Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: elkhole on November 03, 2010, 06:13:54 AM

Title: Firewall Rule Problem
Post by: elkhole on November 03, 2010, 06:13:54 AM
Hi all , I'm new to avast and wish to continue with it for along time , I installed avast internet security trial 5.0.677 and let the firewall setting to autodecide mode for application but I have certain application I don't want it to connect to internet so I made a new group for it and add rules with block all connection for all instances of this application , suddenly after creating rules for them and run this application and to make sure it doesn't connect to internet I make alook at the "other" groub in firwall application rule and found avast firewall give it by autodecide internet access allow , I'm surprised so I went to my created group rules and found that this instance of application I add arule for blocking it disappear from my group and moved to "Other" groub with autodecide allowing rule .

I didn't understand how this could be done ? so I decided to test the rules again by adding the same application many more times and I expected the firewall notifies me that I added this application before but for my surprise it accepts all the rules for this application and I could also make the same name of group again and again,to made it clear look at the image attached for the application .
Title: Re: Firewall Rule Problem
Post by: Pondus on November 03, 2010, 08:04:12 AM
i have not fiddled with the firewall so much, i use it with default settings, but i think you can sett it to ask and then there should be a popup everytime something want`s out, and you can then make rules with yes/no
Title: Re: Firewall Rule Problem
Post by: elkhole on November 03, 2010, 12:19:14 PM
Thank you for reply but I went to avast from other security suites because I need asilent one not to ask many questions and finally I found agood one ,good people to support them not claim to provide 100% protection because it's impossible and I don't believe them and won't support them , here it's more trustful so I want to stick with avast and send them bugs and of course this is abug , I can make unlimited number of rules for same application allow or block the same connection and unlimited number of same group name , If I ran the application now which rule firewall choose to apply, and more than that it ignored my rule completely and made a new one in another place with allow rule and deleted my rule, this is very annoying.

I can switch to ask mode but I don't want to have any popup not for my low knowledge to reply on them I can and it's simple for me, but if all your applications are legitmate and only one or two applications addware supported and I need to use them but not allowing them to phone home or such things I will of course choose autodecide mode and for this application I'll make a rule for it.

I think it's clear now.

thank you again for rapidly reply and I'm waiting for more replies .

best wishes...
Title: Re: Firewall Rule Problem
Post by: CBell on November 03, 2010, 12:29:25 PM
Just go to the rule that the firewall made and change it. See this (https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=482&nav=0,1,20#idt_02)
Title: Re: Firewall Rule Problem
Post by: elkhole on November 03, 2010, 01:50:21 PM
I go to page you provide and I think the problem isn't clarified yet so I went to freinds and delete all ips in it then made again the rules as in attachment and waiting for replies again and thanks for help .


Title: Re: Firewall Rule Problem
Post by: Charyb on November 03, 2010, 02:10:06 PM
I don't know if this is what you are looking for but at the bottom of the Application Rules page open File Details and it will show you details of each rule created. Click on each rule and the details will be shown at the bottom. One rule may be for the executable and another for the updater, etc. I would delete all rules and groups of the program you are trying to block then allow Avast to auto-decide new rules, then go back into these rules and select "Block all Connections". After doing this then reboot. Not certain if a reboot is required on these rules but recommend it.
Title: Re: Firewall Rule Problem
Post by: elkhole on November 03, 2010, 02:59:46 PM
thanks you all for good help and patience but the I think the problem isn't clarifyed yet so I create 2 groups and their names "Other" as the name of "Other" group created by default in firewall rules ............. and this is the first bug .

the second bug I added the same application in the same path 3 times with different rules and made 3 attachment pictures for them each time I take a snap shot to rule details of the three rules as avast doen't support expanding more than one rule detail in same time.

So view the pictures and give me opinions.
very appreciated to your help.

Title: Re: Firewall Rule Problem
Post by: elkhole on November 03, 2010, 03:10:04 PM
And now I found another bug after I sent you the three attachments in the previous reply, I looked at summary screen of avast then rememberd I didn't remove the 3 rules I created to demonsrtate the bug to you yet so I returned to application rules again and found that all my rules are gone as I understood in beginning but I was wrong when I tried to delete the two groups I named them "Other" amessage box appeared to me :

"The directory is not empty"

I tried to expand it but there is no rules appeared and I can't delete both groups now , So any suggestions how I can rid of it or I'll be forced to uninstall/install it again? ???
Title: Re: Firewall Rule Problem
Post by: Charyb on November 03, 2010, 03:19:33 PM
Let me clarify this. You have manually created two new groups and manually created new rules for the application in these groups. Is your question, "Why does it allow me to create different sets of rules for the same program"? Try rebooting your computer to see if that will allow you to delete the group that is stuck.
Title: Re: Firewall Rule Problem
Post by: elkhole on November 03, 2010, 04:01:29 PM
I rebooted my computer and found after reboot I found the two groups I named "Other" and the rules I created all dissappeared but found new rule for the same application firewall created it for me which is "internet out (otherwise auto-decide)and this rule placed in the two groups "Other" , so all my rules dissappeared ??? and firewall created a rule I don't want for application ??? .

