[RESOLVED] ABE and Kaspersky URL Advisor

Discussions about the Application Boundaries Enforcer (ABE) module
LuisFeps
Posts: 8
Joined: Sun Aug 09, 2015 11:15 pm
Location: Brazil

[RESOLVED] ABE and Kaspersky URL Advisor

Post by LuisFeps »

Hi all,

I'm using Kaspersky Internet Security 16.0.0.614(a) and NoScript 2.6.9.34. When the ABE is active, Kaspersky URL Advisor doesn't work properly, The "buttons" indicating the the site reputation don't appear.

Here is the console entry:

[ABE] <LOCAL> Deny on {GET https://ff.kis.scr.kaspersky-labs.com... <<< https://www.google.com.br/search?q=kasp...}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

I'm sorry for my ignorance, but i'm not sure how to create a rule to make it work... :oops: If anyone can help me, i would really appreciate it.
Last edited by LuisFeps on Mon Aug 10, 2015 4:47 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE and Kaspersky URL Advisor

Post by barbaz »

Can you please do a reverse DNS lookup of ff.kis.scr.kaspersky-labs.com and post here the result? (I think open a Command Prompt & type nslookup followed by that domain)

To answer your question, *if* it's determined to be safe to add an exception for it, here's how it would be done:
go to NoScript Options > Adavnced > ABE, and add above the default SYSTEM rule

Code: Select all

Site https://ff.kis.scr.kaspersky-labs.com/*
Accept
Note: At this point I have absolutely *no* idea how dangerous that is! So please don't add exception just yet, I think we all need some more information before deciding if it's safe.
*Always* check the changelogs BEFORE updating that important software!
-
LuisFeps
Posts: 8
Joined: Sun Aug 09, 2015 11:15 pm
Location: Brazil

Re: ABE and Kaspersky URL Advisor

Post by LuisFeps »

Thanks for your reply! I did it as you said. Here it is:

C:\>nslookup ff.kis.scr.kaspersky-labs.com
Server: Unknown
Adress:

***Unknown não encontrou ff.kis.scr.kaspersky-labs.com: No response from server

Note: "Unknown não encontrou" means "Unknown has not found"
Last edited by LuisFeps on Mon Aug 10, 2015 3:26 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE and Kaspersky URL Advisor

Post by barbaz »

Argh, I know basically nothing about IPv6 addresses and haven't yet found any documentation that explains them in a way I find clear & understandable :(

Thanks for posting that though, hopefully someone else can advise you whether adding exception is safe/reasonable.

Oh, and let's move this to the ABE forum (didn't catch it was posted in NS Support when I made my prior post).

** EDIT **
LuisFeps wrote:"Unknown has not found"
Wait... does this *always* happen? If not, if it only "sometimes" happens, this kind of thing could indicate that you're trying to use KIS when your computer/router is in the middle of a DHCP lease reset, and you don't have full Internet connectivity - see viewtopic.php?p=69123#p69123 for a better explanation.

If it happens always then never mind my edit, what I said before applies.
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: ABE and Kaspersky URL Advisor

Post by Giorgio Maone »

Unfortunately ff.kis.scr.kaspersky-labs.com basically resolves to localhost (it's probably a way for the URL advisor add-on to communicate with a locally installed Kaspersky executable).

You may want to insert the following rule in the beginning of the SYSTEM ruleset:

Code: Select all

Site ff.kis.scr.kaspersky-labs.com
Accept GET from https://www.google.com.br
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
LuisFeps
Posts: 8
Joined: Sun Aug 09, 2015 11:15 pm
Location: Brazil

Re: ABE and Kaspersky URL Advisor

Post by LuisFeps »

Thank you all guys for the help! :D
barbaz wrote: ** EDIT **
LuisFeps wrote:"Unknown has not found"
Wait... does this *always* happen? If not, if it only "sometimes" happens, this kind of thing could indicate that you're trying to use KIS when your computer/router is in the middle of a DHCP lease reset, and you don't have full Internet connectivity - see viewtopic.php?p=69123#p69123 for a better explanation.

