Nod32 v3: Software firewall made useless b/c all connections are running through v3?

Discussion in 'ESET NOD32 Antivirus' started by veri, Nov 22, 2007.

Thread Status:
Not open for further replies.
  1. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    This does appear to be working even with Firefox checked under HTTP>Web browsers. How this went over everyones head when posted by HiTech_Boy I don't know. Also, would have been nice for an ESET rep to comment/explain.
     
  2. alf535

    alf535 Registered Member

    Joined:
    Nov 29, 2007
    Posts:
    6
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Yes,if you start on PC programs...SIC!...(The specified applications in NOD setup for a mode "redirect traffic for checking application marked is internet browsers and e-mail clients" and all applications for a mode "redirect traffic for checking for HTTP and POP3 ports" which wish to connect the Internet using ports which NOD looks through and in CFP it is created the rule resolving NOD to work with these ports. For others the applications you will see all their traffic in CFP.

    If do not wish to use this property (viewing HTTP traffic) of NOD - don't use. Only in this case you will not have an AV shield for HTTP traffic.
     
  3. NodboN

    NodboN Registered Member

    Joined:
    Nov 3, 2007
    Posts:
    139
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Yes sir, IMHO - a 'Jack-of-all-trades' = 'King-of-none' :cool:
     
  4. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    Unless I am missing the point, the issue some people have is that it is an "either or" situation. In V3, You cannot have NOD32 AV scanning HTTP traffic ***AND*** have your firewall (other than the ESS FW) looking for unexpected outbound connections like you could in V2.
     
  5. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    yes you can. Nod32 v3 listens to localhost 127.0.0.0 and sends packets to internet on HTTP. I have 3 rules in my firewall:
    - one that blocks all access to localhost for all applications, unless I allow for a specific application (which will connect to internet via ekrn.exe picking up the packet running over localhost)
    - one that blocks all outgoing HTTP for all applications unless I allow for specific application (like ekrn.exe)

    of course if one application needs access to local host for good functioning... then it looks like there is no way in preventing it from accessing the internet through ekrn.exe


    I'm using Tinysoftware TPF2005Pro.

    Kind regards
    Itsme
     
  6. ASpace

    ASpace Guest

    Re: Nod32 v3: Software firewall made useless b/c all connections are running through


    And it seems the ESET representative's comment went over , too - see the first page of this thread (post 11) :blink:
     
  7. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    I'll give it a try and see how noisy/annoying it is. It would still be better to have the finer granularity.

    Best,
    Mark
     
  8. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    HiTech boy,

    Our posts crossed on the wires.

    I did understand the post from Marcos when I first read it, but have to honestly say that I somewhat forgot about it after a couple of days reading the other posts. I use Outlook and POP exclusively for email and have it pull/send from/to multiple Internet accounts versus using Internet mail accounts directly or bothering with Exchange.

    Thinking this through, as long as I only mark Outlook to be scanned/pass through the proxy (versus IE7), I'll get the combination I am looking for where email is scanned and everything else bypasses proxy.

    The only attack vector left is a malicious application is using Outlook to access the internet, and theoretically, the HIPPS functionality in NOD32 should pick this up.

    Do you agree with this logic?

    My only other concern with NOD32 from a mail scanning perspective is its inability to scan email going through encrypted links like gmail. I’ll have to research this a bit when I have the time. I believe other vendors deal with this. From me this isn’t a big deal since I mostly use my oldest account (Yahoo).
     
  9. ASpace

    ASpace Guest

    Hey. ESET products have no HIPS in them (no behavious analysis) - however , there are Advanced heuristics

    http://www.eset.com/images/DIAGRAM_ThreatSense_110706.png


    Don't worry - it's quite unlikely if your machine is well protected
     
    Last edited by a moderator: Dec 4, 2007
  10. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    501
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    lol funny post, especially considering how we are NOT allowed to instal on servers anyway, (unless purchasing the Business edition)

    i would imagine 80%+ of people posting here are using the standard "home" edition, so why exactly is it of benefit for servers, when we are not allowed to instal it on servers
     
  11. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    This appears to be the fix. So why is the discussion continuing?
     
  12. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I can understand why people are annoyed that their firewall doesn't have granular control over outbound connections but this shouldn't be an issue as there are two ways around it.

    1) https://www.wilderssecurity.com/showpost.php?p=1124960&postcount=17 here the solution is to tell NOD to only scan applications specifically marked for checking. Then you can just not mark any programs at all.

