Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ilker on September 23, 2010, 08:31:57 AM

Title: I need help understanding AIS Firewall working mechanism
Post by: ilker on September 23, 2010, 08:31:57 AM
Hello everybody,

Thanks to GakunGak ( http://www.youtube.com/watch?v=GxG1RwUeo38 ) for the special test (you can download this test from: http://loombo.com/sy3ae3lc6fsz) that I requested, and he did it. He reviews software on YouTube. I wanted to see what would happen if we paused all shields except the Behavior Shield and the firewall. As you will see in the test, there is no prompt from the AIS Firewall or the Behavior Shield during the test. The machine was infected and I strongly believe that the infections were opening connections to the outside. The firewall acted like Windows Firewall. I am not sure if the firewall protected or not. Can you please help me understand why AIS didn't show any firewall alert? (By the way, I would like to have a behavior shield like ThreatFire and Norton's SONAR.)

 Thank you

 ilker
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: DavidR on September 23, 2010, 12:45:08 PM
I fail to see the validity of such tests where you cripple the security to run a test to prove a point in what is not a standard installation. The suite is integrated to provide overall protection; the firewall isn't designed to be a stand-alone application.

If this tester was also using a 64-bit OS for this pseudo-test, then currently the behaviour shield, whilst running, has no 64-bit rules/filters, so if you are testing behavioural blocking it is as much use as a chocolate ashtray. Avast 5.1 is, as far as I'm aware, going to include 64-bit rules and more for the 32-bit OSes.

I don't use the suite, so I can't say how the outbound checking occurs in the firewall component of the suite.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: ilker on September 23, 2010, 03:24:33 PM
I know; in a normal installation I install everything and there is no reason to do the opposite. This was a special test to see if avast would give a firewall alert and what the alert looks like. If all the shields were enabled, avast would not let the PC get infected. I didn't mean that it could not protect the PC, because I already wanted this. I ask: why did avast not show any alert and instead give them automatic access? If you know the answer please write it here instead of criticizing the validity of the test.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: MasterTB on September 23, 2010, 03:42:32 PM
If you want to see notifications of programs connecting to the web, set the firewall to "Ask" and you'll see a ton of pop-ups.
Of course you have to agree or deny to them.

Martin.-
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: ImWarm on September 23, 2010, 09:04:02 PM
The firewall in AIS is mainly to prevent identity theft, I believe. Its main purpose is to block hacker attacks and prevent sensitive data from leaving your computer. It also blocks exploits. So I don't think it deals with malware. Network-based attacks are blocked by the Network Shield. Normal malware is covered by the other shields (like the File System Shield and Web Shield). I'm not too sure about the Behavior Shield; it's in development.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: ilker on September 24, 2010, 08:20:21 AM
If you want to see notifications of programs connecting to the web, set the firewall to "Ask" and you'll see a ton of pop-ups.
Of course you have to agree or deny to them.

Martin.-
Thank you for answer
The firewall in AIS is mainly to prevent identity theft, I believe. Its main purpose is to block hacker attacks and prevent sensitive data from leaving your computer. It also blocks exploits. So I don't think it deals with malware. Network-based attacks are blocked by the Network Shield. Normal malware is covered by the other shields (like the File System Shield and Web Shield). I'm not too sure about the Behavior Shield; it's in development.

I agree with you. I guess it is designed to stealth ports and block attacks coming from the net. I would like to see a reply from the avast team, if this is a support forum.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: lukor on September 24, 2010, 10:25:08 AM
Hi Ilker,

Avast Firewall is not a standalone product. It works as a team with the antivirus and other shields. Yet you are right, other shields can be turned off. Let's analyze the test then.

This is how I see it: you (the tester) deliberately downloaded some program from the Internet. Antivirus shields are off, so we must assume this is not a virus; also we can see that the user downloaded the application by clicking on the link, it was not a browser hijack, exploit, drive-by download, etc., and then the user executed the downloaded program. Since it is not a virus and the firewall is configured not to ask, I assume it is pretty correct to let the program start and configure the rules for it. Next time, if the user is not satisfied, he can modify the rules and limit the network access for this specific new software he has just downloaded, if he wants.

If the user wants to be in control of every newly started program, there is an option to switch the firewall to the "ASK" mode, which might make sense after some time, when most of the frequently used programs are already configured and the potential hassle of being asked too much is smaller.

Lukas.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: Hermite15 on September 24, 2010, 11:50:18 AM
yeah, a firewall is not an anti-malware tool: there's a difference between something installed silently and attempting to connect and something you deliberately downloaded while the firewall was set on auto-decide, and will obviously allow an outbound connection later on for the application. Comodo does the same.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: ilker on September 24, 2010, 01:27:35 PM
Hi Ilker,

Avast Firewall is not a standalone product. It works as a team with the antivirus and other shields. Yet you are right, other shields can be turned off. Let's analyze the test then.

This is how I see it: you (the tester) deliberately downloaded some program from the Internet. Antivirus shields are off, so we must assume this is not a virus; also we can see that the user downloaded the application by clicking on the link, it was not a browser hijack, exploit, drive-by download, etc., and then the user executed the downloaded program. Since it is not a virus and the firewall is configured not to ask, I assume it is pretty correct to let the program start and configure the rules for it. Next time, if the user is not satisfied, he can modify the rules and limit the network access for this specific new software he has just downloaded, if he wants.

If the user wants to be in control of every newly started program, there is an option to switch the firewall to the "ASK" mode, which might make sense after some time, when most of the frequently used programs are already configured and the potential hassle of being asked too much is smaller.

Lukas.

 Thank you very much for your explanation.

 Best Regards,

 ilker
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: GakunGak on September 24, 2010, 01:56:26 PM
Hello, forum.
It was me who did the test. I got a request to do a test with specific instructions.
And so I did. The OS was Windows XP SP3 32-bit with 512 MB RAM. I am NOT a professional tester but I do tests; I just recently started recording them. What I do is take the default settings after install and try not to change anything, but because of the request I did disable components of Avast.
You have seen the video, and since avast was on automatic mode, how did avast handle requests to the internet? Did it automatically allow or reject them from an unknown program?
I did not put this video on YouTube because the test is not fair to others, as its components got disabled. I will test avast very soon with default settings and all components enabled by default, and after the round of default installations passes for all products, a new round will begin with the maximum settings possible.

My respect to all of you,
GakunGak  :)
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: GloobyGoob on September 28, 2010, 01:29:49 AM
Antivirus shields are off, so we must assume this is not a virus; also we can see that the user downloaded the application by clicking on the link, it was not a browser hijack, exploit, drive-by download, etc., and then the user executed the downloaded program. Since it is not a virus and the firewall is configured not to ask, I assume it is pretty correct to let the program start and configure the rules for it.

Hi, Tech brought up an interesting point in his other thread:
 
Seems that only 'infected' files are blocked (by the antivirus) and not by the firewall. Seems that outbound protection is decided by the antivirus and not by the firewall (or user).

Lukas, does this mean that the avast Firewall depends on the antivirus for outbound protection?
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: Lisandro on September 28, 2010, 02:54:12 AM
Lukas, does this mean that the avast Firewall depends on the antivirus for outbound protection?
Good point.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: lukor on October 01, 2010, 02:51:53 PM
Lukas, does this mean that the avast Firewall depends on the antivirus for outbound protection?
Good point.

Hi, indeed, when checking if some specific executable is malware or not before allowing its traffic or blocking it, the firewall depends on the antivirus. Duplicating such features in the firewall itself wouldn't make any sense. However the firewall has also its own whitelist and blacklist that helps the "auto-decide" routine to create the rules.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: ilker on October 01, 2010, 03:15:12 PM
As I understand it, let's say there is a file that wants to connect to the internet; the avast firewall will check the white/black list and consult the avast antivirus and Behavior Shield. If everything is okay, it will create a rule and allow access. But if we discover that the file is malicious, we can block the access manually.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: Lisandro on October 01, 2010, 03:17:59 PM
Duplicating such features in the firewall itself wouldn't make any sense.
You're supposing people are using the avast antivirus always, or, in other words, the firewall is not standalone.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: MAG on October 01, 2010, 05:35:00 PM

Hi, indeed, when checking if some specific executable is malware or not before allowing its traffic or blocking it, the firewall depends on the antivirus. Duplicating such features in the firewall itself wouldn't make any sense. However the firewall has also its own whitelist and blacklist that helps the "auto-decide" routine to create the rules.

In which case, if the malware isn't detected by avast antivirus, isn't the AIS outbound firewall bound to let it connect (and so is there any point in having an outbound firewall unless it is set to "Ask")?
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: Lisandro on October 01, 2010, 05:37:59 PM
In which case, if the malware isn't detected by avast antivirus, isn't the AIS outbound firewall bound to let it connect (and so is there any point in having an outbound firewall unless it is set to "Ask")?
Very good point.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: ImWarm on October 02, 2010, 12:23:45 AM
Avast documentation states that the firewall uses heuristics as well as the blacklist/whitelist. Is this true?

And also, what if the antivirus does not detect a malicious program? Isn't the purpose of a firewall to block a threat if the AV misses it? ??? (speaking about outbound protection, not inbound)

Edit: I read more carefully and found this:
Hi, indeed, when checking if some specific executable is malware or not before allowing its traffic or blocking it, the firewall depends on the antivirus.

By this do you mean that the antivirus checks it before the firewall analyzes it? Sorry, it is kind of unclear to me.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: Lisandro on October 02, 2010, 03:11:09 AM
I'm very interested in this thread... Seems we're knowing better how the firewall works.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: MasterTB on October 02, 2010, 11:31:11 PM
See?
All of these reasons are why I set the firewall to ask.
Because even if a file is declared "clean" by the AV and it is not on the firewalls black list that is not reason for it to connect to the internet, because, YOU -the user- might not want it to.
For instance: I use Opera to browse the web and as a mail client (Opera has M2), and it has the Unite services which right now I'm not using, so why would I want the firewall to give Opera the broadest "all connections" status?
I wouldn't, because on my PC it doesn't need it. That is why I set it to ask and grant only the access I want.
Of course that means dealing with pop-ups and having to learn how the firewall works, BUT if somehow I ever download malware and the AV misses it, it won't be able to automatically connect to the web.
Just a thought.

Martin.-
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: Lisandro on October 02, 2010, 11:42:43 PM
I have my firewall on 'ask' too :)
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: Jon_T on October 03, 2010, 01:20:10 AM
I'm very interested in this thread... Seems we're knowing better how the firewall works.
Especially since the current available avast! documentation really does not provide detailed information on all the firewall's settings/options.

Comments here so far confirmed some of my thoughts/understandings on the avast! Firewall, i.e., the avast! Firewall's "heuristic and behavioral analysis protection" is from avast! AV. Keeping in mind that AIS is a "suite", Lukas' comment "...the firewall depends on the antivirus. Duplicating such features in the firewall itself wouldn't make any sense" comes to me as no big surprise, and is one of the reasons I've never been too keen on relying upon a single "suite" security solution. If some malicious malware should be able to shut down or compromise the avast! AV engine, it could severely limit AIS protection. At my office there have been several times (different times/employees) that a malware was able to shut down, or severely limit, avast! Pro 4.8 operations (i.e., run a scan, update, etc.).

Hence until I'm 100% confident in AIS Firewall's settings/options level of protection, I'll continue using the layered (separate AV/Spyware, Malware and Firewall) approach to protection as noted in my signature.

BTW would like to note that in the avast! AIS Features (http://www.avast.com/internet-security#tab2), as it is currently written I can see why one would read as if the Firewall has its own heuristic and behavioral analysis:
Additional protection

Silent Firewall
The firewall enables you to control incoming and outgoing traffic from your computer. Protection is based on heuristic and behavioral analysis, and a white list of known safe applications. There are three network settings which can be changed depending on the type of connection.

Title: Re: I need help understanding AIS Firewall working mechanism
Post by: Lisandro on October 03, 2010, 04:12:14 AM
Time to improve the firewall and get it a little bit more independent of the antivirus.
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: lukor on October 10, 2010, 07:13:18 PM
Hi guys,

The firewall is a part of the suite, which includes an antivirus. During the process of allowing an unknown application it uses its own module, which does the heuristics checks, consults a whitelist and blacklist and then returns either allow or deny and the rule to be used. This module is independent of other avast! antivirus modules, is written especially for the firewall, and is currently used solely by the firewall - even though I don't see any special benefit from that fact - and if similar features would be of any use to other components of the suite, they would surely be reused. On the other hand, this module does not check whether the application in question is clean from viral infection or not.

As stated in the original post on this thread, there was a test done with some malware samples which the avast! firewall let connect. You would probably like to see some features in the firewall that would supplement the antivirus and provide 100% zero-day protection against such threats, but as I said in my reply, there are no such features that would check for malware in the sample, and if the antivirus had no objections - as it was turned off - we must assume that the application in question was clean from any infection and the firewall should decide accordingly. Also there is currently no such super-huge whitelist on which every allowed application must be found. Some other firewall suites use this approach, but we thought that having indexed all available applications on the Internet is beyond our reach and that the number of unknown-app popups would simply be too large. The whitelist is there, there are metadata and rules that can be retrieved from the list for many apps, but the firewall allows connections for apps not on the whitelist as well.

The heuristics used during the decision process are part of the VPS virus package and can be improved over time, and we will surely do that - but currently I believe that, most of the time, unless the user wants to override the default behavior by his own decision and it's not malware, most programs might need internet access for their normal activity and that is their normal state. Nothing that the average user should be alerted about.

On the other hand I totally agree that there is a lot to improve in the automatic rule creation process. There is no doubt about that.

Lukas.
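The decision flow Lukas describes here and in his earlier reply (existing per-application rules, the firewall's own whitelist and blacklist, the antivirus verdict, and the difference between auto-decide and "Ask" mode) can be sketched as a small model. This is an added example written for this page, not Avast's code; the executables, hashes, list contents and antivirus verdicts are constructed, and the exact ordering of the checks is an assumption drawn from the thread. It reproduces the situation the thread turns on: in auto-decide mode an unknown program that the antivirus does not flag (or cannot flag, because it is off) gets a rule and connects without a prompt, while "Ask" mode hands that decision to the user.

```python
"""
Illustrative model of an outbound-firewall "auto-decide" routine.
Added example for this forum page, not Avast's code: lists, hashes,
verdicts and check ordering are constructed/assumed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    AUTO_DECIDE = "auto-decide"   # rules are created silently
    ASK = "ask"                   # every new program is put to the user


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK_USER = "ask-user"


@dataclass(frozen=True)
class App:
    path: str
    sha256: str  # file hash used as the identity for list and rule lookups


def identify(path: str, content: bytes) -> App:
    """Build an App record from the executable's bytes (the hash is the lookup key)."""
    return App(path=path, sha256=hashlib.sha256(content).hexdigest())


# Constructed sample executables: distinct byte strings, not real programs.
BROWSER = identify(r"C:\Program Files\Browser\browser.exe", b"constructed browser image")
DOWNLOADER = identify(r"C:\Temp\downloader.exe", b"constructed known-bad image")
UNKNOWN = identify(r"C:\Users\tester\Desktop\setup.exe", b"constructed unknown image")

# Constructed firewall lists; in a real suite these ship as vendor metadata.
WHITELIST = {BROWSER.sha256: "known browser"}
BLACKLIST = {DOWNLOADER.sha256: "known-bad downloader"}


def decide(app: App, mode: Mode, av_enabled: bool, av_detections: set[str],
           rules: dict[str, Decision] | None = None) -> tuple[Decision, str]:
    """Return (decision, reason) for an app that wants an outbound connection."""
    rules = rules or {}
    # 1. A per-application rule created earlier (possibly edited by the user) wins.
    if app.sha256 in rules:
        return rules[app.sha256], "existing rule"
    # 2. Known-bad applications are denied in every mode.
    if app.sha256 in BLACKLIST:
        return Decision.DENY, f"blacklist: {BLACKLIST[app.sha256]}"
    # 3. In "Ask" mode every new program is left to the user.
    if mode is Mode.ASK:
        return Decision.ASK_USER, "unknown program, user decides"
    # 4. Auto-decide: whitelist metadata first, then the antivirus verdict.
    if app.sha256 in WHITELIST:
        return Decision.ALLOW, f"whitelist: {WHITELIST[app.sha256]}"
    if av_enabled and app.sha256 in av_detections:
        return Decision.DENY, "antivirus flagged the executable"
    # The firewall module itself does not scan for infection, so with no
    # objection from the antivirus the program is treated as clean and a
    # rule allowing it is created. This is the gap discussed in the thread.
    return Decision.ALLOW, "auto-decide: no detection, rule created"


def thread_scenarios() -> dict[str, str]:
    """The situations discussed in the thread, as a decision table."""
    detected = {UNKNOWN.sha256}  # pretend the AV would flag setup.exe when enabled
    user_block = {UNKNOWN.sha256: Decision.DENY}  # rule edited by the user afterwards
    cases = {
        "test: AV off, auto-decide, unknown": decide(UNKNOWN, Mode.AUTO_DECIDE, False, detected),
        "AV on and detects, auto-decide": decide(UNKNOWN, Mode.AUTO_DECIDE, True, detected),
        "AV misses it, auto-decide": decide(UNKNOWN, Mode.AUTO_DECIDE, True, set()),
        "AV misses it, ask mode": decide(UNKNOWN, Mode.ASK, True, set()),
        "blacklisted, auto-decide, AV off": decide(DOWNLOADER, Mode.AUTO_DECIDE, False, set()),
        "user blocked it manually": decide(UNKNOWN, Mode.AUTO_DECIDE, False, set(), user_block),
    }
    return {label: outcome.value for label, (outcome, _reason) in cases.items()}


if __name__ == "__main__":
    for label, outcome in thread_scenarios().items():
        print(f"{label:38s} -> {outcome}")
```

Running the table shows why several posters settle on "Ask": it is the only mode in which an undetected sample is stopped before its first connection, at the cost of the prompts MasterTB describes. The `rules` parameter models Lukas' point that an auto-created rule can be edited afterwards to cut off a program the user later decides is unwanted.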

Title: Re: I need help understanding AIS Firewall working mechanism
Post by: GloobyGoob on October 10, 2010, 08:27:40 PM
Thanks Lukas, that's a bit clearer. The firewall has its own heuristic module, it just doesn't check for viruses. That makes sense. :)
Title: Re: I need help understanding AIS Firewall working mechanism
Post by: Lisandro on October 10, 2010, 08:30:11 PM
Thanks for the explanations Lukas.