Author Topic: Sygate and webshield...  (Read 41785 times)


AirCeej

  • Guest
Re: Sygate and webshield...
« Reply #15 on: March 18, 2005, 05:05:18 AM »
Yeah, I’m afraid in this case Technical - it does; and what you stated in your reply only mirrors what I found as the problem.  I certainly want Sygate checking traffic in both directions and working in concert with Avast so a rogue program/virus/other won’t get through.  If I redirect through 80 then half of my Internet protection (all outbound traffic) through the firewall is lost.  So considering I still have protection with Avast’s other shields and all I/O is checked to and from the ‘net through Sygate w/80 blanked in WS; this is far better than having the use of the Web Shield, routing Firefox through it and getting the certain URL display problems I’ve cited - along with not having any outbound protection through the firewall.

As checking two-way traffic to and from the computer has my highest priority in conjunction with the other shields in Avast, then I currently have the level of protection I enjoyed before Alwil added the Web Shield, and none of the problems since its introduction.  Obviously it would be better if I could employ the use of the Web Shield, route Firefox through it without any display anomalies, AND have Sygate check traffic in both directions, but evidently that is not a current option.

AirCeej

  • Guest
Re: Sygate and webshield...
« Reply #16 on: March 18, 2005, 07:31:51 AM »
Update:

Wow! 

When version 4.6.603 was first downloaded on 4 different computers (3 running XP Home SP2 w/Sygate PFF 5.5 builds 2637 and 2710; 1 running XP Pro SP 1 w/Sygate PFF 5.5 Build 2710) I had the following problems:
·   Firefox wasn’t being checked by the Web Shield though it was running.
·   Programs that should’ve asked for rights through Sygate no longer did (which is what prompted me to write in the first place).

Interim Part 1:
·   Upon getting the initial fix (as it were) from Jarmo P, Sygate once again was checking outward-bound programs, but I was getting display anomalies in Firefox on certain URLs.

Interim Part 2:
·   Some time on the 15th, I manually downloaded 4.6.623 and the same problems persisted (at least I think I tested for them anyway)  ;).

Now (3/18/2005) with the current version of Avast and the following default settings reinstated:
·   Web Shield redirected to Port 80
·   Firefox set for “Direct connection to the internet”

All the problems (with which I experimented a few different ways, before and after reboot on all 4 computers) have been corrected!  I presume Alwil downloaded a new version of 4.6.623 (mine is set for automatic), and this cleared it up!  If this is the case, WAY TO GO AVAST TEAM!!!!!

Regards,
= AirCeej =

kpfuser

  • Guest
Re: Sygate and webshield...
« Reply #17 on: March 18, 2005, 11:27:44 AM »
What an interesting topic! I do use Sygate PFPro and was unaware of the new developments till I saw this thread. So I had to run my own test. SPFPro is set to 'ask' and I utilize advanced rules to control access to the internet.  This is what happened:

1. I disconnected from and reconnected to the internet. An SPF popup appeared asking whether to allow avast! Web Scanner to contact download.windowsupdate.com. Permission was given.

2. I directed FF to a site in my bookmarks for which no advanced rule exists in my ruleset. The connection was promptly made.

3. The traffic log shows that it was not FF that contacted the site but avast! Web Scanner (ashWebSv.exe).

It would be deeply appreciated if anyone can fill me in on the following:

1. Since security seems to have been breached, what did the avast gurus have in mind when they came up with this new twist?

2. If FF can hitch a free ride to uncharted territory, shouldn't Mr Trojan claim (and enjoy) similar privileges?

3. How exactly can one implement (idiot-style, i.e., click on... etc.) the redirections and direct connections of the last post?

4. What cause (if any) is there not to ditch avast at this point and go back to, let's say, Norton?

DukeNukem

  • Guest
Re: Sygate and webshield...
« Reply #18 on: March 18, 2005, 12:12:33 PM »
kpfuser,

untick the smart dns option in sygate pro security tab.

Now try your experiment again.

And report back  :P

« Last Edit: March 18, 2005, 12:15:37 PM by DukeNukem »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Sygate and webshield...
« Reply #19 on: March 18, 2005, 01:19:47 PM »
Quote
As checking two-way traffic to and from the computer has my highest priority in conjunction with the other shields in Avast, then I currently have the level of protection I enjoyed before Alwil added the Web Shield, and none of the problems since its introduction.  Obviously it would be better if I could employ the use of the Web Shield, route Firefox through it without any display anomalies, AND have Sygate check traffic in both directions, but evidently that is not a current option.

In fact, this is not a WebShield leak. It's a Sygate (at least the free version) problem.
My problem (which will be that of anyone who uses an IP anonymizer, Proxomitron, MultiProxy, etc.) is the local proxy. Sygate has a problem/bug and cannot handle the connections.

Quote
All the problems (with which I experimented a few different ways, before and after reboot on all 4 computers) have been corrected!  I presume Alwil downloaded a new version of 4.6.623 (mine is set for automatic), and this cleared it up!  If this is the case, WAY TO GO AVAST TEAM!!!!!

Build 623 updated to a new WebShield behavior. This is well known: http://forum.avast.com/index.php?topic=1647.msg100190#msg100190
Only allowed browsers are automatically added to the white list of WebShield.

Until now, nobody has proved to me that we're not losing the DDD authentication features of the firewalls. If a DLL uses the browser for connection, WebShield will serve as a tunnel (proxy) and the firewalls (at least Sygate free) won't detect this. WebShield is making us lose this firewall feature.
Of course, if I'm wrong, I have no doubt to regret  8)
The best things in life are free.

stevejrc

  • Guest
Re: Sygate and webshield...
« Reply #20 on: March 18, 2005, 01:48:18 PM »
I have realplayer, windows media player, ad-aware, spywareblaster etc set to ask and sygate does ask me. Which it didn't with the previous avast version. Only crap cleaner (temp cleaner update) doesn't ask, this uses an IE window. So it has helped a bit and enough for me.

NB. I don't use any other proxies - like Proxomitron etc.
« Last Edit: March 18, 2005, 01:52:38 PM by stevejrc »

AirCeej

  • Guest
Re: Sygate and webshield...
« Reply #21 on: March 18, 2005, 03:14:47 PM »
Quote
In fact, this is not a WebShield leak. It's a Sygate (at least the free version) problem.
My problem (which will be that of anyone who uses an IP anonymizer, Proxomitron, MultiProxy, etc.) is the local proxy. Sygate has a problem/bug and cannot handle the connections.

Technical,

Thank you for your responses.  If you’ve kept track of my posts, then you’ll realize that I’ve been aware of this for quite some time.  My concern (and that of many others) is not necessarily what development team dropped the ball (Sygate in this instance), but that it all works together seamlessly on my computer without the need for putting out additional fires – let alone taking valuable time to research them (already a vast commodity in a day in the life).  That the good folks at Team Alwil provided a solution where everything works together in the utilities I use (and recommended to a few hundred people) – in such a relatively short time – only further raises the bar of class in an industry sorely needing such a good example.


Quote
Build 623 updated to a new WebShield behavior. This is well known: http://forum.avast.com/index.php?topic=1647.msg100190#msg100190
Only allowed browsers are automatically added to the white list of WebShield.

Uh no.  The notion that Michael Jackson is a sexually deviated, surgically altered, androgynous byproduct of an ill-gotten youth - is relatively “well known”.  The very idea of the one heading the US as a loose cannon has certainly gained notoriety; however, “Build 623 updated to a new WebShield behavior” is so far off the radar for the general populace (let alone the tiny fraction of those whom I represent) as to be totally unaware of its existence (save for some in this forum and others on its periphery).

kpfuser

  • Guest
Re: Sygate and webshield...
« Reply #22 on: March 18, 2005, 03:30:09 PM »
Quote
untick the smart dns option in sygate pro security tab.

Now try your experiment again.

And report back

After unticking 'Smart DNS,' I had to allow svchost.exe to access my ISP's DNS servers via an advanced rule for things to work. Without doing this, FF could not connect anywhere.

When I tried to connect to the same site as earlier, it was ashWebSv.exe who requested permission to connect and not FF. Thereafter, a 'deny' selection makes any connection impossible while an 'allow' one channels all traffic through the Avast Web Scanner. As if to underscore the point, the traffic log recorded outgoing TCP traffic to an unknown Akamai IP address.

All this brings me to the questions

1. how do I disable ashWebSv.exe and

2. what do I lose by doing so.

DukeNukem

  • Guest
Re: Sygate and webshield...
« Reply #23 on: March 18, 2005, 03:46:50 PM »
I am behind a router, I think this is why I get different results.

Did you set FF to ask or delete FF from your apps lists?

The Web Shield is a great feature in avast as it prevents a virus from being downloaded to your PC.



« Last Edit: March 18, 2005, 03:48:28 PM by DukeNukem »

kpfuser

  • Guest
Re: Sygate and webshield...
« Reply #24 on: March 18, 2005, 04:18:49 PM »
Quote
Did you set FF to ask or delete FF from your apps lists?

FF is set to 'ask.'

Quote
The Web Shield is a great feature in avast as it prevents a virus from being downloaded to your PC.

Maybe, but this must be weighed against allowing trojans and spyware to call home with impunity. In my opinion, it breaks more than it fixes.

Anyway, how can I disable it for now?


Arup

  • Guest
Re: Sygate and webshield...
« Reply #25 on: March 18, 2005, 04:35:50 PM »
Avast Web Shield works fine with Kerio 2.15 with software proxy loopback rule set to exclude port 12080, all sites get scanned using either Opera, FF or IE.

Web Shield also works fine with Jetico, Kerio 4 as well as Zone Alarm Free.

In case you don't want the extra protection, turn it off in the control panel: right click taskbar>On Access Protection Control and terminate Web Shield.
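The effect debated in this thread, as an added example that is not part of any post: once browsing goes through the Web Shield's local proxy, rules keyed on the outbound connection see only ashWebSv.exe, so the originating program has to be read from the loopback side. Port 12080 and ashWebSv.exe come from the posts; the record layout, the sample rows, the allowed-browser list and the assumption that each proxied client appears as a loopback connection to the proxy port are constructed for illustration.

```python
from collections import namedtuple

# One row of a per-process connection table, as a firewall traffic log or a
# netstat-style listing with owning process would provide (layout is assumed).
Conn = namedtuple("Conn", "process local_addr local_port remote_addr remote_port")

PROXY_PORT = 12080                              # loopback proxy port named in the thread
ALLOWED_CLIENTS = {"firefox.exe", "opera.exe"}  # assumption: your trusted browsers

# Constructed sample rows (documentation addresses, hypothetical updater.exe).
SAMPLE = [
    Conn("firefox.exe", "127.0.0.1", 1187, "127.0.0.1", 12080),
    Conn("ashWebSv.exe", "192.168.1.10", 1188, "203.0.113.20", 80),
    Conn("updater.exe", "127.0.0.1", 1190, "127.0.0.1", 12080),
    Conn("ashWebSv.exe", "192.168.1.10", 1191, "198.51.100.7", 80),
]


def proxy_clients(conns, proxy_port=PROXY_PORT):
    """Processes that hand their traffic to the local proxy over loopback."""
    return {
        c.process for c in conns
        if c.remote_addr == "127.0.0.1" and c.remote_port == proxy_port
    }


def audit(conns, allowed=ALLOWED_CLIENTS, proxy_port=PROXY_PORT):
    """Compare what outbound-only rules see with who is really using the proxy."""
    # Owners of non-loopback connections: all an outbound application rule sees.
    outbound_owners = {c.process for c in conns
                       if not c.remote_addr.startswith("127.")}
    clients = proxy_clients(conns, proxy_port)
    return {
        "seen_by_outbound_rules": sorted(outbound_owners),
        "proxy_clients": sorted(clients),
        # Anything riding the proxy that is not a browser you expect there.
        "unexpected_clients": sorted(p for p in clients
                                     if p.lower() not in allowed),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```
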

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Sygate and webshield...
« Reply #26 on: March 18, 2005, 04:45:23 PM »
Arup, can you post details of your advanced rule for proxy loopback?
Ports (remote/local), IP (remote/local), traffic (income/outcome/both), protocols, etc.
Thanks.  8)
The best things in life are free.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Sygate and webshield...
« Reply #27 on: March 18, 2005, 05:09:16 PM »
Quote
It would be deeply appreciated if anyone can fill me in on the following:

1. Since security seems to have been breached, what did the avast gurus have in mind when they came up with this new twist?

2. If FF can hitch a free ride to uncharted territory, shouldn't Mr Trojan claim (and enjoy) similar privileges?

3. How exactly can one implement (idiot-style, i.e., click on... etc.) the redirections and direct connections of the last post?

4. What cause (if any) is there not to ditch avast at this point and go back to, let's say, Norton?

ad 2.) Under normal circumstances you give FF full access for outgoing connections? Or do you explicitly permit every access? What prevents you from applying the same "security measures" to the WebShield process? Does your firewall prevent your apps from executing other apps, or what stops your Mr Trojans from using FF or IE to access the web? Oh man, we must be talking only about Trojans that run in the process of Internet Explorer or Firefox, otherwise WebShield wouldn't redirect them - so after all you cannot trust all Firefox connections, because some of these might be from the in-process Trojans. And if your Trojans cannot hijack your browser (for some other reason) then WebShield does not change the behavior - a Trojan accessing the net would get caught by Sygate.

Explain this to me please!


DukeNukem

  • Guest
Re: Sygate and webshield...
« Reply #28 on: March 18, 2005, 05:27:31 PM »
I connected my cable modem to my pc network card.

And unticking the smart dns option has no effect. FF or IE can access the internet even if they are blocked and if set to ask sygate does not ask.

EDIT

I have got it to work, I terminated the following windows service, DNS client

Now sygate will always ask to allow FF or IE to access the internet, and if i block them both they do not work.

KPFuser, I am quite sure that if you have sygate pro and

untick smart dns
stop/disable the windows service DNS client

FF or IE wont be able to access the internet if blocked or set to ask sygate will prompt you.

BTW I didn't have to create any special rules for svchost. I am not sure if disabling the DNS client is a good idea as some ISPs may need it on but it works for me.

ANOTHER EDIT - regarding the DNS client service
http://www.theeldergeek.com/dns_client.htm

Seems safe to disable.
« Last Edit: March 18, 2005, 06:10:57 PM by DukeNukem »

sded

  • Guest
Re: Sygate and webshield...
« Reply #29 on: March 18, 2005, 05:49:42 PM »
Yet another Sygate setup variation.  I am not an IE user and consider it the "most popular hijackee" for lots of malware.  So I went back to the use of browser proxies in .623.  I have set up Opera and Firefox to use 127.0.0.1 port 1280 for http proxy, removed port 80 from the avast! redirect, and set IE to "ask".  So there are two trusted browsers and one untrusted browser now, with virus scanning on the trusted and disuse of the untrusted, except where Microsoft (or other) forces me to use it on trusted sites.  So if it pops up in Sygate, I will pay attention.  Also watch for the avast! ball to be spinning unexpectedly.  And use a longer Sygate  traffic log. ::)
« Last Edit: March 18, 2005, 06:04:10 PM by sded »