It’s a long thread but you’ll get the gist reading a few of the initial posts. I trust NOD32, especially its ability to recognize “new” malware, so I’m not interested in compromising it, however, I’m a long time Comodo user and want to take advantage of its firewall functionality and if I understanding this NOD issue, I’m not sure how to accomplish that. Basically, I need to know that if Firefox, Outlook Express and occasionally IE7 are tunneling through this ekrn.exe, is Comodo Firewall still capable of doing what it was designed to do? Please view this screenshot of my Network Security Policy and suggest changes to it or any other Comodo setting. Thank You!
http://xs322.xs.to/xs322/07486/ScreenShot001.png
On another thread, a user reports that the firewall can log connection attempts, but they are all logged as being from ekrn.exe, so the originating program is not being controlled by the firewall’s rules. This looks like a massive hole in the firewall and I am not sure that I would want to lose the ability to control different applications’ access rights. I don’t use NOD, but I would howl loudly about this design.
D*mn right!
Edit:
Read the article below thoroughly and you might find the answer.
I got mine sorted (I think), but I had to change the settings of both NOD32 and CPF.
Just my 2 cents.
actually they’re not going to fix that as it’s a feature, not a bug :-)))) why doesn’t anyone complain about KAV tunneling? or did i miss something?.. (haven’t used KAV for several years)
i personally have all these email/http scanners disabled
look guys, there was already another thread like this one with people being worried with Kaspersky or NOD32 allowing all traffic and CFP loosing application control on Firefox or Internet explorer. I’m using Avast that has a very similar feature with its WebShield proxy. So why not just apply to the webshield exactly the same rules as those who’d be originally applied to the browsers. That is just what I did, apply to Avast WebShield the Web Browser rules from Def+ and I can see no reason why this shouldn’t be as efficient.
adding: not to mention that I still have in my logs some outgoing traffic (to Akamai for instance) directly blocked on Firefox. I got the Web Browser rules applied to both Firefox and the WebShield.
[attachment deleted by admin]
Applying the browser policy to ekrn.exe would work when it is a browser connecting, but for other applications, different ports are generally used. Moreover, you cannot get warning when malware uses ekrn.exe to connect. The virtue of the firewall is that it allows you to review connection requests from unknown programs. When ekrn.exe is the only requesting program shown, you get no warning if the malware manages to evade recognition by ekrn.exe. It is admittedly a last ditch kind of protection, but it is the only way to - maybe - identify zero-day infections.
yeah I should have mentioned that Avast WebShield proxy is only active on HTTP traffic, so my post was only relevant in the case of a browser connection of course. Oh I’ve noticed that apps other than browsers using HTTP ports are not covered by this webshield, as their traffic still appears on a per application basis in the connection list.
I didn’t know that NOD32 ekrn.exe covered all connecting apps. That’s indeed an issue for firewall management that leaves apps connecting through different ports and protocols unprotected.
NOD32 proxy can be limited to browser and email client traffic only under “Protocol Filtering” > “Applications marked as Internet browsers and email clients” as opposed to “Ports and applications marked Internet browsers and email clients”.
I, however, leave the latter checked with CFP on “Train with safe mode” and D+ on “Train with safe mode”.
As stated in other threads, with these settings, I have tried several leak tests and they were stopped by D+ or CFP. On several occasions when I tried to download some of the tests from PCFlank they we’re either killed by NOD on arrival or on install by D+ or NOD. Those that I did manage to get installed and/or exectuted did not connect to the Internet as CFP and or D+ alerted me to the attempt and I clicked block and it did. I did not save the block settings in case I want to test the system in the future.
Perhaps I’m missing something, I’m not a tech, or just lucky, most likely, but that’s been my experience with NOD and CFP/D+.
For the moment I feel that bot apps are doing their jobs as designed. This may be totally wrong which I’m sure, hope, someone will point out to me.
Stan
OS-XP-sp2 … AV-NOD32 v3.0.621.0 … FW-CFP v3.0.14.276
so if NOD32 proxy can be limited to browsers and and email clients, CFP could protect it…hmm, doesn’t really make sense to apply both browser rules and email client rules to the same app though. Can’t tell what it would do (:LGH)
I’m not sure what you mean by applying the same rules to email clients and browsers. I have the browers set with the CFP “Predfined Browser Policies” and the email with “Predefined email client policies” and with custom polcies under D+ if that’s what you mean.
