Topic: Sygate and webshield...

DukeNukem

  • Guest
Re: Sygate and webshield...
« Reply #30 on: March 18, 2005, 06:27:44 PM »
Sorry if this is getting confusing, but it shouldn't make any difference if you're behind a router or connected directly to the internet

as long as

DNS client is stopped/disabled (Windows XP / 2K)
Smart DNS is unticked

Sygate Pro will prompt you to allow FF or IE to access the internet if set to ask or if they are not in the trusted apps list. Also blocking both will prevent them from accessing the internet.

The reason I didn't pick this up is because, being that I use a router, I tend to disable non-required services. So when I connected my modem directly to my network card I re-started the DNS client, thinking that it would be needed in order to gain an IP from my ISP. However, this is not the case, plus enabling it contributes to the problem.
« Last Edit: March 18, 2005, 06:29:27 PM by DukeNukem »

kenwong

  • Guest
Re: Sygate and webshield...
« Reply #31 on: March 18, 2005, 06:28:23 PM »
Some things discussed in this thread are too technical for me to understand. Can anyone tell me:

1.  Am I now not safe enough as I am using Avast 4.6.623 together with Sygate 5.6 Build 2808?

2.  Is the work-around mentioned above not workable for me as my machine is running Win 98 (under which the re-direct feature is unavailable)?

3.  Are there any other work-arounds?

kpfuser

  • Guest
Re: Sygate and webshield...
« Reply #32 on: March 18, 2005, 07:05:22 PM »
Lukor,

Quote
Under normal circumstances you give FF full access for outgoing connections? Or do you explicitly permit every access?

I explicitly permit every access (IP address range, protocol, traffic direction, application/service).

Quote
What prevents you from applying the same "security measures" to WebShield process?

Hmmmm!!! That's a worthwhile idea! And to avoid the tedium of constructing a whole bunch of new rules just add ashWebSv.exe as a second application in each advanced rule written for FF. A good start but there are still kinks to be ironed out.

Quote
Does your firewall prevent your apps from executing other apps, or what stops your Mr Trojans from using FF or IE to access the web?

Indeed my firewall stops apps from piggybacking on other apps! In fact I will get a warning even if an app tries to send FF to a site that is explicitly allowed in my ruleset. The mere fact that the request is not initiated by me will trigger an alert. So this is then the problem with ashWebSv.exe: Unless one can explicitly cover every possible destination, protocol/direction, etc. via advanced rules (a near impossibility), sooner or later he will have to give ashWebSv.exe a one-time permission to connect somewhere and this will lead to loss of control thereafter as to who can connect to where for the remainder of the session. This is due to a peculiarity of Sygate which, once an app is allowed to connect somewhere via an 'allow'/'deny' request, it gets the green light subsequently to connect anywhere it wishes for the current session without raising an alert.

Quote
Oh man, we must be talking only about Trojans that run in the process of Internet Explorer or Firefox, otherwise WebShield wouldn't redirect them - so you after all cannot trust all firefox connections, cause some of these might be from the in-process Trojans

Do you mean to say that only FF can get out hitching a ride on Web Scanner and no other app? Sygate suffers from a known loopback vulnerability. If a local proxy is present, then any app can get out through the local proxy. So the problem here is not confined to FF.

So just to repeat an earlier request, how can one prevent the Web Scanner from starting rather than disabling it manually after it starts with every bootup?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Sygate and webshield...
« Reply #33 on: March 18, 2005, 07:12:49 PM »
Quote
So just to repeat an earlier request, how can one prevent the Web Scanner from starting rather than disabling it manually after it starts with every bootup?

1. Uninstalling the provider (through Control Panel)
or
2. Using msconfig and disabling the startup item + disabling the Windows Service
The best things in life are free.

kpfuser

  • Guest
Re: Sygate and webshield...
« Reply #34 on: March 18, 2005, 08:03:47 PM »
DukeNukem,

Thanks for the post. I will try disabling DNS Client. However, the problem as I see it is not so much whether FF will ask for permission to connect or not. What I am afraid of is that in the presence of WebShield other apps can get out using WebShield as their local proxy due to a known Sygate loopback vulnerability. If this is the case, whether FF asks for permission to connect or not may be a moot point. It could be that I am getting a bit paranoid about this point. However, I do recall reading enough about Sygate's vulnerability in the presence of a local proxy to get more than a little unnerved.

Technical,

Thanks for the info.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Sygate and webshield...
« Reply #35 on: March 18, 2005, 08:19:26 PM »
Quote
However, the problem as I see it is not so much whether FF will ask for permission to connect or not. What I am afraid of is that in the presence of WebShield other apps can get out using WebShield as their local proxy due to a known Sygate loopback vulnerability. If this is the case, whether FF asks for permission to connect or not may be a moot point. It could be that I am getting a bit paranoid about this point. However, I do recall reading enough about Sygate's vulnerability in the presence of a local proxy to get more than a little unnerved.

That's my problem too... Indeed, I have two, this one and another local proxy.
The effect is the same, tunnelling HTML traffic due to Sygate loopback vulnerability
The best things in life are free.

kpfuser

  • Guest
Re: Sygate and webshield...
« Reply #36 on: March 18, 2005, 09:01:00 PM »
Technical,

Look at the bright side of it. You got two local proxies for the price (to pay) of one!

Which other local proxy do you have? It seems that having avast antivirus is like having a wife. A lot of compromises and work-arounds are called for. It is most probably worth it but...

Arup,

Quote
Avast Web Shield works fine with Kerio 2.15 with software proxy loopback rule set to exclude port 12080, all sites get scanned using either Opera, FF or IE.

I confirm that I've seen no problems with WebShield in a Win98 PC with Kerio 2.1.5. In fact, I haven't even seen ashWebSv.exe at all despite setting every relevant rule to log. Everything else though shows that WebShield exists in my system. I guess I can live with it for now. As for your loopback rule, let me second Technical's request for a complete disclosure. Good to know that there are some folks like me out there still using good ol' kpf 2.1.5.

rjbook

  • Guest
Re: Sygate and webshield...
« Reply #37 on: March 18, 2005, 09:49:48 PM »
Well, this answers the question... I am using the free version of Sygate 5.6 build 2008 and WebShield will not work, even with the patch for WebShield. I have XP SP1 and am also running the Spybot immunizations. I suppose for now I shall just have to disable WebShield until I find another firewall that I am happy with.
RJB

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Sygate and webshield...
« Reply #38 on: March 19, 2005, 12:02:57 AM »
Well what you could always do is disable the transparency of the WebShield proxy (e.g. by deleting the "80" from the list of redirected ports in webshield's settings) and manually set up your browser to use a proxy server, with the following parameters

proxy server name: localhost
proxy server port: 12080


This has been discussed in a bit more detail in other threads here on this forum...


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

kpfuser

  • Guest
Re: Sygate and webshield...
« Reply #39 on: March 19, 2005, 08:46:14 AM »
Vlk,

Would you please give the details (i.e., go to ... click on ..., etc.) on how to adjust these settings?

Thanks

kenwong

  • Guest
Re: Sygate and webshield...
« Reply #40 on: March 19, 2005, 08:50:30 AM »
Hi Vlk,

Please also tell me what work-arounds I can have with my machine running Windows 98. The setting of transparent web scanning and redirection in avast is dimmed for Win98.

Jarmo P

  • Guest
Re: Sygate and webshield...
« Reply #41 on: March 19, 2005, 08:54:24 AM »
The solution that Avast team have made to Web Shield in 4.6.623  is satisfactory to me as a Sygate user.

Other applications besides FireFox and IE browsers are in control of the firewall. So no app checks for updates or sends info out, etc. without my acceptance.

What Vlk told is also possible to do and adds an added security level I think. It was really IMO needed only with build 4.6.603. Some sites did not work though with it, I mention one adult chat site that used port 9000 TCP for video or needed that connection otherwise.
Not going to give you link guys :P

I have no problem that Firefox doesn't get asked from the firewall. I would allow it anyways. It does get asked though with other ports than TCP 80.

Quote
This is due to a peculiarity of Sygate which, once an app is allowed to connect somewhere via an 'allow'/'deny' request, it gets the green light subsequently to connect anywhere it wishes for the current session without raising an alert.

That is not so. You have allowed all the client remote TCP and UDP ports by default. When Firefox first gets asked for connection, you permit it to use all those ports. You have also allowed the whole IP range in your browser application rule. That is why you don't get asked again.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Sygate and webshield...
« Reply #42 on: March 19, 2005, 09:04:15 AM »
The step-by-step instructions on how to set up a proxy server depend on which browser you're using.

For IE, the procedure is described in the avast Help file. Here's an excerpt:

Proxy server setting when using the local area network (LAN):

1. Start Internet Explorer.
2. Select Tools -> Internet Options... from the main menu.
3. Switch to page Connections.
4. Click on the LAN Settings... button.
5. Check the option Use a proxy server for your LAN
6. Write localhost into the Address field (alternatively, you can enter IP address 127.0.0.1, which is the same as localhost).
7. Enter 12080 into the Port field.
8. Confirm with OK button.

Proxy server setting when using dial-up connection (modem):

1. Start Internet Explorer.
2. Select Tools -> Internet Options... from the main menu.
3. Switch to page Connections.
4. Select your dial-up connection from the list and click on the Settings... button.
5. Check the option Use a proxy server for this connection.
6. Write localhost into the Address field (alternatively, you can enter IP address 127.0.0.1, which is the same as localhost).
7. Enter 12080 into the Port field.
8. Confirm with OK button.


For FireFox, the procedure is similar except that the settings are in Tools -> Options -> Connection Settings -> Manual proxy configuration. Uncheck the "Use the same proxy for all protocols" box and fill in the boxes next to "HTTP proxy".


Hope this helps,
Vlk
If at first you don't succeed, then skydiving's not for you.
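
The concern raised earlier in this thread is that a per-application firewall only sees the proxy process going out, while the real originator shows up only on loopback. As an added example (not part of any post here, and not avast or Sygate code), this Python script parses `netstat -ano`-style output and reports which PIDs are clients of the proxy on localhost:12080; the sample rows, addresses and PIDs are constructed.

```python
import re
from collections import Counter

PROXY_PORT = 12080                       # WebShield proxy port given in the thread
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample in the style of `netstat -ano`; PIDs and ports are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1480
  TCP    127.0.0.1:1051         127.0.0.1:12080        ESTABLISHED     2212
  TCP    127.0.0.1:12080        127.0.0.1:1051         ESTABLISHED     1480
  TCP    127.0.0.1:1077         127.0.0.1:12080        ESTABLISHED     3120
  TCP    127.0.0.1:12080        127.0.0.1:1077         ESTABLISHED     1480
  TCP    192.168.1.10:1052      203.0.113.7:80         ESTABLISHED     1480
  TCP    192.168.1.10:1060      203.0.113.9:9000       ESTABLISHED     2212
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and non-TCP lines are skipped
            lip, lport, rip, rport, state, pid = m.groups()
            rows.append((lip, int(lport), rip, int(rport), state, int(pid)))
    return rows

def proxy_listener_pids(rows):
    """PIDs that own the listening socket on the proxy port."""
    return {pid for _, lport, _, _, state, pid in rows
            if lport == PROXY_PORT and state == "LISTENING"}

def proxy_clients(rows):
    """Count established loopback connections to the proxy, per client PID."""
    return Counter(pid for _, _, rip, rport, state, pid in rows
                   if rip in LOOPBACK and rport == PROXY_PORT and state == "ESTABLISHED")

def unexpected_clients(rows, expected_pids):
    """Client PIDs that are not on the caller's list of expected browsers."""
    return sorted(set(proxy_clients(rows)) - set(expected_pids))

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("proxy process:", proxy_listener_pids(rows))
    print("clients of the proxy:", dict(proxy_clients(rows)))
    print("not an expected browser:", unexpected_clients(rows, {2212}))
```

In the sample, the only port-80 connection leaving the machine belongs to the proxy PID, so the loopback rows are the only place the originating process is visible.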

kpfuser

  • Guest
Re: Sygate and webshield...
« Reply #43 on: March 19, 2005, 09:16:32 AM »
Vlk,

Thank you very much.

Jarmo P,

My experience with Sygate PFPro does not coincide with yours but let's leave it at this. It is up to the individual user to check on his/her own what is what.

AirCeej

  • Guest
Re: Sygate and webshield...
« Reply #44 on: March 19, 2005, 03:34:34 PM »

Quote
Other applications besides FireFox and IE browsers are in control of the firewall. So no app checks for updates or sends info out, etc. without my acceptance.

I have no problem that Firefox doesn't get asked from the firewall. I would allow it anyways. It does get asked though with other ports than TCP 80.

That is not so. You have allowed all the client remote TCP and UDP ports by default. When Firefox first gets asked for connection, you permit it to use all those ports. You have also allowed the whole IP range in your browser application rule. That is why you don't get asked again.

Quote
So no app checks for updates or sends info out, etc. without my acceptance.

This is unfortunately not true in the free version (in my current understanding) if those apps do it through IE or Firefox; even if you set up an advanced rule to make the browsers ask for permission - once they do and it’s granted, then another program has free access through that browser without the browser having to ask for permission again (unless you reboot). To substantiate this, I made a rule, made sure Firefox and Web Shield were flagged to ask for permission, fired up Firefox and it asked for permission (through the Web Shield asking to get on the 'net); I then updated CCleaner (nice freeware for cleaning the registry among other things, which was also marked to “ask” for permission), and it went right to its website through Firefox without ever being flagged for rights.

For those with the free version of the firewall wanting to experiment with this procedure, try it via:
·   Right-click on the Sygate System Tray Icon.
·   Click on Advanced Rules.
·   Click on the OK to acknowledge the message.
·   Click Add.
·   Type a description of what the rule will do.
·   Click on the Ports and Protocols Tab.
·   Select UDP.
·   Type 53 in the Remote Window.
·   Click OK.
·   Click OK.
Make sure you have the Web Shield marked to “ask” for permission as well as your browser and whatever programs you’re going to experiment with.

I think this needs to be done in conjunction with:
·   Click on Start in the “Start Bar”.
·   Select Control Panel.
·   Select Administrative Tools.
·   Select Services.
·   Right click on DNS Client.
·   Click on Stop.
·   In the pull-down window above that, make sure that Disabled is selected.
·   Click on Apply.
·   Click on OK.
·   X (close) out of Services.
·   X (close) out of Administrative Tools.

The problem with this, and Sygate in general (at my current knowledge level) - it’s only a one-shot approach: once the program is granted permission, it doesn’t have to do it again for the current runtime (if you will) of the computer. Given that, it would be far better if Sygate updated their permission granting to provide the ability to grant or deny program access for:
·   Every time it asks
·   Until reboot
·   Always

If anyone knows how to write a rule to make sure a given program asks every time it wants the ‘net during the current session, would you please list that procedure here point-by-point? That way Avast/Sygate users will have an excellent, stable, non-resource hogging, somewhat user-friendly mechanism for protecting them on a much more assured level.

Regards,
=AirCeej=
« Last Edit: March 20, 2005, 01:44:34 PM by AirCeej »