So my questions is :

1 - Why does it allow me to create different sets of rules for the same program ?

2 - Why does it allow me to create more than group with same name ?

3 - Why did it stucked in deleted those groups ?

4 - Why did it create a new rule for the program that I didn't create even in the three rules I create in demonstration ?

5 - And Why did it create this rule in the two groups ?

and thanx for help.
Title: Re: Firewall Rule Problem
Post by: elkhole on November 03, 2010, 11:10:42 PM
Still Waiting for help ???
Title: Re: Firewall Rule Problem
Post by: elkhole on November 04, 2010, 12:39:30 PM
UP
Title: Re: Firewall Rule Problem
Post by: Charyb on November 04, 2010, 06:03:07 PM
I rebooted my computer and found after reboot I found the two groups I named "Other" and the rules I created all dissappeared but found new rule for the same application firewall created it for me which is "internet out (otherwise auto-decide)and this rule placed in the two groups "Other" , so all my rules dissappeared ??? and firewall created a rule I don't want for application ??? .

So my questions is :

1 - Why does it allow me to create different sets of rules for the same program ?

2 - Why does it allow me to create more than group with same name ?

3 - Why did it stucked in deleted those groups ?

4 - Why did it create a new rule for the program that I didn't create even in the three rules I create in demonstration ?

5 - And Why did it create this rule in the two groups ?

and thanx for help.

1. It is customizable and by using auto-decide and then manually creating similar rules you have added redundancy to the rules. You may have 3 rules, but only 1 may trigger first leaving the other 2 unnecessary/redundant.
2. It's customizable and you have added even more redundancy. Keep it clean and organized and it will remain easier to maintain. Do you want a firewall that prevents you from customizing it?
3. Because you did not reboot. Many changes to firewall rules require a reboot.
4. It is doing what you instructed it to do. You have selected auto-decide so it is creating the appropriate rules.
5. Which two groups? The groups that you created?

Have you tried this yet?

I don't know if this is what you are looking for but at the bottom of the Application Rules page open File Details and it will show you details of each rule created. Click on each rule and the details will be shown at the bottom. One rule may be for the executable and another for the updater, etc. I would delete all rules and groups of the program you are trying to block then allow Avast to auto-decide new rules, then go back into these rules and select "Block all Connections". After doing this then reboot. Not certain if a reboot is required on these rules but recommend it.

Please read this.
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=482&nav=0,1

Title: Re: Firewall Rule Problem
Post by: elkhole on November 04, 2010, 07:10:04 PM
The link I read it and I don't look for this .

Customization doesn't mean allowing me to edit its main groups by mistake or you will endanger your self to low protection.

And more If I said it to auto decide and there is an application I want to prevent form internet
Just go to the rule that the firewall made and change it. See this (https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=482&nav=0,1,20#idt_02)

I made it for a toolbar installed by default in many free programs I try to install so I went to application rules to block it then after installing many other applications having same toolbar it recreate arule for same toolbar version and allow it to connect .

What I expect from afirewall ? am I forced to follow each application installation and block its toolbar one by one ? this is ridiculous . see attached picture after I installed many programs have the same toolbar and every application I prevent its toolbar from connecting and waiting for reply
Title: Re: Firewall Rule Problem
Post by: Charyb on November 04, 2010, 07:46:15 PM
The link I read it and I don't look for this .

Customization doesn't mean allowing me to edit its main groups by mistake or you will endanger your self to low protection.

And more If I said it to auto decide and there is an application I want to prevent form internet
Just go to the rule that the firewall made and change it. See this (https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=482&nav=0,1,20#idt_02)

I made it for a toolbar installed by default in many free programs I try to install so I went to application rules to block it then after installing many other applications having same toolbar it recreate arule for same toolbar version and allow it to connect .

What I expect from afirewall ? am I forced to follow each application installation and block its toolbar one by one ? this is ridiculous . see attached picture after I installed many programs have the same toolbar and every application I prevent its toolbar from connecting and waiting for reply

It adds a new rule because each has a different path. Each is installed in a different area on your hard drive. When you install this software doesn't it ask whether or not you want to install the toolbar? I don't know a way around each rule being created other than preventing the toolbar from being installed in the first place. Maybe another forum member can help with this. I recommend that you submit a ticket to see if you can find a solution from technical support. http://support.avast.com/

Sorry, but I can be of no further help.
Title: Re: Firewall Rule Problem
Post by: superhumanbean on November 04, 2010, 09:23:01 PM
Don't create new rules for the same application; if you want to block something, modify the original rule.

