Possible conflict with CFP v 3 and NOD32 v 3?

Sorry if it’s been brought up before…

Even though I haven’t tried again today to rectify the problem, I’m concerned about CFP v 3 not passing the leaktest. I’m running NOD32 v3 and noticed this thread on Wilders.

What say you? :smiley:

We suspect that most of these problems have stemmed from the use of CFP 3’s Defense+ Security Level of Clean PC Mode. In this mode any previously downloaded leaktest (i.e. present before CFP 3 was installed or set to this mode) will be accepted as “trusted” by CFP 3.

No, it really is an incompatibility between CFP 3.0 and NOD32 3.0.

The problem is that NOD32 acts as some kind of proxy for Internet access, so that access by other applications is funneled through NOD32. Therefore, when another application tries to access the Internet, that attempt shows up in the CFP logs as an attempt by ekrn.exe (the NOD32 kernel) to access the Internet; the actual application that is trying to access the Internet does not show up in the logs, and CFP apparently can’t tell that the actual access attempt is coming from another application.

Therefore, CFP treats all those attempts at Internet access as if they were attempts by ekrn.exe – and whatever rule applies to NOD32 is applied to all those other attempts.

Specifically, Leaktest from GRC shows up in the CFP logs as c:\program files\eset\ekrn.exe (and the destination IP is the IP of GRC), and since ekrn.exe is allowed access to the Internet, Leaktest is allowed access to the Internet. If I click the Test button on Leaktest 10 times in a row, I get 10 entries in the CFP log showing that c:\program files\eset\ekrn.exe has connected to the GRC server 10 times.

This problem is not limited to Leaktest – if I surf with Firefox, each connection to each web site I visit shows up in the CFP logs as c:\program files\eset\ekrn.exe, not as firefox.exe.

I don’t know whether CFP or NOD32 is to blame, but clearly the two should not be used together.

I uninstalled CFP and installed ZoneAlarm just to see how ZoneAlarm behaves with NOD32 – and ZoneAlarm does better in this instance: it treats access attempts by Leaktest as Leaktest, not as ekrn.exe.

Well, isn’t this just great… Two of my favorite security software programs (NOD32 v3.0 and Comodo v3.0) jointly creating a security risk… I hope that one or the other gets this squared away soon. I’m not going to pretend to know which company needs to make changes, but that said, if the proxy approach by NOD32 is the norm or standard now for many AV programs (so I heard somewhere on Wilders…), then it would seem that Comodo needs to do something. CHUCK

Just replied over there as well.

As I posted…

Just ran some tests.

Actually, what ZoneAlarm is flagging up is not Leaktest’s connection to the Internet, but its internal localhost (127.0.0.1) connection to NOD32’s proxy, i.e. a TCP connection to the ‘trusted’ local zone. Once that is allowed, ZoneAlarm sees no more of it than any other firewall, since it’s then running through NOD32 and all connections from that are allowed.

But it makes a point. Comodo and other firewalls need to be watching localhost connections as well and flagging them up for each application.

Mark

As an aside though, it’s also worth mentioning that Leaktest appears to be a bit dumb.

If it has rights to talk to NOD32 via localhost, it assumes that because it has connected to something it’s breached the firewall and reports as such.

And this was tested on a PC that was physically disconnected from the LAN, so no external connection was possible at all…

“Firewall Penetrated! LeakTest WAS ABLE to connect to the main GRC.COM Web Server!”

Er…sorry. I don’t think so… :wink:

Still, the original point stands. Comodo should really be interrogating localhost connections from unknown apps as well to avoid these types of leaks.
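To make the point above concrete, here is an added illustration (not code from Comodo, ESET or anyone in this thread) of why a firewall that trusts the loopback zone loses attribution behind a local antivirus proxy, and how a policy that inspects loopback connections to the proxy’s listener recovers it. The connection table, the proxy listener port 30606 and the application names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed assumptions: the AV proxy process and the loopback port it listens on.
PROXY_PROCESS = "ekrn.exe"
PROXY_LISTENERS = {("127.0.0.1", 30606)}      # hypothetical listener port
ALLOWED_APPS = {"ekrn.exe", "firefox.exe"}    # apps with an outbound "allow" rule


@dataclass(frozen=True)
class Conn:
    process: str   # process that opened the connection
    dst_ip: str
    dst_port: int


def _app_rule(process: str) -> str:
    return "allow" if process in ALLOWED_APPS else "block"


def naive_verdict(c: Conn) -> str:
    """Loopback is a 'trusted zone': any 127.x connection is waved through."""
    if c.dst_ip.startswith("127."):
        return "allow"
    return _app_rule(c.process)


def proxy_aware_verdict(c: Conn) -> str:
    """A connection into a known local proxy listener is an outbound request in
    disguise, so the originating process's own rule is applied to it."""
    if (c.dst_ip, c.dst_port) in PROXY_LISTENERS and c.process != PROXY_PROCESS:
        return _app_rule(c.process)
    return naive_verdict(c)


def masked_processes(conns) -> set:
    """Processes whose Internet traffic the firewall would only ever see as the proxy."""
    return {c.process for c in conns
            if (c.dst_ip, c.dst_port) in PROXY_LISTENERS and c.process != PROXY_PROCESS}


# Constructed connection table (destination IPs are RFC 5737 documentation addresses).
SAMPLE = [
    Conn("leaktest.exe", "127.0.0.1", 30606),   # Leaktest hands its request to the proxy
    Conn("ekrn.exe", "203.0.113.10", 80),       # proxy relays it; log shows only ekrn.exe
    Conn("firefox.exe", "127.0.0.1", 30606),    # browser traffic takes the same path
    Conn("ekrn.exe", "198.51.100.7", 443),
    Conn("leaktest.exe", "203.0.113.10", 80),   # direct attempt with the proxy disabled
]
```

The proxy’s own outbound leg is allowed under both policies, so the loopback leg is the only point at which a per-application verdict can still be made.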

I am a new user of CFP and NOD32 v3 … I think I like both of these, but what to do with all these incompatibility issues? Any recommendations?

I do not want to downgrade my installation. Are there any configuration changes which tell NOD32 not to use the proxy?

Answered over on Wilders!

What’s the big deal? Disable the NOD32 proxy and that’s it! In fact I never use traffic monitoring, it only slows down my connection. To me it’s like “our antivirus is better 'cos it can monitor web traffic, while others can’t!”… Of course, many modern antiviruses monitor traffic and email, but I can’t imagine the real use of this feature except slowing down a broadband connection. I never open an unknown attachment (AND use Thunderbird), I’ve got the on-access scanner enabled, I’ve got the brilliant Comodo Firewall 3.0 - why should I monitor my traffic when I handpick FW rules to make sure not a single byte leaves my computer without my permission?