Once and for all - question re: proxy issue

Discussion in 'ESET NOD32 Antivirus' started by Nodrog, Dec 12, 2007.

Thread Status:
Not open for further replies.
  1. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    HiTech, or anybody for that matter, if I have missed something here then please point out the error of my ways:

    Simple firewall type question:
    1 - I want to AV check all http(80) traffic
    2 - I want to allow Internet explorer http(80) only
    3 - I need to allow svchost http(80), and https(443) for Microsoft Update

    I could do it with NOD32 v2.7 and Outpost any version.
    How do I do it with NOD32 v3 and Outpost or Comodo??

    The point, just in case we missed it, is I do not want to allow the kids to tunnel out through https (and this is something of an example so lets not go down any kind of discussion about why would you want to do that).

    TIA for any clarification/advice.

    [My day job involves looking after, amongst other things, a number of corporate Checkpoint NGX firewalls]
     
  2. deckie49

    deckie49 Registered Member

    Joined:
    May 25, 2004
    Posts:
    33
    have you tried asking the question on the outpost or comodo forums? seems to me you might get more response.
     
  3. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
  4. deckie49

    deckie49 Registered Member

    Joined:
    May 25, 2004
    Posts:
    33
    my bad.
    after reading all the problems with nod ver 3, i stayed away from it. still am using 2.7.
    good luck getting your answer!
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I am still working in the dark concerning this Web access protection(proxy) feature Nodrog, so bare with me as I ask a question concerning your question\s :doubt:

    In your Simple firewall type question: item 3 above, are you asking how to disable portions of Nod's proxy feature so that Outpost and\or Commodo would handle "svchost http(80), and https(443)".

    The Help file is informative but thru a better explanation of this proxy feature....I just know the light will finally come on.

    Sorry if I have intruded on your thread but I too would appreciate a little deeper understanding of the Web access protection(proxy) feature.

    Bubba
     
  6. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Hi Bubba

    No... I want the AV to filter any and all browser activity from any and all applications, on any and all ports that may be in use for browsing - this is just filling in the blanks and ticking boxes in EAV.

    The problem is, from an access to the Internet point of view, I want to allow svhost http and https, so:-

    Allow svchost -> localhost tcp30606
    Allow ekrn -> Internet tcp80 + tcp443

    to filter IE we now have to add
    Allow IE -> localhost tcp30606

    remember, ekrn is already allowed 80 and 443 so IE instantly gets this as well - but remember the question; I did not want to allow https from IE.

    That is complicated enough to show the issue, without starting to introduce ftp and other ports for online games etc.

    regards
    Gordon
     
  7. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    In a nutshell... (clear as mud... huh?)

    to AV filter a browsing application your access rule is

    application1 -> localhost tcp 30606
    application2 -> localhost tcp 30606
    application3 -> localhost tcp 30606
    ...
    there will be lots of these, 1 for each application.



    to actually get to the Internet you then have to allow

    ekrn -> Internet ports

    ...because ekrn is the only application actually going to the Internet, whatever access/ports you end up giving it (dictated by your list of applications and ports being AV filtered) - you effectively end up giving (by default) to each and every one of your applications.

    = no granularity
    = no individual application access control
    = an issue!

    (still clear as mud... huh?)

    regards
    Gordon
     
  8. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    Nodrog: As I just asked in the original thread, does your example hold true for the Vista firewall or is it specific to Outpost?

    Many thanks.

    Gary
     
  9. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Every Software firewall has this problems. Even if you disable 127.0.0.1 (localhost) from trusted adresses and intercept local trafic to the NAV-Kernl, you can't control application as Nodrog already stated.
     
  10. MaVRiC

    MaVRiC Registered Member

    Joined:
    Dec 7, 2007
    Posts:
    25
    Ok here it is in picture form for those that want granularity control.
    As we all know https(443) and to my knowledge was never decrypted and scanned by IMON in 2.7 or what ever version, so lets work on that.

