Kerio 4.2.3 and KAV 6

Hello All,
I'm using Kerio (free version) 4.2.3 and KAV 6 (build 299) for the past two weeks or so, and thought i had everything under control. Until...
I did the most naive leak test (http://www.firewallleaktester.com/leaktest1.htm) and was really surprised to realize my firewall was basically not there.
Took off Kaspersky, and WALLA, no leak...
So... i've reinstalled BOTH programs and still the same results, they don't seem to play nice together.
I guess it has something to do with the fact the web antivirus component of KAV basically direct all traffic to itself, so allowing Kaspersky to access the net leaves me pretty much on the open...
Any help would be appriciated, Adam.

PS. only complete shutdown of Kaspersky resolves the problem, not even pausing protection.

 

Not saying that someone here couldn't help you out but did you try posting this question at forum.kaspersky.com?
I'm using KAV 6 with L n S firewall but I dont have any problems with leak tests

 

Already there

 

Adam, I use Tiny Personal Firewall and indeed, when KAV's Web Anti-Virus is installed/running, leak test passes through. Only disabling or uninstalling KAV solves the firewall leak. Have you heard back from Kaspersky on this matter?

 

Well, KAV 6 way of work is acting like a proxy so that all the traffic in relevant ports is directed through that proxy, scanned by KAV and than move on.
As for kerio, it seems that it's not smart enough to recognize what application tries to access that proxy and believes it's the same application all the time (that is the KAV executable, the proxy itself).
So, no solution really available at this time.
Changed to Jetico in here

 

Actually there is a solution -
1. I would think that the application blocking of Kerio would notify you if you have it on. The application starting approval notification would usually allow you to block a program.
2. The proxy for KAV6 is due to HTTP scanning in the web AV component. If this is a problem for you, stop monitoring with web av (disable port 80 monitoring in network settings) and you should be back to usual operating. The file AV will still notify on things hitting the hard disk. Also, the PDM feature of KAV6 should notify on some of these, leaving it up to you to select whether to allow or not.
3. The web AV component affects most 3rd party firewalls from what I have seen. For example, if you block port 80 on the browser in LnS with KAV6 web AV monitoring port 80, the browser will still connect. The PDM of KAV does notify of injections to stop malware and with applicaiton integrity control on it would notify for applications starting, modifying or launching others.

 

That's right, of course.
But it's more of a "solution" than a solution

* EDIT *
Anyway, bottom line is, Jeitco (as an example) manage to handle this work method just fine.
No problems with outbound control.

 

KL appear to of changed the way KAV handles its proxy, even with HTTP scanning off, all traffic goes through KAV/Proxy. You could at one time, do as you say, and turn off HTTP/Mail scanning, and KAV would no longer need outbound connections in the firewall, but even with these off, kav still requires the connections. I have not done a lot of checking......but will load up later to confirm.
KIS still has hard-coded rules for its own apps, so these rules do not show to the user in KIS

 

You are right - the KAV6 proxy is different. One way to stop proxy behavior is to go to the Network Settings-> Port Settings and disable ports that KAV should not be monitoring and leave ports that you do want monitored if any, like mail. That's why I mentioned disabling port 80 above.

 

As I mentioned in my last post,...even if you disable HTTP scanning, KAV will still intercept the network traffic and act as proxy.

 

As I mentioned in my posts, when I go to Settings-> Service-> Network Settings-> Port Settings and uncheck the ports, KAV 6 does not act as a proxy on my test PC.

We may be talking at cross purposes - I didn't address disabling web AV previously (Settings-> Web AV-> uncheck enable) but that didn't stop KAV 6 from acting on my PC as a proxy so I used the port settings instead.

 

O.K. I will check later. I did just install KAV (tech release) onto a test PC with Jetico installed, but was blocked from internet access while both KAV and Jetico where running. I will have more time later to test fully (and more correctly).

 

Works here

 

I have set up, and turned off all the ports for the "web AV" as mentioned by Mem, but have found that KAV is still performing proxy at the localhost which is causing all outbound packets to bypass Jetico`s IP filters (this can be checked by looking at the "Traffic monitor" within Jetico,...to re-check, I placed IP rules to block all outbound "Any" which is simply bypassed). This is causing all inbound packet to be incorrectly processed by the SPI within Jetico. This is on a test WinXP PC with only Jetico and KAV.299 installed.
I have not tested yet for any problems with the "Process attack filter" within Jetico.(for leak tests)

 

Hi Pete,
I must agree, this version was, I think, pushed out due to "Infosec in London at the end of April".

 

Hi Stem,
I'm in no way an expert in using Jetico and/or KAV 6.
What i can tell you, using this combination i get alerts from Jetico whenever an application with no rules tries to do anything network-related, including leak tests...
I'll be glad to do some testing with specific things that won't work on your machine.

 

Hi Adam777,
Have you checked the "network monitor" in jetico for outbound packets?. Have you placed a block all outbound in the IP table to check if outbound packets can be blocked?

EDIT
The attack filter does appear to work, but the outbound IP filter table is being bypassed (Just checked on a second PC), which is causing incorrectly processed inbound packets (Use this combination at your own risk)

 

I've just added a test rule to block all outgoing packets under "System IP Table" and could see nothing go through, which is good, i guess.
What exactly do you want me to check under the network monitor?

 

Does the "Block outbound" IP rule stop you connecting to the internet? (It should do)
In the Jetico "Traffic monitor" check the count on the outbound packets, this should increase with the outbound connections (while you are connected /surfing the internet).

 

It indeed put everything internet-related to a halt.
I did not unplugged and replugged the net cable if that what you mean, but it did won't allow anything to go outside (browser, IM) and i can see evidence in the log that packets were sent to the outside world but blocked by the rule i've created.
In the traffic monitor, everyhing adds up in the "blocked" section, no outgoing packet allowed.

 

Did you perform a full installation of KAV.299?

 

Yep, Web AV and Mail AV alive and kicking
I'm getting a feeling i'm being a bit lucky on this one...

* EDIT *
OK, this might solve the mystery.
it turns out my KAV isn't working as it should be...
Although evrything is listed as running, in fact the Mail AV (for example) does not scan anything (judging from the statistics info).
Will check it further and let you know the results.

* EDIT 2 *
Well, it's beyond me...
Just rebooted my PC - now Mail AV and Web AV works as they should and also all the outbound packets blocking thing, so i guess everything works as it should after all...
Anything further?

 

I am going to change my network cards on the test PC`s to see if the problem lies there. (but at this moment, blocked packets are passing through,...what joy)

EDIT
Have installed a new NIC card, and re-istalled Jetico, but the problem remains. (actually, Jetico appears to be going insane at the moment, logging the action as "go to another table", new one on me