For NOD32 (ekrn.exe) I have a custom FW rule - any, any ,any and a custom policy set under D+ as set during my “clean PC mode”. I have not changed this as I’m not sure what to change it to but I’m looking in to it. After 6 days of reading help files, setup and testing for both NOD and CFP v3 I’m taking a break to, hopefully, do some other work and safely surf the net .
Stan
On Edit
I would like to make it clear that contray to the subject of this post I do not consider myself “knowledgeable” of either app. But trying and learning as I go. I strongly feel it will be worth it in the end with a safer computer.
From what I’ve been reading NOD 2.7 isn’t inferior to 3.0, it’s just different. I run NOD default and as a trusted app with CFP.
Seems to be working. When NOD expires in June I plan on giving CAV a try. (B)
Your rules for NOD32 are fine - it is not going to make stray connections for applications that do not fit the NOD32 filter you have defined. Most programs have a limited internet connection defined within its own code and do not have the potential to provide internet connection to another program. The problem occurs when you have programs like Firefox and IE that can act as conduits for requests by other software. Having NOD32 scan the connections in real time is effective and the loss of the firewall control of such connections is only a problem for zero-day infections (or ones that NOD32 does not recognize) sending data out. You may feel that this loss is minor compared to the security of having NOD32 scan the connections in real time.
AnotherOne,
I think you are referring to my post regarding the settings I have in CFP for NOD32. If so thank you for the information, if not …OOPS!
Perhaps you can shed some light on a question I have, amongst many.
If NOD is routing the connections for web browsers, say from Opera, to the Internet is it not still passing through CFP first?
If I change my rule in CFP from “Web Browser” to “blocked application” for Opera it can not connect regardless of the state of NOD.
Based on the above I have it in my mind as follows:
Opera->CFP->NOD->Internet
Based on other posts I have read seem to indicate as follows:
Opera->NOD->Internet
Which does not explain why Opera, a “Blocked Application” in CFP, could not connect.
I may be way off base on how this all works but that’s what I’m trying to figure out.
Thanks,
Stan
Hey stanr,
BLOCKED APPLICATION means that it is prevented from executing. If the application can’t start, it can’t connect to the internet, regardless of whether NOD is going to try and stick its nose into the equation. The blocking occurs before any attempt at communications is possible.
Hope this helps,
Ewen 
Yes it did help. Thank you very much for your reply and the information.
Stan
There is not tunnel, it’s just a problem of incorrect configuration and rules.
I will see if I can install a trial of NOD32 and test it.
OK, good news and bad news.
Good News: Configuring comodo to control the “tunnel” is a PoC (Not a Proof of Concept but a Piece of Cake (:LGH))
First you have to enable Firewall → Advanced → Firewall Behaviour Settings → Alert Settings → Enable Alerts for loopback requests
I not sure if the port is the same on all computers, if you do the following please check that the communication is not allowed without prompt.
Now remove the rules for your browser (or another application that connects to Internet, e.g. an updater or leaktest) and try to access a HTTP web page with that program(HTTPS doesn’t use the proxy in the default configuration), you should receive a prompt similar to the first and second screenshot. Make sure that your Firewall Security Level is set to Custom.
Please provide feedback.
Bad News: I think I found a bug in Comodo while testing NOD32, the exclude checkbox in the destination port is not working!
[attachment deleted by admin]
Nice job! Note that people should NOT choose “Treat this application as…” and any of the Web Browser or Email Client options on the pop-up. Just clicking Allow would be fine.
ggf31416, thank you for all this work! Hopefully you’ve nailed it and I’ve entered your policies and rules correctly. Have a great new year!
p.s. I assume Comodo Firewall Security Level now needs to be set to “Custom Policy Mode”.
Did that worked? Can you download this program GRC | LeakTest -- Firewall Leakage Tester , it’s a very basic leaktest but it’s enough to know if the instructions work in your computer. Allow the defense+ warnings and select “test for leaks”. When you receive a prompt from the firewall select Block. Please post the results.
It’s not needed. You can use Train with Safe Mode if you want but (with or without the NOD32 Proxy) you won’t get prompts for programs in the comodo safelist and they can connect without your authorization.
[attachment deleted by admin]