Kaspersky anti-virus undermines firewall

on 13.12.2006 18:53:06 by Graham

I have KAV installed, with everything enabled including scanning of http
traffic ("web anti-virus" as it terms it). The way it does this is to
act as a proxy process, and thus the firewall (which I'm using to
control outgoing connections) can't distinguish what app is making the
request. And since I allow KAV free access to fetch its updates I'm
essentially allowing any application outbound http.

I think my choices are:

1 - do nothing
On the basis that if the local application is a bad'un KAV will have
caught it anyway!

2 - install Kaspersky's firewall product
I believe it's quite solid, but when I played with it I thought its UI
was awful (inability to specify ORs in rule tuples (eg tuple={protocol,
destination, (application1 or application2),...}, combined with an
inability to copy rules. I could see me spending forever configuring
it). Actually bad UI seems to be quite a common feature amongst the
firewall & av products I've played with (including kav).

3 - disable KAV http scanning
I don't really have a clear view on what this is actually meant to be
doing and why it has to happen here rather than by controlling the app
that's receiving the http stream. I suppose a browser could receive a
dodgy applet that takes advantage of an unpatched bug to retrieve user
data or some such?


I think that ramble pretty clearly spells out why I'd like some expert
opinion :)

[Ranting lunatics trying to pick fights need not apply].
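The attribution problem described in this post, as an added toy model that is not part of the thread: a first-match per-application rule table, and a relay function showing what the firewall actually sees when HTTP is pushed through a local scanning proxy. The process name `kav_webav`, port 8081 and all rules are constructed for illustration; the hardened table keeps control only by also governing who may connect to the proxy's loopback listener.

```python
"""Added example: why a local scanning proxy collapses per-app outbound
control, and the loopback rule a defender needs to get it back.
All process names, ports and rules here are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional

PROXY_NAME = "kav_webav"   # assumed name of the AV's proxy process
PROXY_PORT = 8081          # assumed loopback port that proxy listens on


@dataclass(frozen=True)
class Conn:
    app: str    # process owning the socket, as the firewall identifies it
    dst: str    # destination host
    port: int   # destination port


@dataclass(frozen=True)
class Rule:
    app: Optional[str]    # None matches any application
    dst: Optional[str]    # None matches any host
    port: Optional[int]   # None matches any port
    allow: bool


def decide(rules: List[Rule], c: Conn) -> bool:
    """First matching rule wins; default deny when nothing matches."""
    for r in rules:
        if (r.app in (None, c.app) and r.dst in (None, c.dst)
                and r.port in (None, c.port)):
            return r.allow
    return False


def via_proxy(c: Conn) -> List[Conn]:
    """What the firewall observes when the request is relayed: the app only
    talks to loopback, and the proxy reaches the real destination under
    its own identity, so the original app never appears on the wire."""
    return [Conn(c.app, "127.0.0.1", PROXY_PORT),
            Conn(PROXY_NAME, c.dst, c.port)]


def outbound_allowed(rules: List[Rule], c: Conn, proxied: bool) -> bool:
    """True if every hop the firewall sees for this request is permitted."""
    hops = via_proxy(c) if proxied else [c]
    return all(decide(rules, h) for h in hops)


# Typical "allow loopback, allow the AV, allow the browser" table.
NAIVE = [
    Rule(None, "127.0.0.1", None, True),   # any app may talk to loopback
    Rule(PROXY_NAME, None, None, True),    # AV may fetch updates anywhere
    Rule("firefox", None, 80, True),       # browser may do plain HTTP
]

# Same intent, but the proxy's listener is treated like the network itself.
HARDENED = [
    Rule("firefox", "127.0.0.1", PROXY_PORT, True),   # browser may use proxy
    Rule(None, "127.0.0.1", PROXY_PORT, False),       # nobody else may
    Rule(None, "127.0.0.1", None, True),
    Rule(PROXY_NAME, None, None, True),
    Rule("firefox", None, 80, True),
]

if __name__ == "__main__":
    unknown = Conn("unknown.exe", "example.net", 80)   # constructed sample
    print("naive, direct  :", outbound_allowed(NAIVE, unknown, False))
    print("naive, proxied :", outbound_allowed(NAIVE, unknown, True))
    print("hardened, proxied:", outbound_allowed(HARDENED, unknown, True))
```

The hardened table still assumes the proxy only relays what it is handed; it does nothing about the other bypass raised later in the thread, a malicious process driving the permitted browser through IPC.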

Re: Kaspersky anti-virus undermines firewall

on 13.12.2006 19:14:53 by tony

Are you going to "keep looking over your shoulder" the rest of your life?
Don't you know running an antivirus will slow down your computer? Sometimes
it's fun to access the internet with those zombie computers anyways. You see
if you can react quicker than the computer can you know like closing down
sites before they pop up. Like i said before why use something that always
tells you your serial number is blacklisted?

graham wrote:

> I have KAV installed, with everything enabled including scanning of http
> traffic ("web anti-virus" as it terms it). The way it does this is to
> act as a proxy process, and thus the firewall (which I'm using to
> control outgoing connections) can't distinguish what app is making the
> request. And since I allow KAV free access to fetch its updates I'm
> essentially allowing any application outbound http.
>
> I think my choices are:
>
> 1 - do nothing
> On the basis that if the local application is a bad'un KAV will have
> caught it anyway!
>
> 2 - install Kaspersky's firewall product
> I believe it's quite solid, but when I played with it I thought its UI
> was awful (inability to specify ORs in rule tuples (eg tuple={protocol,
> destination, (application1 or application2),...}, combined with an
> inability to copy rules. I could see me spending forever configuring
> it). Actually bad UI seems to be quite a common feature amongst the
> firewall & av products I've played with (including kav).
>
> 3 - disable KAV http scanning
> I don't really have a clear view on what this is actually meant to be
> doing and why it has to happen here rather than by controlling the app
> that's receiving the http stream. I suppose a browser could receive a
> dodgy applet that takes advantage of an unpatched bug to retrieve user
> data or some such?
>
> I think that ramble pretty clearly spells out why I'd like some expert
> opinion :)
>
> [Ranting lunatics trying to pick fights need not apply].

Re: Kaspersky anti-virus undermines firewall

on 14.12.2006 00:25:20 by unknown

Post removed (X-No-Archive: yes)

Re: Kaspersky anti-virus undermines firewall

on 15.12.2006 11:02:03 by Graham

Sebastian Gottschalk wrote:
> graham wrote:
>
>> I have KAV installed, with everything enabled including scanning of http
>> traffic ("web anti-virus" as it terms it).
>
> That's bad.

why?


>
>> The way it does this is to
>> act as a proxy process, and thus the firewall (which I'm using to
>> control outgoing connections) can't distinguish what app is making the
>> request.
>
> Eh... so what?

eh.. so the "personal firewall" can't effectively be used to control
outbound connections.

>
>> And since I allow KAV free access to fetch its updates I'm
>> essentially allowing any application outbound http.
>
> Eh... where're the news?

whether it's news or not, it's something I wish to control.

>
>> I think my choices are:
>>
>> 1 - do nothing
>> On the basis that if the local application is a bad
>
> Well, that's the only option.

It's the only option labeled "1".

>
>> 'un KAV will have caught it anyway!
>
> Yeah, you wish...

exactly.

>
>> 2 - install Kaspersky's firewall product
>> I believe it's quite solid, but when I played with it I thought its UI
>> was awful (inability to specify ORs in rule tuples (eg tuple={protocol,
>> destination, (application1 or application2),...}, combined with an
>> inability to copy rules. I could see me spending forever configuring
>> it). Actually bad UI seems to be quite a common feature amongst the
>> firewall & av products I've played with (including kav).
>
> No, this is nonsense.

which bit exactly? and why?


>
>> 3 - disable KAV http scanning
>> I don't really have a clear view on what this is actually meant to be
>> doing and why it has to happen here rather than by controlling the app
>> that's receiving the http stream. I suppose a browser could receive a
>> dodgy applet that takes advantage of an unpatched bug to retrieve user
>> data or some such?
>
> Well, you should do so. But not for your flawed reasoning.

Your responses suggest you have superior knowledge, which is encouraging
as that's obviously what I was looking for by posting here.
Unfortunately that's as far as they go. If you actually have
constructive comments I'd very much like to hear them.

Re: Kaspersky anti-virus undermines firewall

on 15.12.2006 11:43:27 by unknown

Post removed (X-No-Archive: yes)

Re: Kaspersky anti-virus undermines firewall

on 15.12.2006 13:53:22 by Graham

Sebastian Gottschalk wrote:
> graham wrote:
>
>>>> I have KAV installed, with everything enabled including scanning of http
>>>> traffic ("web anti-virus" as it terms it).
>>> That's bad.
>> why?
>
> It wastes resources, creates various problems, slows down the connection
> and is absolutely useless?


>
>> eh.. so the "personal firewall" can't effectively be used to control
>> outbound connections.
>
> It can't anyway. Thus, it's no loss at all.

Why can't it? Are you saying that all personal firewall products are
faking it? Or only detecting apps that "play nice" ?

>
>>>> And since I allow KAV free access to fetch its updates I'm
>>>> essentially allowing any application outbound http.
>>> Eh... where're the news?
>> whether it's news or not, it's something I wish to control.
>
> Reality doesn't care for your wishes. Such a control simply doesn't work,
> and you'd be better off not wasting resources on trying.

as above - why doesn't it work? It certainly appears to - after all I set
some rule in the personal firewall, and hey presto, when such and such
an app tries to make an outbound connection the firewall detects it (and
can potentially block it).

>
>>>> 1 - do nothing
>>>> On the basis that if the local application is a bad
>>> Well, that's the only option.
>> It's the only option labeled "1".
>
> And I don't care. If the application is malicious, then there's nothing you
> can do.

I guess there are degrees (some apps might not be considered malicious,
more privacy infringing, and I'd still want to be able to prevent their
constant dial-homes), but are you saying that if truly malicious then a
firewall simply can't prevent itself from being
subverted/bypassed/overcome in some way?

>
>>>> 'un KAV will have caught it anyway!
>>> Yeah, you wish...
>> exactly.
>
> So what? Wishes are exactly not what security is. And virusscanners can't
> protect against malicious applications, they can serve as intrusion
> detection system at best. In most cases, you really have to assume that the
> malicious application doesn't get detected, because no signature is
> available and the creator for sure checked it against existing signatures.

Yeah, that's what I meant (by the exclamation mark; not very obvious I
guess): that one can't completely rely on the AV. So my reasoning is
that in cases where the malicious app isn't detected by the AV, the
firewall is a second level of protection.

(And in case where it's not malicious as such, but possibly subjectively
undesirable, like say media player just playing the cd and not doing
goodness knows what; Or finding that a piece of software supposedly
uninstalled has left a remnant behind which is phoning home in the
background - McAfee did this and I wouldn't have known about it without
a pfw).

On the aside of intrusion detection - seems to me that ultimately this
is what it comes down to - AVs, firewalls, etc all play a part in
prevention, but since it's not guaranteed one has to have detection.
Worst case is to "catch" something and not know - prevention is better;
knowing early is good; not knowing at all is bad.

>
>>>> 2 - install Kaspersky's firewall product
>>>> I believe it's quite solid, but when I played with it I thought its UI
>>>> was awful (inability to specify ORs in rule tuples (eg tuple={protocol,
>>>> destination, (application1 or application2),...}, combined with an
>>>> inability to copy rules. I could see me spending forever configuring
>>>> it). Actually bad UI seems to be quite a common feature amongst the
>>>> firewall & av products I've played with (including kav).
>>> No, this is nonsense.
>> which bit exactly? and why?
>
> At first, matching for applications is superfluous nonsense.

how so? Surely all security comes down to determining trust, at some
level of granularity, in this case deciding which apps are to be
trusted? eg. If some app X tries to access the internet (or my ISP mail
server or whatever) then the fact that I've configured only http access
for mozilla, and smtp for whatever should assure its interception,
shouldn't it?


> For the second, it's no firewall. At third, it's not solid, but known
> to be very error-prone.

Very interesting - could you point me at details?

> And for the obvious, there are various well-working host-based packet
> filters for Windows like par example Wipfw, which by using the IPFW1 rule
> definitions preprocessed by your favorite command shell (yes, cmd.exe also
> does a good job), the power of the ruleset is virtually unlimited. So you
> really shouldn't wonder why someone is laughing about these useless
> click-and-point UIs ...

agreed - such configuration is more flexible than the constraints often
imposed by a UI.
But as you say, ipfw doesn't take account of the source application - so
the granularity of control is either all applications or none; if I want
to allow, say, smtp from one particular application I have to allow it
for all.


>
>>>> 3 - disable KAV http scanning
>>>> I don't really have a clear view on what this is actually meant to be
>>>> doing and why it has to happen here rather than by controlling the app
>>>> that's receiving the http stream. I suppose a browser could receive a
>>>> dodgy applet that takes advantage of an unpatched bug to retrieve user
>>>> data or some such?
>>> Well, you should do so. But not for your flawed reasoning.
>> Your responses suggest you have superior knowledge, which is encouraging
>> as that's obviously what I was looking for by posting here.
>> Unfortunately that's as far as they go. If you actually have
>> constructive comments I'd very much like to hear them.
>
> Well, how should someone create something constructive with such an
> obviously flawed concept and even more flawed software? Your problem is
> none, since it's not the software which has defects, but you want it to do
> something impossible.

I don't see why what I'm trying to achieve is a flawed concept - I want
to know, and be able to prevent, which application is making outbound
connection. How can the software both be flawed yet not have defects?

>
> Heck, you even believe that the creators of exploits wouldn't obfuscate
> them to make them undetectable.

of course they would try to do this - if they all waved little red flags
we wouldn't need detection software at all! To what extent
"undetectable" can be achieved I don't know.
Undetectable to me sitting in front of the PC - very easy to achieve.
Undetectable to the AV program - depends if one is unlucky to be one of
the first to be hit with something and therefore no signature yet; or if
the AV program can be subverted or brought down in some way; or if the
AV is plain rubbish; etc.
Undetectable to system intrusion detection? Depends - I guess hard to
hide from something run off separate bootable ro media, but this is
hardly a practical early warning mechanism! Something like osiris with
the server elsewhere - dunno how effective this would be for a pc, as
while it'll detect changes it's hard to determine which ones matter (and
then there's the small matter of the registry...)


> Or that an application could be controlled.

I'm under the impression that privileged processes can interpose
themselves in appropriate places to control some of what an application
might try to do - eg. intercept and allow/prevent registry changes;
intercept and allow/prevent network accesses, etc.
Is this untrue?
Because this seems to be the premise on which all the software we've
been talking about (including ipfw) is based.

> Or that a webbrowser with known security holes would be reasonably
> acceptable.

I don't think I said that. Anyway, I rather suspect that all web
browsers have security holes, it's just a question of whether anyone has
put the effort in to find them - a trust decision, and a problem for sure.
Isn't this the standard tradeoff (ie. if i don't run anything I'm really
secure but can't do anything useful; if I run this thing then I can do
more but I'm a bit less secure. And the point of security software is to
try and edge that balance to the more secure end of the spectrum?

Re: Kaspersky anti-virus undermines firewall

on 15.12.2006 15:35:17 by unknown

Post removed (X-No-Archive: yes)

Re: Kaspersky anti-virus undermines firewall

on 15.12.2006 15:51:44 by Wilf

Sebastian Gottschalk wrote:
> graham wrote:
>
>>>> eh.. so the "personal firewall" can't effectively be used to control
>>>> outbound connections.
>>> It can't anyway. Thus, it's no loss at all.
>> Why can't it? Are you saying that all personal firewall products are
>> faking it? Or only detecting apps that "play nice" ?
>
> A mixture of both. The latter being the general reason.
>
>> as above - y doesn't it work? It certainly appears to - after all I set
>> some rule in the personal firewall, and hey presto, when such and such
>> an app tries to make an outbound connection the firewall detects it (and
>> can potentially block it).
>
> After all, this is exactly why this stuff sells so well. Apparently it does
> work - and you won't recognize the cases where it fails. Well, such cases
> are so trivial to construct.
>
>>> And I don't care. If the application is malicious, then there's nothing you
>>> can do.
>> I guess there are degrees (some apps might not be considered malicious,
>> more privacy infringing, and I'd still want to be able to prevent their
>> constant dial-homes),
>
> So what? They are malicious.
>
>> but are you saying that if truly malicious then a firewall simply can't
>> prevent itself from being subverted/bypassed/overcome in some way?
>
> Yes, that's what I'm saying. Welcome to reality!
>
>>> So what? Wishes are exactly not what security is. And virusscanners can't
>>> protect against malicious applications, they can serve as intrusion
>>> detection system at best. In most cases, you really have to assume that the
>>> malicious application doesn't get detected, because no signature is
>>> available and the creator for sure checked it against existing signatures.
>> Yeah, that's what I meant (by the exclamation mark; not very obvious i
>> guess): that one can't completely rely on the AV. So my reasoning is
>> that in cases where the malicious app isn't detected by the AV, the
>> firewall is a second level of protection.
>
> Very very far away from the truth. Hey, virusscanner seem to have at least
> a little effect in reality, but "firewalls" fail so blatantly.
>
>> (And in case where it's not malicious as such, but possibly subjectively
>> undesirable, like say media player just playing the cd and not doing
>> goodness knows what;
>
> Then it's malicious. Or you're just too stupid to configure it correctly.
> After all, which media player does such a thing as you claim?
>
>> Or finding that a piece of software supposedly
>> uninstalled has left a remnant behind which is phoning home in the
>> background - McAfee did this and I wouldn't have known about it without
>> a pfw).
>
> Then you're really a loser. Trying to achieve security through a host-based
> packet filter, but even too stupid for such simple commands as 'netstat'?
>
>> On the aside of intrusion detection - seems to me that ultimately this
>> is what it comes down to - AVs, firewalls, etc all play a part in
>> prevention, but since it's not guaranteed one has to have detection.
>
> Quite the contrary. None of these can protect, they can at best detect.
>
>> Worst case is to "catch" something and not know - prevention is better;
>> knowing early is good; not knowing at all is bad.
>
> Well, what about actually implementing prevention? You said you have some
> software spying on you? I wouldn't even have installed it in first place.
> Software didn't uninstall properly? Dude, my software doesn't need either
> installation or deinstallation, uninstalling is just a matter of deleting
> the application folder and that's it. WTF are you doing to your system?
>
>>> At first, matching for applications is superfluous nonsense.
>> how so? Surely all security comes down to determining trust, at some
>> level of granularity, in this case deciding which apps are to be
>> trusted? eg. If some app X tries to access the internet (or my ISP mail
>> server or whatever) then the fact that I've configured only http access
>> for mozilla, and smtp for whatever should assure its interception,
>> shouldn't it?
>
> Definitely not. What stops malicious software from remote-controlling Mozilla to
> upload all your files to a certain software? Well, exactly nothing!
>
>>> For the second, it's no firewall. At third, it's not solid, but known
>>> to be very error-prone.
>> Very interesting - could you point me at details?
>
> For the latter, just keep reading this NG or read some forums - the number
> of people which come up and say "dude, my personal firewall makes problems"
> is overwhelming. KIS has its part, too. The problem is usually solved with
> uninstalling it, whereas not even deactivating it worked - that's a typical
> eye-opener for those who think that such software is not a big piece of
> crap just because it sells so well.
>
>> But as you say, ipfw doesn't take account of the source application - so
>> the granularity of control is either all applications or none; if I want
>> to allow, say, smtp from one particular application I have to allow it
>> for all.
>
> And that's what it bogs down to anyway, since there's no chance that such
> an application control could even particularly work in any reliable way.
> And legitimate applications don't require such granularity, since they
> don't do such stuff by definition.
>
>> I don't see why what I'm trying to achieve is a flawed concept - I want
>> to know, and be able to prevent, which application is making outbound
>> connection.
>
> Then you have to cut out every interprocess communication. No more copy &
> paste, no drag & drop, no remote controlling, no OLE, no DDE, no local
> loopback NIC, and all application data have to be fully separated in
> filesystem and configuration data. And your system becomes unusable. Not to
> mention this would be impossible on Windows and pretty hard on Unix.
>
> And this is why you're lacking a concept: your wishes are not even
> particularly fulfillable in reality.
>
> And that's where you should take the consequences: These things don't work,
> thus you have to address the more fundamental issue - not running malicious
> applications in first place. And getting a good concept how to evaluate the
> trustworthiness of software.
>
>> How can the software both be flawed yet not have defects?
>
> I just said that your problem is not related to the flaws in the software.
> Thus, even if the software would be flawless and perfect and complete, your
> problem would be unsolvable.
>
>>> Heck, you even believe that the creators of exploits wouldn't obfuscate
>>> them to make them undetectable.
>> of course they would try to do this - if they all waved little red flags
>> we wouldn't need detection software at all! To what extent
>> "undetectable" can be achieved I don't know.
>
> eval(AES_decrypt("longAESencryptedexploit",document.location "));
>
> Until the software emulates an entire JavaScript engine and captures all
> relevant data, it won't work.
>
> And actually you can encode the every step of an exploit into pure side
> effects. And then it's even theoretically impossible to verify what's
> actually going on.
>
>>> Or that an application could be controlled.
>> I'm under the impression that privileged processes can interpose
>> themselves in appropriate places to control some of what an application
>> might try to do - eg. intercept and allow/prevent registry changes;
>> intercept and allow/prevent network accesses, etc.
>> Is this untrue?
>
> No. But it's trivially circumvented if you allow just one little legitimate
> application.
>
>> Because this seems to be the premise on which all the software we've
>> been talking about (including ipfw) is based.
>
> That's what the entire security concept of most OSes is based on. But
> they're making clear all-or-nothing decisions based on security contexts.
> And that's why most don't even care for controlling network access.
>
>>> Or that a webbrowser with known security holes would be reasonably
>>> acceptable.
>> I don't think I said that. Anyway, I rather suspect that all web
>> browsers have security holes, it's just a question of whether anyone has
>> put the effort in to find them - a trust decision, and a problem for sure.
>
> Known security holes == the public knows about the security hole, there has
> been an updated version of the browser, but the hole was not fixed. And I
> know only one where this applies: IE, where the oldest security now
> celebrates the third year, and currently more than 20 being known. Well, if
> you even call it a webbrowser, since it's officially documented to be
> unsuitable for being used on the WWW.
>
>> And the point of security software is to try and edge that balance to the
>> more secure end of the spectrum?
>
> The point of serious security software is to provide tools for the
> competent administrator to help implementing security strategies.
> Technology is not a panacea. Without any clue and without any concept,
> you'll just achieve the contrary or at best nothing at all.

Look, folks, the bottom line is, leave computers to the experts. Throw
out your home PC. Let's go back to the 60's. Us nerds were happy then
in a world where there was no interference from that ignoramus Joe
Public ;-)

--
Wilf

Re: Kaspersky anti-virus undermines firewall

on 15.12.2006 18:16:23 by unknown

Post removed (X-No-Archive: yes)