NOD32 web access protection blocks HTTP traffic

Discussion in 'ESET NOD32 Antivirus' started by rpremuz, May 25, 2010.

Thread Status:
Not open for further replies.
  1. rpremuz

    rpremuz Registered Member

    Joined:
    Jan 18, 2005
    Posts:
    100
    Location:
    Croatia
    Hi!

    In a Windows domain I have about 60 MS Windows XP Pro. SP3 machines with ESET NOD32 AV Business Edition 4. All PCs have similar software configuration and the same NOD32 AV configuration.

    A few of the PCs have a problem with NOD32 AV web access protection. Mostly the web access protection works fine but occasionally the HTTP traffic gets totally blocked and no web browser is able to open web pages. At such occasions I notice the following:

    • ESET NOD32 AV GUI (egui.exe) says that antivirus and antispyware protection is active.
    • There is no errors or warnings in the Event Log.
    • The network connectivity is in order and other network protocols work fine (e.g. DNS resolving, file sharing, connection to the MS Exchange Server). So, I'd say the problem must be caused by NOD32 AV web access protection which filters HTTP traffic.

    All PCs have both Internet Explorer 8 and Mozilla Firefox 3.6 installed. The problem occurs regardless of the user's preferred browser.

    The problem first appeared with NOD32 AV v. 4.0.474. The upgrade to NOD32 AV v. 4.2.40 didn't make any difference. In versions 4.0.314 and 3.0.* there was no such problem.

    If the PC is restarted, the NOD32 AV Web access protection works well again but the problem may reoccur the same day, which annoys the users.

    The NOD32 configuration and system info are attached.

    Has anyone seen such a problem?
    Any suggestions on fixing it?

    -- rpr.
     

    Attached Files:

  2. rpremuz

    rpremuz Registered Member

    Joined:
    Jan 18, 2005
    Posts:
    100
    Location:
    Croatia
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Does disabling self-defense and restarting the computer make a difference?
     
  4. rpremuz

    rpremuz Registered Member

    Joined:
    Jan 18, 2005
    Posts:
    100
    Location:
    Croatia
    Why should I try disabling self-defense?
     
  5. kjz

    kjz Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    30
    Is disabling self-defence (in this situation) possible? I tried to disable web access protection but only got an error message: not enough rights.....

    - kjz
     
  6. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    to make your system compatible with NOD. Most issues are advised like that by Eset, never mind that it lowers the protection to almost zero in the end
     
  7. thek

    thek Registered Member

    Joined:
    May 28, 2010
    Posts:
    1
    Location:
    France
    I've got exactly the same problem, i tryed to deactivate HTTP/Protocol Filtering but same issue. Works flawlessly when NOD32 uninstalled :D

    It does not apply to all computers, only some customers have this problem. :cautious:

    No solution for me at this time :'(
     
  8. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    I have to report the same problem (NOD32 v4 AV on WinXP SP3). This first manifested out of the blue 2 days ago on June 14th, and I've tried various options to resolve things:

    - a repair install on v4.0.424
    - uninstall and clean reinstall of v4.0.424
    - uninstall of v4.0.424 and install of v4.2.40

    In all cases, after a reboot all is well for a while. At some random time thereafter, it appears that the NOD http proxy stops accepting connections. TCPview shows loopback connections to port 30606 instantly dropping.

    A simple test script which makes an http call to a nonstandard port (i.e. not filtered by the proxy) makes a successful TCP connection. Repeat with port 80 and it fails.

    It's also the case that the NOD GUI gets into a funny state when the problem occurs. Settings, e.g. to disable web protection, are ignored. Attempts to uninstall while in the fault condition also fail with messages about insufficient rights to stop the service.

    What's puzzling is that another WinXP SP3 machine is fine.

    V4.0.424 has been trouble-free for over a year until now. I've had to go back to v2.7 for the time being. :mad:
     
  9. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    It would appear that disabling Self Defence does prevent the HTTP traffic from being blocked by the scanner.

    However if the HTTP traffic has already started being blocked, an attempt to change the Self Defence setting is met with a message: "An error occurred while saving the configuration. Please make sure that you have permissions to change settings."

