Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Dinobot2 on October 28, 2021, 02:12:14 AM

Title: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 28, 2021, 02:12:14 AM
Hi everyone, I was hoping I could get some insight on this peculiar setting with regards to Avast. It may not be something with Avast specifically but just Windows in general, but I thought I would ask here since I only see this happening with Avast. Also, any of the hyperlinks are just to imgur with relevant screenshots.

Background: I re-installed Avast recently, and after doing so I curiously checked to see if it was added to Allowed Apps (https://i.imgur.com/utvxmIk.png) to communicate through Windows Defender Firewall* and it was as you can see (I inadvertently removed it from this list somehow while messing around with Defender settings, which is why I re-installed to put it back in there). I also checked the Advanced Security settings to see the Inbound and Outbound rules, what I noticed was that Avast was added to the inbound rules, but it was set to Block (https://i.imgur.com/M8hnfGE.png). I set both TCP and UDP to Allow (https://i.imgur.com/XBBdQkq.png) so that it could match the other inbound rules that are already added.

Since it was set to 'Block' on its own, my question is was this something by design that Windows and/or Avast set upon install by default? Or was this an error somewhere that took place and it should have been set as "Allow" but wasn't?

I also assumed that it should be on "Allow" so that Avast can make inbound/outbound connections so that software and definition updates can take place, but during the two or three days it was set to "Block" in the advanced settings, it appeared to be working properly, and having set to "Allow" hasn't appeared to have really changed much (yet). Does that mean I should keep it on 'Block', change to 'Allow', or does this not really make a difference in the end?

Any insight or feedback is appreciated!
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Asyn on October 29, 2021, 04:48:52 PM
Please attach your screenshot(s), some of us don't follow external links. ;)
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 29, 2021, 10:34:13 PM
I can't attach on a reply or even when I edit my previous message. Plus they're hyperlinked in the message so that the context makes sense, as opposed to attaching them separately out of context.

I know that some people like to be cautious with external links, but it's Imgur, you will all be fine. You can even hover over the hyperlink before clicking it to make sure it's good.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: DavidR on October 29, 2021, 11:00:49 PM
How do you think Asyn attached his image to his reply?

Below the text input Reply window, click the + Attachments and other options. This expands to allow the upload of images.

You can use the Attach: section
Use the Browse... button to browse your system for the image you created (presumably on your system).

Most won't visit an unknown 3rd party site to view unknown content.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 29, 2021, 11:04:51 PM
I'm stupid. Now attached, should be in order of where they're linked in my original post.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: DavidR on October 30, 2021, 12:49:31 AM
Quote from: Dinobot2 on October 29, 2021, 11:04:51 PM
> I'm stupid. Now attached, should be in order of where they're linked in my original post.

Just takes a little to get used to it :)

That said, I can't recall ever having made any changes to the default Windows 10 firewall for Avast.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 30, 2021, 05:37:44 PM
Would you be able to check and see what it's set to, since you haven't changed it?
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: DavidR on October 30, 2021, 06:10:54 PM
I have checked and AvastUI is there, as are a few of my other programs that I haven't added. There are a number of other functions and/or programs that I don't have or have used.

I had a very swift skim through and didn't notice any other Avast Executables, though there are some functions that might be related, but I certainly didn't include them.

So it looks like it comes with a default population of known programs/functions.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 30, 2021, 07:06:40 PM
Oh that's not the part I'm talking about. If you search "Windows Defender Firewall with Advanced Security", in the Cortana search, open that up, and click "Inbound Rules" on the left side, and see "Avast UI" for both TCP and UDP (should be closer to the top since it's in alphabetical order), do you have green checkmarks with "Allow" under the Action column, or the Red prohibition circle with "Block" under the Action column?
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: DavidR on October 30, 2021, 10:49:38 PM
Since I said I haven't made any changes to the Windows Defender Firewall and avast functions perfectly. 
I disabled Cortana, very shortly after getting win10, I would love to have been able to completely get rid of it.

I can however get to the "Windows Defender Firewall with Advanced Security" and Inbound rules for aren't enabled (and it still manages to function). There are Zero entries for Avast in Outbound rules, and it too functions.

The Web Shield and the Mail Shield (plus other functions) have outbound and inbound function requirements and they don't use the AvastUI.exe to do that.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 30, 2021, 11:12:38 PM
It's just weird because Avast is the only program that has an Inbound rule created with it being "Blocked", so I don't know what the purpose of even creating a rule would be, or how Avast is able to function with it being Blocked instead of Allowed. Perhaps Avast is able to open a port another way without creating a Windows Defender exception?
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: DavidR on October 31, 2021, 01:28:36 AM
Quote from: Dinobot2 on October 30, 2021, 11:12:38 PM
> It's just weird because Avast is the only program that has an Inbound rule created with it being "Blocked", so I don't know what the purpose of even creating a rule would be, or how Avast is able to function with it being Blocked instead of Allowed. Perhaps Avast is able to open a port another way without creating a Windows Defender exception?

To start with, those blocks are based on TCP and UDP; I'm not entirely sure if the AvastUI uses those, and why would this be blocked and not other Avast functions/connections?  https://www.howtogeek.com/190014/htg-explains-what-is-the-difference-between-tcp-and-udp/
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 31, 2021, 01:38:43 AM
So I guess my question now is: is me manually allowing the UDP/TCP connections under those rules (Like I did, as per my screenshots) going to cause any problems? Or does it not make any difference?

Perhaps I'm misinterpreting what you said, but it sounds like what you're saying is that allowing those connections in the firewall rules won't make a difference since Avast UI wasn't using those protocols to communicate, get definitions updates, etc. because they are doing it another way. It would be like giving someone a key to the front door to get into my house when they previously didn't have one, but because they were already using the side door, giving them a key to the front door is useless. Am I correct, or am I way off?
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: DavidR on October 31, 2021, 01:58:31 AM
Quote from: Dinobot2 on October 31, 2021, 01:38:43 AM
> So I guess my question now is: is me manually allowing the UDP/TCP connections under those rules (Like I did, as per my screenshots) going to cause any problems? Or does it not make any difference?
>
> Perhaps I'm misinterpreting what you said, but it sounds like what you're saying is that allowing those connections in the firewall rules won't make a difference since Avast UI wasn't using those protocols to communicate, get definitions updates, etc. because they are doing it another way. It would be like giving someone a key to the front door to get into my house when they previously didn't have one, but because they were already using the side door, giving them a key to the front door is useless. Am I correct, or am I way off?

1.  Given as mine doesn't have any problem, it certainly shouldn't make any differences. 

2.  Not way off - Yes that is pretty much my thinking if they are currently blocked and no errors given for avast using UDP or TCP by the firewall.  Yes don't give anyone a key who doesn't absolutely need one (front door or other).  Even if they have a need they ring the bell (firewall notification) and you choose to allow entry or not.

More general information:  The Windows firewall is pretty basic, I guess it has a lot of default actions based on a so called white list of programs, and things they may be likely to do.  But if you take a look in the Task Manager and see just how many different functions possibly requiring connections, there doesn't appear to be any other Avast processes in the list.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 31, 2021, 02:14:51 AM
I should be more specific: is there any detriment to allowing the TCP/UDP inbound connections. Yours isn't having any issues but yours is still on Block, as per the default. I want to make sure having it on Allow won't cause any issues, whether it is functional issues or other security issues. It seems like your answer in your second point means that giving Avast the Allow function in the advanced settings isn't dangerous or bad, it's just functionally useless (hence the giving a friend I trust a key to the door they don't need since they're already using the other door) and thus won't cause any problems.

You mentioned the taskbar processes, so I attached a screenshot of all the Avast-related task background processes for shits and gigs, if maybe this provides any other insight.

Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Scott503 on October 31, 2021, 02:26:16 AM
Quote from: Dinobot2 on October 31, 2021, 02:14:51 AM
> I should be more specific: is there any detriment to allowing the TCP/UDP inbound connections. Yours isn't having any issues but yours is still on Block, as per the default. I want to make sure having it on Allow won't cause any issues, whether it is functional issues or other security issues. It seems like your answer in your second point means that giving Avast the Allow function in the advanced settings isn't dangerous or bad, it's just functionally useless (hence the giving a friend I trust a key to the door they don't need since they're already using the other door) and thus won't cause any problems.
>
> You mentioned the taskbar processes, so I attached a screenshot of all the Avast-related task background processes for shits and gigs, if maybe this provides any other insight.

I'd leave those alone; even Windows Defender UI has those blocked by default.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 31, 2021, 02:31:11 AM
By leave them alone, you mean change them back to Block? (currently on Allow. Nothing else in the settings for those were changed, however).
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Scott503 on October 31, 2021, 02:34:12 AM
Quote from: Dinobot2 on October 31, 2021, 02:31:11 AM
> By leave them alone, you mean change them back to Block? (currently on Allow. Nothing else in the settings for those were changed, however).

Yep, AvastUI doesn't use them, and having them on Allow could make you more vulnerable. The only time you ever change Firewall settings is when it's absolutely necessary.
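
An added example (not part of the thread and not Avast's or Microsoft's own code): a PowerShell check, run from an elevated prompt, of the inbound rules discussed above and of whether the program is listening at all. An inbound rule only governs unsolicited incoming connections, so a program that opens its own outbound connections keeps working with its inbound rules on Block. The display-name pattern `Avast*` and the process name `AvastUI` are assumptions based on the names used in the thread.

```powershell
# Assumption: the rules' display names start with "Avast" (the thread shows "Avast UI").
$namePattern = 'Avast*'

# Collect every inbound rule matching the pattern, with its protocol and program path.
$report = Get-NetFirewallRule -DisplayName $namePattern -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name        = $_.Name          # unique rule ID, used for changes below
            DisplayName = $_.DisplayName
            Enabled     = $_.Enabled
            Action      = $_.Action        # Allow or Block
            Profile     = $_.Profile
            Protocol    = $port.Protocol   # TCP / UDP / Any
            LocalPort   = $port.LocalPort
            Program     = $app.Program
        }
    }
$report | Format-Table DisplayName, Enabled, Action, Protocol, LocalPort, Program -AutoSize

# Rules that are enabled and set to Allow, i.e. changed from the Block seen after install.
$allowed = @($report | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
foreach ($rule in $allowed) {
    # -WhatIf only prints what would change; remove it to actually restore Block.
    Set-NetFirewallRule -Name $rule.Name -Action Block -WhatIf
}

# An inbound Allow rule only matters if the program accepts incoming connections.
# Assumption: the UI process is named AvastUI (AvastUI.exe is named in the thread).
$procIds = @(Get-Process -Name 'AvastUI' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Id)
if ($procIds.Count -gt 0) {
    Get-NetTCPConnection -State Listen -OwningProcess $procIds -ErrorAction SilentlyContinue |
        Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
    Get-NetUDPEndpoint -OwningProcess $procIds -ErrorAction SilentlyContinue |
        Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
} else {
    Write-Output 'No AvastUI process is running.'
}
```
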
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 31, 2021, 02:38:13 AM
Will do, Thanks!

Another stupid question though: if Avast doesn't use TCP or UDP, what do they use? Googling "what protocols does Avast use" didn't give me any answer.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Scott503 on October 31, 2021, 02:23:49 AM
Quote from: Dinobot2 on October 31, 2021, 02:38:13 AM
> Will do, Thanks!
>
> Another stupid question though: if Avast doesn't use TCP or UDP, what do they use? Googling "what protocols does Avast use" didn't give me any answer.

Not sure but generally AV companies don't usually make the protocols they use public for obvious reasons. Or at least I haven't heard of any doing that.

But definitely some form of encrypted communication.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Dinobot2 on October 31, 2021, 02:38:06 AM
Someone on the WindowsHelp subreddit (I know I know, like saying "my friend's cousin's neighbour's coworker", so take with a grain of salt I guess) said that it's likely Avast is acting as a "service hooked deep into Windows" if it's able to function without TCP/UDP connections allowed. Does that mean it's basically being treated like a Windows service/process instead of a third party app? For example, Avast is recognized by Windows Security as the core antivirus software that overrides the Windows Defender Antivirus, so maybe it's being treated as "part of Windows" that connection through the firewall through TCP/UDP isn't necessary for that reason?

I admit this is all just speculation and banter on my end, but one piece of information leads to another set of questions, etc.
Title: Re: Avast Antivirus inbound 'rules' in Windows Defender Firewall setting
Post by: Scott503 on October 31, 2021, 02:40:55 AM
Quote from: Dinobot2 on October 31, 2021, 02:38:06 AM
> Someone on the WindowsHelp subreddit (I know I know, like saying "my friend's cousin's neighbour's coworker", so take with a grain of salt I guess) said that it's likely Avast is acting as a "service hooked deep into Windows" if it's able to function without TCP/UDP connections allowed. Does that mean it's basically being treated like a Windows service/process instead of a third party app? For example, Avast is recognized by Windows Security as the core antivirus software that overrides the Windows Defender Antivirus, so maybe it's being treated as "part of Windows" that connection through the firewall through TCP/UDP isn't necessary for that reason?
>
> I admit this is all just speculation and banter on my end, but one piece of information leads to another set of questions, etc.

Or it's also possible it unblocks itself when it needs to and then puts the block back on when it's done doing what it had to do.

But yes it's possible it's using WSUS to get through the firewall.