CPF 3 & ESET NOD Antivirus V3

Hello! First, sorry for my bad and limited English.

A question about the compatibility of both programs:

  • NOD AV3 has the option to filter, in active mode, all HTTP and POP3 traffic handled by Internet browsers and e-mail clients.

    When I use this option, the application traffic window of Comodo Firewall shows that all communications of this type, usually OUT, are handled by the NOD antivirus through “ekrn.exe”.

The question: if I trust “ekrn.exe” in the Comodo security policy and allow all communications for this
executable, trusting its IN & OUT requests, what about security if an INBOUND
request is sent to the primary application, e.g. Mozilla Firefox, Internet Explorer, Office
Outlook, and others?

Thanks for any possible explanations of this question.

Best regards!

Let me associate myself with the previous question. And how will the outbound connection be monitored with CFP3?

I really don’t know how this would work exactly, but there may be a conflict between the NOD scanner and CFP. That said, you should try giving the NOD scanner Trusted Application status in both the Firewall and Defense+. Defense+ is the more important one here, because it controls access to processes in RAM. Click Defense+ > Common Tasks > My Own Safe Files. On that window, click Add and either select “Browse Running Processes” and select the ESET NOD process (sorry, I don’t know the name to add) or use Browse Files to go to the ESET NOD directory and add the program that does the scanning from there.
The Firewall page is similar: click Firewall > Common Tasks > Define a New Trusted Application. In the small window, click Select and choose the NOD file from Browse Running Processes or Browse Files. This may not be necessary; I don’t know if the scanner ever accesses the Internet or if it just scans incoming data.

Sorry for my English. I hope you understand my post :)

I have read a lot of information about NOD v3 and firewalls. The subject is a problem. The technology used in NOD v3 for inspecting HTTP traffic (which ESET and Microsoft called the best) makes a big hole in security, because NOD uses its own proxy process (ekrn.exe).

Of course all traffic passes through the firewall, but… it is impossible to identify the owner (source) of traffic after it has passed through NOD. And any firewall (not only Comodo) doesn’t know who sent the information and can’t block it or apply other rules (for example, per application) to this traffic if NOD is added to the trusted zone.

And there are no methods to solve this now.
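The attribution problem described in the post above, as an added illustration that is not part of the original thread and is not ESET's or Comodo's code. It models a per-application firewall that decides on the process owning the socket that reaches the network, and a hypothetical local filtering proxy (called “scanner.exe” on a made-up loopback port; the real mechanism ekrn.exe uses is not described on this page). The constructed socket tables show that once traffic is relayed, every external connection belongs to the proxy, so the browser's own rule, and more importantly the “ask” default for an unknown program, never fires; the last function shows the best a firewall could recover from the socket table alone, which is only a list of candidate origins, not a one-to-one mapping:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One entry of a TCP socket table (constructed model, not a real netstat)."""
    owner: str   # image name of the process that owns the socket
    laddr: str
    lport: int
    raddr: str
    rport: int


PROXY = "scanner.exe"   # hypothetical stand-in for a local filtering proxy
PROXY_PORT = 30606      # hypothetical loopback port the proxy listens on

# Per-application policy, first match wins; "*" is the default verdict.
RULES = [
    ("firefox.exe", "allow"),
    ("outlook.exe", "allow"),
    (PROXY, "allow"),       # the proxy has been marked Trusted
    ("*", "ask"),
]


def decide(owner):
    for app, verdict in RULES:
        if app in ("*", owner):
            return verdict
    return "ask"


def is_loopback(addr):
    return addr.startswith("127.")


def external(conns):
    """Connections whose remote end is outside the host."""
    return [c for c in conns if not is_loopback(c.raddr)]


def verdicts(conns):
    """What the per-app firewall decides for every connection that leaves the host.
    Keyed purely on the socket owner, like an application-layer firewall rule."""
    return [(c.owner, c.raddr, c.rport, decide(c.owner)) for c in external(conns)]


def candidate_origins(conns):
    """Processes currently connected to the proxy's loopback listener."""
    return sorted({c.owner for c in conns
                   if c.raddr == "127.0.0.1" and c.rport == PROXY_PORT
                   and c.owner != PROXY})


def attribute(conns):
    """Best effort from the socket table only: for each proxy-owned external
    connection, list every process that is talking to the proxy. A single
    candidate identifies the origin; several candidates mean it is ambiguous."""
    cands = candidate_origins(conns)
    result = {}
    for c in external(conns):
        result[(c.raddr, c.rport)] = cands if c.owner == PROXY else [c.owner]
    return result


# Constructed socket tables: the same two programs, without and with the proxy.
DIRECT = [
    Conn("firefox.exe", "192.0.2.10", 49152, "198.51.100.5", 80),
    Conn("unknown.exe", "192.0.2.10", 49153, "203.0.113.9", 80),
]

PROXIED = [
    # each program talks to the proxy over loopback...
    Conn("firefox.exe", "127.0.0.1", 49160, "127.0.0.1", PROXY_PORT),
    Conn("unknown.exe", "127.0.0.1", 49161, "127.0.0.1", PROXY_PORT),
    Conn(PROXY, "127.0.0.1", PROXY_PORT, "127.0.0.1", 49160),
    Conn(PROXY, "127.0.0.1", PROXY_PORT, "127.0.0.1", 49161),
    # ...and only the proxy owns the sockets that reach the Internet
    Conn(PROXY, "192.0.2.10", 49162, "198.51.100.5", 80),
    Conn(PROXY, "192.0.2.10", 49163, "203.0.113.9", 80),
]


if __name__ == "__main__":
    for row in verdicts(DIRECT):
        print("direct ", row)
    for row in verdicts(PROXIED):
        print("proxied", row)
    print(attribute(PROXIED))
```

Run directly, the proxied table gives “allow” for both external connections, including the one that unknown.exe originated and that would have triggered an “ask” prompt without the proxy; the attribution step can only say “one of firefox.exe or unknown.exe”, which is exactly the gap the post describes.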

You can try writing a rule in the Firewall to test whether ekrn.exe has the connection passed to it from the firewall or whether it steals the data stream before the firewall can see it. Click Firewall > Advanced > Network Security Policy. On this page, scroll down to see if ekrn.exe has an entry. If it does, select the entry and click “Edit”. On the Edit page, select the “Allow IP In” (or “IP In/Out”) rule, click “Edit”, and in the second drop-down box change “Allow” to “Ask”. Then click “Apply” in that window and in every other window that has an “Apply” button. Then try using your browser; if it is CFP that sees the Internet traffic first, it will “Ask” you to allow ekrn.exe. This is only a test to see if the firewall can log the traffic that ekrn.exe monitors.
If there is no entry for ekrn.exe, you would have to add one and then write rules to monitor the Internet traffic. From the Firewall > Advanced > Network Security Policy page, click Add, click the Select button, and then choose either “Running Processes” or Browse. The first identifies the processes in RAM and lets you choose the ekrn.exe process; the second lets you browse to the directory on your hard drive where ekrn.exe resides. After the process is added, you should define rules for it. It would need rules similar to a “Trusted” program, but you would have to change the rule for “Allow IP…” to “Ask IP…” as described above.
If you do not get alerts when ekrn.exe works on your browsing, it avoids the firewall and there is no log of connections.

Of course CFP can show this traffic. But CFP doesn’t show, and I don’t know, the genuine application that sent this traffic. For CFP and for me it will always be ‘ekrn.exe’.

If I create an ‘Ask’ rule for ‘ekrn.exe’, I will be asked about it all the time. That isn’t acceptable.

I did not understand the problem. This is a problem for outbound traffic especially. If the connection is passed from ekrn.exe, it would show as the source of the connection, if I understand you now. I don’t see how this can be fixed from CFP, short of creating an “Ask” rule in the Defense+ module, but the connection would be hard to relate to the Ask pop-up without you checking each one as it happens. I would complain to NOD about the problem: they should be able to inspect the connection attempt without taking it over entirely. Or if they do, they should provide connection logs themselves.

Yes, yes. This is not a CFP problem. This is a problem of the NOD algorithm. I just want to draw attention to this problem for other people.

Can anyone explain again how I solve that problem? I didn’t understand…

Until NOD does something, I don’t believe there is a solution if we want NOD scanning our traffic.

Hi everyone,

It may be a bit off topic, but do we really need HTTP scanning? I never understood what real benefit it gives besides slowing down my browsing speed. I know that it should catch nasties before they reach my HDD, but what if it is written to my hard disk? The file monitor modules of AVs check read and write actions as well, so if HTTP scanning is off it will still be intercepted before it can run itself. And if it is not in the virus database, then HTTP scanning is also useless (just an additional system hog); if this is the case, CFP will still be there to save your day.
This is just from my novice point of view; feel free to correct me.

So there’s no solution for this right now?

As far as I know there is no perfect solution so far. But if you turn off the web monitor part of NOD until there is one, you should be OK.

Blas, here is my take on the situation. Just this week my wife, who is a Physician Assistant, was doing some research online when she opened a search result that contained a virus. NOD32 immediately quarantined it and I was able to remove it. Although this has only happened twice in the past 12 months and probably only four or five times in the past three years, legitimate-looking search results can be a virus waiting to happen. Even though this event happened in a sandboxed (Sandboxie) environment, it still makes me leery of running without anti-virus monitoring, especially when my wife is online, since she isn’t into this security thing. We NOD users are very frustrated with ESET right now. Although we could go back to their v2.7, their v3 is a nice piece of work, with the exception of the ekrn.exe proxy issue.

I understand, but if the threat was quarantined it means that it was written to the hard disk, thus making the web scan useless. I tried the beta version of NOD v3, and if the HTTP scanning is working correctly it should intercept the malware on the go and block the connection before anything is written to the hard disk (I downloaded virus samples for testing and of course sent the ones that I was able to download to ESET and Comodo; downloading a sample doesn’t mean a real threat if you don’t run the thing).
My point is that if the malware is intercepted when written to the disk with the web monitor turned off (all the other monitoring still on), then the HTTP scanning function is only an outer perimeter protection, which is good indeed, but for me it is not strictly necessary. I may add that my theory is not proven, so I’m not 100% sure about it; I will test it out in the future.