There are these discussions going on in the Eset support forum: https://www.wilderssecurity.com/showthread.php?t=194363 https://www.wilderssecurity.com/showthread.php?t=192305 As it's all Hebrew to me, does it somehow affect L'n'S firewall? Or are some people just fussing about trifles?
Hi swami, Can you give us a brief summary on the topic of this discussion, please? In my current pre-Christmas chaos I am way too busy to read through these links. But if you briefly tell me what it is about, maybe I am getting curious.... Thomas
Hi Thomas, As I said, it all goes over my dandruff, so I can't explain it in a few words. Ratchet put it this way: You are making it sound like there are some incompatibility or performance issues, which there aren't! The problem being discussed here is the fact the new NOD v3 engine (specifically ekrn.exe) renders the functionality of firewalls useless. This has been confirmed by a whole lot of folks that are much smarter than I am. There apparently is nothing to work out and people are venting their frustration, especially over the fact that Eset doesn't even just come out and say "There is nothing that can be done about it, you are just going to have to use v2.4." or "We are working on an option which will preserve the basic functionality of v3 but will also allow firewalls to perform their intended function."
Yes, I tried to stop ekrn.exe. Can't access internet anymore. msrourke on Eset forum put it this way: "Can't be done in any firewall with the ekrn.exe proxy. ekrn is the sole connect point to the internet, the individual programs connect to ekrn locally. The only setting possible is to allow each program to connect to ekrn locally, ekrn then connects to the internet for the program. This setup makes it not possible to restrict individual program behavior, as they are not connecting to the internet. You can restrict ekrn, but that would have a global effect across all programs accessing the internet. This is the main point/complaint of this thread." Does this mean firewalls are useless or what? Should I forget the whole thing because it still is beyond my comprehension? Or is Eset firewall the only one that works?
Maybe it means that by design the NOD v3.x engine doesn't work together with software firewalls (including LnS). But I would doubt that in general software firewalls are useless at all... Thomas
Since Look 'n' Stop detects applications at socket creation time, normally local connection (to a proxy server application) should be detected anyway and you can allow/block these applications even if they are connecting through a proxy. However I'm not sure this is the issue that is discussed here. Frederic
If you allow Ekrn.exe, from then on everything will route through it. LNS might detect the initial Ekrn connection attempt & after that any other app will probably be detected once. Ekrn is a web proxy, so goodbye firewall control. Someone in the forum correct me if I'm wrong about LNS's behavior with proxies. The gist of the discussion going on is that Ekrn renders all firewalls useless unless you disable HTTP scanning for web & e-mail, & then what do you have? For complete control there are some who claim every product's access should be limited with firewall rules specifically made, but who wants to do that? To further complicate the issue, some very respected firewall specialists at Wilders have serious doubts that any firewall can be rendered leakproof when using the new NOD EAV product. I would be very interested in hearing further as to whether LNS could be made to offer granular control of applications using the new version 3 AV.
Maybe so. But for a layman, I think L'n'S still controls all incoming traffic and that's what counts. If your system is clean it doesn't matter as there's nobody "calling home". Am I right or completely lost? Both of these products are working fine together on my system as far as I know.
Yes, the Internet Filtering (=Packet Filter) is still fully operational for incoming and outgoing packets. And you can still have a rule disabled if a specific application is not connected to internet. On the Application Filtering side, only the socket creation is detected and you have a prompt to allow or not the application to do so. Then the application uses port 30306 and IP 127.0.0.1 to connect to the proxy. This is for applications using ports like 80, 8080... (and it is configurable in Nod32). Frederic
Maybe it is possible to do something, but it has to be very specific. Here is a patch for LNSFW1.Sys (win32 only) which tries to bind the access to the right application instead of EKRN.EXE: http://looknstop.soft4ever.com/Beta/2.06p2/Nod32V3/ Consider this as very experimental, it is just a demo. Since it is based on several assumptions on how Nod32 V3 works (for instance this patch is specific to port 30606), it could sometimes perform a wrong re-binding, or sometimes still consider EKRN.EXE making the access. Not sure at all this patch will be supported in the future (especially if some of my assumptions are wrong). I was able with Look 'n' Stop and this patch to block a "telnet xxx 80" and to let iexplore still connect on port 80: http://looknstop.soft4ever.com/Beta/2.06p2/Nod32V3/LnSnv3Test.JPG Frederic
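The attribution problem discussed in this thread, modelled as an added example (not part of the original posts and not the Look 'n' Stop patch): per-application rules keyed on the socket owner see only ekrn.exe, while re-binding each proxy connection to the client that just connected to the local proxy port restores per-application verdicts. The time-window pairing, the event list, the rule table and all function names are assumptions made for illustration.

```python
from collections import deque

PROXY_EXE = "ekrn.exe"
# Port taken from the patch post; an earlier post in the thread says 30306.
PROXY_ADDR = ("127.0.0.1", 30606)
WINDOW = 0.5  # seconds; assumed pairing window for the heuristic

# Constructed connect events: (time, process, dst_ip, dst_port)
EVENTS = [
    (1.00, "telnet.exe", "127.0.0.1", 30606),
    (1.02, "ekrn.exe", "203.0.113.10", 80),
    (2.00, "iexplore.exe", "127.0.0.1", 30606),
    (2.01, "ekrn.exe", "198.51.100.7", 80),
    (9.00, "ekrn.exe", "192.0.2.5", 80),  # proxy's own traffic, no client
]

# Hypothetical per-application rules: process -> allowed remote ports
RULES = {"iexplore.exe": {80, 443}, "ekrn.exe": {80, 443}, "telnet.exe": set()}

def allowed(process, port):
    return port in RULES.get(process, set())

def naive_verdicts(events):
    """Rule lookup keyed on the owner of the outbound socket."""
    return [(proc, ip, port, allowed(proc, port))
            for _, proc, ip, port in events if (ip, port) != PROXY_ADDR]

def rebound_verdicts(events, window=WINDOW):
    """Attribute each proxy connection to the most recent unpaired local client."""
    pending = deque()  # (time, process) of clients that reached the proxy port
    verdicts = []
    for t, proc, ip, port in sorted(events):
        if (ip, port) == PROXY_ADDR:
            pending.append((t, proc))
            continue
        origin = proc
        if proc == PROXY_EXE:
            while pending and t - pending[0][0] > window:
                pending.popleft()  # stale client, too old to pair
            if pending:
                origin = pending.popleft()[1]
            # else: no candidate, so the access stays attributed to the proxy
        verdicts.append((origin, ip, port, allowed(origin, port)))
    return verdicts

if __name__ == "__main__":
    for label, fn in (("naive", naive_verdicts), ("re-bound", rebound_verdicts)):
        print(label, fn(EVENTS))
```

Because pairing relies on timing alone, two clients connecting within the same window can be swapped, which is the kind of wrong re-binding the patch post warns about.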