Author Topic: under the hood  (Read 5756 times)


electronikk

  • Guest
under the hood
« on: February 03, 2005, 03:51:08 PM »
Hi everyone!

I use a combination of WinXP SP2, Firefox, avast 4.6 beta and Kerio PF. I just noticed that when I use Firefox and WebShield is enabled, Kerio doesn't report any traffic for Firefox at all. All the traffic seems to be related to the WebShield. I know it makes sense that WebShield causes traffic, because it's supposed to act like a proxy. (And I actually have a rough idea of how a proxy works.) But the fact that there doesn't seem to be any traffic for Firefox confuses me a little. Furthermore, I just realized that I don't know what avast's resident protection actually does. So what I would love to see is some kind of documentation of what is going on "under the hood". Some questions that popped into my mind were:

Which traffic is directed where?
How does redirection work?
If it's done by proxies: How do they work?
What causes firefox to connect to the webshield instead of directly connecting to the web? Is it done by registry settings?
and so on  ???

I know that the answers to some of these questions are hidden somewhere in the forums, but they are very scattered and it's quite difficult to find them.  And I do know the alwil team doesn't want to divulge all their secrets, but any kind of structured information would be highly appreciated.  :-* ;)
Hopefully I'm not the only one who has this kind of questions.
(And aren't we encouraged to ask any question about avast?...   8) )

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89059
  • No support PMs thanks
Re: under the hood
« Reply #1 on: February 03, 2005, 05:18:13 PM »
Outpost Pro is showing activity for both webserv.exe and firefox, however, firefox is shown as using localhost.

See the image clip of my log, I think it will make it a little clearer.

Well perhaps not, still no resolution to the uploading of images. ' The upload folder is full. Please try a smaller file and/or contact an administrator.'

Perhaps later
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89059
  • No support PMs thanks
Re: under the hood
« Reply #2 on: February 03, 2005, 06:58:30 PM »
This is the image I tried to upload earlier.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: under the hood
« Reply #3 on: February 03, 2005, 07:08:53 PM »
As you figured, all outbound HTTP connections are "routed" through ashWebSv.exe. This is called "transparent proxying". There are no registry keys used to configure this. The magic is done by a kernel-mode avast component (a device driver) called aswRdr.sys. Previous versions of avast had the same functionality (for the purpose of mail scanning) implemented inside aswTdi.sys, which is now being used solely for the Network Shield.

Vlk
If at first you don't succeed, then skydiving's not for you.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89059
  • No support PMs thanks
Re: under the hood
« Reply #4 on: February 03, 2005, 07:17:52 PM »
That's strange as my outbound connections still appear to originate from firefox.

Could this be why Outpost wasn't picking up ashwebsrv.exe when it was connecting?

Although there are also outbound connections for ashwebsv.exe
« Last Edit: February 03, 2005, 07:21:16 PM by DavidR »

electronikk

  • Guest
Re: under the hood
« Reply #5 on: February 07, 2005, 11:08:09 AM »
Thank you for your detailed replies!  :)

So it's done by transparent proxies. (And Kerio has slight problems displaying the local traffic correctly...)

btw Wikipedia tells me: "A proxy server is a computer network service which allows clients to make indirect network connections to other network services. A client connects to the proxy server, then requests a connection, file, or other resource available on a different server. The proxy provides the resource, possibly by connecting to the specified server, or by serving it from a cache. [...]
A transparent proxy or transproxy combines a proxy server with NAT so that connections are routed into the proxy without client-side configuration."

I think this would be my addition to the wishlist of new features: More information on what each 'provider' does. That's because malware protection obviously has grown beyond scanning files on my hdd and I'm always curious about what's going on in my machine...  But I guess after all for avast it's more important to protect than to explain how.  ::)

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: under the hood
« Reply #6 on: February 07, 2005, 11:39:29 AM »
DavidR, what's wrong with the screenshot you posted? Firefox is connecting to "remote host" localhost (not really remote in this case :)), and ashWebSv.exe, on behalf of firefox, is connecting to the outside world.
If at first you don't succeed, then skydiving's not for you.
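The two replies above (#3 on transparent proxying through ashWebSv.exe, #6 on why the firewall shows Firefox talking to localhost) can be reproduced in miniature. The following is an added example, not avast code and not posted by anyone in this thread: a toy transparent HTTP proxy in Python where a `redirect()` table stands in for the kernel driver, a local "origin" server stands in for a site on the Internet, and the `MARKER` string and the host name `www.example.test` are constructed for the demo. Running it prints a small connection log of the kind a personal firewall would record: the browser's only connection goes to 127.0.0.1 (the proxy), and the proxy process is the one that opens the connection to the origin on the browser's behalf.

```python
"""Toy transparent HTTP proxy (added example, not avast code).

Three roles run on 127.0.0.1: a constructed "origin" web server, the proxy
(stand-in for ashWebSv.exe) and a "browser". A redirect table stands in for
the kernel driver: the browser asks for the origin, but its socket lands on
the proxy, which fetches the page itself, scans it and relays the reply.
CONNECTIONS records what a host firewall would see for each hop."""
import socket
import threading

socket.setdefaulttimeout(5)              # never hang the demo on a stuck peer
CONNECTIONS = []                         # (process, direction, local addr, remote addr)
MARKER = b"CONSTRUCTED-MALWARE-MARKER"   # constructed signature, stands in for a real AV rule


def parse_http(raw):
    """Split one HTTP/1.x message into (start line, {lowercase name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def recv_http(sock):
    """Read one message: headers, then exactly Content-Length body bytes (no chunked)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    head, sep, body = buf.partition(b"\r\n\r\n")
    need = int(parse_http(head + sep)[1].get(b"content-length", b"0"))
    while len(body) < need:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + sep + body


def serve_origin(listener, payload):
    """Constructed stand-in for a web server out on the Internet: one request, one reply."""
    conn, _ = listener.accept()
    with conn:
        recv_http(conn)
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(payload), payload))


def serve_proxy(listener, resolve):
    """Accept the redirected browser socket, fetch from the real origin, scan, relay."""
    client, peer = listener.accept()
    with client:
        CONNECTIONS.append(("proxy", "in", client.getsockname(), peer))
        request = recv_http(client)
        host, _, port = parse_http(request)[1][b"host"].decode().partition(":")
        upstream = socket.create_connection(resolve(host, int(port or 80)))
        with upstream:
            CONNECTIONS.append(("proxy", "out", upstream.getsockname(), upstream.getpeername()))
            upstream.sendall(request)
            response = recv_http(upstream)
        if MARKER in parse_http(response)[2]:       # "infected" page: replace it, don't relay it
            response = b"HTTP/1.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
        client.sendall(response)


def browser_get(dest, path, redirect):
    """The browser believes it connects to dest; redirect() (our stand-in for the
    driver) silently points the socket at the local proxy instead."""
    sock = socket.create_connection(redirect(dest))
    with sock:
        CONNECTIONS.append(("browser", "out", sock.getsockname(), sock.getpeername()))
        sock.sendall(b"GET %s HTTP/1.0\r\nHost: %s:%d\r\n\r\n"
                     % (path.encode(), dest[0].encode(), dest[1]))
        return recv_http(sock)


def run_demo(payload):
    """Run one browser request end to end; return status, body and the connection log."""
    CONNECTIONS.clear()
    origin, proxy = socket.socket(), socket.socket()
    for listener in (origin, proxy):
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
    origin_addr, proxy_addr = origin.getsockname(), proxy.getsockname()
    dest = ("www.example.test", 80)                 # constructed origin host name
    resolve = lambda host, port: origin_addr if (host, port) == dest else (host, port)
    redirect = lambda d: proxy_addr if d[1] == 80 else d   # "driver": all port-80 traffic -> proxy
    workers = [threading.Thread(target=serve_origin, args=(origin, payload)),
               threading.Thread(target=serve_proxy, args=(proxy, resolve))]
    for w in workers:
        w.start()
    response = browser_get(dest, "/index.html", redirect)
    for w in workers:
        w.join()
    origin.close()
    proxy.close()
    status, _, body = parse_http(response)
    return {"status": status, "body": body, "log": list(CONNECTIONS),
            "proxy": proxy_addr, "origin": origin_addr}


if __name__ == "__main__":
    result = run_demo(b"<html>hello</html>")
    print(result["status"].decode())
    for process, direction, local, remote in result["log"]:
        print(f"{process:8}{direction:4}{local[0]}:{local[1]} -> {remote[0]}:{remote[1]}")
```

The log is the point of the demo: the browser's entry shows a remote address of 127.0.0.1 (the proxy's listening port), never the origin, which is exactly the "firefox ... using localhost" line in the Outpost screenshot, while the proxy's outbound entry carries the origin's address. The real driver does this redirection below the socket layer, so no registry or browser proxy setting is involved, but the resulting connection pattern is the same.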

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89059
  • No support PMs thanks
Re: under the hood
« Reply #7 on: February 07, 2005, 01:50:05 PM »
There is nothing wrong; they were used as an example for 'electronikk' to show that Outpost is recognising both firefox and ashwebsv.exe, not just ashwebsv.exe, and what ports, etc., are used.

Sorry for any misunderstanding.