I need a rule for the update service in my firewall

Discussion in 'NOD32 version 2 Forum' started by Rubi, Jul 24, 2006.

Thread Status:
Not open for further replies.
  1. Rubi

    Rubi Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    4
    Hello, I have installed Deep Freeze, protecting my entire C drive, so what I need to know is where NOD32 saves the updates, I mean in which folder the changes are made, to make a copy of it and be able to copy it later.

    I'd also like to know which files I have to watch, which folders are the most exposed to attacks, and whether the update folder is attacked too, since I have seen that the update service connects to my computer over a range of ports between 1090 and 1115. I think it would be better to give permission to just a single port, not so many. These are the connections made by this service:

    local port 1097 remote 82.165.177.173
    local port 1096 remote 82.165.177.174
    local port 1095 remote 217.67.22.110
    local port 1094 remote 82.165.250.33
    local port 1093 remote 82.165.250.33
    local port 1092 remote 217.67.22.106
    local port 1091 remote 72.32.7.91
    local port 1090 remote 72.32.7.91
    local port 1103 remote 82.165.250.33
    local port 1102 remote 82.165.250.33
    local port 1104 remote 82.165.250.33
    local port 1105 remote 82.165.250.33
    local port 1106 remote 82.165.250.33
    local port 1107 remote 82.165.250.33
    local port 1108 remote 82.165.250.33
    local port kpop 1109 remote 82.165.250.33
    local port 1110 remote 82.165.250.33
    local port 1111 remote 82.165.250.33
    local port 1112 remote 82.165.250.33
    local port 1113 remote 82.165.177.173
    local port 1114 remote 194.213.194.29
    local port 1115 remote 213.215.116.226
    local port 1113 remote 82.165.177.173

    I need to make a rule in my firewall for NOD32; the information needed is:

    the service (although I think it is nod32krn.exe)
    protocol (just TCP, right?)
    local port: this is what I need to know. Can I give access by just one port? This service has full access to my computer
    remote port (would 80 be enough?)
    remote IPs (I'd also like to know if the IPs are the ones I gave above, or if not, which IPs this service connects to, for more security)

    If any of you could give me this information it'd be very useful; I have no way of knowing it.

    thanks in advance, and best regards :)
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    The local port is automatically assigned by the OS for the outgoing connection and will be the first available, different every time.

    Why not just make your rule to permit nod32krn.exe for locally initiated traffic, since the IPs for update servers could easily change (as could their ports)?

    NOD32 for workstations doesn't need to accept inbound connections, does it?

    Cheers :)
     
  3. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    For the remote IP addresses, you can go to Update --> Setup --> Location and then look at the "Server:" box to see the addresses of the update servers. I think the remote ports are TCP port 80.
     
  4. Rubi

    Rubi Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    4
    Then I think I can tell the firewall where I want the update server to enter my system, since maybe anyone supplanting NOD32 could access my system through this port, by entering through a dangerous or trojan port?

    That's the reason I want to make my rule tighter... and yes, I did the update, and the rule I have permits just the outbound connections (dangerous too).

    Thank you, I have looked in there and I have all the names and just one IP address. It's important to know the exact IPs from NOD32, since if I'm not precise any IP could have access to my PC by entering from any address by any port. This is: 82.165.250.33

    So temporarily I'll enter this address, and if anyone knows some other IPs to add, please let me know.

    Thank you all and cheers ;)
     
  5. tristantzara

    tristantzara Registered Member

    Joined:
    Mar 21, 2006
    Posts:
    78
    hi,

    From looking at my recent firewall logs I get these... probably not complete but anyway...


    194.213.194.29 (194.213.194.0 - 194.213.194.63; GTS-CZ-HOSTING2-PPAHA)

    209.200.224.54 (209.200.224.0 - 209.200.239.255; ADDD2NET COM INC DBA LUNARPAGES)

    82.165.250.33 (82.165.240.0 - 82.165.255.255; SCHLUND-CUSTOMERS)

    213.215.116.226 (213.215.116.224 - 213.215.116.239; SK-ESET-SH)

    82.208.27.3 (82.208.27.0 - 82.208.27.255; CASABLANCAINT-CZ)


    greetings,
     
  6. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    I am using Outpost Firewall Pro 3.51.

    This is the rule (rule name: NOD32 Antivirus Control Centre HTTP connection) created automatically for NOD32KRN.EXE; you can use it as a reference:

    Where the protocol is TCP
    and Where the direction is Outbound
    and Where the remote port is 80-83
    Allow it

    Of course you can still fine-tune the setting (like specifying the remote host, restricting access to the remote HTTP port, etc.), but I am quite comfortable with it.

    This is what I gather from the firewall log & I hope they are useful to you:

    Remote Host IP
    U1.eset.com 62.168.97.102
    U2.eset.com 140.239.119.12
    U3.eset.com 82.208.27.3
    U4.eset.com 62.168.97.99
    U7.eset.com 213.215.116.226
    U8.eset.com 209.200.224.54
    U11.eset.com 82.165.177.173
    U12.eset.com 82.165.177.174
    U13.eset.com 217.67.22.110
    U14.eset.com 217.67.22.106
    U15.eset.com 217.67.22.97
     
    Last edited: Jul 25, 2006
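
The rule discussed in the posts above (match on the program, TCP, outbound, remote port 80-83, with the local port left unspecified) can be modelled to see what it admits and what it does not. This is an added example, not part of any post and not ESET's or Outpost's code; the `Conn` and `Rule` types, the sample connections and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    program: str
    direction: str      # "out" = locally initiated, "in" = unsolicited inbound
    proto: str
    local_port: int     # ephemeral, picked by the OS for each outbound connection
    remote_ip: str
    remote_port: int

@dataclass(frozen=True)
class Rule:
    program: str
    direction: str
    proto: str
    remote_ports: range
    remote_nets: tuple = ()   # empty tuple = any remote host

    def allows(self, c: Conn) -> bool:
        # local_port is deliberately not a criterion: it differs on every connection.
        if (c.program.lower(), c.direction, c.proto) != (self.program.lower(), self.direction, self.proto):
            return False
        if c.remote_port not in self.remote_ports:
            return False
        if not self.remote_nets:
            return True
        ip = ipaddress.ip_address(c.remote_ip)
        return any(ip in ipaddress.ip_network(n) for n in self.remote_nets)

# Rule as quoted in the thread: TCP, outbound, remote port 80-83, any remote host.
OPEN_RULE = Rule("nod32krn.exe", "out", "tcp", range(80, 84))
# Same rule pinned to one address (constructed documentation address, not a real update server).
PINNED_RULE = Rule("nod32krn.exe", "out", "tcp", range(80, 84), ("192.0.2.10/32",))

# Constructed sample connections; addresses are from the RFC 5737 documentation ranges.
SAMPLE = [
    Conn("nod32krn.exe", "out", "tcp", 1090, "192.0.2.10", 80),     # update fetch
    Conn("nod32krn.exe", "out", "tcp", 1115, "192.0.2.10", 80),     # same server, new local port
    Conn("nod32krn.exe", "out", "tcp", 1200, "198.51.100.7", 80),   # server moved to a new address
    Conn("nod32krn.exe", "in",  "tcp", 1097, "203.0.113.5", 4444),  # unsolicited inbound
    Conn("other.exe",    "out", "tcp", 1098, "192.0.2.10", 80),     # different program
]

def verdicts(rule: Rule, conns=SAMPLE) -> list:
    return [rule.allows(c) for c in conns]

if __name__ == "__main__":
    for c, a, b in zip(SAMPLE, verdicts(OPEN_RULE), verdicts(PINNED_RULE)):
        print(f"{c.program:13} {c.direction:3} {c.remote_ip}:{c.remote_port:<5} open={a} pinned={b}")
```

Both rules reject the unsolicited inbound connection and the other program; the pinned rule additionally blocks the third connection, which is the breakage to expect when an update server changes address.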
  7. Rubi

    Rubi Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    4
    O.K., thank you, I'll try with these addresses ;)
     
  8. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    759
    No problem :)
     
  9. echokoma

    echokoma Registered Member

    Joined:
    Jul 26, 2006
    Posts:
    1
    You could find that NOD updates are saved in the --updfiles-- folder, in the path where you have installed it.
     
  10. Rubi

    Rubi Registered Member

    Joined:
    Jul 23, 2006
    Posts:
    4
    Hello Echokoma :)

    and thanks, I will watch and back up this folder every time I do an update

    cheers
     