Customization doesn't mean allowing me to edit its main groups by mistake or you will endanger your self to low protection.
This is customization, it is allowing you to modify something according to your personal specifications.

What I expect from afirewall ? am I forced to follow each application installation and block its toolbar one by one ? this is ridiculous . see attached picture after I installed many programs have the same toolbar and every application I prevent its toolbar from connecting and waiting for reply
This is auto-decide's purpose: to make its own decisions. The firewall's goal is to only block bad programs, it only makes rules for the good programs with a whitelist of over 50 thousand safe applications. If it's not on the whitelist, it verifies digital certificates, analyses them with its own heuristic module, and uses info from the behavior shield and PUP engine. If you feel like you need to monitor every application installation, then set the mode to ask. It is not the firewall's job to block installation of toolbars, they are not [all] malicious. If you don't want toolbars, untick them during installation.

Best regards
Title: Re: Firewall Rule Problem
Post by: elkhole on November 04, 2010, 09:50:43 PM
I used in the past many security suite : norton,kaspersky,comodo,f-secure,avg,zonealarm ,outpost I NEVER found one of these to allow me to define the same application again and again or stuck with rules like this, I can't imagine that you don't see this is a serious bug, I recently tried norton internet security 2011 and make the same rules in firewall but it neve allow me to add any application more than one time and never it duplicates the rules like this .

CAN'T YOU SEE THIS IS A BIG BUG, I THINK YOU ARE IN A TROUBLE .

BEST WIHSES
Title: Re: Firewall Rule Problem
Post by: CBell on November 04, 2010, 10:45:29 PM
Then why do you do it? You don't have to create more rules. To fix this, just reboot.
Title: Re: Firewall Rule Problem
Post by: elkhole on November 04, 2010, 10:53:28 PM
I'll try to simplify it to you , suppose u had a virus , trojan , worm... any thing that avast didn't detect and that virus prevents you from deleting it , it copy it self to your system hundred times in different locations and it can connect to internet , you saw it connecting in firewall activities and want to block it until avast detects it and delete it, simply you edit the rule creating by avast to block instead of allowing it.

but in our case you should add arule for the SAME DAMN VIRUS hundred times because of different places , PLEASE Think for it a minute and I'm sure you will agree with me that it's abug.

thanx for your cooperation.
best wishes...
Title: Re: Firewall Rule Problem
Post by: Charyb on November 04, 2010, 11:07:35 PM
I'll try to simplify it to you , suppose u had a virus , trojan , worm... any thing that avast didn't detect and that virus prevents you from deleting it , it copy it self to your system hundred times in different locations and it can connect to internet , you saw it connecting in firewall activities and want to block it until avast detects it and delete it, simply you edit the rule creating by avast to block instead of allowing it.

but in our case you should add arule for the SAME DAMN VIRUS hundred times because of different places , PLEASE Think for it a minute and I'm sure you will agree with me that it's abug.

thanx for your cooperation.
best wishes...

I see your point. No need to cuss about it. To me, it's not really a bug but maybe a minor inconvenience. Or a different way of doing things. This is probably a question left for the developers. Please contact Avast support http://support.avast.com/ so that they may be able to answer your question.
Title: Re: Firewall Rule Problem
Post by: elkhole on November 04, 2010, 11:32:41 PM
I sent them the problem details five minutes ago, thanx for support link ,and thanx all for help.

Best wishes...
Title: Re: Firewall Rule Problem
Post by: superhumanbean on November 04, 2010, 11:36:07 PM
I'll try to simplify it to you , suppose u had a virus , trojan , worm... any thing that avast didn't detect and that virus prevents you from deleting it , it copy it self to your system hundred times in different locations and it can connect to internet , you saw it connecting in firewall activities and want to block it until avast detects it and delete it, simply you edit the rule creating by avast to block instead of allowing it.

but in our case you should add arule for the SAME DAMN VIRUS hundred times because of different places , PLEASE Think for it a minute and I'm sure you will agree with me that it's abug.

Please read what I had said in my previous post. If it was a bad application, it wouldn't have a rule created for it. Only known, safe programs get added to the list of Application Rules. If the antivirus doesn't detect it, the firewall can still stop it, as it doesn't use signatures/virus definitions. It can use its heuristics module and data from the Behavior Shield and PUP detection to decide to limit its connection.

