CPF 3 and Kaspersky 7 - again!

Hi everybody

I’ve recently installed CPF 3.0.14.276 on my main XP Pro SP2 computer, which runs Kaspersky AntiVirus 7.0.0.125 (KAV was installed first and disabled during the CPF installation). Internet monitoring is enabled on KAV as well as Defense+ on CPF, and they seem to work happily together… but a closer examination shows that CPF’s application rules are ignored because KAV “steals” the traffic.

When I set KAV to monitor the traffic on all ports, every connection from every application is made by KAV and not by the application itself, so to speak. At least that’s what CPF believes, because the only connections that are listed when I use “View Active Connections” on CPF come from avp.exe (i.e. KAV’s main process) and applications that are blocked in CPF can access the Internet. Even worse, when I set CPF’s firewall security level to “Block All Mode”, CPF does not block anything at all. (KAV is set as a trusted application in CPF, by the way, and I have not messed with CPF’s default rules and settings).

If I want CPF’s firewall application rules (or security level) to be taken into account, I must disable KAV’s traffic monitoring on every port, which is obviously not something I’d like to do. So where’s the trick? How have you guys managed to have both KAV and CPF monitor Internet traffic and do their own jobs at the same time?

Thanks.

This is similar to a problem that NOD32 users have had. Try the following: click Firewall > Advanced > Firewall Behavior Settings. Click the Alert Settings tab and check “Enable alerts for loopback requests”. That may fix the problem, depending on the method that Kaspersky uses to monitor the web connection requests. Otherwise, see:
https://forums.comodo.com/help_for_v3/can_you_knowledgeable_folks_please_help_us_with_nod32_v3-t16416.0.html
for ideas (I don’t know anything about either Kaspersky or NOD32 in detail).

Unfortunately, the “Enable alerts for loopback requests” setting was already checked, so I’ve read the topic you told me and then the 8-page topic on wilderssecurity.com that was mentioned in it, but to no avail.

It seems there is indeed an acceptable workaround for Nod32, because Nod32 lets users choose whether they’d like it to monitor the Internet traffic or not on an application basis - i.e. they can tell Nod32 to monitor their browser, email client or any other application they do use and not monitor anything else, so they’ll be spotted by CPF when they first attempt to connect. But there’s no such thing in KAV. The only option you have is on a port basis - i.e. you can tell KAV to monitor port 80 (for instance), so you’ll be protected virus-wise, but any application can use that port to phone home and CPF won’t notice; or not monitor port 80, so CPF will check for connections but KAV won’t scan the traffic. On the other hand, KAV will spot the malware (if any) when the file gets written to the disk, and I don’t know what kind of extra protection this traffic monitoring offers, so I’d rather have CPF do its job properly for the time being.

Both topics also led me to experiment with global rules to check for access to loopback zone or 127.0.0.1, but it does not seem to work on CPF either (as another search for topics that deal with localhost shows).

Bottom line, that doesn’t explain how those who run CPF (with Defense+) and KAV (with traffic monitoring) simultaneously have succeeded in doing so. Any other advice?
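The symptom described in this thread (every outbound connection appears to belong to avp.exe, while the real applications only ever talk to 127.0.0.1) is visible outside CPF too, in the output of `netstat -ano` plus the PID-to-image mapping from `tasklist`. The following is an added example, not code from the thread or from either vendor: it parses constructed, labelled sample output in the Windows XP `netstat -ano` format and reports whether a single local proxy process owns all external connections while other processes are confined to loopback, which is exactly the pattern that makes per-application firewall rules ineffective. The sample addresses, ports and PIDs are made up for the illustration.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (Windows XP column layout).
# Not captured from a real machine; addresses, ports and PIDs are invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1037         127.0.0.1:1110         ESTABLISHED     1900
  TCP    127.0.0.1:1110         127.0.0.1:1037         ESTABLISHED     812
  TCP    127.0.0.1:1041         127.0.0.1:1110         ESTABLISHED     2244
  TCP    127.0.0.1:1110         127.0.0.1:1041         ESTABLISHED     812
  TCP    192.168.1.10:1038      203.0.113.5:80         ESTABLISHED     812
  TCP    192.168.1.10:1042      198.51.100.7:80        ESTABLISHED     812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""

# Constructed PID -> image-name map, as `tasklist` would provide it.
SAMPLE_TASKLIST = {4: "System", 812: "avp.exe", 1900: "firefox.exe", 2244: "unknownapp.exe"}

# Only TCP rows carry a State column; UDP rows are skipped by this pattern.
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat -ano text into a list of connection dicts."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # header, blank line, or UDP row
        local, foreign, state, pid = m.groups()
        conns.append({"local": local, "foreign": foreign, "state": state, "pid": int(pid)})
    return conns


def is_loopback(addr):
    """True for 127.x.x.x:port endpoints."""
    return addr.startswith("127.")


def proxy_masking_report(netstat_text, pid_to_image, proxy_image="avp.exe"):
    """Return (masked, external_owners, loopback_clients).

    masked is True when every established external connection is owned by
    proxy_image and at least one other process is talking only to loopback:
    the signature of a local scanning proxy hiding the real originators.
    """
    conns = parse_netstat(netstat_text)
    for c in conns:
        c["image"] = pid_to_image.get(c["pid"], "pid-%d" % c["pid"])

    established = [c for c in conns if c["state"] == "ESTABLISHED"]
    external = [c for c in established if not is_loopback(c["foreign"])]
    external_owners = Counter(c["image"] for c in external)

    # Processes other than the proxy whose only peers are on 127.0.0.1.
    loopback_clients = {
        c["image"] for c in established
        if is_loopback(c["foreign"]) and c["image"] != proxy_image
    }

    masked = (
        bool(external)
        and set(external_owners) == {proxy_image}
        and bool(loopback_clients)
    )
    return masked, external_owners, loopback_clients


if __name__ == "__main__":
    masked, owners, clients = proxy_masking_report(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    print("external connections owned by:", dict(owners))
    print("processes confined to loopback:", sorted(clients))
    print("application rules masked by proxy:", masked)
```

On a live machine the two inputs come from `netstat -ano` and `tasklist` run together; if the report flags masking, a per-application firewall rule for anything in the loopback-client set cannot be taking effect, regardless of how the rule is written, because the firewall never sees that process reach the network.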

On the other hand, KAV will spot the malware (if any) when the file gets written on the disk
The main goal of this “traffic scanner” is to prevent mass virus mailing. But I can’t seem to see the real sense of it, since if you have malware and the AV is silent, why would it detect emailing malware? I personally keep all this “web scanner” stuff disabled and have only on-create/on-modify and on-execute realtime scans (NO on-access scanning), and it works fine for me.

And a hypothetical use could also be like this: you get an unknown malware which acts like a virtual machine. It can hide itself from scanners and uses its own file subsystem, like a virtual hard drive or something (just a single file on your C: drive, probably in the system32 dir, but with loads of nasties inside). It can download files and store them inside without being detected by AV scanners, and the only way to catch downloading malware is to scan its traffic. Of course this means a user must be a complete idiot to get this concept to work.

But the problem: CFP can’t block any program, because it thinks that it’s KAV trying to connect (((( (same problem if I set svchost as a “trusted application”: CFP sees only svchost’s internet connection, but not any program; I use DSL at home, local gateway).

How do I make CFP see which program tries to connect, rather than KAV or a system process?

sorry for english

Plain and simple, I say. KAV doesn’t get along with any other program. Comodo and NOD32 get along very well, I might say so myself.

http://support.kaspersky.com/faq/?qid=208279367

Yes, plain and simple, KAV/KIS can be installed alongside any program: (:WIN)
http://support.kaspersky.com/faq/?qid=208279498

BTW, Comodo runs very well here with KIS…

KIS can’t do things like phishing and pop-up/banner filtering if scanning is disabled for the ports on which web pages are loaded…