Nod32 v3: Software firewall made useless b/c all connections are running through v3?

Discussion in 'ESET NOD32 Antivirus' started by veri, Nov 22, 2007.

Thread Status:
Not open for further replies.
  1. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    IMHO the best route will be to approach this from a feature standpoint. Possibly a method where firewalls can obtain original requestor information for whatever is riding through proxy. I would assume that the ESS firewall has access to this information.

    I am open to using the ESS firewall at some point, but not while it is unproven. The integrated Kaspersky firewall does well in leak tests and hopefully the ESS firewall will too.
     
  2. tknterry

    tknterry Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    8
    I will be sticking with NOD32 version 2.7 also. My subscription lasts for another 18 months so I will decide then whether I will stick with Eset or not. I don't know why Eset decided to complicate matters with this new version 3. My guess is marketing... trying to make it look slicker and prettier rather than more functional in an attempt to sell more. I also have a subscription to Online Armor 2 for 2 years so I'm not interested in Eset's ESS firewall.
     
  3. Chappy

    Chappy Registered Member

    Joined:
    May 1, 2007
    Posts:
    69
    Hi Folks

    I read the first 6 pages of this thread and plan on reading the rest later, but I have to interject with a question I have.
    Are we certain that ekrn.exe is actually circumventing the software firewall's control over TCP and POP connections, or is it simply "listening in" on the data stream and scanning for malicious behavior? From what I've read so far, (I think) that it's hard to prove that ESET's injection of the ekrn process isn't just a secondary stream capture and scan, or if it's actually used as a proxy to take over the connection responsibilities.
    Correct me if I'm mistaken because at times I was distracted while reading and summarily skimmed through some replies, but I can't shake the thought that this may be off base here as to exactly what the ekrn.exe process is actually doing... is it taking over firewall duties or is it simply piggy-backing the data and scanning it? It is somewhat suspicious (bad word maybe... let's say, undetermined) as it sits right now though, isn't it...

    BTW, I put absolutely NO STOCK into GRC's LeakTest utility, it's the weakest and most easily fooled firewall test utility out there. In other words it's garbage code and shouldn't be used in serious firewall testing. If you want some stout testing utilities, go to Matousec's Test Utility Links page and pick up some other powerful test utilities.

    I've been Beta testing Comodo V3 for a while and see ratchet's and Moirai's posts about this over there too. But I still wonder if this is being seen in the wrong context, and I really wish someone from ESET would post some clarification about the ekrn process and its actual duties... and/or how it goes about doing them?

    Thx for listening.
    Dave

    P.S. - In fact, I think I'll try contacting an ESET engineer I met while Beta testing ESS and see what he has to say about this....I hope the contact info is the same still.
     
    Last edited: Dec 26, 2007
  4. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    No, it's not a split stream. NOD32 is a true local proxy. (Just run something like Sysinternals TCPView and watch what happens in real time.) Depending on how it is set, any traffic routed through NOD32 fully passes through. No bypasses. Which brings us to the issue raised by this thread...
     
  5. Chappy

    Chappy Registered Member

    Joined:
    May 1, 2007
    Posts:
    69
    Hi HAN

    I would most certainly like to try and verify this. If it truly is acting as a Proxy then this would be somewhat troublesome, especially for users who expect perfection with default settings. I have just upgraded to V3 a few days ago, from 2.7.39, and found this discussion here.
    I'm also a CFP V3 user and Beta tester and found the mirror thread question about this posted at Comodo forums, so I'll be following this closely and testing whatever I can. Of course I'll post whatever I can find in both forums and I certainly intend to put this question to an ESET engineer if I can get ahold of one. I'm surprised that this topic hasn't reached them yet and a reply or clarification posted by any ESET folk...that has me questioning things even more.

    I have a number of SysInternal tools and other sniffers, I'm gonna start some up real soon here and see what the heck is going on for myself...;)

    Dave
     
  6. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    There is no doubt ekrn is acting as a true local proxy.
     
  7. stanr

    stanr Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    66
    Hi Dave

    I'm rather new to both NOD and CFP but have been following this issue since installing both about a week ago. I have been successful in having NOD and CFP work together, I think. I for one would be most anxious to hear about your findings.

    I've made a few comments over at the Comodo forums under the post titled: "Can any of you knowledgeable folks please help us with nod32" under stanr.

    While I'm not that "knowledgeable" if I can help in your research in any way let me know.

    Stan
     
  8. daveiw

    daveiw Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    74
    Location:
    UK
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I am no expert, but I ran most of the leaktests from the provided link above and whatever NOD 3 didn't kill first, my Outpost firewall popped up a message for any remaining to ask for web access, obviously I didn't allow it. Therefore all seems well if I understand this correctly as my AV and firewall kicked in and did what I would hope for...

    Furthermore, correct me if I'm wrong, but if I have protocol filtering set to 'applications marked as internet browsers or email clients' selected and only have those programs selected in 'web browsers' and 'email clients' then surely it's fine as they are the only programs using this feature, which is good right?

    It seems to me that people are running around with their virtual hands in the air shouting the sky is falling and that nod 3 won't work with firewalls or circumvents them. In my experience of leaktests including the pathetic grc test I passed them all with flying colours.

    Therefore this whole thread is a non issue? Just a question, please don't shoot me.;)

    EDIT: I have anti-leak and active content prompts enabled in Outpost 4
     
    Last edited: Dec 27, 2007
  9. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    ESS was never designed to pass leaktests. If you have Comodo FW and NOD32 3, Comodo should stop most of the leaktests especially with D+ (a full blown classical behavioral blocker) on.

    It surprises me how long this thread has gone on for even though there's a way to turn the feature off.
     
  10. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Chappy, believe it or not, the only mention of this from an eset staff member is post #16, this after weeks of discussion. Also, and trust me, I'm only remotely understanding all of this, but every solution seems to include lowering or compromising (for a better word) NOD's protection settings. We all will be quite interested in what you discover. Have a great 2008!
     
  11. stanr

    stanr Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    66
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Daveiw

    My findings exactly using Comodo. I'm glad you have confirmed that NOD will work with Outpost. It's my feeling that it works with Comodo as well as my test results are the same as yours.

    Perhaps on some machines it will not work. Maybe we are just lucky. In any event I'm a happy camper using the best AV out there.

    Stan
     
  12. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    daveiw or anyone else, if NOD is set up like this as opposed to "Ports and Apps....." enabled and you only have Ff, IE and Outl Exss checked as Browsers and email Clients, does NOD stop protecting from other sources of malware e.g. auto updates for other applications?
     
  13. daveiw

    daveiw Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    74
    Location:
    UK
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Well, as I understand it using my setup for any non browser/email program, the scanner will not kick in and scan the download until it has been created on local disk, at which point the real time scanner should pick it up anyway. For anything else, my firewall should kick in and earn its corn.

    However, you can of course add programs other than ff/ie and email clients should you wish to the list of programs using ekrn and so have their web traffic scanned before they are saved locally. For example, I use WoWaceupdater for my WoW addons and have its http access scanned too.

    I believe only certain ports are scanned via Nod anyway (eg http, pop ports etc) so an application using an alternative port 'could' download a rogue anyway in theory.

    Also, I am not aware of anyone getting a virus etc via a game/application update directly (ie. via their own internal updater), not to say it hasn't happened or won't of course.

    This may not be entirely accurate, perhaps someone more knowledgeable can correct me?
     
    Last edited: Dec 27, 2007
  14. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    1/ You can tell NOD to scan ports (you can even tell it what ports to scan)
    2/ You can tell NOD to scan applications (whichever you tick, browser or/and email clients)
    3/ You can tell NOD to scan both ports and apps.

    Whatever you want... question: what do you want? (the answer will be up to you the individual)

    4/ You can also tell NOD "NOT" to scan any browsers or email clients and/or ports and rely on the last line of defence, the on access scanner that catches the file as it is written to disc (thinking of a layered approach to AV protection may be a bit of a moot point here because you may end up arguing about if there is actually 2 layers, 1 download scanner, and the 2nd the on access - when they both effectively use the same engine anyway... but that's probably another topic altogether)

    Anyway... the point of this thread, certainly as far as I read and understand the technology is this:

    a/ NOD download scanner is an inline proxy
    b/ "ANY" application "that you want to scan as it is downloading from the Internet" has to go through ekrn.exe - if you do this, the result is that your firewall sees your applications connecting to your localhost, and only ekrn.exe actually connecting to the Internet.

    >>>> this results in loss of granularity/control because whatever one application (that you want to scan while downloading) needs connectivity/port wise to the Internet, you have to allow the ekrn.exe proxy [remember, it is ekrn that actually connects; not the app] >>>> this means that ALL apps that are going through the ekrn proxy get all of this connectivity/ports e.g. give IE port 443 and mediaplayer gets it too, and FF, and your ftp client and any application's updater program etc etc >>>> you lose any ability to control apps on a per port or per destination IP address basis <<<<

    Unless you decide NOT to AV scan browser and email client downloads and just rely on the on-access scanner.

    Games and IM have been malware targets for a while, they recently hit jpg and pdf files but some of the latest stuff is targeting streaming media. If you are half interested in keeping the bad stuff out you probably want to scan as much as you can and NOT just your browser and email client.

    merry crimbo
    Gordon

    [one of these days I'll draw up a picture cos words just don't seem to be helping people]
     
  15. daveiw

    daveiw Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    74
    Location:
    UK
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Thank you Gordon, Merry Christmas to you too. :)

    So, the firewall has no say in this? :(

    I'm intrigued though, how would I set Nod 3 to scan port 1512 and not ports 1511 and 1513 for example please?

    You may need to draw that picture. :p
     
    Last edited: Dec 27, 2007
  16. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Hi daveiw

    To scan some ports but not others then you would have to configure the ports in either

    (in the advanced setup view)
    a/ Antivirus and antispyware | Web access protection | HTTP = <list of ports you want to scan>
    or
    b/ Antivirus and antispyware | Web access protection | Email protection | POP3 = <list of ports you want to scan>

    You would then have to ensure that Personal Firewall | Protocol filtering = HTTP and POP3 ports
    (or Ports and applications marked as Internet browsers or email clients, but do not tick the application in Antivirus and antispyware | Web access protection | HTTP | Web browsers that you are trying to scan some, but not all ports of)

    i.e. Personal Firewall | Protocol filtering
    HTTP and POP3 ports => scan http or pop3 protocols on the ports you have configured
    Applications marked as Internet browsers or email clients => scan all ports from the ticked applications (but only http or pop3 protocols - does this mean that IM and FTP are not scanned?)

    Note: Straight out of the box, HTTP is only set to 80, 8080, and 3128 - this might be a bit basic if you are only going to scan ports and not applications, at least add 81 but even then, the malware downloaders do not necessarily stick to the standard ports (ideally your firewall should have every unused outbound port closed which should protect you from this - personally, my firewall only allows browsing on ports 80, 81, and 8080 [and I scan all of these])

    Note: The help says "It should be noted that encrypted traffic cannot be scanned for infiltrations and attacks" - this is presumably because of where they are patching in the Protocol filtering Proxy (er.. they call it a proxy in the Help too). If there was true integration with IE, for example, then it would be able to scan https as well because it would be looking at the end of the SSL tunnel, rather than SSL pass-through in a proxy. Further, given that the only protocols listed are http and pop3 - does that mean that it cannot scan IM?
    [Lots of questions and loopholes - this is why people always talk about a layered approach to security]

    cheers
    Gordon

    sorry for the pile of waffle... I'll go back to sleep in the corner now.
     
  17. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    The above explanation of the Proxy function finally seems a bit clearer. The adjustment to include ports seems to adequately explain how to set up this AV. Now, imagine the field day some tester is going to have when he discovers the complexity of safely using the ekrn proxy. I do not know how easy to use other AVs are but one of the knocks on Eset 2.7 was it was too complex to set up for the average user. Add on the above mentioned adjustment & imagine Grandma trying to set this up or for that matter your 16 year old grandson. What will result do you think? If this application does not work perfectly out of the box with almost any firewall made, ESET will have a problem selling this application. I suspect the ekrn proxy was made with professionals in mind & not home owners. ESS seems to be a better solution. I really don't care if it leaks but it did not require great care in setting up, although it could be complex if someone wanted to adjust a lot of functions & rules. To me it does not seem likely that any changes to EAV will be made by ESET. I suspect that for the average person you either accept what is given or move on. In fact many users will never even know about the firewall setup issue.
     
  18. daveiw

    daveiw Registered Member

    Joined:
    Nov 19, 2006
    Posts:
    74
    Location:
    UK
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    The thing is, it does work well right out of the box (known bugs aside) and the firewall/nod 3 combination would still cover you. It is for people like us that like to try things and be at their most secure that will 'tinker' with it and change these things to suit.

    As I've stated a few times in different threads, my setup passes the majority of the leaktests automatically, the others require intervention by me - selecting 'block' in an Outpost popup window to stop them.

    The rest is safe surfing and common sense. These two things cannot be replaced by any av or security program.

    Safe surfing and all the best for the New Year.

    EDIT: Update, just tried the Comodo CPIL leak test too, and each test Outpost provided a popup, which I chose to block (temporarily for test purposes) and the system passed with flying colours, so it's not all gloom and doom.
    ;)
     
    Last edited: Dec 28, 2007
  19. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    This may be our answer! I can only go on faith since I'm reasonably clueless about all of this.
     
  20. Neilg

    Neilg Registered Member

    Joined:
    Dec 28, 2007
    Posts:
    1
    The last posts are abnormal and the discussion has gone too far. I have logged in and registered especially to give you my poor opinion as a poor nod32 user. nod32 v 2.7 is a great AV application, maybe the best. But I will tell you why that is. Because any newbie like me who likes to play with fire on the net, having nothing to lose from his computer (just the work to reinstall all perhaps) could use it safely. It was a great program not for finding the viruses you already got in your PC (I found that nod32 also doesn't know about vundo threads) but to block threats you may experience clicking while surfing. I mean the danger is on that page where you are going to. If the v3 protocol is changing like that you can forget about a great successful application. People are simple, they don't even know what a port means. And you are speaking about it as no big deal - you just have to configure x port for x traffic. Hellooo?! Anybody?! People like me are not using a firewall. Me, at least I google it sometimes what the different processes running mean, but the normal user will not make any difference between a real threat or a necessary process using firewalls. I met somebody (using firewall applications) who for every question about whether he has to allow internet traffic had answered YES. Definitely I would conclude that THAT change in v3 is a HUGE minus. Until now I cannot see something to balance that. Thanks and... Happy New Year to all of you.
     
  21. share98

    share98 Registered Member

    Joined:
    Dec 5, 2004
    Posts:
    36
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    OK -- I am no expert -- I ran TCPView with NOD32 v 3 and NOD32 v 2.7 and couldn't really tell the difference other than ekrn.exe wasn't present. I probably don't know what I am looking for which would account for why I couldn't see any difference. In version 3 I checked the second option under Protocol Filtering - Applications marked as Internet browsers and email clients and under Web Browsers did not have FireFox listed. Just like under post #17 in this thread. Referring to post #11 in this thread I infer that if I do not want FF to go through EKRN (the local proxy) this would be how I would set it up. EKRN is set up in my firewall (Comodo v 3) so that all traffic is allowed in / out. My question is: How can I prove (to myself at least) that all traffic is routed through ekrn regardless of how you configure NOD32 and your firewall?
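    The mechanism Gordon describes in post #14 (apps connect to localhost, only ekrn.exe connects out, so every scanned app inherits the proxy's rule) and the question share98 asks above can be made concrete with a small model of what a per-application firewall observes. This is an added illustration written for this thread, not ESET's or any firewall vendor's code; the rule table, process names, proxy listener port and sample connections are all constructed.

```python
"""Model of how an inline local AV proxy changes what a per-application
software firewall can see and enforce. Constructed example, not ESET code."""
from dataclasses import dataclass

PROXY_PROCESS = "ekrn.exe"
PROXY_PORT = 30606       # placeholder listener port; the real one is not in the thread
LOCALHOST = "127.0.0.1"


@dataclass(frozen=True)
class Conn:
    process: str          # process the firewall attributes the socket to
    dst_ip: str
    dst_port: int


# Per-application outbound rules: process -> allowed destination ports.
# Anything not listed is denied ("every unused outbound port closed").
RULES = {
    "iexplore.exe": {80, 443},
    "firefox.exe": {80, 443},
    "outlook.exe": {110, 25},
    "wmplayer.exe": {80},
}

# Applications ticked as "Internet browsers or email clients", i.e. routed via the proxy.
SCANNED = {"iexplore.exe", "firefox.exe", "outlook.exe", "wmplayer.exe"}

# Constructed connection attempts (203.0.113.0/24 is a documentation range).
ATTEMPTS = [
    Conn("iexplore.exe", "203.0.113.10", 443),   # allowed either way
    Conn("wmplayer.exe", "203.0.113.10", 443),   # denied per-app, allowed via proxy
    Conn("wmplayer.exe", "203.0.113.10", 110),   # mail port inherited from outlook.exe
    Conn("updater.exe", "203.0.113.10", 80),     # not scanned: firewall still decides
]


def firewall_allows(rules, conn):
    """Per-app decision; loopback traffic is typically permitted by default profiles."""
    if conn.dst_ip == LOCALHOST:
        return True
    return conn.dst_port in rules.get(conn.process, set())


def through_proxy(conn, scanned):
    """The connection legs the firewall observes once `conn.process` is proxied:
    app -> localhost, then proxy -> Internet. Unscanned apps connect directly."""
    if conn.process not in scanned:
        return [conn]
    return [Conn(conn.process, LOCALHOST, PROXY_PORT),
            Conn(PROXY_PROCESS, conn.dst_ip, conn.dst_port)]


def rules_with_proxy(rules, scanned):
    """The rule the proxy needs: the union of every scanned app's allowed ports."""
    merged = dict(rules)
    merged[PROXY_PROCESS] = set().union(*(rules.get(p, set()) for p in scanned))
    return merged


def decide(rules, conn, scanned):
    """True if every observed leg of the connection passes the firewall."""
    merged = rules_with_proxy(rules, scanned)
    return all(firewall_allows(merged, leg) for leg in through_proxy(conn, scanned))


def granularity_lost(rules, scanned, attempts):
    """Connections the per-app rules deny directly but the proxied setup lets through."""
    return [c for c in attempts
            if not firewall_allows(rules, c) and decide(rules, c, scanned)]


if __name__ == "__main__":
    for c in granularity_lost(RULES, SCANNED, ATTEMPTS):
        print(f"{c.process} reaches {c.dst_ip}:{c.dst_port} only because {PROXY_PROCESS} may")
```

    Removing an application from the scanned set (the "do not tick it as a browser" advice in post #16) restores the firewall's per-app decision for it, at the cost of download-time scanning.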
     
  22. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Here is a screen capture. Hopefully it will help to show how the proxy works... :)
     
  23. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    HAN,

    Thank you for the great screenshot. The last time I looked many of the SysInternals Utilities hadn’t been updated for Vista so I guess it is time to look again.

    It also clearly shows why monitoring localhost can put some “teeth” back into the firewall you are using.
     
  24. xwray

    xwray Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    46
    I just got back from a 3 week vacation.

    I just finished reading all these posts albeit the last ones somewhat faster than the first.

    My head hurts.

    Can anyone tell me if all of these real and/or imagined issues apply if you are using a hardware firewall such as a PIX501?

    thanks
     
  25. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    3 weeks! Sounds like heaven! :D

    Anyway, the issue revolves around version 3 setting up a local proxy on the PC itself. I don't see this affecting external appliances. (Eg., NOD32 filters/scans HTTP traffic on the local PC but when the traffic comes and goes from the PC, it's still HTTP.)
     