Is there a way/site to check applicaton -> proxy -> firewall -> web behaviour?

Is there a way (or a site) to check the firewall and see:

  • if it blocks outboud connections to a certain port (I mean… to see if it blocks the access to a certain port on the target site)
  • if it blocks inbound connections
  • what is the behaviour of a proxy redirecting the traffic from my PC to the target site (I have NOD32 EAV4 that proxies with its ekrn.exe my Internet Explorer traffic)

All this with TCP and UDP connections

Is there a way to do this?


For inbound tests you can use Shields UP!
For outbound protection you can use LeakTest

Depends where the proxy sits;
If it’s a local proxy on your PC like most intercepting AV proxies all it does is sit between your browser and the network interface and “inspect” the traffic before it goes on the waves/wire.

If it’s a remote proxy then your browser “tunnels” the HTTP requests to the proxy server, so all your outgoing traffic so your local FW will only see traffic from your browser(s) to the proxy.
The traffic enters the remote proxy and the remote proxy will do the web request for you to the site.
In between it could enter Headers like X-Forwarded-For which could contain your Internet IP you use to connect to the proxy.

Both tests are ok :-TU

So I think ekrn.exe acts as a local proxy

Yes so it’s Browser → ekrn.exe → PC Out → Internet → WebServer

At wilders they gave this reply

It works exactly like described in the link posted above ....(see pic). NOD goes out via TCP to localhost, post 30606. Browsers listed in NOD don't make a direct connection. NOD does. Important thing is to allow ekrn.exe to localhost:30606. But also important is to restrict EVERY application in the firewall from using that port. So rules which allow loopback for other applications needs to use at least two ranges in a way that excludes 30606 (1-30605, 30607-65535). To prevent tunneling behind your back.

For Avast it’s 12080, Avira’s is 44080. Same story.

Could someone kindly explain what “tunneling behind your back” means and if it is correct from COMODO’s point of view?

[attachment deleted by admin]

My understanding is that ekrn.exe doesn't open ports at all. What it does, as described by others in this thread, is to filter web and/or email traffic via a proxy for the sole purpose of checking it for malware, not to function as an outbound firewall. What gets filtered and what doesn't depends on how application filtering in the Protocol filtering section in NOD32 advanced settings is configured.

When an application tries to make an Internet connection, Comodo firewall will see the attempt, and will alert for any application that is not on the safe list (assuming the firewall is in Safe Mode) and for which a rule is not already defined. This does not mean that Comodo has been bypassed, as it is still Comodo that initially determines whether or not to allow the connection. You can check this by disabling or deleting the firewall rule(s) for the browser, switching to Paranoid Mode, then launching the browser to make an Internet connection. Comodo should immediately detect and alert you to the attempt. This will prove that the firewall is not being bypassed.

It does affect the way Internet traffic is reported within Comodo though once the connection has been allowed. If the connection is one that NOD32 has been configured to filter via its proxy, then Comodo will show the network connection as having come from the NOD32 proxy, and not the application. This is in a sense correct as it is the proxy that has made the Internet connection, not the application directly. Although unsatisfactory from a reporting point of view, it doesn’t represent a loss of control. The problem is that Comodo can’t see inside the NOD32 proxy to report the application that requested the connection. This is not specific to Comodo; it is true of all third-party firewalls and there is no solution.

You basically have three choices: (1) Live with the situation as it is; (2) Disable web filtering for applications that you want to see correctly reported by Comodo firewall (not recommended); (3) Upgrade to ESET Smart Security which includes a firewall that works with the proxy to report traffic correctly.

The other alternative would be to upgrade the operating system. I assume that you’re on Windows XP as I believe that NOD32 filtering is only done via a proxy on XP. On Vista and Windows 7, it is my understanding that filtering is done via WFP (not supported by Microsoft on XP).

Did they catch the point?

What they mean is the following.

Most software firewall monitors for applications that want to connect out of the system.
But on your local system there is also a lot of connection stuff going on.

If you don’t monitor those local connections a Firewall alone can’t make the difference between browser X, Y and malware Z connecting to the NOD proxy because that’s not what the firewall monitors (unless configured to do so). It only monitors the application that really goes out the computer to connect to the Internet (read all but traffic) and that’s the NOD proxy in this case.

So if malware connects to localhost:portofproxy (e.g. localhost:30606) it could connect to the Internet without you being alerted that it does so.

Well, apart from Internet Explorer and Outlook Express, I have no other application which is allowed to connect to the loopback zone, so everytime some application (for example “Free Download Manager”) tries to connect to the loopback zone I see a warning.
Is it enough to say that, from this point of view, I am protected against what you are describing?

Looks like it, you could test for example from a command-box

telnet localhost

e.g. “telnet localhost 30606”

A firewall warning pops up asking me if I want to allow/block :-TU