    2) Setup a global rule to ask for permission for any program to access localhost. That way, when any program is rerouted through the ekrn process, your firewall will pick it up.

    However, why are people so resistant to the idea?

    a) What NOD32 is doing is scanning everything that comes down the wire hence stopping (well as much a blacklisting program can do) drive by downloads. Yes you may lose some granularity (although you can still have per application control if you follow step 2). However, I would be much more worried with driveby downloads than a program connecting out of my computer. Stopping malware before they even get onto your computer is much better policy than trying to control its access to the internet after you are infected.

    b) This is not a new, untested, risky idea. It has been around in Avast as the webscanner module. It is what happens to your traffic if your workplace has a UTM.
     
  13. nilupa

    nilupa Registered Member

    Joined:
    Dec 4, 2007
    Posts:
    19
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    i gotta problem with ESET NOD32 3.0.566.0 Antivirus when i intalled it my system having installed ISA 2006 proxy server. after installing ESET NOD32 3.0.566.0 Antivirus ISA 2006 proxy server stop working. i tried everything but i couldn't make it work. i read the all posts but i couldn't find any clue to solve this problem.
     
  14. msrourke

    msrourke Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    17
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Here's a little test. NOD is supposed to proxy ports 80, 8080 and 3128 by default. I have no firewall rules for my browser. If I go to an HTTPS (port 443) site, like online banking, I receive no prompt for my browser, because ekrn still proxies the connection and also port 53 (DNS). Not liking this at all. Comodo won't even pass it's own CPIL leak tests because everything zips right through via ekrn.

    I am not annoyed due to a loss of granularity... I am annoyed because NOD32 has created a hole in my system. Preventing malware from entering...blah blah blah.... crap, when NOD attains and maintains a 100% detection rate, then I will trust them to keep garbage off my computer. They don't and nobody ever will, so I have my firewall as a part of a layered defense, but now that is compromised by NOD32 itself.
     
  15. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    That's wrong. For NOD32 to proxy SSL connections, it will need sit in the middle on the connection between your browser and the bank website. To do that, Eset must provide their own certificate to decrypt your data and scan it. NOD32 will then need to establish a SSL connection your bank and re-encrypted it and send off the data. Thus a way to check if SSL is proxied, all you have to do is look at the certificate. For example I tried with gmail.

    nod32_sslcert.gif

    The SSL certificate shows that it is google and signing authority Thawte. That means that NOD32 is NOT proxying SSL at all.

    IMHO granular outbound protection is a poor 'layer'. It is more of a toy for security conscious consumer class users who like to have full control of what is happening in their system. On standard TCP connections, it stops some software from phoning home, which is arguably not maliciously. In fact allowing software to 'phone home' may be good security practice as it may alert users to security updates. The anti leaktest measures in firewalls are more behavior blocker roles than core firewall functionality.D+, DSA Prosecurity, SSM should catch these and this has NOTHING to do with http/pop3 proxying.

    In my previous post, I mention that you can still have control if you set your firewall to monitor connections to localhost. Either that or you can turn it off buy following instructions in Hi Techboys thread.
     
  16. msrourke

    msrourke Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    17
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    ESET does not provide a certificate to decrypt SSL no more than Mozilla or MS does with their browser. GMail provides the certificate and the browser validates it. See screenshot, ekrn is connected at 443, FF is doing nothing. I verified these connections with Ethereal, just to make sure the firewall wasn't mis-reporting.
     

    Attached Files:

  17. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    In the spirit of achieving 1K posts in this thread, I might add, I believe we all await Blackspear's setup recommendations!
     
  18. deckie49

    deckie49 Registered Member

    Joined:
    May 25, 2004
    Posts:
    33
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    the learning curve for this new version of nod32 seems pretty steep- at least for me, and it seems alot of the confusion could be easily avoided. most of us are laymen type users who really are not very sophisticated in technical matters of computer security.
    in march of 2004, "paranoid2000" wrote a great guide for configuring outpost firewall. that guide was a simple and very complete roadmap that made it easy for all of us to enjoy and get the best benefit from the program. i for one really appreciated it. and i have to tell you, without that guide, i probably would have gone with another, more user friendly (but not as powerful) program. soooooo, why not write such a guide for the new nod32 programo_O the cost in time would be minimal, and the benefits both to eset and its users would be substantial.
     
  19. mickhardy

    mickhardy Registered Member

    Joined:
    May 16, 2005
    Posts:
    140
    Location:
    Australia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I had no issues with the Microsoft Firewall Client for ISA on workstations.

