Help config certificates, protocol filtering, random error communicating with kernel

Discussion in 'ESET NOD32 Antivirus' started by Ghetto_Child, Nov 21, 2010.

Thread Status:
Not open for further replies.
  1. Ghetto_Child

    Ghetto_Child Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    29
    Location:
    Montreal, QC, Canada
    So I've been a loyal ESET NOD32 user since 2007. I have consistently been having trouble with these 3 areas and have never found a solution anywhere online or via random "guess & test".

    1) I don't have a clue how to properly use certificates. My understanding is NOD32 is capable of verifying authenticity and encryption of SSL browser connections using certificates. Can someone please give proper step-by-step instructions to configure this correctly for use with Internet Explorer 8, Firefox 3, Google Chrome 7, Safari 5, Opera 10? I use all of these 5 browsers on Windows and none of them can use the SSL/Certificate authentication properly. It's so bad that some of the browsers are unable to use enhanced/secure encryption for logging in, online shop checkout process, etc. I'm using Vista Home Premium Service Pack 2.

    2) Protocol Filtering, I have it enabled to scan all SSL activity but I don't know if I have configured/used something incorrectly. It's related to the first problem I listed. So help with this would be appreciated.

    3) I randomly at reboot/bootup get the prompt "Error Communicating with Kernel" and NOD32 does not load/startup. I then have to go into the start menu and launch the NOD32 program from the ESET group and then NOD32 loads and proceeds with startup scan. I did find a document from the eset knowledge base mentioning this issue but the solution given had zero effect on my situation.

    4) I'd like to know which programs should be selected in the "Active Mode" list and which programs should be selected in the "Excluded Applications" list in the advanced settings. I ask because several programs, when not ticked in the excluded applications list, cause my Vista to slow down/lock up/freeze or malfunction. Some parts even cause browsers to not work correctly on certain sites or protocols. I need help fixing this altogether.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    SSL communication will not be scanned with recent versions of Chrome (v8 and the last two v7 builds) due to new SSL features they've implemented. Support for them will be added in some of the future versions of EAV/ESS.
    As for Mozilla products, scanning SSL will work for websites you visit but updates will fail, as Mozilla doesn't consider certificates other than the built-in ones trusted and thus will not allow its products to update unless the Mozilla certificate is excluded from scanning (read this KB).

    Try downloading the eicar test file from https://secure.eicar.org/eicar_com.zip. If it's detected, SSL scanning in your browser works fine.

    It sounds like it takes long for ekrn to start, maybe due to dependencies on other network drivers (e.g. if it takes long for wireless network adapter drivers to start). If that's the case, the splash-screen should appear for about 2 minutes or even more during Windows startup.

    Until you experience issues, there's no reason to adjust these settings. If you experience a problem with a particular application, you can try excluding it from content filtering.
     
  3. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    this recent thread provides a bit of insight on NOD's SSL protocol filtering and on a side note also incompatibilities with browsers. there are other programs like the media center updater in 7, filezilla ftp client, hitman pro b 117 and more not being compatible with NOD's SSL protocol filtering
     
  4. Ghetto_Child

    Ghetto_Child Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    29
    Location:
    Montreal, QC, Canada
    well for #4 if I don't put C:\Windows\System32\svchost.exe then I get assorted programs slowing down or locking up. Same lockups/slowdowns if svchost.exe is not ticked in active mode & not ticked in Excluded Applications.

    #3 yes sometimes it does take several minutes and it's random, whenever it does slowdown the splash screen stays up very long. What makes even less sense is my laptop is running off an Intel X25-M 160GB Gen2 SSD. Results differ a bit when I try different power modes but it's still always random regardless of the mode.

    #1 you say the attached photo should not happen? That's Chrome 7 and NOD32 SSL scanning working in the photo right?

    The scanning problem I have is, for example, in Chrome 7 NOD32 is blocking all the YouTube videos, it seems, as that's the only browser that can't play the videos. Everything else on YouTube functions correctly.

    In Safari 5 for Windows I can't log into Hotmail/Windows Live Mail at all with enhanced security enabled. A lot of times even without enhanced security the site attempts to load and just stops at a blank page. Checking the activity window shows 3 errors relating to certificate authentication of some sort.
     

    Last edited: Nov 21, 2010
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    perhaps it was a typo and should read the last 2 versions of Chrome v8 and the entire v9 trunk. there should be no problem on v7

    you did not state the OS NOD is running on, neither the NOD version. Just checked on a XP SP3 x86 with NOD 4.2.67.10 with SSL protocol filtering enabled and Chrome 7 - there is no trouble with playing the videos, could be anything on your machine, network (use fiddler2 to debug), missing/wrong codecs, Chrome extensions causing this
     
    Last edited: Nov 21, 2010
  6. Ghetto_Child

    Ghetto_Child Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    29
    Location:
    Montreal, QC, Canada
    There's a Chrome v8 & v9 for Vista? My Chrome is telling me v7 is the latest. You also lost me with the link you gave, I've never seen an encryption higher than 128-bit anywhere online. How did you get/set a higher one?

    I also have trouble getting TLS security to remain enabled in Internet Explorer 8. It randomly winds up unticked, same for SSL3.

    This is why I need some guidance, I really don't understand what should be set vs unset, so what I do is tick all the boxes that say all the different SSL and TLS levels in each browser (turning everything on I guess) and in NOD32 see attached photos.
     

  7. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Safari 5 is incompatible with NOD's SSL protocol filtering. As Google is pushing Chrome version upgrades every 6 weeks they have currently v8 and v9 in the testing. when v8 gets released in 3 - 4 weeks it will most likely be incompatible with NOD's SSL protocol filtering. Also Mozilla is currently testing FF 4, which at this stage is incompatible with NOD's SSL protocol filtering. Opera is currently testing v 11, which causes also all sorts of trouble with NOD's SSL protocol filtering.

    what do you want to achieve with NOD's SSL protocol filtering? I am not aware of any malware being delivered so far through httpS, though it probably will become a black hat concept at some point. hence for the time being it might be more convenient to stay off NOD's SSL protocol filtering. if not you may exclude those incompatible browsers from NOD's protocol filtering, however then also the normal http data stream will not be scanned and thereby significantly dropping protection. there is no fine grain/tune in between, it is either or

    hard to say what is causing your trouble with IE8, however it is not an anomaly by NOD. do you ever perform a full NOD scan of the machine or frequent second opinion scans with cloud based tools like Hitman Pro? if not it may now be the time to see if anything suspicious comes up
     
    Last edited: Nov 21, 2010
  8. loverboy

    loverboy Registered Member

    Joined:
    Mar 25, 2009
    Posts:
    59
    Why SSL filtering is not set by default?

    I have not checked SSL filtering and the "https eicar zip file" is downloaded regularly on my desktop.
    What is worse is that the "zip" file can be moved into other disks or folders without any warning.
    Shouldn't a warning appear when that file is accessed or copied/moved or whatever operation the OS does on it?
     
    Last edited: Nov 21, 2010
  9. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    that is off this thread's topic
     
  10. loverboy

    loverboy Registered Member

    Joined:
    Mar 25, 2009
    Posts:
    59
    Created new topic :thumb:
     
  11. Ghetto_Child

    Ghetto_Child Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    29
    Location:
    Montreal, QC, Canada
    I did state the OS version in the very first post. Vista Home Premium SP2, also to add I'm using the 32bit version. NOD32 is v4.2.58.3

    As for doing a system scan, I am irregular about full system scans but I always have real-time file system protection running with everything enabled or on most thorough.

    I use the protocol filtering because it makes sure the SSL is secure, blocks obsolete SSL, assures that I'm connected to the intended site with encryption for sensitive info transactions. At least that's what I thought all this was for. I don't believe I have any malware causing this because it's the same symptom I get on several PCs and even right after a fresh format using OEM recovery discs. I don't do any P2P file sharing and I block ALL advertising domains, and all cookies, activeX, and flash so that I have to manually click the control or confirm the prompt to run the script/cookie/flash control.

    So can I get help for the 2 biggest issues first, how do I configure/use certificates correctly? Some of my existing browsers are only able to authenticate certificates halfway. The dialog box I pull up tells me that ESET was unable to verify the certificate or other similar messages

    How do I fix the "error communicating with kernel"?

    Why do I have to put C:\Windows\System32\svchost.exe into the "Excluded Applications" list just to prevent some of my programs (browsers included) from freezing/locking up/crashing?

    Why does ekrn.exe load up several hundred MB of RAM and ramp up to 70-100% CPU usage for no visible reason? As in no definition updates are happening, no system scanning or virus scanning operation running at all.
     
  12. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    me bad. try using the latest version 4.2.67.10 and see whether some of your trouble gets solved.

    nothing of that is being achieved by the NOD SSL protocol filtering, it scans the data stream for malicious code.

    well, it was a suggestion for a second opinion, but if you are confident that perhaps won't be necessary
     
  13. Ghetto_Child

    Ghetto_Child Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    29
    Location:
    Montreal, QC, Canada
    here's another result. Opera 10 is telling me the SSL connection to NCIX login is insecure and the certificate is supposed to be issued by ESET. Is this supposed to happen on Vista Home Premium SP2?
     

  14. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    yes, it is - independent of the OS - the functionality of NOD's SSL protocol filtering is pretty much explained in the thread already mentioned above - that including the trouble with various recent web browsers. it seems that you keep NOD's SSL protocol filtering enabled despite it is not performing any function you imagined?
     
    Last edited: Nov 22, 2010
  15. Ghetto_Child

    Ghetto_Child Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    29
    Location:
    Montreal, QC, Canada
    well if I disable it then I'll have no protection right? so I figured malfunctioning SSL scans are better than none?

    If SSL scanning has nothing to do with Certificate authentication then how can I make sure certificates are being used correctly? My previous understanding was that SSL and certificate authentication were causing each other to malfunction. So how do I isolate and correct the problems I listed in the first place? I am asking for help/guidance, so who or what section of this forum do I need to go to solve the problems I listed?

    Certificates: I have no real understanding of them, just that they're the only guarantee I'm encryptedly connected to a site right? It verifies the site I'm trying to do transactions with is the intended safe one? So how can I make sure I have set this appropriately to the best each browser is capable? Which settings in NOD32's SSL menu & sub menus should I have selected?

    You have pointed me to a lot of threads but none of them explain how to set this, what it is I'm actually setting, and what options are recommended, or why?

    Here's another, "Active Mode". Am I supposed to checkmark EVERY application that shows up in that list including C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe ? Where's the guide to configuring this? The help file is good at explaining some options but many settings are left vague with no examples of what each option will do. How am I to know if adding a program to the "Active Mode" list will hinder the system? I have 60 programs in my list which is far far too many to test 1 by 1. I'd have to go through so many usage patterns per app added to the list.
     
  16. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    it sounds like you have a bit of a misconception about NOD's SSL protocol filtering - which only filters - and the authentication of certificates between webserver and webbrowser. afaik I pointed you to one thread, not too many. as several times stated the existing problems with NOD's SSL protocol filtering and various recent browsers cannot be circumvented with settings in NOD or any of the browsers. Either use only IE for HTTPS, which at this point still works, or live with the annoyances or turn off NOD's SSL protocol filtering.
    you are not supposed to, unless there is a problem with a particular program, which may or may not be solved with Active Mode
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'm not getting this warning on https://secure1.ncix.com/login neither on WinXP, Vista or Win7 32 nor 64-bit. Just to make sure SSL checking works fine, I've tested downloading eicar via https using Opera 10 and it was blocked fine. Could you provide step-by-step instructions how to reproduce it?
     
  18. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Interestingly, I've enabled SSL checking in ESET EAVBE 4.2.64 today, and in Firefox 3.6.12 I get the "insecure certificate" warning when visiting that site. No idea about Opera.


    Jim

    PS Win 7 x64

    Edit: It's actually ESET, not the browser, telling me that it's not secure. Firefox, IE8 and Opera-USB all say the same. Yet clicking on the certificate link in the ESET warning window suggests that the cert is okay.
     
    Last edited: Nov 22, 2010
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Really weird, EAV 4.2.67 on Win 7 x64:
     

    Attached file: ncix.png
  20. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    From Firefox 3.6.12 on Win 7 x64 with EAVBE 4.2.58.3. Sorry I haven't updated to the very latest version yet as I'm worried about the Outlook 2010 thread. I can do so if you think this certificate issue is fixed in the latest release.

    Happy to help debug/diagnose.


    Jim

    Virus signature database: 5639 (20101122)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1293 (20101110)
    Advanced heuristics module: 1114 (20100827)
    Archive support module: 1122 (20100826)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1021 (20100811)
    SysInspector module: 1217 (20100907)
    Self-defense support module : 1016 (20100404)
    Real-time file system protection module: 1004 (20100727)
     

  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    This is okay, just click "Yes, always" to always trust the "secure1.ncix.com" certificate.
    The first thing one should try to fix problems with scanning SSL is as follows:
    - with all web browsers closed, disable SSL scanning and click OK
    - re-enable SSL scanning. A root certificate will be generated and imported to web browsers.
    - open a browser and make sure that SSL scanning works fine by downloading the eicar test file from here
     
  22. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    I've installed 4.2.67.10 over the top of 4.2.58 and this site is now working correctly in FF.

    In Opera I'm told that the server's certificate key chain is incomplete.


    Jim

    PS SSL Scanning is working - the EICAR file was blocked.
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Do you use Opera 10 or 11?
     
  24. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Neither, I hate it :) I've just downloaded 10.63 from here. It's kicking up errors with every SSL site I visit.

    This might be because it's a "USB friendly" version of Opera, I don't know. It might not store certificates/cookies/history etc.
     

  25. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Sure, since portable versions can be located virtually anywhere and there's no record about the location in the registry either, it'd be necessary to import the ESET root certificate as a certification authority.
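
    Added example, not part of the thread and not ESET code: a Python sketch that reads the issuer of the certificate a client is actually handed, which shows whether a connection is passing through SSL protocol filtering (issuer is the product's generated root, as in the Opera report above) or reaching the site's own CA chain. The marker string "ESET" is taken from the thread; the sample certificates and the names in them are constructed.

```python
import re
import socket
import ssl

# Assumption: substrings that identify a locally generated filtering root.
# "ESET" is the issuer named in the thread; adjust to what your product shows.
LOCAL_FILTER_MARKERS = ("ESET",)


def issuer_fields(peercert):
    """Flatten the nested 'issuer' tuple from SSLSocket.getpeercert()."""
    fields = {}
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            fields.setdefault(key, value)
    return fields


def classify_issuer(peercert, markers=LOCAL_FILTER_MARKERS):
    """Return 'filtered', 'direct' or 'unknown' for one peer certificate."""
    fields = issuer_fields(peercert)
    if not fields:
        return "unknown"  # getpeercert() returns {} when nothing was validated
    names = " ".join(fields.get(k, "") for k in ("organizationName", "commonName"))
    for marker in markers:
        # Whole-word match so "ESET" does not hit names such as "Reset CA".
        if re.search(r"\b" + re.escape(marker) + r"\b", names, re.IGNORECASE):
            return "filtered"
    return "direct"


def fetch_peercert(host, port=443, timeout=10):
    """Live check: handshake using Python's default trust store, return the cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format (not captured from a real session).
SAMPLE_FILTERED = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "ESET (constructed sample)"),),
               (("commonName", "Constructed filtering root"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example Public CA G1"),)),
}

if __name__ == "__main__":
    for label, cert in (("filtered", SAMPLE_FILTERED), ("direct", SAMPLE_DIRECT)):
        print(label, "->", classify_issuer(cert), issuer_fields(cert))
```

    `fetch_peercert` raises `ssl.SSLCertVerificationError` when the presented chain does not validate against the trust store Python uses, which is the same condition a browser with its own certificate store reports until the filtering root is imported there.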
     