ekrn.exe as a proxy

Discussion in 'ESET NOD32 Antivirus' started by eitanc, Apr 22, 2008.

Thread Status:
Not open for further replies.
  1. eitanc

    eitanc Registered Member

    Joined:
    Apr 22, 2008
    Posts:
    7
    Hello,

    I use NOD32 version 3.0.650.0 with the latest comodo fw.
    I have to allow, in comodo, for outlook to access tcp port 30606 on 127.0.0.1 for it to access ekrn.exe (by NOD32), for emails to go out.

    This is nice and OK.
    The problem is that I wish NOT to allow outlook to go out on any non-email ports, like HTTP, to avoid web threats and so, originating from email I receive.

    Now, with version 3 of NOD32, I can't do that since it is acting as a proxy, "outside" comodo, and I can't granularly make NOD32 NOT allowing outlook to go out in any non-email ports.
    Thus, NOD32 is creating a bypass to my fw, making it somehow useless... (unless it is a way to make us go for smart security... ;) ).

    I tried adding a specific comodo rule, before the one for ekrn.exe, blocking the access of outlook to http ports, but, of course, it didn't help since outlook redirects, in advance, http traffic via port 30606 to ekrn.exe and not by outlook itself via port 80...

    Now, outlook.exe is only marked as an email client and not web browser.
    But this doesn't help since the advanced option of "protocol filtering" has no sub-option to defer between email traffic and web traffic - they are bundled.
    I tried the middle option, "applications marked..." but it didn't help.
    It looks like eset should give here more granular settings, separating email traffic from web traffic.

    Please advise how I can overcome this issue.

    Thanks.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There will be a solution to this for Vista users in the version we're working on.
     
  3. eitanc

    eitanc Registered Member

    Joined:
    Apr 22, 2008
    Posts:
    7
    Thanks, that's great to hear! :D ... but what if I use XP?... :(
    And when is it planned to be released (the XP supported version, of course)?

    Thanks!
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Only Vista supports a feature that we'll take advantage of instead of redirecting the traffic through a local proxy. The only options to work around it are:
    1, disable protocol filtering -> files will be scanned by the real-time protection on file save
    2, use a firewall that supports local proxies
    3, use the firewall built in ESS
     
  5. eitanc

    eitanc Registered Member

    Joined:
    Apr 22, 2008
    Posts:
    7
    Thanks.
    Sorry to hear it will be solved only for vista.

    Can you give me some names, from your knowledge, of FWs that support local proxies?

    Thanks.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Most firewalls support local proxies if you remove the localhost from the list of trusted network addresses. Of course, writing a ruleset will become harder.

    Marcos,
    What's that feature only present in Vista?
     
  7. eitanc

    eitanc Registered Member

    Joined:
    Apr 22, 2008
    Posts:
    7
    Thanks lucas1985.

    The issue here is not really a networking one, but more of a process.
    I can, of course, with comodo, control what ekrn.exe can do towards the internet, but it masks to me the original application that initiated the session - and this is the real problem, since I care about the first app and I wish to control its networking behavior.

    I don't know of any FW that can give this to me, showing me and enabling me to control the whole chain of apps and their networking behavior.

    If NOD32 had operated INSIDE of outlook, in a way that it controlled what outlook will do in the end and NOT being OUTSIDE of outlook - it could have been better.

    Thanks.
     
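As an added illustration of the chain-masking problem described in the post above (example code written for this page, not from ESET, Comodo or the poster): it parses constructed `netstat -ano`-style TCP rows and sorts connections into what a per-application firewall can still attribute and what surfaces only as the proxy's own egress. The port 30606 comes from the thread; the PIDs, image names and addresses are assumed sample values.

```python
import re

PROXY_PORT = 30606  # the ekrn.exe loopback port named in the thread

# Constructed sample in the layout of `netstat -ano` TCP rows (assumed layout).
SAMPLE_NETSTAT = """\
  TCP    127.0.0.1:30606        0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:30606        127.0.0.1:49152        ESTABLISHED     1234
  TCP    127.0.0.1:49152        127.0.0.1:30606        ESTABLISHED     2468
  TCP    192.168.1.10:49153     203.0.113.5:80         ESTABLISHED     1234
  TCP    192.168.1.10:49154     203.0.113.9:443        ESTABLISHED     3579
"""
# Constructed PID -> image name map (on a live host this would come from `tasklist`).
PROCESS_NAMES = {1234: "ekrn.exe", 2468: "outlook.exe", 3579: "firefox.exe"}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Parse TCP rows into dicts; rows that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            rows.append(dict(laddr=la, lport=int(lp), raddr=ra, rport=int(rp),
                             state=state, pid=int(pid)))
    return rows


def proxy_visibility(rows, proxy_port=PROXY_PORT, names=PROCESS_NAMES):
    """Split connections into what a per-app firewall can attribute and what the proxy hides.

    proxied_apps : apps whose only visible peer is the loopback proxy
    proxy_egress : remote endpoints opened by the proxy process itself (originator unknown)
    direct       : (app, endpoint) pairs the firewall can attribute normally
    """
    proxy_pids = {r["pid"] for r in rows if r["lport"] == proxy_port and r["state"] == "LISTENING"}
    proxied_apps, proxy_egress, direct = set(), set(), set()
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        app = names.get(r["pid"], f"pid:{r['pid']}")
        loopback_peer = r["raddr"].startswith("127.")
        if r["raddr"] == "127.0.0.1" and r["rport"] == proxy_port:
            proxied_apps.add(app)  # this app's real destination is hidden behind the proxy
        elif r["pid"] in proxy_pids and not loopback_peer:
            proxy_egress.add(f"{r['raddr']}:{r['rport']}")  # proxy's own egress
        elif r["pid"] not in proxy_pids and not loopback_peer:
            direct.add((app, f"{r['raddr']}:{r['rport']}"))
    return {"proxied_apps": proxied_apps, "proxy_egress": proxy_egress, "direct": direct}


if __name__ == "__main__":
    print(proxy_visibility(parse_netstat(SAMPLE_NETSTAT)))
```

The connection table alone cannot pair a given proxy egress with the client that caused it, which is exactly why a rule written against outlook.exe cannot reach traffic that leaves as ekrn.exe.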
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I don't know about Comodo (don't use it) but in the Internet filtering rules it should have a rule to allow all comms to localhost/loopback or something that makes it trust the loopback adapter. Untick that rule and you'll see the pop-ups.
     