ESET NOD 32 Antivirus and Firewall Rules Security concern

Discussion in 'ESET NOD32 Antivirus' started by RockLobster, Mar 25, 2009.

Thread Status:
Not open for further replies.
  1. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    This is a security concern I have that everyone using ESET Antivirus should be aware of. I was setting up my firewall outbound packet filtering rules and discovered that Internet Explorer and some other internet applications won't access the internet until I create a rule to allow ESET NOD32 Antivirus ekrn.exe to access the internet.
    I discovered this is because those applications, along with a lot of others, are listed in ESET's antivirus settings as web browser type applications, and therefore use the ESET local proxy server service to access the internet instead of establishing their own direct internet connection.
    My security concern is that when you introduce a firewall rule to allow the ESET antivirus ekrn.exe outbound internet access, this automatically grants outbound internet access to every application listed in the ESET settings as a web browser application, including, by default, svchost.exe, which according to Windows Vista's own firewall documentation should not be given a firewall rule to explicitly allow it, as the services it hosts should have their own individual rules; in fact, allowing svchost unfettered internet access actually overrules some of Microsoft's own rules for those services that are pre-written in Windows Firewall.
    This also means that any malware that gets registered in ESET as a web application blows a hole right through your firewall as soon as you grant ekrn.exe a firewall rule to allow it, and allow it you will, because until you make a firewall rule to allow ekrn.exe outbound internet access your antivirus will not receive updates.
    I hope someone will correct me if I am wrong on this, but I believe this to be a huge security hole. Many people who use firewalls that simply say "ESET antivirus is requesting internet access, allow? yes or no" will have no idea that by saying yes to this, they are allowing a multitude of other applications full outbound internet access via the ESET proxy service that also gets allowed as part of the antivirus program.
    I would also hope someone would repeat my methods to verify this. I turned on outbound packet filtering in Windows Firewall by setting outbound to block; at this point no applications, including Internet Explorer, could access the internet. I then created one rule, to allow ekrn.exe outbound internet access, and from that point on all the internet applications listed in ESET antivirus advanced settings had full and normal internet access, including Internet Explorer, messengers, uTorrent and a bunch of updaters and other apps that are listed in ESET as web browser type applications.
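    The test described above, written up as an added example (this is not code from the original thread or from ESET): a PowerShell script for Windows Vista/7 that sets Windows Firewall to block outbound by default, adds the single allow rule for ekrn.exe, and then audits the TCP table to show which processes only reach the network through a loopback connection to ekrn.exe, versus which ones the firewall actually sees talking to the outside. The ESET install path and the proxy process name ekrn are assumed defaults; adjust them for your installation.

```powershell
# Added example, not from the original thread or from ESET. It reproduces the
# poster's test on Windows Vista/7 with Windows Firewall with Advanced Security
# and then audits which processes only reach the network through the local
# ESET proxy (ekrn.exe). Run from an elevated PowerShell prompt.
# Assumptions: default ESET install path below and the proxy process name 'ekrn'.

$EkrnPath = 'C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe'   # assumed default path

# Step 1: block all outbound traffic by default (the starting point of the test).
# To restore the Windows default later: firewallpolicy blockinbound,allowoutbound
& netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Step 2: the single allow rule for ekrn.exe that the poster created.
& netsh advfirewall firewall add rule name=ESET_ekrn_out dir=out action=allow "program=$EkrnPath" enable=yes

function Get-ProcessNameMap {
    # PID -> process name, so netstat rows can be attributed to executables.
    $map = @{}
    Get-Process | ForEach-Object { $map[$_.Id] = $_.ProcessName }
    return $map
}

function Get-TcpRows {
    # Parse the IPv4 TCP rows of 'netstat -ano'. IPv6 rows ([::1]:port) are skipped.
    $pattern = '^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s+(\d+)\s*$'
    netstat -ano | ForEach-Object {
        if ($_ -match $pattern) {
            New-Object PSObject -Property @{
                LocalPort  = [int]$Matches[2]
                RemoteIP   = $Matches[3]
                RemotePort = [int]$Matches[4]
                State      = $Matches[5]
                OwnerPid   = [int]$Matches[6]
            }
        }
    }
}

function Get-ProxiedClients {
    # Clients connected to 127.0.0.1:<port> where the listener on <port> is ekrn.
    # The firewall sees only ekrn's outbound connection, never the client's own.
    param([string]$ProxyProcessName = 'ekrn')   # assumed proxy process name
    $procs = Get-ProcessNameMap
    $rows  = @(Get-TcpRows)

    $listeners = @{}   # local port -> PID of the process listening on it
    $rows | Where-Object { $_.State -eq 'LISTENING' } |
        ForEach-Object { $listeners[$_.LocalPort] = $_.OwnerPid }

    $rows | Where-Object { $_.State -eq 'ESTABLISHED' -and $_.RemoteIP -eq '127.0.0.1' } |
        ForEach-Object {
            if ($listeners.ContainsKey($_.RemotePort) -and
                $procs[$listeners[$_.RemotePort]] -eq $ProxyProcessName) {
                New-Object PSObject -Property @{
                    Client    = $procs[$_.OwnerPid]
                    ClientPid = $_.OwnerPid
                    ProxyPort = $_.RemotePort
                }
            }
        }
}

function Get-DirectTalkers {
    # Processes with established connections to non-loopback addresses:
    # these are the only ones the outbound firewall rules are actually applied to.
    $procs = Get-ProcessNameMap
    Get-TcpRows | Where-Object { $_.State -eq 'ESTABLISHED' -and $_.RemoteIP -ne '127.0.0.1' } |
        ForEach-Object { $procs[$_.OwnerPid] } | Sort-Object -Unique
}

Write-Host 'Processes the firewall actually sees talking to the network:'
Get-DirectTalkers
Write-Host 'Processes reaching the network only through the ESET proxy:'
Get-ProxiedClients | Format-Table Client, ClientPid, ProxyPort -AutoSize
```

    Run it with a browser and a couple of the other listed applications open. If the poster's observation holds, the first list is essentially just ekrn, while the second list names the browser and the other proxied clients, which is the point of the post: a single allow rule for ekrn.exe is effectively an allow rule for everything in the second list.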
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's actually a well-known fact that HTTP traffic is routed through ekrn.exe. If you have a problem with this, you can either disable HTTP checking, use a firewall that supports local proxies, or use Windows Vista SP1, which supports a new filtering method in which the traffic is no longer routed through ekrn.
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    I know HTTP traffic is supposed to be routed through the antivirus proxy server, and I also knew email was supposed to be routed through it, but there is a lot more than just Internet Explorer and email getting routed through ekrn by default.
    That's a rather sweeping statement, to say "oh, everyone knows about this", because if they did, there would be a lot more discussion about it, and if there has been, I could not find on this or any other forum any post that warns people that the huge amount of internet traffic routed through ekrn by default will bypass any rules you have in your firewall for those apps as soon as you allow ekrn.exe, and it is a huge amount.
    FYI, I am currently running Vista SP1. I have outbound filtering enabled on the firewall and only one rule allowing ekrn.exe, and there are a lot of applications gaining full internet connectivity on my computer through that one rule, including BitTorrent file sharing, instant messengers, all svchost-hosted services, Internet Explorer, Java and others, and that is all by default; I did not add any of those applications to the list to be routed through ekrn myself.

    I realise I can stop this by disallowing those apps from being routed through ekrn.
    My point is most people don't use Vista's firewall and manually apply their firewall rules like I did, and therefore don't notice something unusual is going on. Most people use a friendly GUI firewall which just asks them whether they want to allow this or that, and they click yes to their antivirus program so it can get updates; they see everything seems to be working, so they assume everything is great, while being completely unaware that a whole bunch of apps are totally bypassing the firewall rules for them and routing through the antivirus program.
     
    Last edited: Mar 26, 2009
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    So you must still be using v3. With v4, the http/pop3 traffic wouldn't be passed through a local proxy (ekrn).
     
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Yes, I am using version 3. I believe version 4 was only released a couple of weeks ago, so they removed the local proxy server, eh? Maybe I wasn't the only one that realised the security implications of that, after all.
     