Avast WEBforum

Topic started by: logos on January 06, 2011, 12:28:17 PM

Title: AIS firewall: auto-decide mode question(s)
Post by: logos on January 06, 2011, 12:28:17 PM
...not sure what to think about that, here is (see screen shots) what happens when this firewall is on auto-decide mode >>> all connections allowed, meaning inbound as well. I can get it for Skype, but for the others...adding that it's not the case right now, but I've seen the same happen with Firefox and Thunderbird.

 Will delete most rules now and switch back to ask mode ;)

edit: no screen shot but same for Secunia, Miranda, Windows Desktop Gadgets, Opera.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Pondus on January 06, 2011, 01:19:18 PM
are you saying there is full connection in/out when in automode ?

any difference from what network home/work/public ?
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: logos on January 06, 2011, 02:00:55 PM
Quote
are you saying there is full connection in/out when in automode ?

yes

Quote
any difference from what network home/work/public ?

these results are in work mode... didn't test on other modes.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Hexo on January 06, 2011, 04:35:11 PM
I got a question...
Where did the avast! fw get the rules in the automode, which program is good or which is bad?
Is there a white list anywhere?
I know that the G Data Firewall has a whitelist, and for a program which is unknown, the firewall asks what to do.
But since I use the avast! Firewall in the automode... the firewall asked me nothing.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Charyb on January 06, 2011, 04:41:42 PM
Hexo, this is in the help file.

"Block" means that such connections will never be allowed.

"Auto-decide" means the connection will normally be allowed, however any suspicious connections will be automatically blocked. This will be based partly on a large white-list database of safe applications maintained by avast!

If "Ask" is selected, you will see a message asking you to confirm whether or not the connection should be allowed.

However, I was searching for malware and rogue antivirus. I ended up finding a rogue av and the firewall automatically created a rule for it allowing inbound and outbound connection. Wasn't real happy with this. I don't know that me allowing it to install also gave the green light to create a rule like that or not. This was using Auto Decide. I don't remember the exact rule but it certainly didn't block it.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: logos on January 06, 2011, 04:42:33 PM
Quote
I got a question...
Where did the avast! fw get the rules in the automode, which program is good or which is bad?
Is there a white list anywhere?
I know that the G Data Firewall has a whitelist, and for a program which is unknown, the firewall asks what to do.
But since I use the avast! Firewall in the automode... the firewall asked me nothing.

don't worry about that, there's no white list. The auto-decide mode just allows what the program normally requires to connect. The problem is that it sometimes seems to allow more than needed ;D
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: logos on January 06, 2011, 04:47:56 PM
Quote
This will be based partly on a large white-list database of safe applications maintained by avast!

oh yeah, where's that list? you got a link? ... or anything stating officially that there's such a list...

 ... ok app sigs are verified, that's all I can tell... and if the program doesn't have any, auto-decide will still allow it to connect :)
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Charyb on January 06, 2011, 04:49:22 PM
go to application rules then click on help center at the top of the UI.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: logos on January 06, 2011, 04:52:54 PM
Quote
go to application rules then click on help center at the top of the UI.

okay I never noticed that but yes it's mentioned there... other things are mentioned that don't exist anyway ( "process control" or no app allowed to install in "public mode" etc...)
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Charyb on January 06, 2011, 04:57:34 PM
I still to this day do not understand how the rogue av I installed was allowed to connect inbound and outbound. By me allowing it to install did this give the OK in AutoDecide mode? The rogue is long gone but it still bugs me on how the rule was created. According to the help file it states that it monitors for suspicious behavior. If it is a rogue it is nothing but suspicious. I would like it to fully block any antivirus that is not on the whitelist.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: logos on January 06, 2011, 05:07:11 PM
Quote
I still to this day do not understand how the rogue av I installed made the white list. Did the firewall use me allowing it to install as the ok in AutoDecide mode? The rogue is long gone but it still bugs me on how the rule was created.

might be because as I said the auto-decide mode allows much more than it should anyway, and isn't very strict at all with outbound connections... that white list, if it exists, is a joke. As to your rogue , ask also why the AV didn't block the download and the install in the first place...
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Charyb on January 06, 2011, 05:17:06 PM
You do have a point there. After a clean install I just let the firewall run a few days in autodecide to make sure all the system rules and avast rules are created then switch it to ask.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: logos on January 06, 2011, 05:23:06 PM
Quote
You do have a point there. After a clean install I just let the firewall run a few days in autodecide to make sure all the system rules and avast rules are created then switch it to ask.

another problem when you do that, is that switching to ask will only be relevant for new apps, as all apps already listed while you were on auto-decide mode will keep the auto-decide option ;D (in the "otherwise..." setting).
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Charyb on January 06, 2011, 05:31:12 PM
Another point well taken. I go through and delete anything that I don't recognize (with the exception of the system and avast rules). After that rogue installed and the rules were created I keep a close eye on the rules now. I don't trust that "suspicious" connections will automatically be blocked because Avast allowed a suspicious program to install and firewall rules allowing inbound and outbound connections for this suspicious program. I know that they want to keep it as transparent as they can but do think that the auto-decide rules need some tightening up.

