OutPost and Kaspersky 5.0 Question

Discussion in 'other firewalls' started by PikeDude, May 7, 2004.

Thread Status:
Not open for further replies.
  1. PikeDude

    PikeDude Registered Member

    Joined:
    Aug 3, 2003
    Posts:
    45
    Hi All,

    Since installing Kaspersky 5.0, whenever I click on update or with Kav updating itself every three hours, I always get an alert from Outpost that an attack was detected from xxx.xxx.xxx.xxx (the Kav servers) and then it blocks it for the time limit that is set in the attack detection plug-in.

    The only way that it can update without an attack alert is if I leave the attack plug-in set on Normal instead of Maximum. I really would like to set it to Maximum and I've tried adding the servers to the kavsvc.exe in the application rules but I still get this alert.

    Is there a rule that needs to be created in the global rules? Or just better set up in the application rules for Kav? I have used Outpost for a while now and really like it and have learned how to create rules, but sometimes they are a little beyond me so I need some help. Has anyone experienced this with either Outpost or any other firewall with Kav 5.0?

    Thanks for any and all help.
     


  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Are you running OP in block most mode?

    You'll have to create an application rule. The rule assistant will let you do that most easily.
     
  3. PikeDude

    PikeDude Registered Member

    Joined:
    Aug 3, 2003
    Posts:
    45
    Hi meneer, at first I ran it in "Rules Wizard" and when the wizard detected Kav, its suggestion was to use the browser preset, so I chose it.

    If I leave the attack plug-in in Normal mode then it works well whether I'm in "Rules Wizard" or in "Block Most" mode. It only happens when the attack plug-in is set to Maximum.
     
  4. StephB

    StephB Guest

    Hello PikeDude !
    My attack detection plugin is set to high and with the rules below, I can update KAV 5.0 every three hours without any problem:

    Protocol:
    TCP

    Destination:
    Out

    distant host (sorry for the translation, I've got the French version):
    downloads0.kaspersky-labs.com,downloads1.kaspersky-labs.com,
    downloads2.kaspersky-labs.com,downloads3.kaspersky-labs.com,
    downloads4.kaspersky-labs.com

    distant port:
    HTTP, FTP

    Politic:
    available

    Hope it can help ...
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    PikeDude,

    Check that your rule for Kaspersky Update does include FTP (File Transfer Protocol - mentioned in StephB's post) - if it does and you still get the problem then Activate Stateful Inspection for that rule (this will allow all network connections between your PC and the Kaspersky server while the initial connection is up).

    FTP works by having multiple network connections - a "control" connection (FTP) down which commands are sent and one or more "data" connections (FTPDATA) which handle the file transfers. However, with normal FTP, it is the server that opens the data connections, so Outpost will see these as incoming connections. It should allow them if you have FTP specified but if it isn't, specifying SPI should solve the problem.

    For more details on Outpost's Stateful Inspection feature, check the FAQ forums at the Outpostfirewall.com forum (when it is back up - currently down for an upgrade :( ).
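
    The control/data split described in the post above, as an added example that is not part of the original post and is not Outpost's own logic: a toy tracker reads the `PORT` command on the outbound control connection and allows only the matching server-opened data connection. The class name, the addresses and the one-connection-per-`PORT` policy are assumptions made for illustration.

```python
import re

# RFC 959 active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" on the
# control connection, then the server connects back from port 20.
PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_port_command(line):
    """Return (ip, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.fullmatch(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class ActiveFtpTracker:
    """Toy stateful filter (hypothetical, not Outpost's implementation)."""
    FTP_DATA = 20

    def __init__(self, allowed_servers):
        self.allowed_servers = set(allowed_servers)
        self.expected = set()  # (server_ip, client_ip, client_port)

    def on_control_line(self, client_ip, server_ip, line):
        """Record the data endpoint announced on an outbound control connection."""
        endpoint = parse_port_command(line)
        # Ignore servers without a rule, and PORT commands naming another host.
        if endpoint and server_ip in self.allowed_servers and endpoint[0] == client_ip:
            self.expected.add((server_ip, client_ip, endpoint[1]))

    def allow_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Allow one inbound connection per announced endpoint; block the rest."""
        key = (src_ip, dst_ip, dst_port)
        if src_port == self.FTP_DATA and key in self.expected:
            self.expected.discard(key)
            return True
        return False

def demo():
    # Constructed addresses from documentation ranges, not real update servers.
    client, server = "192.0.2.10", "198.51.100.7"
    fw = ActiveFtpTracker({server})
    before = fw.allow_inbound(server, 20, client, 5001)   # no PORT seen yet
    fw.on_control_line(client, server, "PORT 192,0,2,10,19,137\r\n")
    after = fw.allow_inbound(server, 20, client, 5001)    # matches the PORT
    replay = fw.allow_inbound(server, 20, client, 5001)   # already consumed
    return before, after, replay

if __name__ == "__main__":
    print(demo())
```

    An inbound connection with no matching `PORT` on an allowed control connection is indistinguishable from an unsolicited probe, so a filter without this state has to block it.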
     
  6. PikeDude

    PikeDude Registered Member

    Joined:
    Aug 3, 2003
    Posts:
    45
    Hi StephB and Paranoid2000,

    Thanks for helping, I just read the post and will be creating those rules and do some updating and will be reporting back soon if all is well. :)
     
  7. PikeDude

    PikeDude Registered Member

    Joined:
    Aug 3, 2003
    Posts:
    45
    Hi again, well I created the rule and applied it but I still would get the attack warning from Outpost once I put it in Maximum mode. I had tried all the various ways that were mentioned here, SPI turned on then off, specifying some local ports because they were always happening on ports 5001-5010, but I would still get the attacks.

    Then I deleted the kavsvc.exe rule, recreated it as per StephB's and Paranoid2000's advice, put the attack plug-in in Maximum mode and Outpost in Block Most mode. I tried updating Kav and got the attack warning, but instead of changing anything this time, I simply rebooted the computer.

    Once back up, I verified the settings in Outpost and everything was as I had left them (the Kav rule, attack plug-in in Maximum mode). I then clicked on the update for Kav and it went through without the attack warning from Outpost. I repeated this several times and always without a glitch. I verified the logs in Outpost and sure enough the connections were allowed through.

    All Outpost needed was a reboot to apply the new setting, don't know why though as all the other rules created were applied by Outpost on the fly. Doesn't really matter though as long as it works now, although I did learn that when changing a rule if it doesn't seem to work when it should, the most simple thing to do is reboot and verify.

    Thanks for all the help. I really appreciate it. :)
     
  8. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    168
    With the help of MegaHertz on the official Outpost forum I was able to create an updater preset for KAV 5, so if anyone else has problems with KAV 5 updating you can add this to your Outpost's Preset.lst file:

    [KAV Update]
    VisibleState: 1
    Exe:
    KAV Updater, kavsvc.exe
    DefaultState: 1
    RuleName: KAV Updater HTTP,FTP connection
    Protocol: TCP
    RemotePort: HTTP,FTP
    Direction: Outbound
    RemoteHost: 212.5.80.19, 195.218.139.150, 81.176.69.89, 195.170.248.15, 81.176.69.86
    AllowIt
     