Webshield Sygate problem

[FastGame]

I have my a2-Squared set for manual updates, I have Sygate set to ask if a2 wants to access the net.

If I have WebShield running and I update a2, Sygate doesn't ask permission, if i pause Webshield it still does the same. I can set Sygate to block a2 and if Webshield is running or paused Sygate still allows a2 access to the net and update.

All is fine with Sygate as long as Webshield is shutdown.

Win XP SP2

Sygate Pro 5.5 build 2710

Avast beta 4.6.586

[EDIT]= Sorry I posted in wrong section, had too many Firefox tabs running and forgot where I was

[Jarmo P]

 

If I have WebShield running and I update a2, Sygate doesn't ask permission, if i pause Webshield it still does the same. I can set Sygate to block a2 and if Webshield is running or paused Sygate still allows a2 access to the net and update.

All is fine with Sygate as long as Webshield is shutdown.

That is really bad news.
I suspected this to happen when the news about new avast beta's webshield was talked about.

Sygate is a fine firewall, with one big issue. The local proxy softwares allows programs to go to net without control from Sygate.
I already had this problem with Avast's email shield. My email clients were not even getting traffic log entries. And sure no outgoing permission prompts from SPF. Now the same will happen to newsgroup reading in that beta. But it is still tolerable, cause afftecting only email prgrams.

The new webshield seems to be also a local proxy process, the so called 'loopback issue' that you can ask more from the Sygate forum.

To me it remains to switch Avast or Sygate or to make a compromise and disable that webshield.  This is really bad news from you, but thx anyways.

[Jarmo P]

Hmmmm
I think I replied to this post in the general Avast forum, not beta.
This kind of cencorship makes cold sweat to run. 

So many really unnecessary posts around that I think this should have remained in the general section. Even though the original poster was talking about the new beta.

[Vlk]

Censorship?
We're discussing the beta aren't we?

[Jarmo P]

Ok, I have calmed down a bit.   
It was just that this forum had to found by Google. Got me mad.
First I thinked the thread was removed altogether.

You are right, FastGame's thread is about Avast beta and Sygate's local proxy issue.

[FastGame]

@Jarmo P, sorry about that. I did edit my post to reflect it should be in Beta section plus I listed the Beta build.

o me it remains to switch Avast or Sygate or to make a compromise and disable that webshield.  This is really bad news from you, but thx anyways.

Well I'm not giving up Avast!, its too good  its a simple task to disable Webshield and WebShield is an Option anyway isn't it ?

I tested WebShield thoroughly on the dark side of the net and it works excellent,  Sygate lets everything leave my PC even if I set to block.

[bob3160]

Jarmo P and FastGame
Maybe you should consider ZA?

[Max M.Wachtel III]

I just tested a2 and disabling web scan allowed sygate to ask-with web scan on I got no message. I will have to look for new firewall for win2000 and XP.I didn't like zone alarm.
-max

[Thorny]

Guys just to confirm what has already been reported:

I am running Sygate 5.6 build 2808 and Avast beta 4.6.588.
In Sygate applications rules I have set Gibson Fire wall Leak Test Utility to Block. With Avast webshield running, the firewall leak test utility is able to connect straight to the web! Terminating Avast webshield and repeating the firewall leak test, Sygate will successfully block the utility.  Wow, this appears to be a big problem not just confined to a2.

I believe that  because Avast webshield works as a local server and is set to allow in Sygate application rules, Sygate ignores any other application rules that might be set.  So although I had set the Firewall Leak Test Utility to Block, because avast was set to allow the utility was able to connect.  (Hmm and everything else!)

As a temporary solution I have terminated Avast webshield, hopefully the Avast team will be able to find a solution.

Regards,

Thorny
 

[FastGame]

Jarmo P and FastGame
Maybe you should consider ZA?

Well I might, seems like ZA is the only FW that works 100%.  I'm not giving up Avast! and WebShield works great.

I could be wrong but IMHO this isn't a Avast problem. Why isn't this a FW problem ? I mean if WebShield could do this & bypass FW's then what holding back some malicious program from using the same exploit ?

I'm not a security expert, maybe someone could explain why this isn't a FW weakness ?

[lukor]

Guys just to confirm what has already been reported:
I believe that  because Avast webshield works as a local server and is set to allow in Sygate application rules, Sygate ignores any other application rules that might be set. 

