KIS 2012 firewall fails GRC

Discussion in 'other firewalls' started by constantine76, Dec 7, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Okay, but I did just want to scan kis with its defaults, only because I'm thinking the majority of its users are not going to know to set it to Public. I did, however, re-scan with it set to Public and the results are much better :)
     

    Attached Files:

  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The probability is that a user on a private network (such as 192.168.*.*) are on an home network and will want file sharing etc enabled. Well, that appears to be the logic of a number of 3rd party firewall default setups.

    - Stem
     
  3. wat0114

    wat0114 Guest

    Good point, Stem, which certainly would account for ports 135, 139, & 445 being open on the "Local" network setting. I'm not sure about 1110. Is that some sort of mail server port?

    *Edit* ...it looks like 5357 is Network discovery.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That port is opened by KIS(AVP.exe). I am not sure as to why KIS would open any port(s) to unsolicited inbound connections.

    Did you by chance read the EULA for the "Feedback" during installation? It states that (if you agree, which is set to "yes" by default, and probably most will just accept) that KIS can send back info on installed hardware, info of installed software, and info about any application(or its modules) being downloaded or run on the computer.

    I dont mind these vendors getting info about possible threats, but that is a bit too intrusive for my liking.

    You can find the information concerning that in "Advanced settings-> feedback."

    - Stem
     
  5. wat0114

    wat0114 Guest

    No, I didn't read the EULA. I was only interested in a few scans, and now the vm is reverted to the previous snapshot.
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    This is likely to become the norm for any newer suite with "cloud" technology. When Norton can tell you how many users have a program installed, the same thing is going on. Only mentioning them because I have seen the same complaints on their forum.

    KIS is much more effective if you uncheck the "Select action automatically" option in the settings. The Public, Local and Trusted firewall option work pretty much as I expect them to. Kaspersky is the only suite I have tested that blocks auditmypc.com from getting the local IP address from my machine. This does however require to have Java installed. I think the last version of Outpost also blocked it but previously it had not.

    The avp.exe open port 1101 seem to be open to ::%0. All of the open ports I have found on mine are loopback or for file and print sharing.
    -Also all of the online scanners I have tried find everything either stealth or closed. I am not concerned about either. Nothing was open.
     
    Last edited: Dec 11, 2011
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I dont quite understand your statement. You state the only open ports are loopback and file/print sharing, but then state all online scans show ports are closed/stealth. Are you not scanning file/printing ports? or are you behind a router?

    I presume you are on Win7 64(as shown in your sig). I have KIS on the same OS. The OS installation is from an image (of original installation) with only windows update disabled (I did not want windows constantly trying to connect out while running some tests) and nothing else installed. I left netbios/ default windows services active. This is a screen grab showing KIS network monitor which shows all current open(being listened on) ports.

    open_ports.jpg

    As KIS(by default) places the windows processes into the "Trusted group" then they are allowed all inbound/outbound that is not specifically denied within the "Packet rules". As those ports denied (in the packet rules) do not cover all the ports that are shown as open(listened on), then those ports not specifically denied will be open.

    - Stem
     
  8. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Thank you very much for the responses. Really appreciate it guys. Seems the firewall is okay but setting it properly is still"unreachable" as of the moment. BUT do allow me to read it first.

    If I might add I typed some additional questions earlier at the office for this post.

    To add,

    the TruStealth results was again confirmed at a later time. She sent me an email with the results. So that setting works. A couple of questions also, is there a better way to close ports in the KIS firewall?

    Previously the open ports 1025-1030 I cannot close (successfully) or restrict to a certain process only. Well I am not yet familiar with it though.... The previous activity says it's "Listening" while open. Listening is not connected but it is visbly there (knows it's there and open)...right?

    Now the first attempt to manually close it or assign only a process that will use that ports I am at a loss. What may be your advice:

    Is it better to close it? or, just restrict certain process to use those ports?

    If "to close" is better, how may I do that in KIS firewall? Better yet how may i do both?

    Now if I see something connecting through that open port the next thing is how do I terminate that?

    I can't seem to set a restriction for that certain port (or block it's use) so there is "NO pop-up".

    Now if that port is open and something connects to it silently I will not know it due to the non-pop-up scenario.

    I see that there is a terminate process but then again how may I know that a process is "using" that open port if I cannot set a restriction for it..? Or if I can terminate it..it might be too late as I may discover that there's an existing open connection and data has been sent/exhanged already.

    This is all in the context of "when she(or her kids) is using it and there si something/someone connecting to it. No pop-up, no alert so you don't know...

    And oh, where can I see the her IP address in the network activity gui? The network monitor only shows Direction / External IP address / External port. I had to check her IP at IPVoid to see if GRC/PCFlank's IP id is the same.

    I attached the Network Monitor and Open ports image. Maybe to compare.