    Step one:
    Enable your web access protection.

    step1copy.png


    Step 2:
    Select http and pop3 ports (forget about defining browsers, that gets ghosted with this option anyway)

    step2copy.png


    Step 3:
    Define your ports in the http filter (in your case only port 80) or any others you so desire.

    step3copy.png


    Step 4:
    Disable global local host rules in your firewall, and let each application call for the connection (thats that issue solved), define the custom (sudo port 80 rule for granularity control) 30606
    (remember you will be running without a global localhost rule so dont forget to run with the rules wizard for a while or manualy create them so other apps and system calls that need local loopback get access)

    step4-1copy.png


    The results:
    as you can see, https 443 is going out via firewall with no ekrn.exe(imon) intervention - therefore can be blocked by rule.
    Port 80 is going through the scanner proxy, just like mother (v2.7) used to make. but can also be blocked by deselecting the sudo port 80 rule. there is your granularity.................

    step5copy.png


    Damn straight. As said before, it's new software just because it does not work the way you are used too, does not make it useless or insecure - The forest is there, sometimes you just need to see past the trees...

    Hope this clears a few things up for some and give a bit of closure and granularity control to others.
     
    Last edited: Dec 13, 2007
  11. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    @MaVRiC
    Good posting for clearing some basic issues between NAV and a Firewall regarding 'generell' application control.
    I think that never was the problem. The problem is that you can't use a firewall anymore for 'Full' control of a application which seeks internet connection as with NOD 2.7.
    But this affects only control freaks like me and some others who for example want to limit IP ranges for one application and allow those for an other (more examples can be listed).

    The whole discussion is by the way useless. NAV is for itself a very good programm, but does not fit the needs of some control freaks like me. That's all. This won't change till the proxy concept of NAV is altered or changed.
     
  12. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland

    NAV or NOD?:D
     
  13. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    (N)OD32 (A)nti-(V)irus!

    Cheers,

    TH
     
    Last edited: Dec 13, 2007
  14. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    DOH! Thanks.
     
  15. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Thanks for the pics MaVRiC however, they don't answer the question.

    Actually, and all due respect (this is meant to be a discussion), all you've done in these configuration shots is show how to switch EAV to filter/proxy a specific list of ports rather than a list of applications which actually shoots your arguemnt a bit in the foot...

    If you filter http on 80-83 (as you show) but not IE itself as an application, then any browsing by IE on ports outside your range will NOT be AV checked. (remember I want to filter any/all traffic).
    [This could obviously start a discussion on the pros and cons of various EAV settings, but I don't want to get into that in this thread]

    What your config does, is NOT AV check port 443 (OK OK bad example - where is the end of the SSL tunnel; the OS, ekrn, or the application - the latter probably but regardless, remember I want to filter any/all traffic).

    Forget about 443, try 2 websites, one http on port 1080, the other http on port 2080.

    You want to allow IE access to the first but NOT to the second, and FF to the second but NOT to the first... oh, and you want to AV filter both sites.

    Or lets try Tommys requirement to only allow certain applications to certain websites by IP address rather than port number.

    I'm not saying that everybody cares about this, but a lot do - especially within the corporate infrastructure environment and it simply can not be done with EAV v3 and someone elses firewall!!

    Jump in here anyone actually from ESET and tell me I'm wrong.

    regards
    Gordon
     
  16. Shelty

    Shelty Registered Member

    Joined:
    Oct 28, 2007
    Posts:
    41
    As long as HTTP checking is checked, Nod will filter all HTTP traffic no matter what port.
    You would have to make a rule in your firewall for ekrn.exe not to allow traffic on a certain port that you do not want to use.
     
  17. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    That's not quite the case... you do have to tell it which ports - see MaVRiCs screenshots above. It definitely doesnt do protocol checking on all ports looking for http. Or change the protocol checking option to check Applications or both applications and ports. That way it will check all outbound activity from any of the applications you then tick.

    regards
    Gordon
     
  18. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yeah..can't confuse with NAV...

    EAV. ;)
     
Thread Status:
Not open for further replies.