    Reboot, disable the Self Defence setting quickly, then reboot again.

    Oh, and this is for the latest v4.2.40. Clean install.

    Is there something strange about Self Defence? Has it changed recently?
     
  10. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    FWIW I noticed that the OP and I have the same version of Self-Defence:

    Self-defense support module : 1016 (20100404)

    Seems to me that there's a problem with this - at least on XP SP3 (fully patched). It's almost as if the EKRN service partially cuts itself off from the world...
     
  11. kjz

    kjz Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    30
    Same here. Self-defense modul is version 1016 (20100404).
     
  12. skeymer

    skeymer Registered Member

    Joined:
    Jun 24, 2010
    Posts:
    6
    Just a quick note to say that we also have this same problem and have the same version of the Self Defence Module as others have listed.
    Is there any sign of a solution yet?
    Disabling Self Defence and therefore reducing your level of protection doesn't sound like such a good idea.

    Stefan.
     
  13. skeymer

    skeymer Registered Member

    Joined:
    Jun 24, 2010
    Posts:
    6
    An update on this problem.
    I've just been informed by ESET Support that a new build of the software due for release during the first week of July should resolve this issue.
     
  14. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    Ah so it was the 20100404 Self-Defence module after all. Many thanks for getting that confirmation.

    Concerned about malware I scanned the disk every which way, including for user, kernel and MBR rootkits. :ouch:
     
  15. rpremuz

    rpremuz Registered Member

    Joined:
    Jan 18, 2005
    Posts:
    100
    Location:
    Croatia
    Is there any news regarding this issue after upgrade to NOD32 AV 4.2.58.3?
    I can see that the self-defense module was not changed in the new NOD32:

    Self-defense support module : 1016 (20100404)

    -- rpr.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Does the problem persist with the latest build 4.2.58? If so, does disabling self-defense actually resolve the problem?
     
  17. skeymer

    skeymer Registered Member

    Joined:
    Jun 24, 2010
    Posts:
    6
    Yes, the problem does persist with V 4.2.58
    And Yes, if you disable the Self Defense module the problem goes away.
    Stefan.
     
  18. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    I found the problem apparently went away when I installed Online Armor, which also intermediates web traffic. I was able to re-enable NOD's self-defence.
     
  19. skeymer

    skeymer Registered Member

    Joined:
    Jun 24, 2010
    Posts:
    6
    We have now discovered a curious way of fixing the problem.
    We tried upgrading the client on some PCs to the latest version to see if it resolved the issue, but it didn't.
    Except on one PC which had the Self Defense module switched off when upgraded. It was turned on again afterwards and has since been fine.
    We have now tried this on a couple of other effected PCs and found that if the self defense module is off when upgraded then the problem gets resolved but if it is on when upgraded then the problem persists.
    We will now use this as a workaround fix for any PCs that report the issue to us, but would still like to get a better long term fix at some point.
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    What OS is installed on those machines? HTTP scanning differs on Windows 2000/XP systems and Vista SP1 and newer. We would be interested in providing you a logging version of the self-defense module which might shed more light.
     
  21. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    Interesting, perhaps about as logical as the "solution" I found of using a web-filtering firewall.

    Just to clarify, did you do a straight install of 4.2 over the top of 4.0 retaining all settings?

    Thanks
     
  22. kjz

    kjz Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    30
    Just a guess: maybe, an active self defense module during update blocks the installation of a component of NOD32 which therefore still will be from the old version?
     
  23. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    761
    Location:
    UK
    seems logical.
     
  24. skeymer

    skeymer Registered Member

    Joined:
    Jun 24, 2010
    Posts:
    6
    Many thanks for the offer of using a logging version of the module, we're already working with ESET support on this issue and have used the logging version to send back info.
    Plus a version of the module that causes a BSOD crash and memory dump file, so far no solution as yet.

    We're using XP, by the way.

    Stefan.
     
  25. skeymer

    skeymer Registered Member

    Joined:
    Jun 24, 2010
    Posts:
    6
    Yes, I believe the install was over the top of the existing installation.
     
Thread Status:
Not open for further replies.