Nod32 v3: Software firewall made useless b/c all connections are running through v3?

Discussion in 'ESET NOD32 Antivirus' started by veri, Nov 22, 2007.

Thread Status:
Not open for further replies.
  1. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    This does appear to be working even with Firefox checked under HTTP > Web browsers. How this went over everyone's head when posted by HiTech_Boy I don't know. Also, it would have been nice for an ESET rep to comment/explain.
     
  2. alf535

    alf535 Registered Member

    Joined:
    Nov 29, 2007
    Posts:
    6
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Yes, if you start programs on the PC... SIC!... (The applications specified in the NOD setup for the mode "redirect traffic for checking: applications marked as internet browsers and e-mail clients", and all applications for the mode "redirect traffic for checking for HTTP and POP3 ports", which wish to connect to the Internet using ports which NOD looks through; and in CFP a rule is created allowing NOD to work with these ports.) For the other applications you will see all their traffic in CFP.

    If you do not wish to use this property (viewing HTTP traffic) of NOD, don't use it. Only in this case you will not have an AV shield for HTTP traffic.
     
  3. NodboN

    NodboN Registered Member

    Joined:
    Nov 3, 2007
    Posts:
    139
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Yes sir, IMHO - a 'Jack-of-all-trades' = 'King-of-none' :cool:
     
  4. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    Unless I am missing the point, the issue some people have is that it is an "either or" situation. In V3, You cannot have NOD32 AV scanning HTTP traffic ***AND*** have your firewall (other than the ESS FW) looking for unexpected outbound connections like you could in V2.
     
  5. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Yes you can. Nod32 v3 listens to localhost 127.0.0.0 and sends packets to the internet on HTTP. I have 3 rules in my firewall:
    - one that blocks all access to localhost for all applications, unless I allow it for a specific application (which will connect to the internet via ekrn.exe picking up the packet running over localhost)
    - one that blocks all outgoing HTTP for all applications unless I allow it for a specific application (like ekrn.exe)

    Of course, if one application needs access to localhost for good functioning... then it looks like there is no way of preventing it from accessing the internet through ekrn.exe.


    I'm using Tinysoftware TPF2005Pro.

    Kind regards
    Itsme
     
  6. ASpace

    ASpace Guest

    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    And it seems the ESET representative's comment went over too - see the first page of this thread (post 11) :blink:
     
  7. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    I'll give it a try and see how noisy/annoying it is. It would still be better to have the finer granularity.

    Best,
    Mark
     
  8. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    HiTech boy,

    Our posts crossed on the wires.

    I did understand the post from Marcos when I first read it, but have to honestly say that I somewhat forgot about it after a couple of days reading the other posts. I use Outlook and POP exclusively for email and have it pull/send from/to multiple Internet accounts versus using Internet mail accounts directly or bothering with Exchange.

    Thinking this through, as long as I only mark Outlook to be scanned/pass through the proxy (versus IE7), I'll get the combination I am looking for where email is scanned and everything else bypasses proxy.

    The only attack vector left is a malicious application using Outlook to access the internet, and theoretically, the HIPS functionality in NOD32 should pick this up.

    Do you agree with this logic?

    My only other concern with NOD32 from a mail scanning perspective is its inability to scan email going through encrypted links like gmail. I'll have to research this a bit when I have the time. I believe other vendors deal with this. For me this isn't a big deal since I mostly use my oldest account (Yahoo).
     
  9. ASpace

    ASpace Guest

    Hey. ESET products have no HIPS in them (no behaviour analysis) - however, there are Advanced heuristics

    http://www.eset.com/images/DIAGRAM_ThreatSense_110706.png


    Don't worry - it's quite unlikely if your machine is well protected
     
    Last edited by a moderator: Dec 4, 2007
  10. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    580
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    lol funny post, especially considering how we are NOT allowed to install on servers anyway (unless purchasing the Business edition)

    I would imagine 80%+ of people posting here are using the standard "home" edition, so why exactly is it of benefit for servers, when we are not allowed to install it on servers?
     
  11. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    This appears to be the fix. So why is the discussion continuing?
     
  12. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I can understand why people are annoyed that their firewall doesn't have granular control over outbound connections but this shouldn't be an issue as there are two ways around it.

    1) https://www.wilderssecurity.com/showpost.php?p=1124960&postcount=17 here the solution is to tell NOD to only scan applications specifically marked for checking. Then you can just not mark any programs at all.

    2) Setup a global rule to ask for permission for any program to access localhost. That way, when any program is rerouted through the ekrn process, your firewall will pick it up.

    However, why are people so resistant to the idea?

    a) What NOD32 is doing is scanning everything that comes down the wire hence stopping (well as much a blacklisting program can do) drive by downloads. Yes you may lose some granularity (although you can still have per application control if you follow step 2). However, I would be much more worried with driveby downloads than a program connecting out of my computer. Stopping malware before they even get onto your computer is much better policy than trying to control its access to the internet after you are infected.

    b) This is not a new, untested, risky idea. It has been around in Avast as the webscanner module. It is what happens to your traffic if your workplace has a UTM.
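    Added illustration, not code from any poster in this thread or from ESET: a small Python model of the redirection through ekrn.exe and of the two firewall rule styles Itsme and jrmhng describe (a default "allow loopback" rule versus denying loopback unless an application is explicitly permitted). The application names, the address 198.51.100.7 and the proxied port list are constructed assumptions, the ports taken from msrourke's post.

```python
# Constructed model: how NOD32 v3's loopback proxy changes what a per-application
# firewall sees, and why a loopback rule restores control. Nothing here touches
# the network; app names, the address and the port list are assumptions.
from dataclasses import dataclass

PROXY_PORTS = {80, 8080, 3128}       # ports the thread says ekrn proxies by default
LOOPBACK = "127.0.0.1"
ALLOWED_OUT = {"firefox.exe", "outlook.exe", "ekrn.exe"}           # per-app internet rules
LOOPBACK_ALLOWED = {"firefox.exe", "outlook.exe", "localtool.exe"}  # may talk to 127.0.0.1


@dataclass(frozen=True)
class Conn:
    app: str
    dst_ip: str
    dst_port: int


def route_through_ekrn(conn):
    """Outbound HTTP is split into two hops: app -> loopback listener, then
    ekrn.exe -> original destination. Everything else leaves directly."""
    if conn.dst_port in PROXY_PORTS and conn.dst_ip != LOOPBACK:
        return [Conn(conn.app, LOOPBACK, conn.dst_port),
                Conn("ekrn.exe", conn.dst_ip, conn.dst_port)]
    return [conn]


def naive_policy(conn):
    """Typical default: a global 'allow loopback' rule plus per-app outbound rules.
    The firewall only ever sees ekrn.exe reaching the internet."""
    if conn.dst_ip == LOOPBACK:
        return True
    return conn.app in ALLOWED_OUT


def strict_policy(conn):
    """Itsme's / jrmhng's rules: loopback is denied unless the app is listed,
    so the originating program is caught before ekrn.exe forwards for it."""
    if conn.dst_ip == LOOPBACK:
        return conn.app in LOOPBACK_ALLOWED
    return conn.app in ALLOWED_OUT


def evaluate(conn, policy):
    """A connection gets out only if every hop on its route is permitted.
    Returns (passes, [(hop, verdict), ...]) so the trace can be inspected."""
    hops = route_through_ekrn(conn)
    verdicts = [policy(h) for h in hops]
    return all(verdicts), list(zip(hops, verdicts))


if __name__ == "__main__":
    samples = [Conn("firefox.exe", "198.51.100.7", 80),
               Conn("malware.exe", "198.51.100.7", 80),
               Conn("localtool.exe", "198.51.100.7", 80),   # Itsme's caveat: needs loopback anyway
               Conn("malware.exe", "198.51.100.7", 6667)]   # non-proxied port, seen directly
    for c in samples:
        for name, pol in (("naive", naive_policy), ("strict", strict_policy)):
            ok, trace = evaluate(c, pol)
            print(f"{name:6} {c.app:14} -> {c.dst_ip}:{c.dst_port} "
                  f"{'PASSES' if ok else 'BLOCKED'} via {[h.app for h, _ in trace]}")
```

    The localtool.exe case reproduces Itsme's caveat: an application that legitimately needs loopback cannot be told apart from one using the proxy to get out.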
     
  13. nilupa

    nilupa Registered Member

    Joined:
    Dec 4, 2007
    Posts:
    19
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I got a problem with ESET NOD32 3.0.566.0 Antivirus: when I installed it, my system had ISA 2006 proxy server installed. After installing ESET NOD32 3.0.566.0 Antivirus, ISA 2006 proxy server stopped working. I tried everything but I couldn't make it work. I read all the posts but I couldn't find any clue to solve this problem.
     
  14. msrourke

    msrourke Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    17
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Here's a little test. NOD is supposed to proxy ports 80, 8080 and 3128 by default. I have no firewall rules for my browser. If I go to an HTTPS (port 443) site, like online banking, I receive no prompt for my browser, because ekrn still proxies the connection and also port 53 (DNS). Not liking this at all. Comodo won't even pass its own CPIL leak tests because everything zips right through via ekrn.

    I am not annoyed due to a loss of granularity... I am annoyed because NOD32 has created a hole in my system. Preventing malware from entering...blah blah blah.... crap, when NOD attains and maintains a 100% detection rate, then I will trust them to keep garbage off my computer. They don't and nobody ever will, so I have my firewall as a part of a layered defense, but now that is compromised by NOD32 itself.
     
  15. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    That's wrong. For NOD32 to proxy SSL connections, it will need to sit in the middle of the connection between your browser and the bank website. To do that, Eset must provide their own certificate to decrypt your data and scan it. NOD32 will then need to establish an SSL connection to your bank, re-encrypt the data and send it off. Thus, to check if SSL is proxied, all you have to do is look at the certificate. For example I tried with gmail.

    [screenshot: nod32_sslcert.gif]

    The SSL certificate shows that it is google and the signing authority is Thawte. That means that NOD32 is NOT proxying SSL at all.

    IMHO granular outbound protection is a poor 'layer'. It is more of a toy for security-conscious consumer class users who like to have full control of what is happening in their system. On standard TCP connections, it stops some software from phoning home, which is arguably not malicious. In fact allowing software to 'phone home' may be good security practice as it may alert users to security updates. The anti-leaktest measures in firewalls are more behavior blocker roles than core firewall functionality. D+, DSA Prosecurity, SSM should catch these and this has NOTHING to do with http/pop3 proxying.

    In my previous post, I mentioned that you can still have control if you set your firewall to monitor connections to localhost. Either that or you can turn it off by following the instructions in HiTech_Boy's thread.
     
  16. msrourke

    msrourke Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    17
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    ESET does not provide a certificate to decrypt SSL no more than Mozilla or MS does with their browser. GMail provides the certificate and the browser validates it. See screenshot, ekrn is connected at 443, FF is doing nothing. I verified these connections with Ethereal, just to make sure the firewall wasn't mis-reporting.
     
  17. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    In the spirit of achieving 1K posts in this thread, I might add, I believe we all await Blackspear's setup recommendations!
     
  18. deckie49

    deckie49 Registered Member

    Joined:
    May 25, 2004
    Posts:
    34
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    The learning curve for this new version of nod32 seems pretty steep - at least for me, and it seems a lot of the confusion could be easily avoided. Most of us are laymen type users who really are not very sophisticated in technical matters of computer security.
    In March of 2004, "paranoid2000" wrote a great guide for configuring Outpost firewall. That guide was a simple and very complete roadmap that made it easy for all of us to enjoy and get the best benefit from the program. I for one really appreciated it. And I have to tell you, without that guide, I probably would have gone with another, more user friendly (but not as powerful) program. Soooooo, why not write such a guide for the new nod32 program? o_O The cost in time would be minimal, and the benefits both to ESET and its users would be substantial.
     
  19. mickhardy

    mickhardy Registered Member

    Joined:
    May 16, 2005
    Posts:
    140
    Location:
    Australia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I had no issues with the Microsoft Firewall Client for ISA on workstations.

    On SBS2003 with ISA 2004, I received a number of 14141 events followed by the ESET GUI hanging completely. I would expect the proxy chain loop errors are a good place to start your investigation. Reverting back to 2.7 resolved this issue for me.

    ISA Server detected a proxy chain loop. There is a problem with the configuration of the ISA Server routing policy.

    Hanging application egui.exe, version 3.0.566.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
     
    Last edited: Dec 5, 2007
  20. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    That's strange. How does ekrn proxy SSL if it does not use a certificate?
     
  21. capatt

    capatt Registered Member

    Joined:
    Jan 23, 2007
    Posts:
    84
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I think Comodo's Defense+ settings will provide the desired detection of applications seeking internet access through its monitoring of the Loopback interface:
    (From Comodo's Help) Loopback Networking - Loopback connections refer to the internal communications within your PC. Any data transmitted by your computer through a loopback connection is immediately also received by it. This involves no connection outside your computer to the internet or a local network. The IP address of the loopback network is 127.0.0.1, which you may have heard referred to under its domain name of 'http://localhost' i.e. the address of your computer. Loopback channel attacks can be used to flood your computer with TCP and/or UDP requests which can smash your IP stack or crash your computer. Leaving this box checked means Defense+ will alert you every time a process attempts to communicate using the loopback channel.
     
    Last edited by a moderator: Dec 6, 2007
  22. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    As I have the same problems as discussed here with Jetico, I have done some tests with different settings in Jetico and NOD32 v3. The result is disappointing.
    There is NO way to get effective protection like with Jetico and NOD32 2.7. For example, disabling the proxy in NOD v3 for browsers etc. results in a nearly total loss of effective web traffic scanning as I have it with IMON (v2.7), but control with Jetico. Same for email clients. Other settings result in a full scan with NOD v3 but loss of control with Jetico, etc. blabla.
    Further, local scanning of sTunnel traffic (for Gmail, in order to have decrypted local traffic for effective scanning) is NOT possible anymore as it was before with v2.7. The list goes on. I am very disappointed about NOD32 v3.
    More so because of the proxy concept of v3; I don't see an effective solution in the future. All solutions mentioned in this thread are workarounds but nothing finally effective.
    Seems to be a policy that users switch to ESS. For now, back to NOD 2.7.

    P.S. I miss a competent statement of the ESET folks in this thread.
     
    Last edited: Dec 6, 2007
  23. Hillsboro

    Hillsboro Registered Member

    Joined:
    Jul 21, 2006
    Posts:
    86
    Location:
    CH/USA
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through


    Well said. I expressed similar views in another thread as you did here. And, ESET has been conspicuous by their silence regarding this. Your observation that they are hoping people will move to the ESS is spot on too. Their firewall is pretty sad at best.

    I also found that 3.0 proxy concept managed to circumvent my firewall (Jetico) IP and port rules for applications that run through port 80 or 443. A major blunder and I suspect they are hoping not too many users will notice this.
     
  24. MaVRiC

    MaVRiC Registered Member

    Joined:
    Dec 7, 2007
    Posts:
    25
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Personally I can not see the problem with detected applications riding on through the ekrn port for the average Joe user who is not using a 3rd party app control and rules based firewall; at least if some malware decides to run out on localhost it is going to go through ekrn and get scanned and hopefully detected & stopped.

    As for the home grown self labeled security pros, hey, the issue is simple and has been mentioned many times: close off any global rule for localhost and create the rule individually for each application. It works, it's that simple. If you can not close off localhost in your firewall then that product is not worth it and is at fault.

    At the end of the day it is new software; it works totally differently to 2.7. Just because it does not work the way you feel it should does not make it a bad product. Go in and configure it and you will find it will work, and work very well indeed, with minimal CPU time and memory usage.

    Anyone who has 32 running as it should out of the box or configured to taste will agree, it works, it rocks.
     
  25. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Hi Huangker
    There is no such thing as an app having a cert to decrypt an SSL tunnel - you need either the public or private key, depending on which end the packet came from, of the site itself, not an ESET or whatever certificate.

    When you are browsing someone else's website the private key is at the far end; all you are doing, as was pointed out earlier, is validating THEIR cert and SSL-ing the connection from your proxy (ekrn) to their website using their public key. You do not need to encrypt the backend connection between your proxy and the calling application, but even if you were to introduce that processing overhead, it would still be the public key from the website anyway.

    Clear as mud I know, the best way to understand certificates and ssl is with pictures, and for proxies, read up on ssl bridging and tunneling.

    Gordon
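    Added illustration, not code from any poster in this thread or from ESET: jrmhng's check (look at whose certificate the browser actually receives) and the bridging/tunnelling distinction Gordon points to, written as a small Python classifier. The live helper uses Python's standard ssl module; the sample certificates, the "Example Local Scanner CA" issuer and the expected-issuer list are constructed, the latter standing in for what you would record yourself from a known-clean connection.

```python
# Tunnelling proxy: TLS passes through untouched, the origin's certificate reaches
# the client. Bridging (inspecting) proxy: TLS is terminated locally and the client
# is handed a certificate signed by the proxy's own CA. The certificate the client
# sees therefore tells the two apart. Sample certs below are constructed, in the
# dict shape that ssl.SSLSocket.getpeercert() returns.
import socket
import ssl


def fetch_peer_cert(host, port=443, timeout=5):
    """Live variant: return the peer certificate dict for host:port. If a bridging
    proxy's CA is not in the trust store, wrap_socket raises
    ssl.SSLCertVerificationError, which is itself the tell-tale sign."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def rdn_values(name, attr):
    """Collect every value of `attr` from a getpeercert()-style name tuple."""
    return [v for rdn in name for k, v in rdn if k == attr]


def name_matches(name, host):
    """Exact or single-label wildcard match (*.example.com covers a.example.com)."""
    if name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == name[2:]
    return name == host


def cert_names(cert):
    names = set(rdn_values(cert.get("subject", ()), "commonName"))
    names.update(v for t, v in cert.get("subjectAltName", ()) if t == "DNS")
    return names


def classify_proxy_path(cert, host, expected_issuer_orgs):
    """'tunnelled' when the cert names the host and is issued by one of the CAs
    recorded for that site on a clean connection; otherwise 'bridged'."""
    if not any(name_matches(n, host) for n in cert_names(cert)):
        return "bridged"           # a minted cert that does not even name the site
    issuer_orgs = set(rdn_values(cert.get("issuer", ()), "organizationName"))
    if issuer_orgs & set(expected_issuer_orgs):
        return "tunnelled"
    return "bridged"               # signed by something other than the site's real CA


# Constructed sample shaped like what jrmhng's screenshot showed (Google cert, Thawte).
ORIGIN_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "Thawte Consulting (Pty) Ltd."),),),
    "subjectAltName": (("DNS", "mail.google.com"),),
}
# Constructed sample of what a bridging proxy would hand the browser instead.
PROXY_MINTED_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "Example Local Scanner CA"),),),
    "subjectAltName": (("DNS", "mail.google.com"),),
}
EXPECTED_GMAIL_ISSUERS = ["Thawte Consulting (Pty) Ltd."]   # recorded on a clean connection
```

    A firewall log showing only ekrn.exe on port 443, as in msrourke's screenshot, is consistent with either path; only the certificate (or a verification failure) distinguishes them.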
     