Kerio 4.2.3 and KAV 6

Discussion in 'other firewalls' started by adam777, Apr 15, 2006.

Thread Status:
Not open for further replies.
  1. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    Hello All,
    I'm using Kerio (free version) 4.2.3 and KAV 6 (build 299) for the past two weeks or so, and thought I had everything under control. Until...
    I did the most naive leak test (http://www.firewallleaktester.com/leaktest1.htm) and was really surprised to realize my firewall was basically not there.
    Took off Kaspersky, and voilà, no leak...
    So... I've reinstalled BOTH programs and still the same results, they don't seem to play nice together.
    I guess it has something to do with the fact that the web antivirus component of KAV basically directs all traffic to itself, so allowing Kaspersky to access the net leaves me pretty much in the open...
    Any help would be appreciated, Adam.

    PS. only complete shutdown of Kaspersky resolves the problem, not even pausing protection.
     
  2. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Not saying that someone here couldn't help you out but did you try posting this question at forum.kaspersky.com?
    I'm using KAV 6 with L n S firewall but I don't have any problems with leak tests
     
  3. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    Already there :)
     
  4. Source

    Source Registered Member

    Joined:
    Apr 22, 2006
    Posts:
    9
    Location:
    London, England.
    Adam, I use Tiny Personal Firewall and indeed, when KAV's Web Anti-Virus is installed/running, leak test passes through. Only disabling or uninstalling KAV solves the firewall leak. Have you heard back from Kaspersky on this matter?
     
  5. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    Well, KAV 6's way of working is acting like a proxy so that all the traffic on relevant ports is directed through that proxy, scanned by KAV and then moved on.
    As for Kerio, it seems that it's not smart enough to recognize which application tries to access that proxy and believes it's the same application all the time (that is, the KAV executable, the proxy itself).
    So, no solution really available at this time.
    Changed to Jetico in here :)
     
  6. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Actually there is a solution -
    1. I would think that the application blocking of Kerio would notify you if you have it on. The application starting approval notification would usually allow you to block a program.
    2. The proxy for KAV6 is due to HTTP scanning in the web AV component. If this is a problem for you, stop monitoring with web av (disable port 80 monitoring in network settings) and you should be back to usual operating. The file AV will still notify on things hitting the hard disk. Also, the PDM feature of KAV6 should notify on some of these, leaving it up to you to select whether to allow or not.
    3. The web AV component affects most 3rd party firewalls from what I have seen. For example, if you block port 80 on the browser in LnS with KAV6 web AV monitoring port 80, the browser will still connect. The PDM of KAV does notify of injections to stop malware and with application integrity control on it would notify for applications starting, modifying or launching others.
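    To make the mechanism discussed in the posts above concrete, here is an added model (not code from the thread, KAV, Kerio or Jetico) of why a local AV proxy defeats per-application outbound rules, and why evaluating the rule at the loopback hop restores control. Process names, the proxy listener port 1110 and the addresses are constructed sample values.

```python
# Added illustration: per-application outbound filtering versus a local
# AV proxy. Names, ports and addresses below are constructed assumptions.
from dataclasses import dataclass

LOOPBACK = "127.0.0.1"

@dataclass(frozen=True)
class Conn:
    proc: str        # process that opened the socket
    dst_ip: str
    dst_port: int

# Hypothetical listener port of the AV's local HTTP proxy.
PROXY_PORTS = {"kav.exe": {1110}}

# Constructed scenario: the leak test and the browser both talk to the
# local proxy; the AV process relays each one as its own connection.
EVENTS = [
    Conn("leaktest.exe", LOOPBACK, 1110),    # app -> local proxy (loopback hop)
    Conn("kav.exe", "203.0.113.10", 80),     # proxy -> internet, owned by kav.exe
    Conn("browser.exe", LOOPBACK, 1110),
    Conn("kav.exe", "203.0.113.20", 80),
]
ALLOWED = {"browser.exe", "kav.exe"}         # outbound rules keyed on process name

def is_proxy_hop(c):
    """True when the connection targets a known local proxy listener."""
    return c.dst_ip == LOOPBACK and any(c.dst_port in p for p in PROXY_PORTS.values())

def filter_events(events, allowed, trust_loopback):
    """Return the set of processes whose traffic gets out.

    trust_loopback=True models a firewall that never evaluates rules for
    127.0.0.1 traffic: only the proxy's own outbound socket is checked, so
    every relayed connection is judged as kav.exe and passes.
    trust_loopback=False applies the per-application rule at the loopback
    hop, the only point where the originating process is still visible."""
    passed = set()
    for c in events:
        if c.dst_ip == LOOPBACK:
            if trust_loopback or not is_proxy_hop(c) or c.proc in allowed:
                passed.add(c.proc)
        elif c.proc in allowed:
            passed.add(c.proc)
    return passed

def leaked(events, allowed, trust_loopback):
    """Processes outside the allow list that still got traffic through."""
    return filter_events(events, allowed, trust_loopback) - allowed
```

    Emptying PROXY_PORTS corresponds to Mem's mitigation of unchecking the monitored ports: the application then connects directly under its own name and the ordinary rule applies.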
     
  7. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    That's right, of course.
    But it's more of a "solution" than a solution ;)

    * EDIT *
    Anyway, bottom line is, Jetico (as an example) manages to handle this work method just fine.
    No problems with outbound control.
     
    Last edited: Apr 24, 2006
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    KL appear to have changed the way KAV handles its proxy; even with HTTP scanning off, all traffic goes through KAV/Proxy. You could at one time, do as you say, and turn off HTTP/Mail scanning, and KAV would no longer need outbound connections in the firewall, but even with these off, KAV still requires the connections. I have not done a lot of checking......but will load up later to confirm.
    KIS still has hard-coded rules for its own apps, so these rules do not show to the user in KIS
     
  9. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    You are right - the KAV6 proxy is different. One way to stop proxy behavior is to go to the Network Settings-> Port Settings and disable ports that KAV should not be monitoring and leave ports that you do want monitored if any, like mail. That's why I mentioned disabling port 80 above.
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    As I mentioned in my last post,...even if you disable HTTP scanning, KAV will still intercept the network traffic and act as proxy.
     
  11. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    As I mentioned in my posts, when I go to Settings-> Service-> Network Settings-> Port Settings and uncheck the ports, KAV 6 does not act as a proxy on my test PC. :)

    We may be talking at cross purposes - I didn't address disabling web AV previously (Settings-> Web AV-> uncheck enable) but that didn't stop KAV 6 from acting on my PC as a proxy so I used the port settings instead.
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    O.K. I will check later. I did just install KAV (tech release) onto a test PC with Jetico installed, but was blocked from internet access while both KAV and Jetico were running. I will have more time later to test fully (and more correctly).
     
  13. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    Works here :)
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have set up, and turned off all the ports for the "web AV" as mentioned by Mem, but have found that KAV is still performing proxy at the localhost which is causing all outbound packets to bypass Jetico's IP filters (this can be checked by looking at the "Traffic monitor" within Jetico,...to re-check, I placed IP rules to block all outbound "Any" which is simply bypassed). This is causing all inbound packets to be incorrectly processed by the SPI within Jetico. This is on a test WinXP PC with only Jetico and KAV.299 installed.
    I have not tested yet for any problems with the "Process attack filter" within Jetico (for leak tests).
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Hi Stem

    I had a different problem with the latest KAV builds including the technical release. On my laptop I lose all internet connectivity, period. Disabling it doesn't matter. Only solution was to uninstall Web AV and Mail AV. From the perspective of my two computers this program isn't ready for prime time, and I really really wanted it to work. But.... not yet.

    Pete
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Pete,
    I must agree, this version was, I think, pushed out due to "Infosec in London at the end of April".
     
    Last edited: Apr 24, 2006
  17. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    Hi Stem,
    I'm in no way an expert in using Jetico and/or KAV 6.
    What I can tell you, using this combination I get alerts from Jetico whenever an application with no rules tries to do anything network-related, including leak tests...
    I'll be glad to do some testing with specific things that won't work on your machine.
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Adam777,
    Have you checked the "network monitor" in Jetico for outbound packets? Have you placed a block all outbound in the IP table to check if outbound packets can be blocked?

    EDIT
    The attack filter does appear to work, but the outbound IP filter table is being bypassed (Just checked on a second PC), which is causing incorrectly processed inbound packets (Use this combination at your own risk)
     
    Last edited: Apr 24, 2006
  19. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    I've just added a test rule to block all outgoing packets under "System IP Table" and could see nothing go through, which is good, I guess.
    What exactly do you want me to check under the network monitor?
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Does the "Block outbound" IP rule stop you connecting to the internet? (It should do)
    In the Jetico "Traffic monitor" check the count on the outbound packets, this should increase with the outbound connections (while you are connected /surfing the internet).
     
  21. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    It indeed put everything internet-related to a halt.
    I did not unplug and replug the net cable if that's what you mean, but it did not allow anything to go outside (browser, IM) and I can see evidence in the log that packets were sent to the outside world but blocked by the rule I've created.
    In the traffic monitor, everything adds up in the "blocked" section, no outgoing packet allowed.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Did you perform a full installation of KAV.299?
     
  23. adam777

    adam777 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    48
    Yep, Web AV and Mail AV alive and kicking :)
    I'm getting a feeling I'm being a bit lucky on this one...

    * EDIT *
    OK, this might solve the mystery.
    It turns out my KAV isn't working as it should be...
    Although everything is listed as running, in fact the Mail AV (for example) does not scan anything (judging from the statistics info).
    Will check it further and let you know the results.

    * EDIT 2 *
    Well, it's beyond me...
    Just rebooted my PC - now Mail AV and Web AV work as they should and also all the outbound packet blocking thing, so I guess everything works as it should after all...
    Anything further?
     
    Last edited: Apr 24, 2006
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am going to change my network cards on the test PCs to see if the problem lies there. (But at this moment, blocked packets are passing through,...what joy.)

    EDIT
    Have installed a new NIC card, and re-installed Jetico, but the problem remains. (Actually, Jetico appears to be going insane at the moment, logging the action as "go to another table", a new one on me.)
     
    Last edited: Apr 24, 2006