What's better - v4 minus web protection or v2.7 in full?

Discussion in 'ESET NOD32 Antivirus' started by ratty9000, Jun 17, 2010.

Thread Status:
Not open for further replies.
  1. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    As noted here I too have suffered from the failure of v4's web access protection, where the http proxy has mysteriously taken to blocking some time after booting.

    As a result I have backtracked to v2.7 (I'm on an older WinXP SP3 machine).

    I was wondering what the community thinks is better:
    - v2.7 in normal default operation
    - v4 with web access protection disabled
    - any other alternative?

    Thanks for any input.
     
  2. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    Hey Ratty,

    It sounds like, for some reason, your Winsock might be compromised. You can reset it by clicking on Start -> Run and typing in CMD

    In the command prompt window, you will want to type:

    netsh int ip reset log.txt

    Then restart your computer. This will reset your Winsock back to Microsoft defaults. This would mean that if you have virtual network adapters, such as a VPN client (Checkpoint, Cisco, etc.), you will need to reinstall them.

    Hope this helps.
     
  3. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    I would be suspicious of a rootkit or trojan screwing around with your network stack. It would be worth making a rescue cd, booting to that, and doing a scan from that to check.
     
  4. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    Thanks for the input.

    The thing is that I've restored a partition image from 5 days before the problem first appeared and yet things still go wrong after a while with a clean reinstall of v4.

    When the web access proxy goes funny, TCPview shows loopback connections being attempted and immediately bouncing off (they go into TIME_WAIT state) *and* the NOD GUI stops allowing me to disable the web access protection or even EAV as a whole.

    In all other respects the TCP/IP stack seems fine. When the problem occurs I can use VNC to other machines, access network shares etc. I can also make HTTP requests if they're to a nonstandard port.

    I've already scanned for rootkits. I'll restore a system partition image onto another disk and scan it in a second machine - while it's non-live obviously - and see if that throws up anything.

    Thanks
     
  5. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    Okay I have:

    - done a clean re-install of v4.0.424
    - reset using NETSH as suggested and rebooted etc

    The problem recurs after a few minutes. Disable the HTTP port redirection and all is instantly well again. From here it looks like the NOD proxy is getting broken by something. A recent Windows Update??

    On SmackyTheFrog's point, for good measure I have used another machine to scan both disk partitions (incl the inactive system partition) to check for any possible hidden infections.

    I'm clearly not alone, as others have reported similar web protection problems (see the link in my OP).

    So, returning to my original question should I:
    - run v4 with web protection turned off and rely on file-access scans?
    or
    - run v2.7 with all bells and whistles?
     
  6. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    424 is an old build and there is a fix for HTTP scanning between there and the newest build of v4. Sorry, I should have asked first but I assumed you were running the latest build.
     
  7. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    Okay will give the latest version a try again. Yesterday when I did a clean install of 4.2.40 the problem recurred. This time I'll do it after resetting the stack as advised.
     
  8. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    Well a clean install of v4.2.40 - preceded by a TCP/IP stack reset (netsh int ip reset) for good measure - produced the same behaviour. After a few mins the HTTP scanner blocked. And on top of that attempts to modify settings (from an admin account obviously) were greeted with:

    "An error occurred while saving the configuration. Please make sure that you have permissions to change settings." :mad:

    FWIW I have now made 3 different rootkit scans. Plus I scanned the system partition whilst it's inactive by restoring an image onto an external drive and scanning on a different machine.

    HOWEVER, disabling Self Defence appears to fix the HTTP blocking problem. :eek: Quite why Self Defence has suddenly changed its effect I've no idea. Did some modules get updated or something? :doubt:
     
  9. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    768
    Location:
    UK
    It's sad that no one would answer your question, because I am also curious.

    2.7 was a brilliant a/v.
     
  10. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    All these symptoms you mentioned above are very similar to an active malware infection and / or a protection software conflict.
    Try to collect some information about the related problem. Use the ESET SysInspector tool to create a system state log and then send it to the ESET Tech team.
     
  11. ratty9000

    ratty9000 Registered Member

    Joined:
    Mar 7, 2009
    Posts:
    12
    If it's malware it's doing a great job of hiding.

    I've deep-scanned using NOD (obviously), TrendMicro online, Symantec online, BitDefender online, MalwareBytes and SuperAntiSpyware. I've also done rootkit scans using Sophos, TrendMicro and RootkitRevealer. I also uninstalled NOD temporarily, installed Microsoft Security Essentials and deep-scanned with that.

    For good measure I took the disk images to another machine (so the system partition wasn't active) and deep-scanned them there with NOD and MalwareBytes.

    Nothing came up.

    I have to reckon it's the self-defence module playing up. Others have reported similar. The latest self-defence version is dated 20100404. I first noticed the problem on May 15, but that PC was off from 7 April till then.

    I'll see about the SysInspector thing, but I use Sysinternals Process Explorer and Autoruns all the time to monitor for system changes and there have been none.
     
    Last edited: Jun 21, 2010
  12. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    1. If you have any suspicion on rootkit infection you could run GMER anti-rootkit scan.
    2. Using 2 or more protection (antimalware) real-time scanners is not recommended at all. You should know that you will gain no better protection against emerging threats nor better cleansing ability at all, but you may gain a ton of conflicts at the system level because of protection software architecture.
     
  13. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    This would have my vote (assuming latest version too)
     
    Last edited: Jun 21, 2010
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    >> port 30606

    maybe a conflict with outpost or online armor or ad muncher?
    http://www.outpostfirewall.com/forum/showthread.php?t=21264
    http://support.tallemu.com/vbforum/showthread.php?t=6823

    port 30606 seems to be the working port for ekrn and its proxy!?

    did you install ESS before (first try) and only do an "update" to EAV? In that case the proxy settings from ESS are still working but not accessible in EAV!
    (or those settings weren't cleaned up after uninstall)

    so it worked for some minutes?
    if so - what's happening in that short time?

    >> would be suspicious of a rootkit or trojan screwing around with your network stack.

    possible, ofc

    >> Use ESET SysInspector tool to create system state log and then send it to ESET Tech team.

    agree.
     
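The symptom described in post 4 (loopback connections to the web-access proxy that bounce straight into TIME_WAIT, seen in TCPview) and the proxy port named in post 14 (30606) can be checked without a GUI tool by parsing `netstat -ano` output. The script below is an added example, not code from ESET or from any poster in this thread; the sample netstat text is constructed to reproduce the reported pattern, and the assumption that 30606 is the relevant proxy port is taken from post 14 rather than verified.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -ano` output (not captured from the
# poster's machine). It mimics the reported symptom: the proxy port is
# listening, loopback connection attempts to it sit in TIME_WAIT, and nothing
# is ESTABLISHED to it, while unrelated connections look healthy.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:30606        0.0.0.0:0              LISTENING       1448
  TCP    127.0.0.1:30606        127.0.0.1:49153        TIME_WAIT       0
  TCP    127.0.0.1:30606        127.0.0.1:49154        TIME_WAIT       0
  TCP    127.0.0.1:30606        127.0.0.1:49155        TIME_WAIT       0
  TCP    127.0.0.1:49156        127.0.0.1:30606        TIME_WAIT       0
  TCP    192.168.1.10:49200     192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.10:49201     203.0.113.5:8080       ESTABLISHED     2204
"""

# Port that a later post in the thread names as the ekrn HTTP proxy port.
# Assumption: it applies to the affected machine; adjust if yours differs.
PROXY_PORT = 30606

# One TCP row of `netstat -ano`: proto, local addr:port, foreign addr:port, state, pid.
# IPv6 literals such as [::1]:30606 also match because the address is \S+ up to the last colon.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return the TCP rows of netstat output as a list of dicts; header and UDP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rows.append({
            "local_ip": m.group("laddr"), "local_port": int(m.group("lport")),
            "foreign_ip": m.group("faddr"), "foreign_port": int(m.group("fport")),
            "state": m.group("state"), "pid": int(m.group("pid")),
        })
    return rows


def is_loopback(ip):
    return ip.startswith("127.") or ip == "[::1]"


def loopback_states(rows, port):
    """Count connection states for rows that involve the given port on a loopback address."""
    counts = Counter()
    for r in rows:
        touches_port = port in (r["local_port"], r["foreign_port"])
        on_loopback = is_loopback(r["local_ip"]) or is_loopback(r["foreign_ip"])
        if touches_port and on_loopback:
            counts[r["state"]] += 1
    return counts


def proxy_looks_stuck(counts, min_time_wait=3):
    """Heuristic for the symptom in the thread: the proxy port is listening, no
    loopback connection to it is ESTABLISHED, and several attempts sit in TIME_WAIT."""
    return (
        counts.get("LISTENING", 0) >= 1
        and counts.get("ESTABLISHED", 0) == 0
        and counts.get("TIME_WAIT", 0) >= min_time_wait
    )


if __name__ == "__main__":
    # On a live Windows box you would feed subprocess.check_output(["netstat", "-ano"], text=True)
    # instead of the constructed sample.
    rows = parse_netstat(SAMPLE_NETSTAT)
    states = loopback_states(rows, PROXY_PORT)
    print(f"loopback states on port {PROXY_PORT}: {dict(states)}")
    print("proxy looks stuck" if proxy_looks_stuck(states) else "proxy looks healthy")
```

Running it a few times a minute after boot, and again once browsing stops working, shows whether the TIME_WAIT count on the proxy port climbs while ESTABLISHED stays at zero, which is the pattern the thread describes; a healthy proxy shows ESTABLISHED loopback rows while pages are loading. The PID column is 0 for TIME_WAIT rows because no process owns them any more, so the LISTENING row is the one that identifies the proxy process.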