requests so that no response is sent, they have only themselves to blame if they start experiencing problems, because they are in breach of RFC 1122.


    The problems that might arise if you kill ICMP responses with stealth are:

    Difficulties with DHCP lease acquisition or renewal in cases where the DHCP server checks on the availability of IP addresses, or your presence on the network, with ICMP ping requests [this doesn't actually happen on the original NTL network, but ICMP requests have been seen coming from the DHCP servers of digital TV set-top boxes. No problems seen with blueyonder];

    Slowness of web connection setup in cases where the remote web server uses ICMP to determine the MTU of the response path;

    Frustration at ISP help-desks (and with informal helpers) if your PC does not respond to pings and traceroutes, as it is difficult to distinguish this situation from a broken connection.


    So you are strongly advised not to apply stealth techniques to the ICMP protocol."

    http://www.avinashtech.net/tutorials-tips-tricks/2771.htm
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I've always preferred to see my comps with Full Stealth, & have achieved this since as far back as the 98SE glory days ;)

    I've seen countless articles/posts etc both for & against, but I stick with Steve Gibson's reasons for, on GRC :thumb:

    Each to their own !
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Although I have said many times that "stealth" does not actually hide you, there is another point of view to look at.
    If we look at this for a packet filter firewall, should that firewall simply allow all unsolicited inbound? Or should it block unsolicited inbound before it gets to the system?
    When, for example, you run a scan from GRC (as that is the topic), and the scan results show a "Closed" port, that means the system being scanned has allowed the inbound but there is no application to accept the packet (connection) and therefore the system sends back a RST/ACK. When the result shows "Stealth" (for a port or ports), then it means that the packet has been intercepted by the firewall and blocked from entering the system (although I have seen (in the past) a firewall that allowed all unsolicited inbound and then blocked the replies).
    So a question can be, which would be considered more protective? A firewall that allows all unsolicited inbound to the system/stack and lets the system deal with the packet(s)? Or a firewall that stops unsolicited inbound to the system/stack? Personally I believe the latter.

    - Stem
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I was with Blueyonder for about 3 years; it then became Virgin Media about 3/4 years ago, which I still use. I have never seen the DHCP server send ICMP to its user nodes. Presence on the network was checked via ARP. ICMP going to the digital TV set-top boxes? Not sure what that has to do with a firewall blocking ICMP; the TV set-top boxes are on an embedded internal private LAN (10.*.*.*) and a user cannot firewall the TV set-top box.

    Never seen that.

    As Blueyonder/NTL was previously mentioned: they did not send ICMP to a user's node (PC), they made checks against the modem (which had its own private external IP).

    - Stem
     
  9. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Sorry, did not mean to offend. I have licenses for several products and don't consider myself a die-hard fan of any of them. None of them are that incredible. But I do feel there is no difference, in my opinion, between a closed port and a stealthed one. You ain't getting in either one. Still, if you find that unacceptable, I hope you are able to find a product that makes you and your friend happy. It is something that is not a priority for me and it had not occurred to me that you would be offended by my post.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Stem

    Thanks for posting :thumb:
     
  11. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    @CloneRanger,

    Thank you for your opinion share.

    @Stem,

    Very nice point there on the TV-set top box and the "unsolicited inbound firewall block". Truly you are a firewall expert.

    @xxJackxx,

    Just got plain shocked because I was expecting some/more explanation from you (as I saw your explanations about KIS 2012 topics here and some others across the web). I was thinking of my friend and staff along with the officemates who, as mentioned, are closely watching this post. They like Wilders and I was afraid they'd lose confidence or something...

    No worries really :) Let's move forward. Smile :)

    And she decided to stay with KIS 2012. On a different side, an officemate has problems with KIS crashing on him lately but it's up to him.

    Cheers!

    ---

    I'll be trying it out again by tomorrow or the next day with her and will report back here results.

    Thanks guys for the learning experience here.
     
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Any details to go with that? Does it crash when starting a particular program? Is it random?
     
  13. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Hi xxJackxx,

    Well I don't know the facts/details yet. He is currently talking to the boss (who's using Norton 2012 --quite nice actually). I'll ask him more and probably post, or encourage him to post, or the boss will in lieu of another friend (affected by the crash).

    Cheers :)
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    With no offense intended, would it not be better if your office was standardized on a product?

    I can't remember an employer I had having / allowing

    "a tower of Babylon on software products", pardon my analogy, but it is hard to help fellow employees if everybody is on a different product and can make their own choices for what to use.
     
  15. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191

    @Escalader,

    The long post must have misled you. Sorry.

    Our office uses Norton 2012 (I think it's the Enterprise - Symantec; the Quality Control has Norton 360). It's one security for all and all branches. It's a 3 year subscription upgrade, they say. It's been with Symantec for almost 7 years now.

    The security apps that I mentioned were for "individual use". That's why I was stating that the agent will have a "Merry Christmas", because a lot have bought software from her "for home/individual use". Not for the office.

    The talk about the applications may have misled you into thinking that the KIS (or the ones who got Eset/Avast/Sandboxie..etc) was for a friend's office PC. No (sorry for that). All was for personal use at home. It was only that the agent who was working with the tech guys was also selling software. She (the agent) was not the one who bagged the deal with Symantec; it was someone else. She in turn got the deal for Microsoft upgrades.

    Office rules are strict. I think too much strictness....The office will not allow anything to be installed on a single PC without authorization from the superiors and advice/concurrence from the IT tech people here. Even USB flash drives are prohibited and only "key personnel" are allowed usage BUT are still checked when you go home...even the memory sticks of mobile phones are checked here..(mobile phone possession inside the office is again for key personnel with certain levels. So if you're not into level 3 --you leave your mobile in the locker) and a whole lot more...internet is also only for key personnel with access. For those who have access, sites are still strictly monitored (facebook/social networking..etc are blocked). For non-key personnel with PC rights, you can't even see the Control Panel and change settings as you wish..even the screen saver.

    The products that were mentioned and the KIS 2012 was for home use only.

    Cheers :)

    On a lighter note, when will the new Outpost Pro be out..? Any date yet..? I use one at home OP Pro v7.5.1(old desktop).

    :)
     
    Last edited: Dec 10, 2011
  16. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I'm surprised that all the talk in here is centered around the age old stealth vs. closed debate. I thought the problem here was that ports 1025-1030 are hanging wide open? That should be the cause for concern. Am I missing something?... I admit I didn't read every part of every post, so perhaps this issue was addressed and fixed. If so, disregard the rest of this post.

    And I'm sure that regardless of Kaspersky's stance on stealth vs. closed ports, they don't intend to leave ports hanging wide open. There has to be a flaw either in your Kaspersky configuration, or some sort of conflict with another real-time security app. I saw you say she's tried out several different products lately. How well did she clean things up from the old installs before installing the new ones (clean out old registry keys, defragment)?
     
  17. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    @luciddream,

    Now I have just finished setting up her pc with KIS 2012 again from an image I did which had no AV/firewall installed. That image I created after I uninstalled all her security apps, defragmented via Puran Defrag and cleaned via CCleaner. All uninstallation/removal were done with the respective uninstall/removal tools for the security apps. Clean/defragmented/rebooted 2x and then as final -Boot-time - Restart-Defrag-Restart-Full Checkdisk by Puran.

    I managed to close down the open ports. Found out that she has NetBIOS enabled, so I disabled it. I am using it now actually, but now with the wireless DSL connection. I'll post the screenshots when I am finished. Preliminary GRC test shows a closed/stealth combination. No open ports. Still working at it, and I have to watch the time as I have work later. Have not done PCFlank yet. When I am through, maybe tomorrow or the next day, I'll post about the developments.

    She did not oblige to the re-installation of OA and Comodo, so I can't show the latest comparison, and that is tiresome to do.

    Thank you for the ideas and comments :)

    PS,

    Can't seem to find a way to terminate a connection here (KIS 2012). Apps are calling home as launched and upgraded, so I had to use Process Hacker to terminate it. Setting "Block" in/out to any network activity did not do it. Still tinkering here. Maybe that's a second topic I'll open up for her...


    Cheers :)
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi constantine76,

    I had a quick look at the installation/default settings. I now have more questions myself, so will be taking a longer look (at KIS settings/rules) to find some answers. At the moment I do have some concerns.

    - Stem
     
  19. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Hi,

    I am in the office so I can't stay long to post. I am doing this from memory but I have some images.

    In the image below the ports open are 1025-1030. One of which is used by a KIS process (avp.exe). I placed a block rule for the process involved on the specific ports, in the Application Rules/ Network rules/Add.

    eg.

    lsass.exe
    Action: Block
    Protocol: TCP
    Direction: Inbound/Outbound
    Local ports: 1028

    Well, it did not close except that of port 1029, which was being used by KIS avp.exe.

    Found a thread with an image in the Kaspersky forums about stealthing ports. See below. I went to the KIS firewall packet rules and placed a block for Incoming/Outgoing TCP/UDP streams. BUT still got a "fail" because there was a PING request FAIL at GRC.

    I checked the packet rules again and added a block for ICMP Reply(in). I have obtained TruStealth with GRC and with PCFlank.

    Come to think of it when I read the first part of the post I saw BoerenkoolMetWorst already posted it in the bottom of his quote. :)

    But this is only on dial-up, as there was no time and I had to come to work.

    A couple more issues I had were (as mentioned) in the previous post:

    1. I cannot find anything in the firewall settings that says "terminate connection". You can find "terminate process" in Applications Activity > Right-click on the application and "Terminate Process". But for a connection there is none. Do you guys know where it is...?

    2. I cannot manage to place a block for applications that call home. I know some games do that. I upgraded some apps and after it finished it launched Firefox. Now I remember I can set that one in Comodo D+ and specifically set Firefox to not be launched by an application. One thing I have observed is that in the Comodo Firewall, even if you set the app as a "blocked application", it will still launch the browser. It has to be in D+.

    In Online Armor it also cannot block that behavior in the firewall settings. It has to be in Programs > Right-click / Advanced / Start application > choose Block all or allow except --add Firefox/IE/Chrome.

    In Outpost I seem to remember you have to place it in the Application Rules/Anti-Leak. Merely blocking the URL and IP doesn't work. I saw a thread in the Outpost forum about it and it seems to be a bug. Have not checked it though.

    So how can I place a block rule for an application to "not start" a specific application like a browser...?

    I see there is an Application Rules/Rights function there that can be used. Placing a block in Process control/Starting other process, but it will "block all". Now it can't be used for some applications that need another one, say, a PDF to Word conversion program. You cannot use that rule as it needs MS Word. But if the PDF-Word conversion program calls home often using the browser, how can you block that action in the KIS firewall...?

    That is needed because I see that some of her kids games launch the browser as soon as they hit "exit".

    Anyone?

    3. Along with that, how can I block a URL /IP address in KIS?

    Okay this is all I remember for now. I am in the office as mentioned. Thanks :)

    @Stem,

    Please do have a look at it, as I am no firewall expert and the KIS firewall seems confusing to me, unlike Comodo, OA, Privatefirewall and Outpost. Hope xxJackxx can take a stab at it also. I have more questions but I can't remember them all; I took notes at home.

    Thanks!
     

    Attached Files:

    Last edited: Dec 12, 2011
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi constantine76,


    I have had a bit of time to have another look.

    In the application rules. One way to get to those: "Settings -> Application controls -> Applications". Find the application in the list, then double left-click (on the application) or right-click (on the application) and select "Application rules". In the pop-up window, select the "Rights" tab; there is a list of "Rights", which include "Starting other process" (I have not checked to see if it functions correctly).

    For a global (all applications) block, I do not see a way to block a URL (by name), but you can block an IP (or list of IPs) in the firewall -> packet filter rules. Just add a new rule to block, select the protocol/direction, then in the "Address" select "Addresses from the list". You can then add an IP (or list of IPs) to block.
    If you want to just block a single application from an IP, then go into the application rules -> network rules, and set a rule to block the IP.
    (NOTE: make sure you move the new blocking rule to the top of the list for high priority)

    I did notice on my setup (Win7 64) that KIS does not by default block inbound connections to local port range 49152-49156 (ports opened by the system, although local port 49155 is opened by KIS (AVP.exe)), so I changed the default configuration so as to make the firewall alert to any application attempting outbound/inbound. I found the outbound notification appears to work as expected, but the inbound does not. When an inbound is made to (for this example) any port in range 49152-49156 I am given a popup from the firewall; however, the connection has already been allowed and data transfer is also allowed. On selecting "Block" in the popup, it did terminate the connection, but I would say that is a little late.
    (edit: Note: For the inbound connections to the system on those ports, they do show in the KIS network monitor. AVP.exe also allows inbound connections to itself on local port 49155, but that is not shown in the KIS network monitor. I also noted that even though I am allowed to change the network rules for AVP.exe to "Alert" for outbound/inbound, there is no alert for that process.)

    - Stem
     
    Last edited: Dec 11, 2011
  21. wat0114

    wat0114 Guest

    With KIS2012, all defaults, including firewall, untouched, installed in a Win7x64 vmware guest, I've scanned using nmap v5.51 from the host, and three scans in a row result in several open ports. I stopped short on the UDP scan because it takes so long, but there is at least one open port with that protocol as well.
     

    Attached Files:

  22. wat0114

    wat0114 Guest

    "Intense scan" (TCP only) with results saved to .xml file...

    it indicates 954 unshown ports are "closed" and 35 unshown ports are "filtered" (stealthed, I believe).
     

    Attached Files:
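    Two points in this thread fit one worked example: Stem's explanation (post 7) of what a "Closed" result (the stack answered with RST/ACK) versus a "Stealth" result (the firewall dropped the packet) means, and the nmap report saved to .xml above. The script below is an added example, not code from the thread, nmap, GRC or Kaspersky; it parses a constructed nmap -oX file (host 192.0.2.10 and every result made up, with port numbers and the 954/35 counts borrowed from the thread), maps nmap's open/closed/filtered states and `reason` attributes onto the thread's open/closed/stealth wording, and applies the pass/fail logic the posters describe, including the ping-reply fail from post 19.

```python
"""Summarise an nmap -oX report in the open/closed/stealth terms used in this thread.

Added example, not code from the thread or from nmap/GRC/Kaspersky. nmap lists
each interesting port as a <port> element and folds the rest into <extraports>.
The `reason` attribute is the distinction Stem draws: "reset" means the SYN reached
the TCP stack and got RST/ACK (closed), "no-response" means a firewall dropped it
(stealth, nmap's "filtered"), "syn-ack" means something is listening (open).
"""
import xml.etree.ElementTree as ET
from collections import Counter

# nmap port state -> wording used by GRC ShieldsUP!/PC Flank and in this thread
GRC_TERMS = {"open": "open", "closed": "closed", "filtered": "stealth"}

# Constructed sample shaped like a real nmap "Intense scan" -oX file. Port numbers
# echo the thread (1110/49155 as KIS AVP.exe, 1028 from post 19, 954 closed and
# 35 filtered from post 22); the host, address and results are made up here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="954">
        <extrareasons reason="resets" count="954"/>
      </extraports>
      <extraports state="filtered" count="35">
        <extrareasons reason="no-responses" count="35"/>
      </extraports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1028"><state state="closed" reason="reset" reason_ttl="128"/></port>
      <port protocol="tcp" portid="1110"><state state="open" reason="syn-ack" reason_ttl="128"/></port>
      <port protocol="tcp" portid="49155"><state state="open" reason="syn-ack" reason_ttl="128"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_ports(xml_text):
    """Return [(protocol, port, nmap_state, reason)] for every <port> element."""
    rows = []
    for p in ET.fromstring(xml_text).iter("port"):
        st = p.find("state")
        rows.append((p.get("protocol"), int(p.get("portid")),
                     st.get("state"), st.get("reason")))
    return rows


def extraport_counts(xml_text):
    """Return {nmap_state: count} for the ports nmap folded into <extraports>."""
    return {e.get("state"): int(e.get("count"))
            for e in ET.fromstring(xml_text).iter("extraports")}


def summarise(xml_text):
    """Count every probed port under the GRC-style term (open/closed/stealth)."""
    counts = Counter()
    for _, _, state, _ in parse_ports(xml_text):
        counts[GRC_TERMS.get(state, state)] += 1
    for state, n in extraport_counts(xml_text).items():
        counts[GRC_TERMS.get(state, state)] += n
    return dict(counts)


def open_ports(xml_text):
    """Sorted list of ports that answered the probe; any of these fails GRC."""
    return sorted(port for _, port, state, _ in parse_ports(xml_text) if state == "open")


def verdict(xml_text, icmp_echo_replied):
    """Pass/fail as the thread describes it: an open port fails; with none, a host
    that still answers ICMP echo fails (post 19); a closed/stealth mix passes but
    is not full stealth; all-stealth plus no ping reply is GRC's "TruStealth"."""
    counts = summarise(xml_text)
    if counts.get("open"):
        return "FAIL: open ports " + ", ".join(map(str, open_ports(xml_text)))
    if icmp_echo_replied:
        return "FAIL: host replies to ping"
    if counts.get("closed"):
        return "PASS: closed/stealth mix (not full stealth)"
    return "PASS: full stealth"


if __name__ == "__main__":
    print(summarise(SAMPLE_XML))
    print(verdict(SAMPLE_XML, icmp_echo_replied=False))
```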

  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi wat0114,

    Ports 1110 and 49155 are opened/used by KIS (AVP.exe); the other higher ports are used by system/LSASS/WININIT, none of which are blocked by default.
    The NetBIOS ports you show open are set as blocked, but maybe it is your NIC setting in KIS that is making them open. Can you check your NIC setting in KIS -> settings -> Firewall. On the right there will be a list of networks; what is your NIC (network) set to? (Trusted/Local or Public).

    You will also find, if you check, that there is no boot protection. So for approx. 7 seconds all (running services) service ports are open and connectible, and with all the broadcasts from NetBIOS during that time, that can be a bit of a problem.

    -Stem
     
  24. wat0114

    wat0114 Guest

    Hi Stem,

    it is set as Local.

    Thanks for the info! I had the vm guest already booted to the desktop several minutes before I did the scans.
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi wat0114

    Set as "Local" overrides the NetBIOS blocks/filtering. The LAN needs to be set to "Public".

    - Stem
     