Author Topic: Scan secured connections blocks Dropbox  (Read 17862 times)

0 Members and 1 Guest are viewing this topic.

doom_laur

  • Guest
Scan secured connections blocks Dropbox
« on: March 11, 2013, 09:00:24 PM »
I noticed this problem since some time, but I hoped it would get fixed in an update. If I enable "Scan secured connections" under the Web Shield advanced settings, Dropbox refuses to connect. Since the beta I read that it needs to be added to the exclusions list, which didn't work. Then I read that avast will have a "whitelist" in the stable release, and even though "client.dropbox.com" has been automatically added to the exclusions list, with the https service, it still refuses to connect. Is there anything I can do to fix this?

Offline tumic

  • Avast team
  • Advanced Poster
  • *
  • Posts: 724
Re: Scan secured connections blocks Dropbox
« Reply #1 on: March 12, 2013, 12:17:40 PM »
The problem with dropbox is, that it uses many different domains/IP addresses (furthermore depending on the location of the client). In your case, client.dropbox.com probably does not match the dropbox IP address you are connecting to.

The solution is to get the real address/domain name your dropbox client is connecting to (using wireshark or a similar tool) and add it to the exclusion list.

doom_laur

  • Guest
Re: Scan secured connections blocks Dropbox
« Reply #2 on: March 12, 2013, 02:21:02 PM »
Well, then I guess I'll just wait until the problem will be fixed, one way or another one. Or maybe, when I'll have some free time.. :)

Thanks for the answer tumic, and thank you and the avast! team for developing such an awesome product, and releasing it for free. Keep up the good work!

doom_laur

  • Guest
Re: Scan secured connections blocks Dropbox
« Reply #3 on: March 31, 2013, 12:24:43 AM »
Ok well, I have enough time now to try to solve the problem. I installed Wireshark which asked me to install XQuartz. From now on I had no idea what I was doing. So I selected en0 interface and there started to appear a bunch of IPs. I found one of them as being a secure connection request and searched about it and I found out it's from Dropbox: 199.47.219.160. I tried to add it as https service and it didn't make any difference, it still doesn't want to connect. Could you please tell me how I should use that program? I tried my best to figure out myself but I obviously failed :-[

doom_laur

  • Guest
Re: Scan secured connections blocks Dropbox
« Reply #4 on: April 01, 2013, 10:48:01 PM »
It seems that Origin gets blocked as well if I enable "Scan secured connections".

For those who don't know: http://en.wikipedia.org/wiki/Origin_(content_delivery)

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Scan secured connections blocks Dropbox
« Reply #5 on: April 02, 2013, 02:08:47 AM »
Although the extra sense of security is nice, the method of scanning secured connections is a sort of a hack if it's not supported by the OS or the applications themselves, there isn't much else avast can do to achieve the purpose of actively scanning secured connections, it's and clever method avast came up to do that, but the method circumvents what the OS and Apps consider secured connections, for these reasons I decided my self that it should be left turned off.

Offline tumic

  • Avast team
  • Advanced Poster
  • *
  • Posts: 724
Re: Scan secured connections blocks Dropbox
« Reply #6 on: April 02, 2013, 12:35:36 PM »
It seems that Origin gets blocked as well if I enable "Scan secured connections".

For those who don't know: http://en.wikipedia.org/wiki/Origin_(content_delivery)

Every application that comes with a "hardcoded" SSL certificate will not work when SSL scanning is enabled unless you put the server (IP address) it is accesssing into the exclusion list in the preferences. you can find more info about it in the technical info at http://public.avast.com/~tuma/techinfo/.

Offline tumic

  • Avast team
  • Advanced Poster
  • *
  • Posts: 724
Re: Scan secured connections blocks Dropbox
« Reply #7 on: April 02, 2013, 01:01:21 PM »
Although the extra sense of security is nice, the method of scanning secured connections is a sort of a hack

Well, all real time shields are technically a sort of a hack as they are all intercepting data on places that were initially not designed for such purposes.

if it's not supported by the OS or the applications themselves, there isn't much else avast can do to achieve the purpose of actively scanning secured connections

This is not true. For the most applications we are able to scan even SSL connections fully transparent and still secure for the user. There is generally no special support needed in the application or in the OS itself. The only exception are applications, that come with hardcoded SSL certificates with no possibility to add custom certificates to them like dropbox. A web browser can however by definition not come with a hardcoded list of SSL certificates, so the web shield should be always able do do it's job - to protect you against malware on web pages.