And if you happen to need to block something, you only need to change one rule. The firewall does not make multiple rules for the same program, you are doing that.

Regards,
GloobyGoob
Title: Re: Firewall Rule Problem
Post by: elkhole on November 05, 2010, 12:00:11 AM
Quote
Please read what I had said in my previous post. If it was a bad application, it wouldn't have a rule created for it. Only known, safe programs get added to the list of Application Rules. If the antivirus doesn't detect it, the firewall can still stop it, as it doesn't use signatures/virus definitions. It can use its heuristics module and data from the Behavior Shield and PUP detection to decide to limit its connection.

And if you happen to need to block something, you only need to change one rule. The firewall does not make multiple rules for the same program, you are doing that.

Regards,
GloobyGoob

1- Behaviour shield is usless as I know and if you searched the forum you will know that especially for x64 systems and this what I use now .

2- Firewall is fully depends on antivirus and hasn't a separated viruslist engine or heuristic engine as you said and again search the forum to belive me.

3- You can try yourself : open application rules and choose one of the rules automatically created by autodecide and change it to block all connections and then copy this blocked file to another folder and run it and make it connect to internet if it doesn't connect automatically and look again at the application rules and you will find it your self .

Best wishes...
Title: Re: Firewall Rule Problem
Post by: superhumanbean on November 05, 2010, 12:33:29 AM
1. The Firewall just recieves data from Behavior Shield to help in its decisions, it doesn't depend on it.

2. I believe you are referring to this (http://forum.avast.com/index.php?topic=64233.msg548190#msg548190) thread. There was some confusion. The firewall does have its own heuristic module. It does not need an antivirus engine, that would be pointless, as avast already has one.

Hi guys,

Firewall is a part of the suite which includes an antivirus. During the process of allowing an unknown application it uses its own module, which does the heuristics checks, consults a whitelist and blacklist and then returns either allow or deny and the rule to be used. This module is independent on other avast! antivirus modules, is written especially for the firewall, and is currently used solely by firewall - even though I don't see any special benefit from that fact - and if similar features would be of any use to other components of the suite, they would surely be reused. On the other hand, this module does not check if the application in question is clean from viral infection or not.

As stated in the original post on this thread, there was a test done with some malware samples which avast! firewall let to connect. You would probably like to see some features in the firewall that would supplement the antivirus and provide 100% zero-day protection against such threat, but as I said in my reply, that there are no such features that would check for malware in the sample and if the antivirus had no objections - as it was turned off - was must assume that the application in question was clean from any infection and the firewall should decide accordingly. Also there is currently no such superhuge whitelist on which every allowed application must be found. Some other firewall suites use this approach but we thought that having indexed all available applications on the Internet is beyond our reach and that the number of unknown app popups would simply be to large. The whitelist is there, there are metadata and rules that can be retrieved from the list for many apps but the firewall allows connections for apps not on the whitelist as well.

The heuristics used during the decision process is part of the virus VPS package and can be improved during the time, and we will surely do that - but currently I believe that for most of the times unless the user wants to override the default behavior by his own decision and its not a malware, that most programs might need internet access for their normal activity and that is their normal state. Nothing that average user should be alerted about.

On the other hand I totally agree that there is a lot to improve in the automatic rule creation process. There is no doubt about that.

Lukas.



3. Ah, I see what you mean now. The way you put it in your previous posts was a bit unclear, my apologies. But this wouldn't be a big problem because A.) Programs do not usually copy themselves to other locations, and I do not see why users would need to copy them manually B.) Malware will not be listed in the Application Rules. If you want, you can contact Lukas (http://forum.avast.com/index.php?action=profile;u=589) and see what he has to say about it.

Regards.
Title: Re: Firewall Rule Problem
Post by: elkhole on November 05, 2010, 12:56:31 AM
I'm sorry I didn't fully clear the problem as I'm new to security forums.

And yes I won't copy application to another folder but if you install many applications with for example ask toolbar or any adware , every application would first as you know extract its files to temp folders and then install to program files, of course every application has the same adware will extract itself to different directory in temp folder, so if I can't make one rule to this adware I'll be forced to follow every application extracted folder to prevent it from connecting to internet .

and the same case in portable programs as it's very common now if I copy it to another directory and this is common I should make anew rule for each folder even I change one letter from folder's name and I'm sure you agree with me that it's very annoying if I use much portable programs . this is my point.

best wishes...
Title: Re: Firewall Rule Problem
Post by: lukor on November 09, 2010, 12:25:44 PM
Hi elkhole,
would you mind sending me your rules.xml file? I will look at it and see whats really in there.

thanks.
Lukas.