    Pardon for the dozen questions as I am finding it interesting to set. I told my friend that I need to have the desktop at home so when work is done I can tinker with it better and post what may I find here(this endeavor takes my weekend from me).

    Really appreciate it if someone using KIS or knows "how-to" on the scenarios/question stated will jump in.


    On a side note,

    as of now there's still ProcessHacker in her system to check it out but I see that it seems to have issues with Windows 7 or KIS for that matter even though it has been excluded/trusted. Hitting the "network" tab in ProcessHacker takes too long to display and seems to close to freezing the desktop".

    Now I don't know if there is a good replacement for ProcessHacker that has an ability to terminate a connection and do PING, Trace route etc so I hang on to it in the meantime. I don't have that issue with XP. My brother has this in Vista.

    I'll be printing this and will read later. I'll post again. I need to get ready for work.

    :thumb:
     

    Attached Files:

  9. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Yes, behind a router. Whenever possible. When not the public setting gets used.
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Brought the laptop to work. Conneted to local network. Set KIS to public firewall settings. Ran portscan from my desktop work machine. No open ports on the laptop. Ran portscan on our server and all expected open ports were displayed. I am still able to connect to network shares and copy files to/from them. As long as you are not wanting to have others access YOUR machine, public may be a good way to go.
     
  11. wat0114

    wat0114 Guest

    It would depend on whatever services are listening on the open ports, especially if there's an exploitable vulnerability in them. As seen in the nmap scan report, post #51, Ports 49152 - 49158 appear to have nothing listening on them, but 5357 has the WSDAPI service listening on it. A vulnerability has been found before on it, so just food for thought.

    "Public" really should mean no ports remain open. This is how it is in Windows firewall, at least. I do agree "closed" is fine, as opposed to stealth or filtered, the latter of which nmap reports on stealthed ports.
     
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    It does, and it responds to a port scan on every machine on the network but mine when set to public. Anything looking for open ports is going to get no reply from my machine and will move on to an easier target.

    Also following that link and the security bulletin it links to says Windows 7 is not affected. For some odd reason it seem to only affect Vista and Server 2008, but not anything else from Windows 2000 SP4 forward. o_O
     
  13. wat0114

    wat0114 Guest

    In reality the Public setting in KIS2012 is more than likely going to keep out intruders. The only point I'm trying to make is that Public should mean all ports are closed or stealthed. Maybe it blew past me during the install of kis, but I didn't see any option or advise offered on the network setting, Local, Public, or Trusted, of the firewall component.
     
  14. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    In the office now.

    To continue,

    @Stem

    - I have tinkered with it yesterday but ran into some issues like I mentioned with the PDF to word conversion software. Setting it to "Block" blocks all other process' that the application wants to launch. But so does MSWord. Kindly see images below.

    While this suffices for now I was wondering......

    Isn't there a way to block just a specific application or make a group like say, "browsers" or "media players" and then block that particular group from being launched. Logical right?


    - Thanks. I'll check it when I get home. I requested the desktop to be picked up so I can tinker with it more. She's on a morning shift. I at night shift.


    - How can that be done. Sorry I am not at the desktop now. At the office. I'd like to see that pop-up in action and try it out with the ports that KIS uses --highlighted below via ProcessHacker.


    - Well that's a concern.

    - Kindly check the packet rules below. I do not remember seeing any Public there or I may be wrong...is that a concern?

    - Thanks for the reply and explanations.

    Where is that located..? Main settings (General --will check the pdf manual later) :)

    - I checked with GRC/PCFlank earlier prior going to work using the wireless router and its TruStealth also.

    @wat0114,

    Thanks for the comparison and reply there.
    - Can't remember seeing that option to select Local, Public or Trusted....I think none. Comodo, Avast IS and Outpost has that. Be back here. I have to go to the production line something's up.

    Cheers!
     

    Attached Files:

    Last edited: Dec 12, 2011
  15. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    I agree and I also installed KIS 2012 in my VM and I did not see any firewall options to choose from.

    Thanks.
     
    Last edited: Dec 12, 2011
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Misfortunate that it automatically selects options for you for any networks that are connected on installation. By default when installed any wireless adapters are set to public and wired set to local. If you connect to a new network after installation it will prompt. If you click on "Settings" and then the "Firewall" option on the left about 2/3 of the way down you will have a list of networks on the right side at the bottom. Their status will be displayed and a right click will allow you to change the settings.
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I heard this is the case with more firewalls, isn't there a way to delay the creation of an internet connection after boot in windows so that the firewall is started before a connection is made?

    In the very first settings window of the Firewall(the tab in the main settings window) there is a list of networks and you can set it per individual network.

    Also with changing settings in general, make sure that you click OK on every settings window until you are back to the main settings window and then click Apply to be sure new settings are in effect before testing.
     
    Last edited: Dec 12, 2011
  18. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    It is a common thing, most firewalls don't get going for a few seconds.