If you run applications that download some data "encrypted" by private SSL certificates and you do not care what is being downloaded (i.e. you fully trust such applications), you can always exclude the host they are connecting to in the avast! preferences. Nevertheless, this can be very complicated for services that use a huge number of IP addresses (the reason is explained in some other post here).

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Scan secured connections blocks Dropbox
« Reply #8 on: April 02, 2013, 02:50:37 PM »
Although the extra sense of security is nice, the method of scanning secured connections is a sort of a hack

Well, all real time shields are technically a sort of a hack as they are all intercepting data on places that were initially not designed for such purposes.

if it's not supported by the OS or the applications themselves, there isn't much else avast can do to achieve the purpose of actively scanning secured connections

This is not true. For the most applications we are able to scan even SSL connections fully transparent and still secure for the user. There is generally no special support needed in the application or in the OS itself. The only exception are applications, that come with hardcoded SSL certificates with no possibility to add custom certificates to them like dropbox. A web browser can however by definition not come with a hardcoded list of SSL certificates, so the web shield should be always able do do it's job - to protect you against malware on web pages.

If you run applications that download some data "encrypted" by private SSL certificates and you do not care what is being downloaded (i.e. you fully trust such applications), you can always exclude the host they are connecting to in the avast! preferences. Nevertheless, this can be very complicated for services that use a huge number of IP addresses (the reason is explained in some other post here).

Yes, I agree that any scanning itself is a 'hack'. I guess the only good solution to this is to be able to exclude by process/app.

ilikenukes

  • Guest
Re: Scan secured connections blocks Dropbox
« Reply #9 on: July 16, 2013, 09:39:55 AM »
Sorry to bring up an old thread, but it seems like this problem hasn't been resolved... does anybody have a fix for this yet?  I'm running into this problem at the moment.  Right now, I have client.dropbox.com listed as an https server under exclusions as the original poster had, but it doesn't seem to help.  Everything was working fine (Dropbox was syncing) right up until about an hour ago... not sure what changed.

cit

  • Guest
Re: Scan secured connections blocks Dropbox
« Reply #10 on: November 01, 2013, 11:38:05 PM »
Sorry to bring up an old thread, but it seems like this problem hasn't been resolved... does anybody have a fix for this yet?  I'm running into this problem at the moment.  Right now, I have client.dropbox.com listed as an https server under exclusions as the original poster had, but it doesn't seem to help.  Everything was working fine (Dropbox was syncing) right up until about an hour ago... not sure what changed.
Also affected by the issue  :(

maap55

  • Guest
Re: Scan secured connections blocks Dropbox
« Reply #11 on: November 03, 2013, 02:34:45 PM »
Just wanted to add that this is also a problem with Airmail.  When you create a gmail account within Airmail it, of course attempts a connection.  If you get "Unable to parse response from server", disable the "scan secure connections" in Mail Shield.

mcdregister

  • Guest
Re: Scan secured connections blocks Dropbox
« Reply #12 on: November 08, 2013, 06:57:21 PM »
Same problem.  If I turn off Web Shield, scan secured connections, Dropbox works fine.  If I have it on the connection in Dropbox does not work.

Mark_43

  • Guest
Re: Scan secured connections blocks Dropbox
« Reply #13 on: January 09, 2014, 06:14:37 PM »
I have the exact same issue with 2014.

Funny thing is Google Drive works just fine.

REDACTED

  • Guest
Re: Scan secured connections blocks Dropbox
« Reply #14 on: October 04, 2014, 04:03:48 PM »
This is still an issue and the thing I see that could finally put this to rest is a simple change that allows a wildcard entry for domains on the secure web scanning preferences (and all the preferences frankly).  Right now you HAVE to put in a "valid" link i.e. client.dropbox.com, whereas if you could simply put *.dropbox.com and permit any variation prior to the root domain you should be fine. Trying to enter *.dropbox.com it freaks out and says invalid, it's silly.

And beyond the folks on this thread who's gonna take the time to wireshark their correct dropbox???  I did a netstat and got a www-5b.v.dropbox.com the last connection I had so entered that and now I am blocked again, it's a waste of a neat option for this AV.  As for now i have to open Avast, go to preferences and turn off web scan every time I want to use Dropbox (it also blocks crashplan.com data backup secure connections so off it goes for that too), just gonna leave it off at this point.

Rant - The folks on this thread seem techie but a normal customer isnt going to bother and that's the rub.  We've got a new mac botnet out, macs are still and will be more targeted as they grow in use, and we have to turn around folks who buy a mac simply to "not get viruses" and work them on getting a decent AV and if they get Avast they are gonna toss it and run without one.  /rant