Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Sgt.Schumann on February 20, 2005, 02:44:54 PM
-
Hi *,
the new WebShield runs fine, if I am just browsing.
But if I download larger files with Mozilla (1.7.5), I get the following error box just a few seconds before the end of the download:
"D:\Firefox Setup 1.0.exe.part could not be saved because the source file could not be read".
And the download is broken.
If I disable the WebShield, I do not get this error, and the download gets finished.
[EDIT]
I first thought that this was a problem with Outpost Firewall, but even with Outpost disabled, I ALSO got this error and the broken download.
If I enable the detailed information in WebShield, I can see that the error always occurs when the Shield writes, that it scans the file.
[/EDIT]
My OS: WinXP Prof SP1
Has anyone a similar problem and/or a solution?
-
Are you using a download manager or the Mozilla 1.7.5 default downloader?
The .exe.part shows that only a part of the file has been downloaded, so you could try a resume.
-
Mozilla is my default downloader, because up to now it worked perfectly.
As I have written above, the error occurs exactly at the time when the WebShield is scanning the download.
[EDIT]
Now I tried downloading with Firefox 1.0.
Here the download freezes when the WebShield scans the file. Nothing is going on afterwards. I have to press "cancel" and the download is broken again.
[/EDIT]
-
I'm using firefox and have used both its default downloader and star downloader and no problems.
What is your firewall? Is there anything in the logs to indicate some form of blocking, and/or has ashwebsv.exe been allowed access (a bit of a clutch at straws moment, as you wouldn't be able to browse if it wasn't)?
-
I use Outpost Free (1.0).
Mozilla and the Avast! WebShield are completely trusted applications. There are also no entries in the "blocked"-logs. Even when I disable or completely shutdown Outpost I have the same problems.
Very strange ???
BTW, I am sitting behind a SMC Barricade Router, but this shouldn't be the problem ???
-
That is very strange, are you using the latest avast version 4.6.603?
Have you tried downloading a smaller file, does this only happen with large downloads?
-
So this happens AFTER the file is scanned (as seen in the WebShield's info display)?
Very strange. It almost sounds like avast thinks that the file is actually infected and aborts the connection... :-\
BTW just for the sake of completeness, could you try downloading the file with IE?
BTW2 what is the URL, exactly?
BTW3 what if you disable HTTP scanning in the WebShield's settings, does that make any difference?
Thanks
Vlk
-
I am using Avast! Home 4.6.603.
The error message appears a bit later after the blue notification about scanning appears.
This error occurs in Mozilla, Firefox and IE (tested 5 minutes ago).
The WebShield is not in silent mode.
If I disable "Web Scanning" in WebShield, the error does not occur. ("Intelligent Stream Scanning" still enabled).
The size of the files seems to play a role:
So bigger downloads produce the error, e.g.
http://dlc.sun.com/jdk/j2re-1_4_2_07-windows-i586-p.exe
or
http://dlc.sun.com/jdk/j2sdk-1_4_2_07-windows-i586-p.exe
or
http://download.mozilla.org/?product=firefox&os=win&lang=en-US
But smaller downloads do not produce an error, e.g.
http://www.abisource.com/downloads/abiword/2.2.3/Windows/abiword-plugins-impexp-2.2.3.exe
Thanks in advance for your help ... strange problem ???
-
The size of the files seems to play a role:
So bigger downloads produce the error, e.g.
http://dlc.sun.com/jdk/j2re-1_4_2_07-windows-i586-p.exe
or
http://dlc.sun.com/jdk/j2sdk-1_4_2_07-windows-i586-p.exe
or
http://download.mozilla.org/?product=firefox&os=win&lang=en-US
But smaller downloads do not produce an error, e.g.
http://www.abisource.com/downloads/abiword/2.2.3/Windows/abiword-plugins-impexp-2.2.3.exe
I was just able to download them all.
WinXp Home SP2
Avast 4.6.603
Outpost 2.5 Pro (trial)
Firefox 1.0
EDIT: Ok was just able to download the files in mozilla 1.7.5 and IE 6.0.2900.2180
--lee
-
Sgt.Schumann , please check the avast logs - especially the Error and Warning categories. Aren't there any related entries?
It seems to me that the scan is somehow failing and avast is aborting the connection.. :-\
Thanks
Vlk
-
I have checked the logs.
Last entries in warning.log:
19.02.2005 12:52:41 1108813961 SYSTEM 1524 Sign of "EICAR Test-NOT virus!!" has been found in "http://www.eicar.org/download/eicar.com" file.
19.02.2005 12:53:50 1108814030 SYSTEM 1524 Sign of "EICAR Test-NOT virus!!" has been found in "http://www.eicar.org/download/eicar.com" file.
19.02.2005 12:54:52 1108814092 SYSTEM 1524 Sign of "EICAR Test-NOT virus!!" has been found in "D:\eicar.com" file.
This was yesterday, when I checked the functionality of WebShield.
Last entries in error.log:
17.01.2005 20:20:13 1105989613 1556 AAVM - initialization error: Unhandled exception in AavmProviderStop, STANDARD.
19.02.2005 21:35:50 1108845350 1564 AAVM - initialization error: Unhandled exception in AavmProviderStop, STANDARD.
Hmm, seems not to be related to the problem, or?
And in the other logs there is also nothing suspicious.
-
Just another guess - how much space do you have on your system partition?
-
Used: 12,3 GB
Free: 26,7 GB
-
OK, that's no problem then... :) The problem is perfectly reproducible? I mean, it happens every time you try it?
-
Yes it is reproducible, I tried it (too) often today.
In the meantime I tried it also on my girl friend's notebook (similar configuration but XP Home instead of Prof. and same inet-connection via my router) and I got the same results.
I am wondering if not my router is the bad guy in this problem. But I haven't configured something unusual on this machine (SMC 2804WBR ... not so new but with latest firmware 11/04) ... but I doubt that the router is the problem ???
-
I doubt it as well. :) Especially if disabling HTTP scanning solves the problem.
Maybe I could send you a version with some extended logging to find out where the problem is.
-
This would be fine.
I suppose you have my email address, otherwise please ask for it and I will send it to you.
Thanks for your help!!
-
What time do you go to bed? I'm now watching an interesting TV show and won't be able to prepare it till 10pm :P :)
Is that OK? ;)
-
No problem, Vlk!
The problem is not so important to destroy your spare time! (I really understand this, cause I am also workin' in IT-Business too ... and I am also "waiting for the weekend").
So, if you send me the version tomorrow ... I am in office the whole day ... so if you send me the version in the evening, it is really o.k.
Thanks in advance.
-
OK, here I am.
Please follow these steps:
1. Stop the WebShield provider in avast
2. Download http://cat.asw.cz/misc/ashwsftr.zip and extract its contents to the avast folder. Overwrite ashWsFtr.dll that's there (it shouldn't be locked because of 1.)
3. Start the WebShield provider
4. Download and run the DebugView utility from http://www.sysinternals.com/files/dbgvnt.zip
5. Simulate the problem
6. Send me the contents of the DebugView window that gets generated.
Maybe it sounds complicated, but it shouldn't take you more than 5 minutes... :)
Thanks
Vlk
-
Here it is:
[1596] Open new addresses 81EA28A0 0.0.0.0:2700(6)
[1596] Conn=00000000 (81EA28A0), Prot 0, Process MOZILLA.EXE, Local 0.0.0.0:2700, Remote 0.0.0.0:0
[1596] Process connect to 2700 -> 127.0.0.1:12080 (outgoing)
[1596] Open new addresses 82233458 0.0.0.0:2701(6)
[1596] Conn=00000000 (82233458), Prot 0, Process ASHWEBSV.EXE, Local 0.0.0.0:2701, Remote 0.0.0.0:0
[1596] Process connect to 2701 -> 140.211.166.204:80 (outgoing)
[1032] *OnEndOfRequest for http://download.mozilla.org/?product=firefox&os=win&lang=en-US
[1032] No body sent so far, flushing all
[1032] *OnEndOfRequest - returning 134217730
[1596] Process ASHWEBSV.EXE disconnect from 140.211.166.204:80 (incoming)
[1596] Process ASHWEBSV.EXE disconnect from 127.0.0.1:2700 (incoming)
[1596] Process MOZILLA.EXE disconnect from 127.0.0.1:12080 (incoming)
[1596] TDI_MSG_CLOSE_CONNECTION 82246538
[1596] -- unknown
[1596] TDI_MSG_CLOSE_ADDRESS 81EA28A0
[1596] -- unknown
[1596] TDI_MSG_CLOSE_CONNECTION 8221DC08
[1596] -- unknown
[1596] Address info 822FAC18(0) 0.0.0.0:0->127.0.0.1:12080 added
[1596] TDI_MSG_CLOSE_CONNECTION 81E65F90
[1596] -- unknown
[1596] TDI_MSG_CLOSE_ADDRESS 82233458
[1596] -- unknown
[1596] Open new addresses 82233458 0.0.0.0:2702(6)
[1596] Conn=00000000 (82233458), Prot 0, Process MOZILLA.EXE, Local 0.0.0.0:2702, Remote 0.0.0.0:0
[1596] Process connect to 2702 -> 127.0.0.1:12080 (outgoing)
[1596] Open new addresses 82246538 0.0.0.0:2703(6)
[1596] Conn=00000000 (82246538), Prot 0, Process ASHWEBSV.EXE, Local 0.0.0.0:2703, Remote 0.0.0.0:0
[1596] Process connect to 2703 -> 64.202.105.103:80 (outgoing)
[1032] *OnEndOfRequest for http://mozilla.mirrors.hoobly.com/firefox/releases/1.0/win32/en-US/Firefox%20Setup%201.0.exe
[1032] Calling g_pfnAavmCheckFile
[1032] Object clean
[1032] File opened OK
[1032] xfer buffer allocated
[1032] Writing rest of data - body
[EEF94849] Bad MDL diagnostic 90: 1: 00040110-81654000-0003C09A-00000000 [81EA91B0]
[1032] Everything OK
[1032] Closing body file handle
[1032] *OnEndOfRequest - returning 134217730
[1596] [EEF94849] Bad MDL diagnostic 90: 1: 00040110-81654000-0003C09A-00000000 [81EA91B0]
[1596] Process MOZILLA.EXE disconnect from 127.0.0.1:12080 (incoming)
[1596] TDI_MSG_CLOSE_CONNECTION 81E65F90
[1596] -- unknown
[1596] TDI_MSG_CLOSE_ADDRESS 82233458
[1596] -- unknown
[1596] Process ASHWEBSV.EXE disconnect from 127.0.0.1:2702 (incoming)
[1596] TDI_MSG_CLOSE_CONNECTION 81EA91B0
[1596] -- unknown
[1596] Address info 822FAC18(0) 0.0.0.0:0->127.0.0.1:12080 added
[1596] Process ASHWEBSV.EXE disconnect from 64.202.105.103:80 (incoming)
[1596] TDI_MSG_CLOSE_CONNECTION 8234E9C8
[1596] -- unknown
[1596] TDI_MSG_CLOSE_ADDRESS 82246538
[1596] -- unknown
[1596] Process MOZILLA.EXE disconnect from 66.193.254.46:80 (incoming)
[1596] TDI_MSG_CLOSE_CONNECTION 81CE1168
[1596] -- unknown
[1596] TDI_MSG_CLOSE_ADDRESS 81760130
[1596] -- unknown
[1596] Open new addresses 82221888 0.0.0.0:2704(6)
[1596] Conn=00000000 (82221888), Prot 0, Process MOZILLA.EXE, Local 0.0.0.0:2704, Remote 0.0.0.0:0
[1596] Process connect to 2704 -> 127.0.0.1:12080 (outgoing)
[1596] Open new addresses 82262B18 0.0.0.0:2705(6)
[1596] Conn=00000000 (82262B18), Prot 0, Process ASHWEBSV.EXE, Local 0.0.0.0:2705, Remote 0.0.0.0:0
[1596] Process connect to 2705 -> 67.15.62.22:80 (outgoing)
[1032] *OnEndOfRequest for http://forum.avast.com/index.php?action=post;topic=11318.15;num_replies=19
[1032] Calling g_pfnAavmCheckFile
[1032] Object clean
[1032] File opened OK
[1032] xfer buffer allocated
[1032] Was check-encoded, sending the rest
[1032] Writing rest of data - body
[1032] Chunked encoded - writing last chunk
[1032] Everything OK
[1032] Closing body file handle
[1032] *OnEndOfRequest - returning 134217730
[1596] Process ASHWEBSV.EXE disconnect from 67.15.62.22:80 (incoming)
[1596] Process ASHWEBSV.EXE disconnect from 127.0.0.1:2704 (incoming)
[1596] Process MOZILLA.EXE disconnect from 127.0.0.1:12080 (incoming)
[1596] TDI_MSG_CLOSE_CONNECTION 82202B78
[1596] -- unknown
[1596] TDI_MSG_CLOSE_ADDRESS 82221888
[1596] -- unknown
[1596] TDI_MSG_CLOSE_CONNECTION 8221DC08
[1596] -- unknown
[1596] Address info 822FAC18(0) 0.0.0.0:0->127.0.0.1:12080 added
[1596] TDI_MSG_CLOSE_CONNECTION 822FC518
[1596] -- unknown
[1596] TDI_MSG_CLOSE_ADDRESS 82262B18
[1596] -- unknown
-
Can you use the Processes tab of Task Manager to find out which process has the PID (process ID) value of 1596???
This column is not shown in Task Manager by default. Use the View -> Select Columns option to enable it.
Thanks!
Vlk
-
It is the Outpost Firewall "outpost.exe".
-
Hmm, this really looks like an Outpost problem... Outpost is reporting this:
[EEF94849] Bad MDL diagnostic 90: 1: 00040110-81654000-0003C09A-00000000 [81EA91B0]
which probably means it can't let the data thru. Maybe they're coming too fast? :-\
Anyway, if I were you, I'd try to uninstall (and possibly reinstall) Outpost and see if it helps (I'd bet my hat it will :)).
Maybe a clean install will resolve the issue...
BTW I'm SHOCKED that Outpost is dumping so much info in its release build - not really a common (neat) programming practice... :-\ ;D
Cheers
Vlk
-
Hi Vlk,
here is the "DebugView" with Shutdown of Outpost:
[1032] *OnEndOfRequest for http://www.mozilla.org/
[1032] No body sent so far, flushing all
[1032] *OnEndOfRequest - returning 134217730
[1032] *OnEndOfRequest for http://download.mozilla.org/?product=firefox&os=win&lang=en-US
[1032] No body sent so far, flushing all
[1032] *OnEndOfRequest - returning 134217730
[1032] *OnEndOfRequest for http://ftp-mozilla.netscape.com/pub/mozilla.org/firefox/releases/1.0/win32/en-US/Firefox%20Setup%201.0.exe
[1032] Calling g_pfnAavmCheckFile
[1032] Object clean
[1032] File opened OK
[1032] xfer buffer allocated
[1032] Writing rest of data - body
!dbg no buffer: EEF93290<-EEF94849 ebp:EE2299B0
[1032] Everything OK
[1032] Closing body file handle
[1032] *OnEndOfRequest - returning 134217730
[1032] *OnEndOfRequest for http://forum.avast.com/index.php?action=post;topic=11318.15;num_replies=22
[1032] Calling g_pfnAavmCheckFile
[1032] Object clean
[1032] File opened OK
[1032] xfer buffer allocated
[1032] Was check-encoded, sending the rest
[1032] Writing rest of data - body
[1032] Chunked encoded - writing last chunk
[1032] Everything OK
[1032] Closing body file handle
[1032] *OnEndOfRequest - returning 134217730
All Outpost processes are killed, all services are killed and still that error!! I am hardly considered to reinstall these things again, but I don't really know if it would be the solution, what a mess ???
-
Sgt.Schumann and Vlk,
Please excuse my jumping in here, but Sgt.Schumann, you're using a very old version of Outpost. That version was great for its day, but had quite a few weird problems. In fact, IIRC, one of them was disabling it didn't really disable it.
I'd suggest upgrading to the new V2.5 version (it has a 30-day free trial - then it's pay up or give up ;) ) and see if your download will work. Since you're behind a router, if you feel safe enough you could "Exit and shutdown" Outpost and try the D/L. Just don't forget to restart OP.
If your girlfriend isn't using the same version of OP on her computer and she is getting the same problem, then I'm pretty sure that OP is not the problem.
NOTING THAT NEW POST MADE WHILE BABBLING ABOVE
That extra info is another problem with the old Outpost!
HTH
-
Again, Outpost was dumping this info
!dbg no buffer: EEF93290<-EEF94849 ebp:EE2299B0
(even though it should've been disabled). Well I'm guessing it's Outpost in this case (but who else? Do you have any other filter installed?).
Clearly, Outpost interferes with the communication stream even though it's turned off... not good for debugging ;)
-
I did already "Exit and shutdown" in Outpost (since I am behind a router and I have nothing to "fear") and the same problems still occur. There were no more outpost-task and no more services running, but I am still having the same problems. So I suppose that Outpost is not the problem ...
The next step could be "to deinstall the Outpost Firewall completely", but I do not really want to do that thing ... and actually I don't think that this is the problem (PLEASE correct me, if I am false!!!)
-
If the last debug dumps were captured with Outpost disabled, then yes, I still think Outpost is interfering with the HTTP traffic. Please see my previous post.
Even though you disable/kill all its processes, there's still the kernel-driver active and it cannot be "killed" - it can only be uninstalled (or deleted/renamed, if you can find it - it's a *.sys file).
Thanks
Vlk
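
The attribution reasoning used in the posts above, as an added example that is not part of the original thread and is not avast or Outpost code: it groups DebugView lines by their decimal [PID] prefix, learns which process printed a hex-tagged diagnostic, and uses that to attribute lines that carry no PID at all. The function names are illustrative, the sample lines are copied from the two captures posted in this thread, and treating a shared hex value as evidence of a common source is an assumption.

```python
import re

PID_LINE = re.compile(r"^\[(\d{1,6})\]\s+(.*)$")   # "[1596] text": decimal PID prefix
REQ_START = re.compile(r"^\*OnEndOfRequest for (\S+)")
REQ_END = re.compile(r"^\*OnEndOfRequest - returning")
HEX8 = re.compile(r"\b[0-9A-F]{8}\b")              # 8-digit hex values inside a line

# Constructed samples: lines copied from the two captures posted in this thread.
FIREWALL_RUNNING = """\
[1596] Process connect to 2703 -> 64.202.105.103:80 (outgoing)
[1032] *OnEndOfRequest for http://mozilla.mirrors.hoobly.com/firefox/releases/1.0/win32/en-US/Firefox%20Setup%201.0.exe
[1032] Writing rest of data - body
[EEF94849] Bad MDL diagnostic 90: 1: 00040110-81654000-0003C09A-00000000 [81EA91B0]
[1032] Everything OK
[1032] *OnEndOfRequest - returning 134217730
[1596] [EEF94849] Bad MDL diagnostic 90: 1: 00040110-81654000-0003C09A-00000000 [81EA91B0]
"""
FIREWALL_SHUT_DOWN = """\
[1032] *OnEndOfRequest for http://ftp-mozilla.netscape.com/pub/mozilla.org/firefox/releases/1.0/win32/en-US/Firefox%20Setup%201.0.exe
[1032] Writing rest of data - body
!dbg no buffer: EEF93290<-EEF94849 ebp:EE2299B0
[1032] Everything OK
[1032] *OnEndOfRequest - returning 134217730
[1032] *OnEndOfRequest for http://forum.avast.com/index.php?action=post;topic=11318.15;num_replies=22
[1032] Writing rest of data - body
[1032] Everything OK
[1032] *OnEndOfRequest - returning 134217730
"""
PID_NAMES = {1596: "outpost.exe"}  # PID-to-name mapping from Task Manager, as reported in the thread


def walk(capture):
    """Yield (pid or None, message, URL of the request in flight) for each line."""
    url = None
    for line in filter(None, map(str.strip, capture.splitlines())):
        m = PID_LINE.match(line)
        pid, msg = (int(m.group(1)), m.group(2)) if m else (None, line)
        if pid is not None:
            start = REQ_START.match(msg)
            if start:
                url = start.group(1)
        yield pid, msg, url
        if pid is not None and REQ_END.match(msg):
            url = None


def tag_owners(capture):
    """Map the hex tag of each PID-prefixed '[XXXXXXXX] ...' line to that PID."""
    owners = {}
    for pid, msg, _ in walk(capture):
        if pid is not None and re.match(r"^\[[0-9A-F]{8}\]", msg):
            owners.setdefault(msg[1:9], pid)
    return owners


def unattributed(capture, owners):
    """Lines with no PID prefix: (URL in flight, line, suspected process or None)."""
    found = []
    for pid, msg, url in walk(capture):
        if pid is None:
            # Assumption: a hex value shared with an attributed line points at the same source.
            hit = next((owners[h] for h in HEX8.findall(msg) if h in owners), None)
            found.append((url, msg, PID_NAMES.get(hit)))
    return found


if __name__ == "__main__":
    owners = tag_owners(FIREWALL_RUNNING)
    for capture in (FIREWALL_RUNNING, FIREWALL_SHUT_DOWN):
        print(unattributed(capture, owners))
```

In both samples the only line without a PID falls inside the body write of the large download, and the second sample contains no line from PID 1596 at all.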
-
Hi *,
seems like Outpost is the problem, even if it is "shut down", what is quite strange in my eyes :(
I'll try out tomorrow evening again (if I will have hopefully the time), since it is now time to go to bed, and I should be in office tomorrow.
Thanks for your help today!!
Greetings
Sgt. Schumann
-
Good night, and thanks for your help. Hopefully we'll find a solution. :)
Cheers Vlk
-
Sgt.Schumann,
I agree with Vlk on this one completely. I'd uninstall that old version of OP, reboot and give it another try. I expect that it will work then.
I highly recommend the latest OutPost Pro v2.5. I use it with Avast v4.6.603 with no problems (actually better than v4.5!) If you can't flip the cash after 30 days, I'd suggest using some other free fire wall (sorry Agnitum :-[) since OP version 1.x just doesn't cut it in my book these days.
Have a good night and better luck tomorrow!
-
Thank you all,
indeed the old Outpost version is the problem, even if it is "shut down" and no more processes "seem" to run (thanks Vlk).
The bad guy is the "FILNTNT.SYS". Apparently the kernel-driver.
When I rename this guy, I get an error message at startup, but when I "shutdown Outpost" afterwards, the "download-problem" is not existing anymore. Nice to know!!
Thank you (especially Vlk)!!!
But still I now have to consider whether to deinstall Outpost (WebShield enabled) or not (WebShield disabled)...
-
Well WebShield is a pretty standard network application so if your Outpost is having problems with this program, it may interfere with others as well... Hence, I'd probably recommend something else (there's a number of nice free alternatives).
Thanks
Vlk
-
Thank you for your great support.
Tomorrow I will probably kill that Outpost-Thing...
-
Good night :)
-
Now I deinstalled Outpost from my machine.
No more errors occur with enabled WebShield. :)
Since the need of a Personal-Firewall behind a router is indeed questionable, I will now do without a PFW.
-
Since the need of a Personal-Firewall behind a router is indeed questionable, I will now do without a PFW.
Unless your router provides outbound protection, I would suggest that you still need some form of protection.
-
What do you recommend?
Some background information:
I am only using Mozilla and Firefox as browser.
Mozilla is also my mail-client.
IE is "disabled" cause I told him to use a non-existent proxy (localhost, port 4711).
I am sitting behind a router.
Outpost (now deinstalled) was only configured for looking at outbound traffic (because of the router).
-
If you want it free, I'd suggest Kerio Personal Firewall http://www.kerio.com/kpf_home.html .
Not only that I know the folks that programmed it (they're based over here in Pilsen) but it's also quite stable fw IMHO...
Cheers
Vlk
-
Thanks for the recommendation.
I am currently asking myself, if I really need a Personal-Firewall, because I am behind a router. Of course, the outbound connections are not "controlled" (as good as a software running on the -to be protected- system can do that) but since I am quite familiar with things going on on my machine and I do not doubleclick anything that is not fast enough to take flight, IMHO I can do without a PFW.
Please correct me, if I am wrong!!
For my girl friends machine, I hardly have to reconsider what I am doing ;)
-
You don't have to double click on something to have it loaded in the background, there are methods say downloading a useful tool, etc. and get an unknown present and since you authorised the initial download, it too will get a free ride through - now it wants to call home - what is to stop it?
Simply visiting some pages could be enough to get an unwelcome present. Trojans get past firewalls as is proven by the detection of many, those that are undetected (1st day ,etc.) could then be free to call home with your details taken from a keylogger, etc.
The overhead of having a software firewall and router is negligible but the additional protection IMO easily outweighs this overhead.
-
Not only that I know the folks that programmed it (they're based over here in Pilsen) but it's also quite stable fw IMHO...
*****ignore my comedic - but true break*****
Pilsen .... The best beer on Earth is made there ;D
(you'll have to guess)
*****
Kerio has been working fine and dandy for me - before and after Avast 4.6
-
If I can add anything to this topic: when I have WebShield on, I can't access the internet at all in either IE or Firefox, BUT I can use AIM and a few other apps.
And I'm using the latest version of Outpost.
-
Pilsen .... The best beer on Earth is made there
Really, they're based in Pilsen. It's a city about 60 miles from Prague :)
And sure, the beer is named after the city (and is very good :)) http://www.pilsnerurquell.us/
But some people here prefer Budweiser (not the American one - the original one :)) which is brewed in Budweis - about 70 miles from Pilsen. :) http://www.budvar.cz
rdf3,
If I can add anything to this topic: when I have WebShield on, I can't access the internet at all in either IE or Firefox, BUT I can use AIM and a few other apps.
And I'm using the latest version of Outpost.
Has Outpost asked you for permissions for ashWebSv.exe? If not, something's wrong. You need to tell Outpost to allow this process outbound HTTP (port 80) access to the Internet. Strangely enough, Outpost sometimes fails to ask... :-\
Thanks
Vlk
-
Pilsen .... The best beer on Earth is made there
Really, they're based in Pilsen. It's a city about 60 miles from Prague :)
And sure, the beer is named after the city (and is very good :)) http://www.pilsnerurquell.us/
But some people here prefer Budweiser (not the American one - the original one :)) which is brewed in Budweis - about 70 miles from Pilsen. :) http://www.budvar.cz
So that was real challenging ;D :P Pilsner Urquell is one of my top beers. ;)
-
And you're not alone! PilsenU. is favourite among the whole AV community ;D
See http://www2.asw.cz/akce/02/mvi/mvi2.htm , picture p7140033.jpg for a proof ;D
-
I'm going to assume everyone had their own personal recycling crate like that... right ? ::) :D
-
Sure, sure, that one was my personal... and the evening hasn't even started yet! ;D
-
And you're not alone! PilsenU. is favourite among the whole AV community ;D
See http://www2.asw.cz/akce/02/mvi/mvi2.htm , picture p7140033.jpg for a proof ;D
Visit the region where I live (highest density of breweries worldwide) and you will probably reconsider 8)