    If we are calling the 7 seconds accurate, someone or some running process would have 7 seconds to determine that you have booted, the service they wanted to exploit would have to start, be running and ready to accept connections, and have an exploit that you could get past in those very few seconds. Possible, yes. Worried about it, nope.
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I noticed in at least one of the screenies, Port # 1 was listed. Does that seem odd to Anybody ? By the way, i don't mean the GRC scans ;)
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    It would seem odd. I have never seen it used. Accordking to wikipedia:
    http://en.wikipedia.org/wiki/TCP_Port_Service_Multiplexer
     
  21. wat0114

    wat0114 Guest

    Maybe nmap scans that port in an effort to detect the O/S being used? just hazarding a guess :)

    True enough, 7 seconds seems a small window of opportunity for a network-borne exploit to acheive a foothold. However, from my point of view, if I were to use a 3rd party firewall and I could find a product that does block the ports during boot, and it had at least the essential features I was seeking, it's likely the one I would settle on . BTW, if I tested correctly, maybe Stem can verify, it appears windows fw filters (stealths) all ports during boot and the login process. nmap actually shows host as "down" up until just a few seconds before the login screen.

    In no way am I trying to disregard KIS2012 - it's no doubt a "solid" product - but based on some testing, especially the efforts of constantine, it appears there could be some sloppy coding in it.
     
    Last edited by a moderator: Dec 12, 2011
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Actually now that you mention it I am reminded that I have heard that before. Now I remember why I am not overly worried about it. :D

    I wasn't being defensive of them, I know there is some sloppy code in it. Just that in this instance it behaves like most of the others I have tested. I think most IS suites are in a pretty sad state. This is just the one that gives me the least problems, at the moment.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    At the risk of being jumped on by the "Kaspersky supporters club", I am finding KIS to be buggy and/or poorly implemented. I will try and find some time later to re-check (I currently have quite a bit of work to do).

    Windows firewall and numerous other 3rd party firewalls will block all unsolicited inbound during boot/login. Nmap will detect the fact that the Host is up due to ARP.

    - Stem
     
  24. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Back now but I can't stay and post long. We have lasermarking problems at the production line and I have to supervise the corrective actions being done. Allow me to print and read later again.

    Thank you for the replies guys. I am getting email and text messages from co-workers and even my boss about this thread. Even the IT guys are reading it now. They are very happy and thankful to all of you. Very good learning here.:thumb: :thumb: :thumb:

    PS,

    Getting interested here and I plan to try it for 30days. I have a spare hdd and will use that for KIS 2012 so I can compare her set-up to mine. xxJackxx, wat0114, CloneRanger, Stem and BoerenkoolMetWorst I will check you ideas and will post back. Thanks again :thumb:

    Constantine
     
  25. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Had checked the settings and behavior with:

    General Protection settings-> Select actions automatically --unchecked.

    and,

    General Protection settings-> Select actions automatically --checked/selected.

    Kindly see images below.

    On,

    General Protection settings-> Select actions automatically --unchecked.

    Application Rules->Rights->Process control-> Starting other processes-> Block
    Application Rules->Rights->Process control -> Starting other processes-> Prompt for action
    Result : KIS 2012 firewall prompts for action(even when "Block" is in place).



    When you set:

    General Protection settings-> Select actions automatically --checked/selected.

    Application Rules->Rights->Process control-> Starting other processes-> Block
    Result: KIS firewall blocks the starting process attempt. No Prompt/pop-up seen.

    Application Rules->Rights->Process control-> Starting other processes-> Prompt for action
    Result: KIS firewall allows the connection and NO PROMPT / POP-UP is seen.

    So in KIS firewall pop-up/alert prompt are ONLY seen when you set "Select actions automatically" are unchecked. But "Block" setting is not functioning correctly because even if you have set "block" for "Starting other processes" you STILL get an alert prompt asking for your decision. When you set,
    "Select actions automatically" --checked/selected,

    -No alert prompts /pop-up are seen.
    - Application is ALLOWED to start a process even when you have set "Prompt for action" for "Starting other processes". That "Prompt for action" setting is not functioning because there is NO PROMPT / POP-UP at all. Seems to be a bug or something...

    All tested were "outbound connections" / outbound attempts. Have not yet tested inbound lie the ones Stem posted. Same PDF-to-Word conversion program. Connection is on dial-up(have not tested yet for wireless router using above settings).

    Kindly compare images posted in Reply # 64 (The images are with "Select actions automatically" --checked/selected )

    -- How is "Starting other process" setting working for you..? Is it functioning correctly?


    -- That delay may be a good idea. Might anyone know how to do that? Individual networks settings seen. See image below.

    -- Where is that located I may have missed that...?


    PCFlank result with full stealth. Will be back again when I have checked the other settings and also post images using wireless dsl on GRC Stealth test(can't seem to go to GRC lately I get a "Problem loading page").

    Thanks again :)
     

    Attached Files:

    Last edited: Dec 13, 2011
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.