    On SBS2003 with ISA 2004, I received a number of 14141 events followed by the ESET GUI hanging completely. I would expect the proxy chain loop errors are a good place to start your investigation. Reverting back to 2.7 resolved this issue for me.

    ISA Server detected a proxy chain loop. There is a problem with the configuration of the ISA Server routing policy.

    Hanging application egui.exe, version 3.0.566.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
     
    Last edited: Dec 5, 2007
  20. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Thats strange. How does ekrn proxy ssl if it does not use a certificate?
     
  21. capatt

    capatt Registered Member

    Joined:
    Jan 23, 2007
    Posts:
    84
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I think Comodo's Defense+ settings will provide the desired detection of applications seeking internet access through it's monitoring of the Loopback interface:
    (From Comodo's Help) Loopback Networking - Loopback connections refer to the internal communcations within your PC. Any data transmitted by your computer through a loopback connection is immediately also received by it. This involves no connection outside your computer to the internet or a local network. The IP address of the loopback network is 127.0.0.1, which you may have heard referred to under its domain name of 'http://localhost' i.e. the address of your computer. Loopback channel attacks can be used to flood your computer with TCP and/or UDP requests which can smash your IP stack or crash your computer. Leaving this box checked means Defense+ will alert you every time a process attempts to communicate using the loopback channel.
     
    Last edited by a moderator: Dec 6, 2007
  22. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    As i have the same problems as discussed here with Jetico i have done some tests with different setting in Jetico and NOD32 v3. The result is disapointing.
    There is NO way to get a effective protection like with Jetico and NOD32 2.7. For example disabling the proxy in NODv3 for browser etc. result nearly in a total loss of efective web traffic scanning as i have it with Imon (v.2.7), but control with Jetico. Same for email clients. Other settings result in full scan with NODv3 but loss of control with Jetico, etc. blabla.
    Further a local scanning of sTunnel traffic (for Gmail in order to have decrypted local traffic for efective scanning) connection is NOT possible anymore as before with v2.7. The list goes on. I am very disapointed about NOD32 v3.
    More, because of the proxy concept of v3 i don't see a efective solution in the future. All solutions mentioned in this thread are workarounds but nothing finaly efective.
    Seams to be a politic that user switch to ESS. For now back to NOD 2.7.

    P.S. I miss a competent statement of the ESET folks in this thread.
     
    Last edited: Dec 6, 2007
  23. Hillsboro

    Hillsboro Registered Member

    Joined:
    Jul 21, 2006
    Posts:
    86
    Location:
    CH/USA
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through


    Well said. I expressed similar views in another thread as you did here. And, ESET has been conspicuous by their silence regarding this. Your observation that they are hoping people will move to the ESS is spot on too. Their firewall is pretty sad at best.

    I also found that 3.0 proxy concept managed to circumvent my firewall (Jetico) IP and port rules for applications that run through port 80 or 443. A major blunder and I suspect they are hoping not too many users will notice this.
     
  24. MaVRiC

    MaVRiC Registered Member

    Joined:
    Dec 7, 2007
    Posts:
    25
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Personally i can not see the problem with detected applications riding on through the ekernal port for the average Joe user who is not using a 3rd party app control and rules based firewall, at least if some malware decides to run out on localhost it going to through ekernal and get scanned and hopefully detected & stopped.

    As for the home grown self labeled security pros, hey the issue is simple and been mentioned many times, close of any global rule for localhost and create the rule individually for each application, it works it's that simple. If you can not close off localhost in your firewall then that product is not worth it and is at fault.

    At the end of the day it is new software, it works totally different to 2.7, Just because it does not work the way you feel it should does not make it a bad product, go in and configure it and you will find it will work and work very well indeed, with minimal cpu time and memory usage.

    Anyone who has 32 running as it should out of the box or configured to taste will agree, it works, it rocks.
     
  25. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Hi Huangker
    There is no such thing as an app having a cert to decrypt an ssl tunnel - you need either the public or private key, depending on which end the packet came from, of the site itself, not an ESET or whatever certificate.

    When you are browsing someone elses website the private key is at the far end, all you are doing, as was pointed out earlier, is validate THEIR cert and ssl the connection from your proxy (ekrn) to their website using their public key. You do not need to encrypt the backend connection between your proxy and the calling application, but even if you were to introduce that processing overhead, it would still be the public key from the website anyway.

    Clear as mud I know, the best way to understand certificates and ssl is with pictures, and for proxies, read up on ssl bridging and tunneling.

    Gordon
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.