I am not a computer expert, so please excuse me if I am not technically correct in my question
The fact is that NOD32 EAV 4.27.67.10 uses ekrn.exe as a proxy “to check the data transmitted via the HTTP and POP3 protocols”
So if I set in NOD32 settings my Internet Explorer as a “Web Browser” all the traffic passes thru ekrn.exe
The first question is: What does it change for me? Do you mean that I was in this situation
Internet Explorer <–> [COMODO FW + “COMODO Web Browser policy”] <–> Outside
and now I am in this one?
Internet Explorer <–> ekrn.exe <–> [COMODO FW + ekrn “policy”] <–> Outside
If this is right, do you mean that in the latter case COMODO FW doesn’t use anymore (when IE is trying to connect to some site) the “IE Browser rules” but uses “ekrn rules”?
Do firewall rules (policies) apply only when an application tries to go outside my PC and don’t apply between an application and the proxy? (in this case between IE and ekrn.exe)
The second question is: Can the problem be solved setting appropriate rules for the proxy (=ekrn.exe) and do someone have the firewall rules/policy I should set for ekrn.exe?
Setting for ekrn.exe the “Web Browser policy” doesn’t seem the solution for me.
I know I can disable this protocol filtering (and in fact is what I did) but I am always sorry when I disable something that should protect me more
Maybe this is the most correct explanation (taken from wilderssecurity)
My understanding is that ekrn.exe doesn't open ports at all. What it does, as described by others in this thread, is to filter web and/or email traffic via a proxy for the sole purpose of checking it for malware, not to function as an outbound firewall. What gets filtered and what doesn't depends on how application filtering in the Protocol filtering section in NOD32 advanced settings is configured.
When an application tries to make an Internet connection, Comodo firewall will see the attempt, and will alert for any application that is not on the safe list (assuming the firewall is in Safe Mode) and for which a rule is not already defined. This does not mean that Comodo has been bypassed, as it is still Comodo that initially determines whether or not to allow the connection. You can check this by disabling or deleting the firewall rule(s) for the browser, switching to Paranoid Mode, then launching the browser to make an Internet connection. Comodo should immediately detect and alert you to the attempt. This will prove that the firewall is not being bypassed.
It does affect the way Internet traffic is reported within Comodo though once the connection has been allowed. If the connection is one that NOD32 has been configured to filter via its proxy, then Comodo will show the network connection as having come from the NOD32 proxy, and not the application. This is in a sense correct as it is the proxy that has made the Internet connection, not the application directly. Although unsatisfactory from a reporting point of view, it doesn’t represent a loss of control. The problem is that Comodo can’t see inside the NOD32 proxy to report the application that requested the connection. This is not specific to Comodo; it is true of all third-party firewalls and there is no solution.
You basically have three choices: (1) Live with the situation as it is; (2) Disable web filtering for applications that you want to see correctly reported by Comodo firewall (not recommended); (3) Upgrade to ESET Smart Security which includes a firewall that works with the proxy to report traffic correctly.
The other alternative would be to upgrade the operating system. I assume that you’re on Windows XP as I believe that NOD32 filtering is only done via a proxy on XP. On Vista and Windows 7, it is my understanding that filtering is done via WFP (not supported by Microsoft on XP).
So, no problem with security but only a little problem in visualization