Like Hexo mentioned, I like autodecide but ask for unknowns better than allowing unknowns. Although this is different than what you mentioned in your first post.

Until there are any changes made to the firewall I will just keep it in "ask" mode.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: SteveStroage on January 06, 2011, 10:49:44 PM
Quote
okay I never noticed that but yes it's mentioned there... other things are mentioned that don't exist anyway ( "process control" or no app allowed to install in "public mode" etc...)

The "Don't allow new programs" might be added as a new feature. Below was from an email from Lukor.

Quote from: Lukas
2) Don't allow new programs – hmm, I am afraid we don't fully implement what is written here. Sorry. At first we thought that users would use the program mostly in Work/Medium Risk Zone, configure their apps there and switch to the two (Home and Airport) modes only for special cases for short periods of time. For such use, it would make sense to prevent any new program rules to be created in Airport mode (to prevent any accidents in risky environments) – however it turned out, that the airport mode is pretty useful on its own, and it wouldn't be so cool to prevent creating new application rules in this mode, so actually I am afraid you have found a bug on this one – the description should be changed!

Thanks a lot! I’ll file a bug and decide what to do – either remove the description, or add such feature (probably by default off, but switchable in expert settings)

Lukas.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Hexo on January 07, 2011, 07:59:03 AM
There is really no whitelist?
That's very bad.
So I have to change my firewall settings to the "ask mode".
I thought that the avast! FW is as good as the Gdata FW. But I see that isn't true.

It would be better to have a global "community" whitelist with trusted programs, and every other program has to ask if it wants to connect to the www.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: superhumanbean on January 07, 2011, 08:30:42 AM
Quote
There is really no whitelist?
That's very bad.
So I have to change my firewall settings to the "ask mode".
I thought that the avast! FW is as good as the Gdata FW. But I see that isn't true.

It would be better to have a global "community" whitelist with trusted programs, and every other program has to ask if it wants to connect to the www.

There is a whitelist... Where did you hear that there wasn't? ??? I don't think that it's a community whitelist though. As said, it is managed by avast.
On a side note, I found that Gdata's firewall service could be disabled at startup (either manually, or if a piece of malware gets through). I don't know if they fixed that.

GG
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Hexo on January 07, 2011, 08:54:37 AM
I looked it up in the manual and there is no information about a whitelist.
Did you ever notice a "Firewall" block?
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: logos on January 07, 2011, 09:28:59 AM
Quote
Did you ever notice a "Firewall" block?

yeah once... recently, an unexplained inbound connection
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Hexo on January 07, 2011, 09:47:40 AM
LOL.
Any outbound blocks?
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: logos on January 07, 2011, 10:04:45 AM
Quote
LOL.
Any outbound blocks?

no, no reason to either, must download a trojan first before you see this happen...if it's intercepted by the fw, which as I saw in a recent case here may not be the case at all (not mentioning the AV that doesn't always do its job either with rogues). And legit apps, unless infected or hacked, rarely attempt to establish forbidden connections.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: Hexo on January 07, 2011, 10:38:09 AM
[ironic]When a trojan tries to connect... normally it is the job of the antivirus to kill the trojan ^^
What if a trojan uses a program like a browser to connect to the internet? The firewall sees only the connection of the browser ^^ [/ironic]

Did someone test the Firewall with an infected system?
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: smage on January 08, 2011, 06:19:07 AM
To me it seems like this.

In auto decide mode, all programs which are detected by the AV will also be blocked by the firewall while all programs which are classified as clean by the AV will be automatically allowed.  Now there might also be some behavioral analysis to determine if files are performing malicious activities.

All suites do the same thing because users do not want to answer alerts.
For real protection, you have to switch to ask mode.
Title: Re: AIS firewall: auto-decide mode question(s)
Post by: CBell on January 08, 2011, 08:23:04 AM
I think this would help explain a bit better: http://forum.avast.com/index.php?topic=64233.msg548190#msg548190