Nod32v3

Discussion in 'LnS English Forum' started by swami, Dec 14, 2007.

Thread Status:
Not open for further replies.
  1. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    167
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I agree I would like to know also?

    TH o_O
     
  3. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Hi swami,

    Can you give us a brief summary on the topic of this discussion, please? In my current pre-Christmas chaos I am way too busy to read through these links.

    But if you briefly tell me what it is about, maybe I am getting curious.... ;)

    Thomas :)
     
  4. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    167
    Hi Thomas
    As I told, it all goes over my dandruff, so I can't explain it in a few words.
    Ratchet put it this way:
    You are making it sound like there are some incompatibility or performance issues, which there aren't! The problem being discussed here is the fact that the new NOD v3 engine (specifically ekrn.exe) renders the functionality of firewalls useless. This has been confirmed by a whole lot of folks that are much smarter than I am. There apparently is nothing to work out and people are venting their frustration, especially over the fact that ESET doesn't even just come out and say "There is nothing that can be done about it, you are just going to have to use v2.4." or "We are working on an option which will preserve the basic functionality of v3 but will also allow firewalls to perform their intended function."
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Has anyone just tried installing Look 'n' Stop and see if there's a problem?
     
  6. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    167
    Yes, I tried to stop ekrn.exe. Can't access the internet anymore.
    msrourke on Eset forum put it this way:
    "Can't be done in any firewall with the ekrn.exe proxy. ekrn is the sole connect point to the internet, the individual programs connect to ekrn locally. The only setting possible is to allow each program to connect to ekrn locally, ekrn then connects to the internet for the program. This setup makes it not possible to restrict individual program behavior, as they are not connecting to the internet. You can restrict ekrn, but that would have a global effect across all programs accessing the internet. This is the main point/complaint of this thread."

    Does this mean firewalls are useless or what? Should I forget the whole thing because it still is beyond my comprehension? Or is Eset firewall the only one that works?
     
  7. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Maybe it means that by design the NOD v3.x engine doesn't work together with software firewalls (including LnS). But I would doubt that in general software firewalls are useless at all...

    Thomas :doubt:
     
  8. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Since Look 'n' Stop detects applications at socket creation time, normally a local connection (to a proxy server application) should be detected anyway, and you can allow/block these applications even if they are connecting through a proxy.
    However I'm not sure this is the issue that is discussed here.

    Frederic
     
  9. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    167
    Thanks F
    Nice to hear these reassuring words.
     
  10. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    If you allow EKrn.exe, from then on everything will route through it. LNS might detect the initial Ekrn connection attempt, and after that any other app will probably be detected once. Ekrn is a web proxy, so goodbye firewall control. Someone in the forum correct me if I'm wrong about LNS's behavior with proxies. The gist of the discussion going on is that EKrn renders all firewalls useless unless you disable HTTP scanning for web and e-mail, and then what do you have? For complete control there are some who claim every product's access should be limited with firewall rules specifically made, but who wants to do that? To further complicate the issue, some very respected firewall specialists at Wilders have serious doubts that any firewall can be rendered leakproof when using the new NOD EAV product. I would be very interested in hearing further as to whether LNS could be made to offer granular control of applications using the new version 3 AV.
     
  11. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    167
    Maybe so. But for a layman, I think L'n'S still controls all incoming traffic and that's what counts. If your system is clean it doesn't matter as there's nobody "calling home". Am I right or completely lost?
    Both of these products are working fine together on my system as far as I know.
     
  12. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, the Internet Filtering (=Packet Filter) is still fully operational for incoming and outgoing packets.
    And you can still have a rule disabled if a specific application is not connected to internet.

    On the Application Filtering side, only the socket creation is detected and you have a prompt to allow or not the application to do so.
    Then the application uses port 30306 and IP 127.0.0.1 to connect to the proxy. This is for applications using ports like 80, 8080... (and it is configurable in Nod32).

    Frederic
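
An added example (not part of the thread, and not Look 'n' Stop or ESET code) of what the proxy arrangement described in this post looks like in a connection table: applications hold loopback connections to the proxy port, and every remote connection for them is owned by the proxy process. The `netstat -ano` style rows, PIDs, addresses and the names `telnet.exe` and `mailer.exe` are constructed sample data; port 30306 is the value quoted in the post and is passed as a parameter because it is configurable.

```python
import re

# Constructed sample in the column layout of Windows `netstat -ano`.
SAMPLE_NETSTAT = """\
  TCP    127.0.0.1:1045      127.0.0.1:30306     ESTABLISHED     2212
  TCP    127.0.0.1:1051      127.0.0.1:30306     ESTABLISHED     3120
  TCP    127.0.0.1:30306     0.0.0.0:0           LISTENING       1488
  TCP    127.0.0.1:30306     127.0.0.1:1045      ESTABLISHED     1488
  TCP    127.0.0.1:30306     127.0.0.1:1051      ESTABLISHED     1488
  TCP    192.168.1.20:1046   203.0.113.10:80     ESTABLISHED     1488
  TCP    192.168.1.20:1052   198.51.100.7:80     ESTABLISHED     1488
  TCP    192.168.1.20:1060   198.51.100.9:25     ESTABLISHED     2900
"""
# Constructed PID-to-image map (the information `tasklist` would supply).
SAMPLE_PROCS = {1488: "ekrn.exe", 2212: "iexplore.exe",
                3120: "telnet.exe", 2900: "mailer.exe"}

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state, pid) rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            rows.append((la, int(lp), ra, int(rp), state, int(pid)))
    return rows

def proxy_view(rows, procs, proxy_port=30306):
    """Split connections into proxy clients, proxy-owned and direct remote flows."""
    # The proxy is whichever process listens on the proxy port.
    listeners = {pid for _, lp, _, _, st, pid in rows
                 if st == "LISTENING" and lp == proxy_port}
    clients, via_proxy, direct = set(), [], []
    for la, lp, ra, rp, st, pid in rows:
        if st != "ESTABLISHED":
            continue
        name = procs.get(pid, "pid %d" % pid)
        if ra.startswith("127."):
            # Loopback leg: the application side is the one dialing the proxy port.
            if rp == proxy_port and pid not in listeners:
                clients.add(name)
        elif pid in listeners:
            via_proxy.append((name, ra, rp))   # owner is the proxy, not the app
        else:
            direct.append((name, ra, rp))      # owner is the real application
    return {"proxy": sorted(procs.get(p, str(p)) for p in listeners),
            "clients": sorted(clients), "via_proxy": via_proxy, "direct": direct}
```

On the sample, both port 80 flows are owned by `ekrn.exe`, while the client list still names the two applications that opened sockets to the proxy; the table alone does not say which remote flow belongs to which client.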
     
  13. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Maybe it is possible to do something, but it has to be very specific. Here is a patch for LNSFW1.Sys (win32 only) which tries to bind the access to the right application instead of EKRN.EXE:
    http://looknstop.soft4ever.com/Beta/2.06p2/Nod32V3/

    Consider this as very experimental, it is just a demo. Since it is based on several assumptions on how Nod32V3 works (for instance this patch is specific to port 30606), it could sometimes perform a wrong re-binding, or sometimes still consider EKRN.EXE making the access. Not sure at all this patch will be supported in the future (especially if some of my assumptions are wrong).
    I was able with Look 'n' Stop and this patch to block a "telnet xxx 80" and to let iexplore still connect on port 80:
    http://looknstop.soft4ever.com/Beta/2.06p2/Nod32V3/LnSnv3Test.JPG

    Frederic
     