FWIW

Discussion in 'ESET NOD32 Antivirus' started by Hillsboro, Dec 6, 2007.

Thread Status:
Not open for further replies.
  1. Hillsboro

    Hillsboro Registered Member

    Joined:
    Jul 21, 2006
    Posts:
    86
    Location:
    CH/USA
    I have been an Eset subscriber since 1.0. My current license has about a year to go, and I am fairly computer literate.

    I am one of the users who has issues with the HTTP proxy for outbound and inbound traffic. I have read all the threads and, regardless of the recommended configurations to solve the problem, 3.0's HTTP proxy is sidestepping my firewall, Jetico. Yes, I know there are ways to block the outbound port, but it isn't worth the hassle with FF. That is the operative word for me: hassle. So, I have gone back to 2.7.

    It looks like Eset is going the way of others who did one thing well until they tried to do many things well. It doesn't work. Not if you want total control of your internet access. Yes, the learning curve for firewalls such as Jetico is steep, but well worth it, especially if you are doing any business access over a VPN or financial transactions. Maybe I am getting old and paranoid, but I don't see the security reasons for Eset running outbound HTTP and HTTPS traffic through Nod32. Inbound, maybe, for a poorly configured router, firewall and browser. But outbound? o_O My router, firewall, and HIPS have that locked down solid. If I am venturing into areas on the web that may pose a threat, I can turn Sandboxie on.

    Regrettably, Eset seems to feel they have a better way, and a well configured firewall and browser are superfluous with Nod32 3.0 watching over the web traffic.

    What I would like to see is the ability to simply turn the http proxy off and hand control back to the firewall.
     
  2. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    I totally agree. Although there is an adjustment you can make in the antivirus, it may or may not work. It appears to do something, but I don't know for sure. I second your motion for a way to turn HTTP scanning off. That, however, would negate some of the resident protection. 2.7 might have been better at this, although I always got the feeling that adding hooks into WinSock was a little scary. Something tells me that ESET developed the Security Suite, weren't sure if they would issue a version 3 standalone AV, & then, when so many customers demanded a standalone, pulled the firewall out of the suite & left everything else. Unfortunately, now we have the EAV 3 proxy problem. I think that I will use 2.7 for the duration of my license & then reevaluate if I should stick with ESET or move on to a security suite. I currently have both the F-Secure suite & Zone Alarm SS installed in snapshots. Both work wonderfully.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Hillsboro,
    Which version of Jetico do you use?

    If you want to use NOD_V3 (with web AV) with Jetico 1 (for example), then remove the loopback (localhost) 127.0.0.1 from the trusted zone within Jetico.
    You will first need to ensure that "fwsetup.exe" cannot access the network (or the localhost will automatically be added).
    Once this is done, create a ruleset to allow localhost; then, when, say, Firefox attempts access, simply "handle as" the loopback ruleset.
    This at first may appear to give less protection, but it does not, as this will allow NOD to filter the HTTP, plus allow Jetico to filter the packets.

    If you would like further info, then I will post my setup for this.

    Regards,
     
  4. deckie49

    deckie49 Registered Member

    Joined:
    May 25, 2004
    Posts:
    33
    stem,
    please do post the specific rules for this.
    thanks!
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The Jetico 1 rule(set) I use? Or the rules I would use for another firewall?

    If you have a firewall for which NOD3 appears to give application bypass, then please name the firewall, and I can check to see if rules can be added.
     
  6. deckie49

    deckie49 Registered Member

    Joined:
    May 25, 2004
    Posts:
    33
    Sorry Stem, I should have been more specific.
    Rules for another firewall. Outpost in my case.
    Thanks
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Which version/build? 2008? or earlier release? I will install and look.
     
  8. Hillsboro

    Hillsboro Registered Member

    Joined:
    Jul 21, 2006
    Posts:
    86
    Location:
    CH/USA

    Hello Stem,

    I am using 1.0. I tried what you suggested and removed the 127.0.0.0/8 from the configuration file. FF seems to go happily but drops out Nod32 2.7 reading the inbound HTTP traffic... 127.0.0.1 doesn't show up in the inbound application traffic window for FF.

    I would like to see the setup for this... I am using Paranoid's browser setup recommendations in the web browser configuration... it limits FF to specific ports and outbound only.

    Thanks for your offer of help

    Best regards
    Barry
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    For OP 2008, localhost is intercepted by default, so it is a need of understanding.

    Example:
    Nod V3 installed, installed OP 2008. Ran FF for the first time.

    Given popup for firefox (2 alerts)

    popup.gif

    This does not actually indicate what is actually going on, but this is localhost; if allowed, then OP allows all localhost for that application (to save all the popups), and you then have an entry:


    in_place.gif

    This will then allow the localhost comms to NOD3 (local proxy), so it is not a bypass, more a need of understanding of what has been allowed.
    I am seeing some slight problem, but need to look at this more.
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    NOD 2.7 (IMON) is different, as this works on LSP, not interception on localhost.
    Which version of NOD are we now looking at?
     
  11. Hillsboro

    Hillsboro Registered Member

    Joined:
    Jul 21, 2006
    Posts:
    86
    Location:
    CH/USA
    I have 3.0 and removed it because of the problems I outlined above. It would be easy enough to install again, if I could get Nod not to act as a web proxy. I wonder too: what, if any, gain is there to be had with 3.0 over 2.7?

    If you have the setup handy (I looked for it in the 1100+ Jetico posts here but couldn't see any setup screens), I would like to give it a try. It is easy for me as I have it ghosted, so I can reinstall the system with 3.0 on it, and if it is a bust, I can go back to where I am now.

    BTW, does Jetico 2.0.x intercept localhost activity? I am waiting for WinXP SP3 to do a clean install and some housekeeping, but maybe I should look at it now. I only wish I could use a blocklist on it, but Peer Guardian does the job well enough.

    Thanks
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hillsboro,
    You are confusing me; which do you want? You first put forward the problem with Jetico and NOD3, which I have checked and can be resolved with correct interception of loopback; you then go back to NOD 2.7, then go back to NOD3 with the possibility of disabling the web AV. For the latter, just exclude the browser in the NOD3 settings; this will then make Jetico give you popups/filtering without NOD localhost interception:

    web.gif

    Which setup do you want?
     
  13. Hillsboro

    Hillsboro Registered Member

    Joined:
    Jul 21, 2006
    Posts:
    86
    Location:
    CH/USA
    My original post was quite clear as to what the problem was, what I had done and what I wanted. You made a reply to my post offering a workaround. I accepted your offer based on what I had said in my original post (i.e. I had gone back to 2.7...).

    I also mentioned I had tried the remedies offered in earlier posts regarding the HTTP issue and it had not worked for me, as it had not worked for others. I could not place a red X in the box to exclude the browser. All I could do was put a green tick mark or leave it blank. Others have complained about this too. Some can exclude the browser and some cannot. Marcos/Eset have been of no real help or offered an answer as to why some people can do the exclusion and others can't. I think it is safe to say all of us with this problem are not terminally stupid, nor do we lack the ability to communicate the problem clearly, as I did in my first message here. A failure to understand the problem by some does not mean the problem does not exist.
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I think it is safe to say you did not correctly read my first reply, which was intended to help with your problem with the NOD 3 HTTP filter. Please re-read my first post in the thread (#3); does this mention NOD V2.7?

    Follow my first post (#3), with NOD V3. Then post back your findings.
     
  15. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Hi Stem, did you get NOD32 v3 running correctly with Jetico 2 by only excluding the browser, email client, etc. in the NOD3 settings configuration, or did you do further ruleset configuration in Jetico 2? Does HTTP/POP3 traffic still get scanned by NOD32 with this configuration?
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Tommy,

    I have not looked at this yet, but will do now. Give me (maybe) 30 minutes to set up and check (currently, this will have to be on a VM).
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Tommy,

    To follow up,

    With the localhost removed from JPF2 trusted, I am seeing the same behaviour as with Jetico 1. I am given the usual alerts for Firefox (as the app example) for its localhost loopback, then given the alert for the connection to the NOD3 proxy (port 30606).

    2007-12-08_182421.gif

    I will now check for exclusions with NOD3.

    Looking at the defaults within NOD3, I see that FF has been added, but it is currently with no checkmark. I am allowed (on this setup) to place a red checkmark; this then gives rise to popups for FF to connect:

    ff.gif

    This is actually slow with popups; I am seeing a lot of blocked packets (but not logged due to the Jetico2 default installation). Let me look at what is being blocked (possibly internals).

    Edit (again)

    The blocked traffic (I see from the red inbound indicator) is from Jetico2's inability to conform to its own rules; these are DHCP broadcasts/replies, so are not related to NOD3.

    Tommy: I see no problem on my setup.
     
    Last edited: Dec 8, 2007
  18. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Seems to work; a little problem is with email clients, as I have to do inbound and outbound rules for 127.0.0.1, as the inbound traffic reaction time is very long and for that SPI does not work correctly.

    But there is one big problem. You can't block an IP address for one web application and allow it for another. Moreover, you can't limit applications to IP ranges with Jetico with this kind of Eset proxy. This will also affect ALL other FWs, I think. I see for now no effective solution to get control like Jetico in combination with NOD32 2.7.

    That's nothing for a normal user, as these kinds of configurations are far too complicated for them.
     
    Last edited: Dec 8, 2007
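The loss of per-application control Tommy describes can be shown with a small model of first-match, per-process firewall rules. This is an added illustration, not code from the thread or from ESET/Jetico; the process names (firefox.exe, thunderbird.exe, and ekrn.exe for the AV proxy service) and the destination addresses are assumptions, while the proxy port 30606 is the one quoted in the thread.

```python
"""Toy model (added illustration): why a local AV HTTP proxy on 127.0.0.1
defeats per-application destination rules in a desktop firewall.

Constructed assumptions: the browser is 'firefox.exe', the mail client is
'thunderbird.exe', and the AV proxy runs as 'ekrn.exe' (hypothetical name)
listening on 127.0.0.1:30606. A rule is (application, destination network,
action); the first matching rule wins and an unmatched connection is denied.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Rule = Tuple[str, str, str]   # (application, destination network, "allow"/"deny")
Conn = Tuple[str, str, int]   # (application, destination IP, destination port)

PROXY_APP = "ekrn.exe"                       # assumed AV proxy process name
PROXY_ADDR, PROXY_PORT = "127.0.0.1", 30606  # port quoted in the thread

RULES: List[Rule] = [
    ("firefox.exe", "203.0.113.0/24", "deny"),        # block this range for the browser only
    ("firefox.exe", "0.0.0.0/0", "allow"),            # browser may reach anything else
    ("thunderbird.exe", "198.51.100.0/24", "allow"),  # mail client: its mail server only
    (PROXY_APP, "0.0.0.0/0", "allow"),                # the AV proxy has to reach everywhere
]

def evaluate(rules: List[Rule], conn: Conn) -> str:
    """First-match evaluation of per-application destination rules."""
    app, dst, _port = conn
    for rule_app, net, action in rules:
        if rule_app == app and ip_address(dst) in ip_network(net):
            return action
    return "deny"

def via_proxy(conn: Conn) -> List[Conn]:
    """What the firewall sees once the AV proxy is interposed: the application
    only ever talks to loopback, and the proxy process makes the real connection."""
    app, dst, port = conn
    return [(app, PROXY_ADDR, PROXY_PORT), (PROXY_APP, dst, port)]

def direct_decision(conn: Conn) -> str:
    """Decision without the proxy: the rule sees the real application and destination."""
    return evaluate(RULES, conn)

def proxied_decision(conn: Conn) -> str:
    """Decision with the proxy: both hops must be allowed for the connection to succeed."""
    return "allow" if all(evaluate(RULES, hop) == "allow" for hop in via_proxy(conn)) else "deny"

if __name__ == "__main__":
    for conn in [("firefox.exe", "203.0.113.5", 80), ("thunderbird.exe", "198.51.100.7", 110)]:
        print(conn, "direct:", direct_decision(conn), "via proxy:", proxied_decision(conn))
```

The browser's blocked range becomes reachable because the firewall attributes the outbound connection to the proxy process, and the mail client is cut off until it gets a loopback rule of its own, which is exactly the extra 127.0.0.1 rule work Tommy describes.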
  19. Hillsboro

    Hillsboro Registered Member

    Joined:
    Jul 21, 2006
    Posts:
    86
    Location:
    CH/USA
    I replied to you in post #8. I said I would like to see the config and thanked you for your help.

    In post #11 you asked for a clarification on the version I was talking about. In #11 I replied as to the options I wanted to pursue if you wanted to post the config info. In post #12 you attached the screen of FF red x'd out as the answer to my problem. Something I could not do as I alluded to in my thread start post. And as Tommy has confirmed, along with many others.

    For me now, as with Tommy, it is not worth trying to cobble together a fix to use Nod3.0 because it doesn't offer any advantages over 2.7. Something I wasn't sure of until reading the posts today yesterday.

    So again, thank you for your time...
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well, I only tried to help with config. I am sorry for trying to help.

    I agree that a forced proxy is not welcome, this should be an option.

    I leave with thought of not to post again.
     
  21. tiinkka

    tiinkka Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    24
    @Stem please don't be put off posting because of a misunderstanding, there are many who benefit from reading of the complexities of firewalls and appreciate the efforts you have gone to ;) .
     
  22. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    @Stem
    Keep on posting, you are a great help for 99% of FW users here. Posts are really appreciated from me and most others :thumb:
    As for NAV, if there is no possibility, there is none; no miracles can be made, not even by you :)
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I only meant posting to this thread.

    Let me be candid,

    I do not care for a forced proxy; any proxy should be an option.

    I have looked at NOD3, and in my setups I see possible options to disable the proxy as I mentioned; now, if this is not available on certain setups, then that is a problem.

    I have seen this before with Kaspersky.


    Now, down to actual:

    I am certainly no "AV" expert, but I do have a good memory, and remember well the interactions on forums. So let me say:

    I remember how at one time there were issues on what packed files were "unpacked" by an AV, the more the better it was said, but then it was also said that a packed (for example zipped) file could not cause problems, as when unpacked, the file AV would catch this. So, from that, was there a care of what an AV could unpack?
    From "HTTP filtering", are we saying that without this, that files in catch can cause problems? Would/will the AV not protect from these files?

    For me, this is just more "",
    Should I think that without an HTTP filter I will become compromised, will realtime file protection from AV not protect anymore, or was it not protecting me before?

    Such a proxy, IMHO, needs to be an installation option, as with IMON.
     
  24. xheffalumpx

    xheffalumpx Registered Member

    Joined:
    Dec 12, 2007
    Posts:
    62
    You know, you really shouldn't have to be messing with your own setups that you may have happily been using for a long time just to accommodate the way NOD32 v3 does things now. It's not unreasonable to request that ESET provide the option to have the proxy or NOT to have it (so you don't have to do all this to begin with). I bet a lot of people rolled back to 2.7 because of this. I know I did!
     
  25. NodboN

    NodboN Registered Member

    Joined:
    Nov 3, 2007
    Posts:
    139
    Hi Stem!!!
    Firstly, thanks for coming back; your inputs shared here are appreciated by most of us.

    I agree that the proxy feature could have been an option built into the installer for users to decide at the time of installation whether to go with the proxy or not.
     