EKRN.EXE - Unauthorised programs can connect to internet via it. :(

I am currently trialling Eset NOD32 Antivirus 3.0 & notice that unauthorised programs (I have Outpost Firewall on my PC, I have tested updating AVG Anti-Spyware without firewall rules) can proxy through EKEN.EXE to internet.

I think this could present a security threat - unauthorised programs can bypass firewall.

Any comment from ESET?

 

Hi

more details (for example how to replicate this issue) here or even better on betasupport@eset.sk will be great.

Cheers.

 

I thought I have already mentioned it in my post?

No firewall rules were created for avgas,exe (updater for AVG Anti-Spyware). When I click on the updater, it can tunnel through ekrn.exe (firewall rules created for it) to internet.

This is the firewall log:

11:21:44 AM avgas.exe OUT TCP localhost 30606 Allow local TCP connection

11:21:44 AM ekrn.exe IN TCP localhost 2306 Allow local TCP connection

11:21:44 AM ekrn.exe OUT TCP updateasfreeinfo.grisoft.com HTTP Browser HTTP connection

11:22:32 AM avgas.exe OUT TCP localhost 30606 Allow local TCP connection

11:22:32 AM ekrn.exe IN TCP localhost 2308 Allow local TCP connection

11:22:32 AM ekrn.exe OUT TCP updateasfreeinfo.grisoft.com HTTP Browser HTTP connection

 

Please note the same apply to other unauthorized programs.

You can do a test by not giving browser(IE7, Firefox or Opera) rights to connect to internet & yet it can bypass using ekrn.exe.

By the way, i have only tested for Eset NOD32 Antivirus 3.0, not sure about ESS.

 

Hi

just to be sure, check if you have Interactive mode selected.

Cheers.

 

Ehm, now I'm not sure if I understand...Eset Antivirus don't have firewall, so it can't prevent applications from accessing network...

 

How to check that?

I guess this problem lies with Web access protection.

 

May be, you can do a test.

As mentioned before, I am using Outpost Firewall.

 

Nope. Web access protection only scan for malicious code on pages you are accessing. Firewall mode can be checked via ESS main window - settings - personal firewall - switch to interactive mode (or automatic).

Cheers.

 

I would appreciate it if you could investigate. Let me know if you need more information.

You can reproduce the problem by running ESET NOD32 Antivirus 3.0 with a third party firewall, and unauthorized program without firewall rules.

ekrn.exe literally open a hole in the firewall for unauthorised program to go through.

 

Is this done via ekrn.exe?

The old way using IMON (NOD32 V2) doesn't cause any problem for firewall, & I am running it happily with Outpost Firewall.

 

It's working. I just installed Outpost Firewall and don't create any rule. Then I installed EA. Now, if I try to update EA -> Outpost message for allow/deny. The same for IE and Firefox...
Please, check your Outpost firewall settings.

Cheers.

 

I don't think it has anything to do with my firewall setting.

If you don't assign permanent rules for ekrn.exe (like what you mentioned in your above experiment).

Whenever you are surfing, you will keep getting prompt from the firewall asking whether to allow ekrn.exe accessing to internet or not (bare in mind that you were running Outpost Firewall in wizard mode, most users should be running it under Block Most mode after learning). Is this way productive?

How about you try surfing internet using Firefox or IE, even you have assigned firewall rules for them. The firewall rules will not be used.

As internet traffic still has to go through ekrn.exe as it acts like a proxy, the firewall will still asking whether to allow ekrn.exe to acccess internet or not.

As I mentioned before, I have no issue using NOD32 V2.7 (I paid for a three year license) with Outpost Firewall. How can it be a problem with my setting?

Trust me, it has something to do with HTTP scanning as I have encountered it while using AntiVirusKit 2006 and that's the reason I switched to NOD32.

 

I just did another test.

Without a permanent rule for ekrn.exe, you will need to answer 10 prompts in order to update. You will receive the same prompt even with browsing(16 prompts for ekrn.exe just to start up firefox).

With a permanent rule (Browser HTTP connection) for ekrn.exe, unauthorized program (I am still using the example of AVG Antispyware Updater) can access to internet tunneling through it.

A Rock and a Hard Place, which one will you choose?

Perhaps you may want to discuss with your colleagues on this?

 

Just an update:

I managed to overcome this issue by disabling this function in ESET NOD32 Antivirus 3.0:

Web access protection -> HTTP -> Enable HTTP filter.

With this action, everything go back to normal just like before (NOD32 2.7 with Outpost Firewall).

http://img408.imageshack.us/img408/1273/esetvy9.jpg

However the status for Web access protection becomes "Malfunctioning". Could it be a bug?

One more question - by doing this will it weaken the antivirus protection?

 

It is likely a bug.

Disabling HTTP filtering prevents malware coming through http from being scanned.

 

Thank you for the response.

I have a more serious one this morning.

http://img263.imageshack.us/img263/2154/nod32cs2.jpg

http://img293.imageshack.us/img293/9238/nod321ij0.jpg

The option for Web access protection becomes blank.

Please look into this bug.

 

Quick question for GhostMan,
is it necessary that there are 16 prompts for Firefox? Wouldn't be enough to have just 3 or 2 prompts? Thanks. Sorry for stealing the topic.

 

i have the same problem. but if i click on a scheduled scan (declick and click) the web access protection shows up again.

 

I am using ESET NOD32 3.0 Beta.

This problem is related to a third party firewall.

 

Thanks for the reply.

Nevertheless, I think it is still a bug Eset needs to tackle.

 

I experienced the same bug with EA . It appears after ekrn.exe is terminated by the Task Manager or when ekrn.exe is restarted (computer restart) . The web protection completely goes away from the GUI (Standart mode) or is blank in the Advanced Setup Tree . Even though it is gone/blank it appears to be working , blocking Eicar or other test files . I haven't seen this is ESS when I tried it on 23 August

Perhaps they'll fix it soon

 

Actually, I am not too concerned about it.

I am more worried about unauthorised programs bypassing firewall* through ekrn.exe(once granted internet access).

EDIT: Talking about the combo of NOD32 V3.0 & third party firewall.

 

I wouldn't be worried about EKRN at all, it's another form of IMON really. Instead of checking links for unsafe applications/scripts/malware/viruses etc... through port 80 (HTTP). EKRN also checks for applications that use port 80 (HTTP) through port 30606 (I use outpost firewall as well, and that's how I figured it out). It does the exact same thing as IMON just in a different way. So in other words EKRN just checks port 80 for browsers and forces other applications (except browsers) that also access port 80 to be used through port 30606 or some other random port. The only downfall to port 30606 (or whichever replaced port 80) is that if you run programs like WoW or Guild Wars, they use port 80 to connect to their servers and then be taken over by port 6112. Threat sense (EKRN) blocks all communication to these programs.... I've already e-mailed Eset about this.

P.S. I've checked my outpost and tried to block the access to Opera/FireFox/IE and EKRN didn't give them the bridge to connect. Check your config in outpost, maybe there's some anti-leak option that you haven't checked yet. To see what EKRN was really connected too, here's a picture of everything my EKRN was connected to. http://i129.photobucket.com/albums/p228/slimg00dy/untitled-2.jpg If you notice there EKRN closes a numerous amounts of ports (Still haven't figured out why) but keeps the ones active in my browser established (if it's anything like IMON it keeps it active for any changes on that server that could be harmful to anyone who visits or still browsing that site). Unlike IMON it keeps a constant active check on those sites you have open, basically. Although my theory could be wrong but I really don't think ESET could be dumb enough to set EKRN to recieve any other data than signatures.