Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: haertig on December 30, 2004, 09:02:33 PM

Title: avast programs needing firewall holes
Post by: haertig on December 30, 2004, 09:02:33 PM
Is there a comprehensive list of avast programs, modules, etc. that may need to connect outgoing?  I am setting up firewall rules before I ship this new computer I am configuring to someone else, and I would like to preconfigure all the avast stuff before delivering the computer.  Below is what I've found and configured thus far. POP3 email only.  I realize I can tighten up "any_address" to my ISP's pop/smtp servers for the ports 25/110 listings.  I may or may not do that.  Is there a suggested tightening of the address/ports for avast.setup (this program appears to be gone now, after initial setup)?  Are there other avast programs that I've missed?

avast.setup  any_address/any_port
ashmaisv.exe any_address/ports_25_and_110
ashserv.exe any_address/ports_25_and_110
ashquick.exe any_address/ports_25_and_110
Title: Re:avast programs needing firewall holes
Post by: RejZoR on December 30, 2004, 09:08:12 PM
avast.setup  any_address/any_port
ashmaisv.exe any_address/ports_25_and_110
ashserv.exe any_address/any_port
ashquick.exe NO_NEED_FOR_CONNECTION

This should do the trick. I also assume that avast.setup and ashserv.exe use the standard HTTP port 80 or 8080 for their updates.
Title: Re:avast programs needing firewall holes
Post by: haertig on December 30, 2004, 09:38:15 PM
Thanks for the quick reply!  I step out to get a cup of coffee and you've already replied.   :o

I do think that ashquick.exe needs to connect outgoing.  I added that firewall rule after seeing a firewall popup saying this program wanted to connect outgoing.  That happened when I was doing a test with eicar.com and seeing if avast could successfully email me an alert notification.

One thing that is funny is that avast.setup program.  It comes and goes.  During update attempts, it will be created in avast's setup folder.  Then it disappears after the update has finished.  Not moved to a "hidden" or "system" file ... it actually disappears ... and is subsequently recreated (temporarily) during the next update.  But it must be recreated identically each time because my firewall lets it out with the existing rule, which checks not only the file name, but its MD5 signature as well.

I am a little concerned about the dynamic nature of avast.setup.  It's being created identically NOW, but I wonder about the future.  If its MD5 signature ever changes, the firewall will block it.  And I'm not sure that the person I'm delivering the computer to will understand the firewall popup that says "avast.setup has been replaced by another program.  Do you want to accept this?"  Programs that have been replaced should always generate suspicion and investigation.  This may be beyond the knowledge-scope of newbies.  So if anyone knows the details on the dynamic avast.setup program I would appreciate being clued in.  That way I can explain to the newbie what to expect from the firewall/avast combination (Kerio 2.1.5 is the firewall).

Thanks!
Title: Re:avast programs needing firewall holes
Post by: RejZoR on December 30, 2004, 10:06:14 PM
We try to be the fastest when it comes to support ;)

Strange, never saw ashQuick.exe requiring a net connection ???
Yeah avast!.setup changes on program updates (or VPS maybe).
Almost all firewalls have option "Do not bug me again" ;)
I'm almost sure that Kerio should have it too (Kerio 4.x is really bugging user for each and every small change).
Last resort solution could be some other firewall...
Title: Re:avast programs needing firewall holes
Post by: Delta on December 30, 2004, 10:32:26 PM
Hi, I use Kerio 2.1.5 and love it. :) But I have something you perhaps may have to consider.
If you are setting up Kerio for a newbie then what would happen when they install a new piece of software which requires an internet connection. The user will have to write the rule for him/herself (or allow Kerio to create an appropriate rule and not ask again for that app). Can you be sure that doing this will not create a very weak rule? Something like:
Allow any application to any address via any port, both inbound and outbound.
(And, yes, I have seen that once or twice, as well as a rule blocking an app completely followed by a rule allowing it internet access, and the user not being able to figure out what is wrong.)
That would totally screw up any hope of the firewall working as it should.
I hope you understand what I mean.

Delta.

Edit to add:
I have never seen ashquick require internet access. Also, I don't think Kerio can be set up to ignore the MD5s of a program.
Title: Re:avast programs needing firewall holes
Post by: lee20 on December 30, 2004, 10:39:01 PM
Quote
And I'm not sure that the person I'm delivering the computer to will understand the firewall popup that says "avast.setup has been replaced by another program.  Do you want to accept this?"

Taking into consideration what the others have said, why not just teach the user how to use a firewall?

--lee
Title: Re:avast programs needing firewall holes
Post by: haertig on December 30, 2004, 10:46:58 PM
Thanks once again for the quick reply.

Yes, Kerio 2.1.5 has the "don't bug me again" option (they call it "create a rule"), however you should tie your firewall holes to specific programs at minimum, and optimally tie these rules to specific IP addresses, ports, protocols, directions (incoming vs. outgoing), etc. for maximum security.

So while I can tie a rule to "avast.setup", it is blown out of the water if the MD5 signature of that program changes.  There is no way to override this MD5 checking in Kerio that I know of (I will look deeper into the config however).  This is exactly the way I'd want a firewall to behave.  Because if avast.setup's MD5 has changed, then it is no longer avast.setup as far as the firewall (and myself) are concerned.  It could have been replaced by a malicious program.  There are many examples of malware trying to sneak out piggybacked on well-known programs that are often granted carte blanche access in firewalls (IE comes to mind...)

The only reasonably secure firewall config setting I can imagine in Kerio to allow for a changing avast.setup would be:

"Allow any_program to connect outgoing to <IP_address(es)> on <port(s)>"

... where IP_addresses would have to be tightly configured to avast update server(s) and port(s) similarly tightly configured.  any_program is required because that's exactly what avast.setup is.  This is not as tight as I'd prefer, but I suppose it would be acceptable.

Do we know all the avast servers and ports?  I imagine this could change over time so creating a firewall rule by trial and error probably wouldn't do the trick.  It's probably impossible anyway, given that new servers might be added over time.

I imagine the best setup for a newbie would be to tell them to always accept an MD5 change on avast.setup, and pray that some malware does not start targeting this particular program.  I might suggest for a future avast upgrade that avast.setup does NOT change dynamically.  Whatever it requires that must be changed dynamically should be handled in an external config file or equivalent storage OUTSIDE of the executable itself.

Thanks again for your help!
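To make the trade-off discussed in this thread concrete, here is a small added Python model (not Kerio's code, and not anything from the avast project) of a first-match, per-application outbound rule table with an optional pinned MD5, the behaviour haertig describes for Kerio 2.1.5. It shows three things: a pinned rule matching a binary whose hash is unchanged, the "has been replaced by another program" prompt when avast.setup is re-created with different contents, and the weaker "any_program to a named update host on port 80" fallback he proposes, together with a lint that flags the "any application to any address via any port" rule Delta warns about. The executable contents and the update host name are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed stand-ins for executable contents; a real firewall hashes the file on disk.
# avast.setup is re-created on each update, so "build 2" represents a changed binary.
ASHMAISV_BUILD_1 = b"ashmaisv.exe build 1 (constructed)"
AVAST_SETUP_BUILD_1 = b"avast.setup build 1 (constructed)"
AVAST_SETUP_BUILD_2 = b"avast.setup build 2 (constructed)"
UPDATE_HOST = "update-server.placeholder.invalid"   # placeholder, not a real avast server


def md5_of(data: bytes) -> str:
    """MD5 of the executable contents, the 'signature' a pinned rule is tied to."""
    return hashlib.md5(data).hexdigest()


@dataclass(frozen=True)
class Rule:
    app: str                                   # executable name, or "any_program"
    md5: Optional[str] = None                  # pinned hash, or None when not pinned
    remote: str = "any_address"                # remote host, or "any_address"
    ports: FrozenSet[int] = frozenset()        # empty set means any port
    direction: str = "out"                     # "in", "out" or "any"
    action: str = "allow"


@dataclass(frozen=True)
class Attempt:
    app: str
    app_bytes: bytes
    remote: str
    port: int
    direction: str = "out"


def evaluate(rules: List[Rule], attempt: Attempt) -> str:
    """First matching rule wins; returns 'allow', 'block' or a 'prompt: ...' string."""
    for r in rules:
        if r.direction not in ("any", attempt.direction):
            continue
        if r.app != "any_program" and r.app.lower() != attempt.app.lower():
            continue
        if r.remote != "any_address" and r.remote != attempt.remote:
            continue
        if r.ports and attempt.port not in r.ports:
            continue
        # Name, address and port matched. If the rule pins a hash and the binary
        # on disk no longer hashes to it, ask the user instead of silently allowing.
        if r.md5 is not None and r.md5 != md5_of(attempt.app_bytes):
            return f"prompt: {attempt.app} has been replaced by another program"
        return r.action
    return "prompt: no matching rule"


def lint(rules: List[Rule]) -> List[str]:
    """Flag allow rules so broad that they defeat the point of the firewall."""
    findings = []
    for r in rules:
        if r.action == "allow" and r.app == "any_program" and r.remote == "any_address":
            where = "any port" if not r.ports else f"ports {sorted(r.ports)}"
            findings.append(f"any program to any address on {where} ({r.direction})")
    return findings


# Rules pinned to the binaries as first seen (the strict Kerio-style configuration).
RULES_PINNED = [
    Rule("ashmaisv.exe", md5_of(ASHMAISV_BUILD_1), ports=frozenset({25, 110})),
    Rule("avast.setup", md5_of(AVAST_SETUP_BUILD_1)),
]

# The looser alternative from the thread: drop the pinned avast.setup rule and let
# any program reach only the named update host on port 80.
RULES_FALLBACK = [
    Rule("ashmaisv.exe", md5_of(ASHMAISV_BUILD_1), ports=frozenset({25, 110})),
    Rule("any_program", remote=UPDATE_HOST, ports=frozenset({80})),
]

# The rule Delta describes: everything allowed in both directions.
RULES_WEAK = RULES_PINNED + [Rule("any_program", direction="any")]

if __name__ == "__main__":
    changed = Attempt("avast.setup", AVAST_SETUP_BUILD_2, UPDATE_HOST, 80)
    print("pinned   :", evaluate(RULES_PINNED, changed))
    print("fallback :", evaluate(RULES_FALLBACK, changed))
    print("lint weak:", lint(RULES_WEAK))
```

With the pinned rule set, the re-created avast.setup produces the "replaced by another program" prompt even when it is heading to the update host; with the fallback set it is allowed there and nowhere else, which is exactly the loss of per-application precision the post above accepts.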
Title: Re:avast programs needing firewall holes
Post by: haertig on December 30, 2004, 11:11:01 PM
Delta and Lee16 - I totally agree with your comments regarding firewall use.  People need to know how to use what is installed.

However, the particular newbie I am concerned about is very computer illiterate (and elderly).  The chances of teaching appropriate security measures are pretty much nil unfortunately.  They wouldn't even know how to install a new program in the first place.  I have to do that for them via a remote connection.  Through a tightly configured firewall hole, I might add!   ;)

The dilemma is (1) All computer users should know what they're doing before going online, and (2) Some users are incapable of this.  I think that this class of users should not be thrown off the Internet if they have knowledgeable people willing to help support them.  I am willing to support in this case, so I'm basically setting up a computer to allow them to do only what I grant them and they must come to me for help for other situations.  The online activities that I'm granting are email, web browsing, remote support from me, and automatic updating of antivirus and WindowsUpdate.  I am a tad leery of automatic WindowsUpdate given the history of some patches, so I'm still mulling over the best solution to that problem.  It goes without saying that I am also trying to lower them as a target by installing Thunderbird and Firefox instead of IE and outlook.  Same thinking goes for avast really.  Probably less targeted than norton or mcafee.  Other than the programs I have set up with firewall holes, everything else will be blocked.  Silently.  They will not be allowed to create new firewall rules.  They will surely be left wondering "what happened?" if I block something unexpected with the firewall ... which is why I asked my initial question about avast in the first place.

In playing with avast for this newbie's system, I think I have convinced myself to make the switch personally from my currently installed norton AV.  Avast really is a very nice program ... I'm glad I found it!

Thanks again for all the helpful replies.
Title: Re:avast programs needing firewall holes
Post by: DavidR on December 30, 2004, 11:29:34 PM
Just a thought (I could be wrong, often ;D), the mail provider may need access to the IMAP port, depending on whether the user's email program setup connects to an IMAP mail server.

ashmaisv.exe any_address/ports_25_110 and 143 ???

Oops, welcome to the forums.
Title: Re:avast programs needing firewall holes
Post by: gbark on December 31, 2004, 01:10:55 AM
Boy, this is one terrific thread!

haertig,

FWIW, I use Outpost Pro v2.5 (OP) for my firewall and I've also noticed the phantom Avast.Setup.exe app and had some difficulty configuring it to work with Avast 4.x.

OP also has an MD5 checksum checking module (called component control (c-c)); however, with OP you can turn off c-c either altogether or for a particular app.

Here are my rulesets. Maybe you can see something you can use.

ASHMAISV.EXE
  TCP - outbound - Ports 25, 110, 995 (POPS if you need it.)
ASHSERV.EXE
  TCP - outbound - Port 80
  TCP - outbound - Port 80 - Loopback addy.
  No c-c
AVAST.SETUP.EXE
  TCP - outbound - Port 80
  TCP - outbound - Port 80- Loopback addy.
  No c-c

I had to add the loopback rules and turn off the c-c to finally get background and on-demand updates to get through.

You might want to check out Outpost. It's extremely configurable, works OOTB, and has that c-c per app option. It also fits in nicely with your (and my) preference for a slightly off-the-beaten-path firewall.  ;)

Hope this has been a help.

Quick update. I tried the email notification myself and it's ASHSERV.EXE that seems to need the SMTP rule.
Title: Re:avast programs needing firewall holes
Post by: Eddy on December 31, 2004, 01:13:57 AM
Welcome to this board gbark.

Not bad for a first post. :D
Title: Re:avast programs needing firewall holes
Post by: inthewildteam on December 31, 2004, 01:19:27 AM
@ gbark

another happy Outpost user!   ;)
Title: Re:avast programs needing firewall holes
Post by: gbark on December 31, 2004, 01:20:29 AM
Been lurking professionally for some time. Actually ever since version 4.5 blew up my OP firewall rules.  ::)

Lots of great posts and info hereabouts. Keep up the great work
Title: Re:avast programs needing firewall holes
Post by: haertig on December 31, 2004, 02:27:18 AM
Thanks for the Outpost pointer, gbark.  I have heard of that firewall, but never tried it.  Its cc-per-app capability sounds like just the ticket for the problem I am currently faced with.  I've never needed that functionality before running into avast.setup.  I will investigate Outpost.  I will have to decide if paying for it (not free, I don't think) is worth the benefit of not requiring the newbie to accept MD5 changes with Kerio.  Also, I am very familiar with Kerio and not so with Outpost.  That's something to consider in a remote-support situation.

I think I didn't pick up on the loopback requirement because I have a generic "LAN bypass" rule in all my firewalls.  This allows unfettered access amongst all my computers to 127.0.0.1 and 192.168.0.0/24.  I know that this is technically not the safest thing to configure, but I did it anyway for the convenience.  I know how to keep my computers clean (maybe!) and nobody else is allowed to plug into my LAN (cat5, no wireless).  Any WAN-side bad guys would have to get their spoofed (LAN) IP address through my rules-based router first, before being able to exploit my firewall's LAN-bypass rule anyway.  It's good that you brought up the loopback requirement, so that I don't forget about this and incorrectly wipe out 127.0.0.1 when I delete/modify the LAN-bypass rule prior to sending the computer on. It won't be on a LAN after I'm done with it, so it won't need LAN-bypass, but it should have unfettered loopback.

I've strayed way off topic here (as usual for me!)  But at least we are still on target for security related issues, of which avast is a key component!

Title: Re:avast programs needing firewall holes
Post by: haertig on December 31, 2004, 02:36:05 AM
Quote
Quick update. I tried the email notification myself and it's ASHSERV.EXE that seems to need the SMTP rule.
I don't know why I'm the only one who has run into ashquick.exe needing to get out.  That's strange.  I'll try to play around a little more to see exactly what triggered it.  I guess I'm only halfway assuming that it was my outgoing email test.  But that's what my firewall popup coincided with.  Generally when I see an unexpected, but assumedly benign popup, I create a (temporary) allow rule "for this app, for this IP address, for this port" and then go back later and inspect the created rule to see if it needs modification or deletion.  ashquick.exe is the app that popped up for me.
Title: Re:avast programs needing firewall holes
Post by: Lisandro on December 31, 2004, 02:36:08 AM
Weird?
I think not, but ashserv.exe never asks me for connection.

avast.setup and ashmaisv.exe should be enough...  ::)
Title: Re:avast programs needing firewall holes
Post by: gbark on December 31, 2004, 03:18:04 AM
haertig,

Quote
I don't know why I'm the only one who has run into ashquick.exe needing to get out.  That's strange.

I hope someone here will correct me if I'm wrong. (I thought I was wrong once before, but I was mistaken.) ::)

Ashquick.exe is the module that does on demand file/folder scans. If you used that method to test your email alerts, perhaps that's why Ashquick.exe was flagged as requesting an outbound SMTP connection.

I went to the Avast SMTP configuration dialog and hit the "test" button and that's when I got the OP popup requesting approval for Ashserv's connection. Perhaps each has their own SMTP connection capabilities. If so, and you only have Ashquick configured, a real-time A-V hit might not be able to get that email back to you. Try the "test" button on your present configuration and check the logs.

By the way, Agnitum has a Christmas special until mid-Jan where if you buy OP for full price, $39.95, you get free upgrades for life! Such a deal. Here's the link: http://agnitum.com/christmas.html (http://agnitum.com/christmas.html)

Title: Re:avast programs needing firewall holes
Post by: haertig on December 31, 2004, 03:30:56 AM
I get the ashquick.exe popup when I right-click on a virus file and choose "Scan with avast" option from the context menu.
Title: Re:avast programs needing firewall holes
Post by: Delta on December 31, 2004, 09:23:26 AM
Quote
I get the ashquick.exe popup when I right-click on a virus file and choose "Scan with avast" option from the context menu.

Hi, I'm afraid I've just scanned the eicar file from the context menu and ashquick made no attempt to reach the internet.

Delta.
Title: Re:avast programs needing firewall holes
Post by: Lisandro on December 31, 2004, 11:52:28 AM
Quote
Ashquick.exe is the module that does on demand file/folder scans. If you used that method to test your email alerts, perhaps that's why Ashquick.exe was flagged as requesting an outbound SMTP connection.

I think not. ashserv.exe will take care of it.
ashquick.exe is the Quick avast scanner, used by the Explorer Extension and, if you set so, into your download manager, archive packer (winzip), etc..

Quote
I went to the Avast SMTP configuration dialog and hit the "test" button and that's when I got the OP popup requesting approval for Ashserv's connection. Perhaps each has their own SMTP connection capabilities.

This is the proof of what I posted before...

Quote
If so, and you only have Ashquick configured, a real-time A-V hit might not be able to get that email back to you. Try the "test" button on your present configuration and check the logs.

ashquick.exe could never be the on-line scanner...
Title: Re:avast programs needing firewall holes
Post by: haertig on December 31, 2004, 04:56:34 PM
I'm trying to attach a jpg showing ashquick.exe connecting outgoing.  After a couple of failed attempts to attach, maybe this one will work (?)  The attachment is a 50kb jpg
Title: Re:avast programs needing firewall holes
Post by: haertig on December 31, 2004, 05:16:15 PM
I just installed avast on a second computer to see if connecting programs change.  This computer is running W2kpro ... same as the first computer I was using.  ashquick.exe still connects outgoing from here as well.  Also, I found two MORE avast programs that connect outgoing (these did not appear on the first computer ... yet!)

ashdisp.exe
ashsimp2.exe

Both of these attempted to connect to my SMTP server. [edit] Oops - might have been my POP3 or IMAP server.  I had already made my firewall rules generic (non-IP specific) before I posted this message, but the fact that I generi-sized the rule to ports 25, 110, 143 means it was SOME email related server that these new guys attempted to connect to! [/edit]

I have no problem with all these avast programs connecting.  I'm just trying to nail them all down to configure firewall rules for a computer that will soon be out of my immediate control.  Maybe I should just search the avast directories for all executable files and give them all access?   :-\
Title: Re:avast programs needing firewall holes
Post by: haertig on December 31, 2004, 05:26:35 PM
Could this possibly be a bug in Kerio in that it is INCORRECTLY reporting which program is attempting to connect?  I've never run into that before, but with me being the only one finding these "other" programs connecting outgoing, it makes me wonder...
Title: Re:avast programs needing firewall holes
Post by: Lisandro on December 31, 2004, 07:25:41 PM
Quote
Could this possibly be a bug in Kerio in that it is INCORRECTLY reporting which program is attempting to connect?

Most probably not...
Are you in a home network?
Do you use a proxy server (or mail proxy server)?

If you disable Kerio, is avast working properly? Does it scan emails?
Title: Re:avast programs needing firewall holes
Post by: haertig on December 31, 2004, 08:01:39 PM
Quote
Are you in a home network?
Yes
Quote
Do you use a proxy server (or mail proxy server)?
No.  Well, not for email.  I do use a local proxy for web access (Proxomitron)
Quote
If you disable Kerio, is avast working properly? Does it scan emails?
There is no problem with avast working.  It has always worked fine, scanning emails, etc.  My original question was simply which avast programs need access to the Internet.  I have identified several, but I suspect there may be even more that need Internet access that I simply haven't discovered yet, having not hit the right sequence of events to trigger them. I was hoping to find a comprehensive list of ALL avast programs that may ever require Internet access, under whatever circumstances, so I could preconfigure them ALL in firewall rules before sending this computer off to its new (newbie) owner.  Once in its new home, the computer will not be on a home network anymore.
Title: Re:avast programs needing firewall holes
Post by: Lisandro on December 31, 2004, 10:18:22 PM
Proxomitron could be the 'bad guy' here.
Is this program redirecting the traffic to a local proxy (127.0.0.1 for instance)?
The problem is, why is Kerio asking for this access if no other firewall does?

Quote
I was hoping to find a comprehensive list of ALL avast programs that may ever require Internet access, under whatever circumstances, so I could preconfigure them ALL in firewall rules before sending this computer off to its new (newbie) owner.  Once in its new home, the computer will not be on a home network anymore.

Whatever circumstances is the problem here... your configuration could be different from the default ones. I've already said that I have used avast for almost 2 years and only avast.setup for updates and ashMaiSv.exe, the avast email scanner, have asked for Internet connection.
Title: Re:avast programs needing firewall holes
Post by: gbark on December 31, 2004, 10:38:29 PM
haertig,

Things just get confuseder and confuseder don't they? :o ??? ::)
I noticed that, in your Kerio popup dialog that the description refers to aswquick.exe and the application refers to ashquick.exe. This had me thinking that, perhaps, you had a trojan copy, but when I examined ashquick.exe I see references to aswquick.exe throughout. I guess Alwil must have done a last-minute name change or something. Still, I have no idea why you're seeing these additional apps looking for internet access.

Technical,

I probably wasn't as clear as I could have been about ashquick.exe vs ashserv.exe. What I meant was that if an on-demand scan (which uses ashquick.exe, I believe) finds a virus, perhaps ashquick.exe would attempt the email connection itself thereby triggering Kerio's popup. I doubt it, but could ashquick's calling of ashserv.exe for the email processing somehow be read by Kerio as an attempt by ashquick?  Anyway, my thought was that if Kerio is configured for ashquick.exe and ashserv.exe is not, then the standard shield and other providers might not be able to get ashserv to send the alert via email. (Wow, I think I may be even less clear than my first post!  :-\ )

I suppose that haertig could go for the safest/surest option and, as he suggested, configure all the Avast *.exe's for SMTP access. What could it hurt, as they say?

I love a mystery.
Title: Re:avast programs needing firewall holes
Post by: Lisandro on December 31, 2004, 10:45:25 PM
gbark
I'm leaving to wait for the New Year... I'll come back tomorrow  8)
Title: Re:avast programs needing firewall holes
Post by: gbark on January 01, 2005, 02:04:54 AM
Technical,

Enjoy the wait! I suspect it'll come soon enough.  ;) Today's my B'day so I always have lots to celebrate on New Year's Eve.  ;D

I couldn't stand to wait for haertig to post his latest discoveries (I suspect that he will continue digging into this mystery) so I went into Avast's setup dialog and did the "Test" for email alert notification. Then I downloaded the EICAR text "virus" to a local folder and did an on-demand scan. Guess what? Ashserv.exe phoned home (well, to my work addy, actually) when I hit the "test" button, but, just as haertig first noted, ashquick.exe phoned home when the on-demand scan found the Eicar file.

Well, it's 8:00p.m. here in Michigan so I guess I'll go watch out the east windows for the new year myself.

Here's a Happy New Year wish for everybody! :)

Here's a copy of the appropriate Outpost firewall logs:

7:30:52 PM   ashquick.exe   mail.gl.centurytel.net   OUT    SMTP
7:29:26 PM   ashserv.exe    mail.gl.centurytel.net   OUT    SMTP
7:29:03 PM   ashserv.exe    mail.gl.centurytel.net   OUT    SMTP

Apparently, ashquick.exe does, in fact, have email capabilities built-in and handles the on-demand alert, while ashserv.exe handles the standard shield. I tried to have several of the Eicar files emailed to me; unfortunately (fortunately?  ???) my ISP has A-V filters that have apparently blocked the emails so I can't verify which Avast module would handle emailing alerts found by the internet mail A-V module.
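The log excerpt in this post is the kind of evidence the thread has been missing: which module actually opened the connection. As an added example (not code from the thread or from Outpost or avast), the Python below parses lines in that Outpost format, summarises them per process, and compares each entry against an expected-behaviour map built from what the posts above established (ashmaisv.exe on the mail ports, ashserv.exe on SMTP and HTTP, avast.setup on HTTP), so that a module connecting when it is not expected to, as ashquick.exe does here, stands out. The three SMTP lines are gbark's; the HTTP line with a placeholder host and the junk line are constructed to exercise the parser.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample: gbark's three Outpost lines, plus one made-up update line
# (placeholder host) and one line that is not a log entry at all.
SAMPLE_LOG = """\
7:30:52 PM   ashquick.exe   mail.gl.centurytel.net   OUT    SMTP
7:29:26 PM   ashserv.exe    mail.gl.centurytel.net   OUT    SMTP
7:29:03 PM   ashserv.exe    mail.gl.centurytel.net   OUT    SMTP
7:25:10 PM   avast.setup    update-server.placeholder.invalid   OUT    HTTP
this line is not a log entry and must be skipped
"""


class Entry(NamedTuple):
    time: str
    app: str
    host: str
    direction: str
    proto: str


# Outpost-style line: time, process, remote host, IN/OUT, protocol name.
LINE_RE = re.compile(
    r"^\s*(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<app>\S+)\s+(?P<host>\S+)\s+(?P<direction>IN|OUT)\s+(?P<proto>\S+)\s*$"
)


def parse_log(text: str) -> List[Entry]:
    """Parse every well-formed line; silently skip headers or corrupt lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Process names are case-insensitive on Windows; normalise for matching.
        entries.append(Entry(m["time"], m["app"].lower(), m["host"],
                             m["direction"], m["proto"].upper()))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, Set[Tuple[str, str, str]]]:
    """Per process: the distinct (host, direction, protocol) triples it used."""
    out: Dict[str, Set[Tuple[str, str, str]]] = defaultdict(set)
    for e in entries:
        out[e.app].add((e.host, e.direction, e.proto))
    return dict(out)


# Expected outbound protocols per avast module, as established in the thread.
# Protocol names are Outpost's labels as they appear in the log.
EXPECTED: Dict[str, Set[str]] = {
    "ashmaisv.exe": {"SMTP", "POP3", "IMAP"},
    "ashserv.exe": {"SMTP", "HTTP"},
    "avast.setup": {"HTTP"},
}


def unexpected(entries: List[Entry], expected: Dict[str, Set[str]] = EXPECTED) -> List[Entry]:
    """Entries from a module not in the map, or using a protocol it is not expected to."""
    return [e for e in entries
            if e.app not in expected or e.proto not in expected[e.app]]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for app, uses in sorted(summarize(parsed).items()):
        print(app, sorted(uses))
    for e in unexpected(parsed):
        print("UNEXPECTED:", e.time, e.app, e.host, e.direction, e.proto)
```

The expected map is deliberately data, not code: when a post later in the thread settles which module really sends the on-demand alert, only that table changes, and the same script can be re-run over a fresh log to confirm no other module has started connecting.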
Title: Re:avast programs needing firewall holes
Post by: haertig on January 01, 2005, 03:34:44 AM
Quote
Proxomitron could be the 'bad guy' here.
Is this program redirecting the traffic to a local proxy (127.0.0.1 for instance)?
No, I do not think Proxomitron is the problem.  The first computer I noted ashquick.exe connecting does not have proxomitron installed.  My second testing computer does.  But Proxomitron is a local web proxy only.  No email capabilities.  I doubt that avast went out and just found this local proxy sitting there on port 8999 all by itself, and taught it how to handle SMTP protocol, without any help on my part.  ;-) And even if it did, I would not have experienced any firewall popups since Kerio is configured to allow Proxomitron out to any address, any port.  Sorry, just playing around a little here.  :-) Bottom line - the initial computer that alerted on ashquick.exe did not have Proxomitron installed.  I probably shouldn't have even mentioned Proxomitron in the first place since it's only installed on one computer and I now have two exhibiting the same behavior.
Quote
The problem is, why Kerio is asking for this access if no other firewall do?
That's the million dollar question.  But Kerio is not asking for any access.  It's just alerting me that ashquick.exe is asking for access.  I think it's all related to the way I'm starting my scanning.  Right-click on the file eicar.com, and select "scan with avast" from the popup context menu.  I believe it's that right-click triggered single file scan that runs ashquick instead of ashserv.
Quote
Whatever circumstances is the problem here... your configuration could be different from the default ones. I've already said that I have used avast for almost 2 years and only avast.setup for updates and ashMaiSv.exe, the avast email scanner, have asked for Internet connection.
I guess my config may very well be different, although this is a brand new computer with a clean W2k install and very few other programs in place.  avast works well in my config.  I think I've decided on my planned course of action to handle the firewall rules, so this thread is more becoming an intellectual exercise in fine tuning our understanding of how avast works.  Which is great, by the way.  So continuing on in the discussion...

Do you have email alerting set up?  That's what I believe is triggering the access.  avast finds a virus (eicar), and is trying to send me an email telling me about its discovery.  This is a separate thing from scanning of normal incoming and outgoing email.  This is avast CREATING an email on its own (per my configuration).
Title: Re:avast programs needing firewall holes
Post by: Lisandro on January 01, 2005, 02:41:00 PM
Quote
Here's a copy of the appropriate Outpost firewall logs:

7:30:52 PM   ashquick.exe   mail.gl.centurytel.net   OUT    SMTP
7:29:26 PM   ashserv.exe    mail.gl.centurytel.net   OUT    SMTP
7:29:03 PM   ashserv.exe    mail.gl.centurytel.net   OUT    SMTP

Apparently, ashquick.exe does, in fact have email capabilities built-in and handles the on-demand alert, while ashserv.exe handles the standard shield.

I believe you, I hope you believe me too...
This is my Outpost firewall log... All email activity on ports 110 and 120 (and smtp on 25) is related to my spamkiller (spamihilator), email client and avast (ashMaiSv.exe).

ashQuick.exe never asks for connection in my system...  :-\
Title: Re:avast programs needing firewall holes
Post by: Lisandro on January 01, 2005, 02:44:05 PM
Quote
Do you have email alerting set up?  That's what I believe is triggering the access.  avast finds a virus (eicar), and is trying to send me an email telling me about its discovery.  This is a separate thing from scanning of normal incoming and outgoing email.  This is avast CREATING an email on its own (per my configuration).

I think you found the reason...
I do not use this feature but I'll try to see what I get.  ;)