EKRN.EXE - Unauthorised programs can connect to internet via it. :(

Discussion in 'ESET Smart Security v3 Beta Forum' started by smith2006, Aug 23, 2007.

Thread Status:
Not open for further replies.
  1. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    I am currently trialling ESET NOD32 Antivirus 3.0 and noticed that unauthorised programs (I have Outpost Firewall on my PC; I tested by updating AVG Anti-Spyware without firewall rules) can proxy through EKRN.EXE to the internet.

    I think this could present a security threat - unauthorised programs can bypass firewall. :thumbd:

    Any comment from ESET?
     
  2. GhostMan

    GhostMan Eset Staff Account

    Joined:
    Jun 8, 2007
    Posts:
    99
    Location:
    Bratislava
    Hi

    More details (for example, how to replicate this issue) here, or even better at betasupport@eset.sk, would be great.

    Cheers.
     
  3. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    I thought I had already mentioned it in my post?

    No firewall rules were created for avgas.exe (the updater for AVG Anti-Spyware). When I click on the updater, it can tunnel through ekrn.exe (which has firewall rules created for it) to the internet.

    This is the firewall log:

    11:21:44 AM avgas.exe OUT TCP localhost 30606 Allow local TCP connection
    11:21:44 AM ekrn.exe IN TCP localhost 2306 Allow local TCP connection
    11:21:44 AM ekrn.exe OUT TCP updateasfreeinfo.grisoft.com HTTP Browser HTTP connection
    11:22:32 AM avgas.exe OUT TCP localhost 30606 Allow local TCP connection
    11:22:32 AM ekrn.exe IN TCP localhost 2308 Allow local TCP connection
    11:22:32 AM ekrn.exe OUT TCP updateasfreeinfo.grisoft.com HTTP Browser HTTP connection
     
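The log above shows the pattern this thread is about: a program with no firewall rule of its own connects to the local proxy port, and ekrn.exe then makes the outbound connection under its own rule. As an added example that is not from the original post or from ESET, the following Python script parses Outpost-style log lines like those quoted and flags that correlation; the field layout, the two-second window, the `allowed` set of processes that have their own rules, and the two extra constructed lines for a browser are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the Outpost log lines quoted in the post above, plus two
# extra lines for a browser that has its own firewall rule (assumption).
SAMPLE_LOG = """\
11:21:44 AM avgas.exe OUT TCP localhost 30606 Allow local TCP connection
11:21:44 AM ekrn.exe IN TCP localhost 2306 Allow local TCP connection
11:21:44 AM ekrn.exe OUT TCP updateasfreeinfo.grisoft.com HTTP Browser HTTP connection
11:22:32 AM avgas.exe OUT TCP localhost 30606 Allow local TCP connection
11:22:32 AM ekrn.exe IN TCP localhost 2308 Allow local TCP connection
11:22:32 AM ekrn.exe OUT TCP updateasfreeinfo.grisoft.com HTTP Browser HTTP connection
11:30:01 AM firefox.exe OUT TCP localhost 30606 Allow local TCP connection
11:30:01 AM ekrn.exe OUT TCP www.example.com HTTP Browser HTTP connection
"""

# Field layout assumed from the quoted lines: time, process, direction,
# protocol, remote host, port or service name, then the rule that matched.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<proc>\S+) (?P<dir>IN|OUT) "
    r"(?P<proto>\S+) (?P<host>\S+) (?P<port>\S+) (?P<rule>.*)$"
)

def parse_log(text):
    # Lines that do not match the assumed layout are skipped.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["time"], "%I:%M:%S %p")
            events.append(e)
    return events

def find_proxy_bypass(events, proxy="ekrn.exe", proxy_port="30606",
                      allowed=frozenset(), window=timedelta(seconds=2)):
    """Flag a process outside `allowed` that connects to the local proxy port
    when the proxy then opens an outbound connection within `window`."""
    hits = []
    for i, e in enumerate(events):
        if (e["proc"] == proxy or e["proc"] in allowed or e["dir"] != "OUT"
                or e["host"] != "localhost" or e["port"] != proxy_port):
            continue
        for f in events[i + 1:]:
            if f["time"] - e["time"] > window:
                break
            if f["proc"] == proxy and f["dir"] == "OUT" and f["host"] != "localhost":
                hits.append((e["time"].strftime("%H:%M:%S"), e["proc"], f["host"]))
                break
    return hits
```

Run against the sample with `allowed={"firefox.exe"}`, it reports only the two avgas.exe updates reaching updateasfreeinfo.grisoft.com through the proxy.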
  4. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    Please note the same applies to other unauthorized programs.

    You can test this by not giving a browser (IE7, Firefox or Opera) rights to connect to the internet, and yet it can bypass this using ekrn.exe.

    By the way, I have only tested ESET NOD32 Antivirus 3.0, not sure about ESS.
     
    Last edited: Aug 24, 2007
  5. GhostMan

    GhostMan Eset Staff Account

    Joined:
    Jun 8, 2007
    Posts:
    99
    Location:
    Bratislava
    Hi

    Just to be sure, check if you have Interactive mode selected.

    Cheers.
     
  6. GhostMan

    GhostMan Eset Staff Account

    Joined:
    Jun 8, 2007
    Posts:
    99
    Location:
    Bratislava
    Ehm, now I'm not sure if I understand... ESET Antivirus doesn't have a firewall, so it can't prevent applications from accessing the network...
     
  7. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    How to check that?

    I guess this problem lies with Web access protection.
     
  8. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    Maybe you can do a test.

    As mentioned before, I am using Outpost Firewall.
     
  9. GhostMan

    GhostMan Eset Staff Account

    Joined:
    Jun 8, 2007
    Posts:
    99
    Location:
    Bratislava
    Nope. Web access protection only scans for malicious code on pages you are accessing. Firewall mode can be checked via ESS main window - settings - personal firewall - switch to interactive mode (or automatic).

    Cheers.
     
  10. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    I would appreciate it if you could investigate. Let me know if you need more information.

    You can reproduce the problem by running ESET NOD32 Antivirus 3.0 with a third-party firewall and an unauthorized program without firewall rules.

    ekrn.exe literally opens a hole in the firewall for unauthorised programs to go through.
     
  11. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    Is this done via ekrn.exe?

    The old way using IMON (NOD32 V2) doesn't cause any problem for the firewall, and I am running it happily with Outpost Firewall.
     
  12. GhostMan

    GhostMan Eset Staff Account

    Joined:
    Jun 8, 2007
    Posts:
    99
    Location:
    Bratislava
    It's working. I just installed Outpost Firewall and didn't create any rules. Then I installed EA. Now, if I try to update EA -> Outpost prompts to allow/deny. The same for IE and Firefox...
    Please, check your Outpost firewall settings.

    Cheers.
     
  13. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    I don't think it has anything to do with my firewall setting.

    If you don't assign permanent rules for ekrn.exe (as in the experiment you mentioned above), then whenever you are surfing you will keep getting prompts from the firewall asking whether to allow ekrn.exe to access the internet or not (bear in mind that you were running Outpost Firewall in wizard mode; most users should be running it in Block Most mode after learning). Is this way productive?

    How about you try surfing the internet using Firefox or IE, even if you have assigned firewall rules for them. The firewall rules will not be used.

    As internet traffic still has to go through ekrn.exe, which acts like a proxy, the firewall will still be asking whether to allow ekrn.exe to access the internet or not.

    As I mentioned before, I have no issue using NOD32 V2.7 (I paid for a three year license) with Outpost Firewall. How can it be a problem with my setting?

    Trust me, it has something to do with HTTP scanning as I have encountered it while using AntiVirusKit 2006 and that's the reason I switched to NOD32.
     
  14. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    I just did another test.

    Without a permanent rule for ekrn.exe, you will need to answer 10 prompts in order to update. You will receive the same prompts even when browsing (16 prompts for ekrn.exe just to start up Firefox).

    With a permanent rule (Browser HTTP connection) for ekrn.exe, an unauthorized program (I am still using the example of the AVG Anti-Spyware updater) can access the internet by tunneling through it.

    A Rock and a Hard Place, which one will you choose?

    Perhaps you may want to discuss with your colleagues on this?
     
    Last edited: Aug 24, 2007
  15. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    Just an update:

    I managed to overcome this issue by disabling this function in ESET NOD32 Antivirus 3.0:

    Web access protection -> HTTP -> Enable HTTP filter.

    With this action, everything goes back to normal, just like before (NOD32 2.7 with Outpost Firewall).

    http://img408.imageshack.us/img408/1273/esetvy9.jpg

    However the status for Web access protection becomes "Malfunctioning". :eek: Could it be a bug?

    One more question - by doing this will it weaken the antivirus protection?
     
    Last edited: Aug 24, 2007
  16. mayt

    mayt Eset Staff Account

    Joined:
    Mar 12, 2007
    Posts:
    84
    Location:
    Bratislava
    It is likely a bug.

    Disabling HTTP filtering prevents malware coming through http from being scanned.
     
  17. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    Last edited: Aug 24, 2007
  18. polocanada

    polocanada Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    60
    Quick question for GhostMan,
    is it necessary that there are 16 prompts for Firefox? Wouldn't it be enough to have just 3 or 2 prompts? Thanks. Sorry for stealing the topic.
     
  19. rolarocka

    rolarocka Guest

  20. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    I am using ESET NOD32 3.0 Beta.

    This problem is related to a third party firewall.
     
  21. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    Thanks for the reply.

    Nevertheless, I think it is still a bug Eset needs to tackle.
     
  22. ASpace

    ASpace Guest

    I experienced the same bug with EA. It appears after ekrn.exe is terminated by the Task Manager or when ekrn.exe is restarted (computer restart). The web protection completely goes away from the GUI (Standard mode) or is blank in the Advanced Setup Tree. Even though it is gone/blank it appears to be working, blocking Eicar or other test files. I haven't seen this in ESS when I tried it on 23 August.

    Perhaps they'll fix it soon :)
     
  23. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    Actually, I am not too concerned about it.

    I am more worried about unauthorised programs bypassing the firewall* through ekrn.exe (once it is granted internet access). :'(

    EDIT: Talking about the combo of NOD32 V3.0 & third party firewall.
     
  24. slimg00dy

    slimg00dy Registered Member

    Joined:
    Sep 12, 2007
    Posts:
    2

    I wouldn't be worried about EKRN at all, it's another form of IMON really. Instead of checking links for unsafe applications/scripts/malware/viruses etc. through port 80 (HTTP), EKRN also checks for applications that use port 80 (HTTP) through port 30606 (I use Outpost Firewall as well, and that's how I figured it out). It does the exact same thing as IMON, just in a different way. So in other words EKRN just checks port 80 for browsers and forces other applications (except browsers) that also access port 80 to go through port 30606 or some other random port. The only downfall to port 30606 (or whichever replaced port 80) is that if you run programs like WoW or Guild Wars, they use port 80 to connect to their servers and then get taken over by port 6112. ThreatSense (EKRN) blocks all communication to these programs... I've already e-mailed ESET about this.

    P.S. I've checked my Outpost and tried to block the access to Opera/Firefox/IE, and EKRN didn't give them the bridge to connect. Check your config in Outpost; maybe there's some anti-leak option that you haven't checked yet. To see what EKRN was really connected to, here's a picture of everything my EKRN was connected to: http://i129.photobucket.com/albums/p228/slimg00dy/untitled-2.jpg If you notice there, EKRN closes numerous ports (still haven't figured out why) but keeps the ones active in my browser established (if it's anything like IMON it keeps them active for any changes on that server that could be harmful to anyone who visits or is still browsing that site). Unlike IMON it keeps a constant active check on those sites you have open, basically. My theory could be wrong, but I really don't think ESET could be dumb enough to set EKRN to receive any other data than signatures.
     
    Last edited: Sep 12, 2007