If it happens always then never mind my edit, what I said before applies.
Yes, it always happens.
Giorgio Maone wrote:Unfortunately ff.kis.scr.kaspersky-labs.com basically resolves to localhost (it's probably a way for the URL advisor add-on to communicate with a locally installed Kaspersky executable).
So, the IPv6 Adress above is mine? Sorry, I'm very noob... :oops:
Mozilla/5.0 (Windows NT 5.1; rv:39.0) Gecko/20100101 Firefox/39.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: ABE and Kaspersky URL Advisor

Post by Giorgio Maone »

LuisFeps wrote: So, the IPv6 Adress above is mine? Sorry, I'm very noob... :oops:
I don't know, but

Code: Select all

$ dig ff.kis.scr.kaspersky-labs.com

; <<>> DiG 9.9.6 <<>> ff.kis.scr.kaspersky-labs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37921
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ff.kis.scr.kaspersky-labs.com. IN      A

;; ANSWER SECTION:
ff.kis.scr.kaspersky-labs.com. 234 IN   A       127.245.107.154

;; Query time: 32 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: lun ago 10 16:22:39 CEST 2015
;; MSG SIZE  rcvd: 74
127.245.107.154 is in the 127.0.0.0/8 address block, reserved for loopback by the IPv4 standard.
This alone suffices for ABE to consider it local, no matter if it resolves also to other (IPv4 or IPv6) addresses.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
LuisFeps
Posts: 8
Joined: Sun Aug 09, 2015 11:15 pm
Location: Brazil

Re: ABE and Kaspersky URL Advisor

Post by LuisFeps »

Giorgio, your rule is not working.

Image

Am I doing it wrong?

barbaz, your rule works, but is it safe to use?
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE and Kaspersky URL Advisor

Post by barbaz »

LuisFeps wrote:barbaz, your rule works, but is it safe to use?
Well, at this point it's pretty clear that address is a part of KIS (and likely just for KIS, not your whole machine), so it's probably safe to add exception.

Does my suggested exception work if you put Accept GET instead of just Accept? If so that's more safer.
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: ABE and Kaspersky URL Advisor

Post by Thrawn »

There's probably some other (Google?) site getting involved. LuisFeps, can you post the Browser Console messages after applying Giorgio's rule?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
LuisFeps
Posts: 8
Joined: Sun Aug 09, 2015 11:15 pm
Location: Brazil

Re: ABE and Kaspersky URL Advisor

Post by LuisFeps »

barbaz wrote:Does my suggested exception work if you put Accept GET instead of just Accept? If so that's more safer.
No it doesn't. It only works if I put just Accept.

Thrawn wrote:There's probably some other (Google?) site getting involved. LuisFeps, can you post the Browser Console messages after applying Giorgio's rule?
Here it is:

[ABE] <LOCAL> Deny on {POST https://ff.kis.scr.kaspersky-labs.com/. ... categorize <<< https://www.google.com.br/search?q=uol& ... wATGhq-wDg - 11}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
https://www.google.com.br/search?q=uol& ... =kaspersky : Unable to run script because scripts are blocked internally.
[ABE] <LOCAL> Deny on {GET https://ff.kis.scr.kaspersky-labs.com/...9E1052A0EC <<< posting.php?mode=reply&f=23&t=21139 - 2}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

I cut off some parts of the URL's because they're too big.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE and Kaspersky URL Advisor

Post by barbaz »

So it needs POST as well as GET, so try Accept GET POST and see if that works?
LuisFeps wrote:[ABE] <LOCAL> Deny on {GET https://ff.kis.scr.kaspersky-labs.com/...9E1052A0EC <<< https://forums.informaction.com/posting.php?mode=reply&f=23&t=21139 - 2}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Given this console message, I don't think it's possible to restrict sites to Accept from in this case, best that can be done is limit the methods to only what's needed.
*Always* check the changelogs BEFORE updating that important software!
-
LuisFeps
Posts: 8
Joined: Sun Aug 09, 2015 11:15 pm
Location: Brazil

Re: ABE and Kaspersky URL Advisor

Post by LuisFeps »

barbaz wrote:So it needs POST as well as GET, so try Accept GET POST and see if that works?
Yes! Now it's working. No messages with Google URL in the Browser Console.
barbaz wrote:Given this console message, I don't think it's possible to restrict sites to Accept from in this case, best that can be done is limit the methods to only what's needed.
So it means, in this case, with that rule, the URL Advisor will only work with a Google search?
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE and Kaspersky URL Advisor

Post by barbaz »

LuisFeps wrote:So it means, in this case, with that rule, the URL Advisor will only work with a Google search?
If you only have "Accept GET POST", and *not* "Accept GET POST from [...]", then it's set up to work everywhere. If you want it to only work on specified sites, you would add a "from [...]" to your Accept rule as shown in Giorgio's example.
*Always* check the changelogs BEFORE updating that important software!
-
LuisFeps
Posts: 8
Joined: Sun Aug 09, 2015 11:15 pm
Location: Brazil

Re: ABE and Kaspersky URL Advisor

Post by LuisFeps »

barbaz wrote:If you only have "Accept GET POST", and *not* "Accept GET POST from [...]", then it's set up to work everywhere. If you want it to only work on specified sites, you would add a "from [...]" to your Accept rule as shown in Giorgio's example.
Ok! Thank you very very much! :D
Thank you everyone for such great support!
You guys are the best!
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Post Reply