Indeed. That's how WebShield works. I haven't time to test Sygate FW yet, so I don't know what possibilities of controlling local access it gives to user, but the same rules as for ANY OTHER local proxy apply. That is, your browser (in this case the dreaded Gibson's test) connects to localhost, port 12080, and the real web connection is realized by the webshield process (ashWebSv.exe). That's how it was designed, not a mystery.

So if you want to be protected more strictly, setup a rule asking for permition on every connect to port 12080 on localhost (127.0.0.1).

I remember someone noting that Sygate has certain problems with localhost access control and perhaps there is a fix for this. Search the forum please.

Lukas.

[Zarro]

Kerio 2.1.5 Firewall (Yes it works .....) and Webshield working fine for me, Firewall Test passed. It needs just a little bit Work for the FW Rules, but it works fine and very carefully with Resources.  I've already tried Sygate and I've had big Problems with the System Shutdown and Performance every Time.

[Thorny]

HI Fastgame,

Thanks for raising this issue in the first place as I had no idea that my computer was wide open until I read your email and carried out the leak test.

I am no expert either, but I believe that Sygate is a rule based firewall , that way you have to allow each application access to the internet via three rules, block, ask or  allow.  Everything else trying to connect to the internet Sygate will prompt you with a pop up permission box, which allows you to grant or deny access once only or add the application to your set of rules by ticking the remember this answer box.

With the Beta version of Avast, the application rules (for Avast webshield) are set to allow because it should be a trusted application.  But I believe that this is where the problem lies, because every internet connection is now routed though a single application (webshield) and Sygate application rules are set to always allow webshield access to the internet.   Therefore because of the changes in Avast 4.6, Sygate no longer sees individual applications requesting access to the internet, only webshield, result open door.

I think that it is worth remembering at this point that we are running a Beta version of Avast, so we can expect that there may be a few glitches. I have checked the inward security of Sygate with Avast webshield either running or terminated and my system is still completely stealthed to the outside world, confirming Sygate is working normally with regard to inward protection.  Again, I believe that you will still be well protected using Avast with the webshield terminated as this is an added feature to 4.5 which recently received an VB100 award.   

Again it is worth noting that other antivirus programs have been developed using a webshield type of scanning, these other programs see the individual application rules set in Sygate. As this Avast 4.6 is currently under development, and it is Avast that has changed, surely it would be more helpful at this stage if you were to just terminate webshield and stay with Sygate and help the software guys to resolve the Beta problem  

To satisfy yourself that you are not in any real danger from terminating the webshield, you might like to visit the following site http://grc.com/default.htm where you will find the firewall leak test and "shields up" which checks your inward security. Note,  if you fail the Ping test in shield up this is nothing to do with Avast, but you will have to set an advance rule in Sygate to stop this happening. Best at this point, if you search in Sygate forums on the word ping, there are detailed instructions on the settings required. 

[Vlk]

Outbound HTTP access will generally be seen by a firewall as a connection to localhost:12080. You still have the possibility to deny/allow this (once you know what it means - that it's the WebShield redirecting the HTTP connection to its own process).

BTW Thorny I saw your reference to the recent VB100% award. Please be asured that VB doesn't test anything like WebShield, mail scanners etc. They simply test the ability to detect (itw) viruses. In this sense, the VB tests are pretty weak (the results don't reflect the real probability of getting infected etc). Also, outbreak reaction times are not measured (the time it takes for a vendor to release a definition update in case of a new outbreak).


Cheers
Vlk

[Thorny]

Hi Vlk,

Okay, I don't  think I completely understand what you are saying here?

If a program wants to access the Net, this is intercepted by Webshield through a local host connection. Are you saying that at this point I can set a Sygate rule so that Webshield sees the individual application rules set in Sygate  or are you saying that the rule set is only for webshield, for instance ask every time?

I for one have no idea how to set such a rule, hopefully looking for guidance from you Guys

You may have read my posts in another forum, if so, you will realise I have been using Trend Internet Security 11 with the Trend Firewall uninstalled, just  the antivrus program running through Sygate.  Although Trend has a web scanner it ran on loading with no rules to set in Sygate, hmm, surely this should be the objective here also?   

With reference to the VB100 award I only mentioned that because I felt that the guys had missed the point that they were testing a Beta, therefore no need to load Zone Alarm  just turn off webshield ..... What I was trying to say is look you are still well protected