Pages: 1 [2] 3
Author Topic: Can you knowledgeable folks please help us with NOD32 v3!  (Read 7728 times)
ggf31416
« Reply #15 on: December 28, 2007, 08:25:12 AM »


Based on the above I have it in my mind as follows:
Opera->CFP->NOD->Internet

Based on other posts I have read seem to indicate as follows:
Opera->NOD->Internet


There is no tunnel, it's just a problem of incorrect configuration and rules.
I will see if I can install a trial of NOD32 and test it.
ggf31416
« Reply #16 on: December 28, 2007, 10:02:49 AM »

OK, good news and bad news.
Good News: Configuring Comodo to control the "tunnel" is a PoC (not a Proof of Concept but a Piece of Cake)
First you have to enable Firewall -> Advanced -> Firewall Behaviour Settings -> Alert Settings -> Enable Alerts for loopback requests

I'm not sure if the port is the same on all computers, so if you do the following please check that the communication is not allowed without a prompt.

Now remove the rules for your browser (or another application that connects to the Internet, e.g. an updater or leaktest) and try to access an HTTP web page with that program (HTTPS doesn't use the proxy in the default configuration); you should receive a prompt similar to the first and second screenshot. Make sure that your Firewall Security Level is set to Custom.

Please provide feedback.

Bad News: I think I found a bug in Comodo while testing NOD32, the exclude checkbox in the destination port is not working!
« Last Edit: December 30, 2007, 07:08:42 PM by ggf31416 »
AnotherOne
« Reply #17 on: December 28, 2007, 04:40:40 PM »

Nice job!  Note that people should NOT choose "Treat this application as.." and any of the Web Browser or Email Client options on the pop-up.  Just clicking Allow would be fine.
ratchet
« Reply #18 on: December 28, 2007, 08:36:02 PM »

ggf31416, thank you for all this work!  Hopefully you've nailed it and I've entered your policies and rules correctly.  Have a great new year!

p.s.  I assume Comodo Firewall Security Level now needs to be set to "Custom Policy Mode".
« Last Edit: December 28, 2007, 08:41:24 PM by ratchet »
ggf31416
« Reply #19 on: December 28, 2007, 10:30:58 PM »

ggf31416, thank you for all this work!  Hopefully you've nailed it and I've entered your policies and rules correctly.  Have a great new year!

Did that work? Can you download this program http://www.grc.com/lt/leaktest.htm; it's a very basic leaktest but it's enough to know if the instructions work on your computer. Allow the Defense+ warnings and select "test for leaks". When you receive a prompt from the firewall select Block. Please post the results.

p.s.  I assume Comodo Firewall Security Level now needs to be set to "Custom Policy Mode".

It's not needed. You can use Train with Safe Mode if you want, but (with or without the NOD32 proxy) you won't get prompts for programs in the Comodo safelist and they can connect without your authorization.
« Last Edit: December 28, 2007, 11:15:56 PM by ggf31416 »
Burillo
« Reply #20 on: December 29, 2007, 04:11:13 AM »

traffic goes as follows: APP -> CFP -> NOD32 -> Internet
The reason why CFP can't control outbound traffic with the NOD32 proxy turned on is the fact that every app is connecting to localhost (127.0.0.1), not the real destination address. If malware tries to call home, you will be alerted only about the localhost connection attempt, and the only way to get some idea about the destination address is to log ekrn.exe. That means, given the fact that NOD scans HTTP traffic, you can't ban Windows Media Player from phoning home without banning the whole M$ IP range for ALL apps that use the NOD proxy. Simple but oh so painful...
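As an added illustration of the point above (example code written for this edit, not from the thread or from either product): a short Python script opens a real loopback connection to a stand-in listener that plays the role of the scanning proxy, and compares what a socket-level per-application rule can see on that connection (only 127.0.0.1 and a port) with what the proxy itself can recover from the first HTTP request it reads. The request bytes are constructed samples; the listener's port is an ephemeral one chosen by the OS, standing in for whatever port the real proxy uses.

```python
import socket
import threading
from urllib.parse import urlsplit

# Constructed sample requests, as a browser would send them to a local proxy.
# Absolute-form (explicit proxy): the request line carries the real host.
ABSOLUTE_FORM = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n\r\n")
# Origin-form (transparent redirection): only the Host header carries it.
ORIGIN_FORM = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.example.com:8080\r\n\r\n")
# CONNECT (HTTPS through an explicit proxy): the tunnel target is in the request line.
CONNECT_FORM = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                b"Host: www.example.com:443\r\n\r\n")


def firewall_view(peer):
    """All a socket-level, per-application rule can key on: the peer address."""
    ip, port = peer
    return {"ip": ip, "port": port, "loopback": ip.startswith("127.")}


def proxy_view(raw_request):
    """Recover (host, port, request form) from the first request the proxy reads."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if method == b"CONNECT":
        host, _, port = target.rpartition(b":")
        return host.decode(), int(port), "CONNECT"
    if target.startswith((b"http://", b"https://")):
        u = urlsplit(target.decode())
        return u.hostname, u.port or (443 if u.scheme == "https" else 80), "absolute-form"
    host_hdr = headers.get(b"host", b"")
    host, _, port = host_hdr.rpartition(b":")
    if not host:                      # Host header had no explicit port
        host, port = host_hdr, b""
    return host.decode(), int(port) if port else 80, "origin-form"


def loopback_demo(raw_request):
    """Send raw_request over a real loopback socket to a stand-in proxy listener.

    Returns (firewall_view, proxy_view) for that single connection. The
    listener port is ephemeral (assumption: it stands in for the proxy port).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = {}

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            result["proxy"] = proxy_view(data)

    t = threading.Thread(target=serve)
    t.start()
    cli = socket.create_connection(srv.getsockname())
    # This peer address is the only thing a per-app outbound rule sees.
    result["firewall"] = firewall_view(cli.getpeername())
    cli.sendall(raw_request)
    cli.close()
    t.join()
    srv.close()
    return result["firewall"], result["proxy"]


if __name__ == "__main__":
    for req in (ABSOLUTE_FORM, ORIGIN_FORM, CONNECT_FORM):
        fw, px = loopback_demo(req)
        print("firewall sees:", fw, "| proxy sees:", px)
```

Run it and every connection shows the firewall side as 127.0.0.1 plus a port, while the proxy side names www.example.com each time; that is exactly why the destination can only be recovered from the proxy process's own log or its own outbound connection, not from the application's rule.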
ratchet
« Reply #21 on: December 29, 2007, 08:33:39 AM »

Did that work? Can you download this program http://www.grc.com/lt/leaktest.htm; it's a very basic leaktest but it's enough to know if the instructions work on your computer. Allow the Defense+ warnings and select "test for leaks". When you receive a prompt from the firewall select Block. Please post the results.

It's not needed. You can use Train with Safe Mode if you want, but (with or without the NOD32 proxy) you won't get prompts for programs in the Comodo safelist and they can connect without your authorization.

Well first of all, let me state I'm an idiot as you'll shortly discover!  Per your initial instructions (Reply #16), my browsers loaded undetected.  Not good I presume.  Then early this morning (like 4:00am) I mistakenly (idiot me!) gave the leak test file permission to download.  Comodo did warn me.  The file did damage Sandboxie, preventing it from opening Firefox.  Each attempt from the shortcut would list two Sb files that could not be accessed.  Everything is back to normal now after a system restore.  Thank You, ratchet
Stanr
« Reply #22 on: December 29, 2007, 09:36:34 AM »

ggf31416

Thanks for looking in to this and your hard work.

I have created the rules as you suggested and removed all preset rules for Opera and got the alerts as you describe.

I then removed the newly created rules and just tried to connect with Opera (just the app I'm using for this test) and still received the same alert as shown in proxy1.png. It seems that as long as a permit rule has not been saved, for Opera in this case, you will get the popup as previously described. This leads me to believe that no matter what the program is, if it has not been granted permission and the rule saved, then an alert will be given if it tries to connect even if the NOD proxy is running. But I'm not sure, as my testing/knowledge is limited.

I tried the leak test from GRC as well as as many as I could from PCFlank and none got to the Internet, sans the rules you described. Some of the leak tests on PCFlank were stopped on download by NOD and some requiring install were stopped by NOD or Comodo at the time of install. I have Comodo firewall set to "Custom Policy Mode" and D+ set to "Train with Safe Mode".

I'm sure I'm missing something here but it seems that Comodo/D+ is stopping these from getting through with the NOD proxy operating and with the Protocol filtering set to "Ports and applications marked as Internet browsers and email clients".

Does the above indicate that if an unknown malware tries to connect and has not been previously granted permission in Comodo/D+, an alert will pop up?

Also, if a malware attempts to alter a previously permitted app to connect would Comodo/D+ alert me to the attempt even if NOD is filtering as I previously described? I would like to test this if such a test exists.

I stress that I'm a real novice at all this so I'm not sure what this means other than that the leak tests failed and I got the alerts. For all I know my computer butt may be hanging out with a welcome sign for the world to kick.

Thanks again for your interest and efforts to help us less informed, it is greatly appreciated.

Stan

XP-Home-sp2 ~ Nod32 v3.0.667.0 ~ CFP v3.5.54375.427
ggf31416
« Reply #23 on: December 29, 2007, 11:08:26 AM »

Well first of all, let me state I'm an idiot as you'll shortly discover!  Per your initial instructions (Reply #16), my browsers loaded undetected.  Not good I presume.  Then early this morning (like 4:00am) I mistakenly (idiot me!) gave the leak test file permission to download.  Comodo did warn me.  The file did damage Sandboxie, preventing it from opening Firefox.  Each attempt from the shortcut would list two Sb files that could not be accessed.  Everything is back to normal now after a system restore.  Thank You, ratchet

Sorry for your problems with the leaktest but I really don't understand how that could happen. The only thing that leaktest.exe does is create an outbound connection, so it's impossible that it damaged Sandboxie. Maybe it was some rare conflict or you mistakenly blocked something needed for Sandboxie.

With respect to the browsers not being detected, can you enable again the "Enable Alerts for loopback requests" option, set the firewall security level to Custom, remove the rules for Internet Explorer, run Internet Explorer, access the Google page (or any other safe HTTP page), and post a screenshot of the firewall alert (or write the port number)?
« Last Edit: December 29, 2007, 11:18:46 AM by ggf31416 »
ratchet
« Reply #24 on: December 29, 2007, 02:47:32 PM »

ggf31416, between setting up my wife's webcam and Skype (so we can view our new granddaughter between 600mi visits), my wife's iPod, and my Canon S5 IS Camera (the kids got me that for xmas), I'm kind of fiddled out.  I'm even considering reverting back to v2.7 of NOD and trying the Online-Armor free firewall since it isn't quite as feature rich as Comodo.  Of course that would require more fiddling, so for the time being I may just stay the course since I know I'm not going to get into any malware anyway.  ratchet
Bizarre™
« Reply #25 on: December 29, 2007, 03:37:41 PM »

Here.
http://www.wilderssecurity.com/showpost.php?p=1124960&postcount=17

Problem Solved.
perigee
« Reply #26 on: December 30, 2007, 11:46:35 AM »

Correct me if I am wrong, but as I see it there are two options:

option 1: If you don't want to use or be bothered with NOD v3's proxy, then the link that Bizarre just gave is the way to go.

option 2: If you want to filter Internet data transfers for viruses and malware before they get on your computer (where it is then up to your resident AV/malware programs to detect them), then ggf31416's post #16 seems to be the way to go.

I am using option 2 for the extra protection I get using NOD v3's Internet data filtering capabilities and CFP's program access capabilities. This seems to be the best of both worlds for these two applications at the moment. I may be wrong but it won't be the first or the last time.

thanks for all the helpful posts.........................
« Last Edit: December 30, 2007, 11:54:02 AM by perigee »
ggf31416
« Reply #27 on: December 30, 2007, 02:06:24 PM »

I edited my post as I'm not sure if NOD32 uses the same port on all computers.
Enabling the "Enable Alerts for loopback requests" option should guarantee that connections passing through the NOD32 proxy are intercepted, if there are no rules allowing those connections.
ratchet
« Reply #28 on: December 30, 2007, 04:59:55 PM »

ggf31416, I did pass the test last night with the "default" settings, although "Alerts for Loopback Requests" was already enabled.  I put your policies and rules back in place today.  Also, there is already a Global Rule "Block And Log IP IN Any To IP Any Where Protocol Is Any".  Not sure if that is by default or I put it there upon some other recommendation.  How does it affect, if at all, your rules?
ratchet
« Reply #29 on: December 30, 2007, 06:32:42 PM »

I totally failed the leak test!  I download the file, open it and Comodo asks, I say block.  Then the leak test box opens, I hit test and I fail.  I delete the file, go through the whole thing one more time, only this time the file opens without even a whimper from Comodo.  I hit test and I fail.  Now what?