Nod32 v3: Software firewall made useless b/c all connections are running through v3?

Discussion in 'ESET NOD32 Antivirus' started by veri, Nov 22, 2007.

Thread Status:
Not open for further replies.
  1. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
  2. pete_21

    pete_21 Registered Member

    Joined:
    Feb 13, 2008
    Posts:
    2
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Thanks Nodrog for your description in post #189

    So if I understand it correctly, the firewall loses control over the applications?
    Is there a way to disable this feature in NOD32??
     
  3. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    See post #11 at the start of this thread.
     
  4. pete_21

    pete_21 Registered Member

    Joined:
    Feb 13, 2008
    Posts:
    2
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Thanks for the answer. I've read it. But there is one more thing I would like to make sure of :)
    So the browser doesn't connect directly to the internet, but through the proxy of NOD32. But does my firewall still protect the browser and all the other internet applications??
     
  5. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I think it might depend on the firewall. I further believe that if you have a decent HIPS that that might help. Firewall experts can modify this if they wish.
     
  6. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    It may not be a bug, but doing what you say in your original-picture-described-post does not stop applications from leaking information via the ekrn tunnel. (In fact, even when I shut down the Web Access and Email protection modules, I still had data leaks.)

    For example, even with ALL entries unchecked as you instructed, playing a RealPlayer file on my desktop will cause a NO PROMPT internet connection through ekrn despite the fact that RealPlayer has no allowed access in the Online Armor Firewall. Even more interesting, with NOD32 uninstalled, no connection by RealPlayer is even attempted. My firewall doesn't prompt and Realplayer never connects.

    When NOD32 is installed, the only fix I've been able to find (as has been already mentioned I believe) is to turn off the DNS client. Then the user gets prompted for port 53 for the specific application that wants access.

    Ignoring all security concerns, this is horrible for privacy. The user has no control over applications that phone home. Despite the "DNS Client fix" I'd never use NOD32 with this. Too bad, I've used NOD32 AV for years. I'll have to find a new AV when my 2.7 subscription is up.
     
  7. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Intercepting loopback did not work for me (please see edit below). RealPlayer still connected out via 80 even with this feature of Online Armor active. The only thing that stopped RealPlayer in my tests was disabling the DNS Client.


    ***EDIT: Intercept Loopback in OA DOES catch this. I must amend my original post. You must restart your computer after selecting "Intercept Loopback" before it will start intercepting though (I didn't restart when I first tested it). So as long as your firewall can intercept loopback, this proxy issue shouldn't be a problem.
     
    Last edited: Mar 11, 2008
  8. Artur

    Artur Registered Member

    Joined:
    Mar 11, 2008
    Posts:
    6
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Hi, All. I'm new here but read the forum a lot.

    Yes, I have the same problem

    Regards
     
    Last edited: Mar 11, 2008
  9. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through


    Please look at my EDIT in the post above yours. Set your OA to Intercept loopback and then set rules to intercept ports 1024-4999. Then use endpoint restrictions to send only to the following endpoints: 127.0.0.1/32.

    This will intercept connection requests and control the proxy behavior. Post again if you need more help.
     
  10. Artur

    Artur Registered Member

    Joined:
    Mar 11, 2008
    Posts:
    6
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Thanks Nmaynan. Problem solved

    Regards
     
  11. Hefaistos22

    Hefaistos22 Registered Member

    Joined:
    Mar 14, 2008
    Posts:
    73
    Location:
    Slovakia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Can I configure it somehow so that it could work with Sygate Firewall?? :( But I want Nod to be able to control web traffic! :(
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    It depends on the other firewall, some support local proxies.
     
  13. capatt

    capatt Registered Member

    Joined:
    Jan 23, 2007
    Posts:
    84
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Can you be a bit more specific about the steps required to set this up? I have OA. Does the rule to intercept ports 1024-4999 with the noted endpoint restriction apply to ekrn.exe? Can you furnish a step-by-step? Sorry for the bother.
    Thanks
     
  14. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    A known design shortcoming with the Sygate Firewall was that it did not support filtering of local proxies. Sygate had indicated that they were going to work on the issue but it never happened. And now, of course, the Sygate Firewall is no more... :( So no, there is no way for you to configure the Sygate Firewall using NOD32 v3 and have your normal firewall protection...
     
  15. Hefaistos22

    Hefaistos22 Registered Member

    Joined:
    Mar 14, 2008
    Posts:
    73
    Location:
    Slovakia
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    But I don't mind outgoing connections, could I still use Sygate as inbound protection? Or is it tunneled too?? :(
     
  16. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    AFAIK, inbound protection should be ok. So yes, you could but I'm confused as to why... If all you are filtering is inbound, then you may as well roll back to the Windows Firewall. If you uninstall Sygate, you gain some things and lose little to nothing. Items such as no additional processes running, no RAM or hard drive overhead, etc...
     
  17. nish

    nish Registered Member

    Joined:
    May 7, 2006
    Posts:
    15
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I downgraded to v2 after all of the hassle with v3 proxy/tunnelling everything.

    Haven't checked up on this in a while. Is all web traffic still getting sent through proxies on the latest version?
     
  18. MarkW

    MarkW Registered Member

    Joined:
    Dec 24, 2006
    Posts:
    48
    Referring back to Post 131 on Dec 09, 2007 - and all the follow up, I need to revisit the issue of Online Armor Firewall v3 with NOD32 AV v3. I quote,

    I am a novice user and I need this broken down into layman's English. Please bear with me. I have XP SP3. My security setup consists of the paid/full versions of the following:
    1. NOD32 AV v3 (used blackspear's settings)
    2. Online Armor v3
    3. Malwarebytes
    4. Prevx2.

    All four have the most up to date patches and were installed on a virgin machine two days ago. As things stand today, I have two questions.
    1. Is NOD32 essentially circumventing OA, permitting all outbound traffic via IE7 (my browser)?
    2. Is there anything I can do with advanced settings of either NOD32 or OA to permit OA control of outbound traffic?

    Remember, plain and simple if you please. I am not an IT guy, just a regular dude trying to harden up his system.
     
  19. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, can't imagine much more plain English instructions than "Just tick 'Intercept Loopback Interface' in OA". It doesn't work for you? Or you cannot find the option? Or... ?
     
  20. Statler

    Statler Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    5
    Location:
    Austria
    Hello Mark,

    no, NOD32 is not circumventing OA. It is acting as a local proxy for all web browsers, therefore the connection goes from IE to NOD32 to OA and then to the internet. The connection will use both Web Shields (from NOD32 and from OA). The drawback is that OA will not recognize that the connection is originally initiated by IE because it only sees NOD32 connecting. That way any OA firewall rules for IE will not trigger.

    Ticking the "Intercept Loopback Interface" in OA (Options -> Firewall) will enable OA to recognize the connection between IE and NOD32 and it can trigger any firewall rules for IE. It will still use both Web Shields.

    On the other hand you may disable the proxy functions of NOD32 using the instructions here and IE will connect directly to OA without using NOD32 as a proxy. This way firewall rules will be triggered, but only OA's Web Shield will be used. ;)
     
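The attribution gap Statler describes can be seen by comparing who talks to the proxy's loopback listener with what leaves the machine. This is an added example, not code from any poster, ESET or Online Armor; the netstat-style sample, port 12080, the PIDs and the non-ESET process names are constructed, and `firewall_view` is only a simplified model of an application firewall.

```python
import re

# Constructed sample modeled on `netstat -ano` output. Port 12080 and all PIDs
# are made up for illustration; they are not values from the thread.
NETSTAT = """\
  TCP    127.0.0.1:12080     0.0.0.0:0            LISTENING       1200
  TCP    127.0.0.1:1051      127.0.0.1:12080      ESTABLISHED     3344
  TCP    127.0.0.1:12080     127.0.0.1:1051       ESTABLISHED     1200
  TCP    127.0.0.1:1077      127.0.0.1:12080      ESTABLISHED     4100
  TCP    127.0.0.1:12080     127.0.0.1:1077       ESTABLISHED     1200
  TCP    192.168.1.10:1052   203.0.113.7:80       ESTABLISHED     1200
  TCP    192.168.1.10:1078   198.51.100.9:80      ESTABLISHED     1200
  TCP    192.168.1.10:1090   192.0.2.44:443       ESTABLISHED     5020
"""
# Constructed PID-to-image map (what `tasklist` would supply on a real host).
PROCS = {1200: "ekrn.exe", 3344: "iexplore.exe", 4100: "realplay.exe", 5020: "updater.exe"}
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def parse(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            rows.append((la, int(lp), ra, int(rp), state, int(pid)))
    return rows

def proxy_clients(rows, procs, proxy="ekrn.exe"):
    """Processes holding loopback connections to a port the proxy listens on."""
    ports = {lp for _, lp, _, _, st, pid in rows
             if st == "LISTENING" and procs.get(pid) == proxy}
    return sorted({procs.get(pid, str(pid)) for _, _, ra, rp, st, pid in rows
                   if st == "ESTABLISHED" and ra.startswith("127.")
                   and rp in ports and procs.get(pid) != proxy})

def firewall_view(rows, procs, intercept_loopback):
    """Process names an outbound application firewall can apply rules to."""
    seen = set()
    for _, _, ra, _, st, pid in rows:
        if st != "ESTABLISHED" or (ra.startswith("127.") and not intercept_loopback):
            continue  # without loopback interception the app-to-proxy leg is unseen
        seen.add(procs.get(pid, str(pid)))
    return sorted(seen)

if __name__ == "__main__":
    rows = parse(NETSTAT)
    print("behind the proxy:", proxy_clients(rows, PROCS))
    print("firewall sees (no loopback):", firewall_view(rows, PROCS, False))
    print("firewall sees (loopback on):", firewall_view(rows, PROCS, True))
```

On a real machine the same comparison shows which programs are reaching the internet under the proxy's name, which is the set that per-application outbound rules miss until loopback interception is enabled.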
  21. meschubert

    meschubert Registered Member

    Joined:
    May 29, 2007
    Posts:
    46
    Location:
    Manhattan Beach, CA
    Great clear response from Statler. I know that I appreciated it.
     
  22. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    ...On the contrary, Local proxy should not be filtered, 3rd-party FW should not be aware of local proxy to be able to filter pure application request and not intercepted NOD32 request, it should filter at highest level possible and not at lower...
     
  23. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    I don't exactly understand what you're trying to say, but if one wishes to use a software firewall to control outbound traffic, and anything on the PC is using a local proxy to route any of the traffic, the firewall MUST examine the local proxy in order to report anything not already approved. Anything less means things can connect to the web completely unknown to the user.

    Of course, many users, (especially business users) do not use outbound, software firewalls. So, the importance of outbound control (and the desire to have it) can vary a great deal. (For example, at work, we don't filter outbound traffic at all. But at home, I would not be without it.)
     
  24. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Re: Nod32 v3: Software firewall made useless b/c all connections are running through

    Application request - NOD32 local proxy - firewall - (in this case firewall will filter NOD32 traffic)
    Application request - firewall - NOD32 local proxy - (in this case firewall will catch application requests, not NOD32 local proxy's "reused" request)
     
  25. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    I recently started using the Comodo free firewall and could not find a simple guide to help me set up filtering for the NOD32 proxy. After asking over at the Comodo forums, I received the following answer (marked in the photos) which seems to do the job.

    (Note that these settings can make the firewall have more pop-ups than normal. If you want to avoid the pop-ups, I'd recommend running a new CFP firewall setup in "Training Mode" for a while before switching to what is in the photos.)
     
