Author Topic: Emergency Update Annoyance  (Read 9639 times)

dolphins

  • Guest
Emergency Update Annoyance
« on: January 25, 2014, 09:20:56 PM »
OK, first thing I have reinstalled with only File System Shield enabled because of other problems Avast is causing with forums and email.

Also

Every day, sometimes 2 or 3 times per day I get prompted from my firewall to allow emergency updates from Avast. There are usually 5 to 7 prompts consecutively all wanting to connect through port 80 from multiple Avast servers. Even if I set a rule to allow them permanently I still get prompted. At one time I had over 15 permanent permissions just for the Emergency Update service in my firewall filter rules but still the prompts kept coming. This is not acceptable!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Emergency Update Annoyance
« Reply #1 on: January 25, 2014, 09:25:03 PM »
What exact version of avast are you using?

If you set the rule and Kerio is still asking you, you haven't set the rule correctly or there is a problem with Kerio.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Emergency Update Annoyance
« Reply #2 on: January 25, 2014, 09:30:06 PM »
Remove the photo or edit it. Your IP is in the photo.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

AdrianH

  • Guest
Re: Emergency Update Annoyance
« Reply #3 on: January 25, 2014, 09:41:12 PM »
Personally I would find a better firewall.  Kerio was tired many years ago.

I use Private Firewall, the emergency updater runs as scheduled, it never bothers me.

If you only have file shield installed your system is at risk.

Give your system specs and what problems you have, maybe someone can help.

cooby

  • Guest
Re: Emergency Update Annoyance
« Reply #4 on: January 25, 2014, 11:22:31 PM »
Nothing wrong with Kerio, it's one of the finest firewalls.

@dolphins, when Kerio alerts, look at the bottom - you need to make a permanent rule for this application - but don't include the remote IP since the server changes.  Make sure your rules sequence is ok - it might not be since you say you allow the update and it still won't run. But I suspect your problem is with the child executables.

The main problem is what happens after when the new file comes in.
Outpost, OnlineArmor, Sunbelt, any GOOD firewall, sees a NEW EXECUTABLE. By design it must ask for permission.
Since Avast gives those new child executables  a different filename, such as
c:\Program Files\AVAST Software\Avast\Setup\fec4d8ce-99fb-4ea5-8a09-f19dcf12eb20.exe
c:\Program Files\AVAST Software\Avast\Setup\629ce6f5-9888-4934-b71d-7fbd07ed0dea.exe
the good firewalls must alert, even if something like trusted app (avastEmUpdate.exe parent) is permitted.

This has been discussed, and dismissed here as firewalls' fault. Few discussions worth reading (and there are many more on this forum)
http://forum.avast.com/index.php?topic=126731.0
http://www.outpostfirewall.com/forum/showthread.php?27540-Avast-9-emergency-update-exe-files

All we need is an invariant filename.
« Last Edit: January 25, 2014, 11:27:10 PM by cooby »

dolphins

  • Guest
Re: Emergency Update Annoyance
« Reply #5 on: January 26, 2014, 05:08:08 AM »
Kerio 2.1.5 is one of the best no nonsense rule based firewalls ever developed. But don't take my word for it, ask some security experts on some of the accredited security forums. I'll put it up against any of today's bloated firewalls. I don't need bells and whistles I just want strong protection which is what Kerio gives me.

That is not my IP address it is an Avast server's IP address. It wouldn't matter if it was my IP anyway.

@cooby I set the permanent rule and it works until Avast wants to phone home again. Like you said, Avast's executable changes its file name every time so I don't see any way to allow it with filter rules?


Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7170
  • When you think you know, Think Again
Re: Emergency Update Annoyance
« Reply #6 on: January 26, 2014, 05:19:23 AM »
I followed much about the Avast EMupdater discussions (here and the Agnitum Forum) and just adding I have NO issues here using Outpost Pro on either XP or W8.1 with this Avast process or nagging popups. :)

cooby

  • Guest
Re: Emergency Update Annoyance
« Reply #7 on: January 26, 2014, 07:02:11 AM »
@dolphins,
Now, your screenshot doesn't show the full name of the .exe file you put there, I guess it's the same as in the rule name.
AvastEmUpdate needs a connection as you're coding it. Just put it in the right place.

The randomName.exe file does not need the internet connection, at least not for me. It gets downloaded when emergency update sees one is required. It is then run.
It causes some firewalls to alert because its name changes so HIPS or behavior blocking sections of a firewall respond, not the packet rules.

On the other hand, if you look into the Outpost forum thread I posted, you will see that there was an alert for both behavior and connection for the randomName.exe. So I guess every firewall alerts slightly differently or sees different events, and also it may well be related to what sort of HIPS/behavior settings one has. I don't have that option, so every new .exe causes a prompt.

Are you sure the alert you get from Kerio is for the randomNamed.exe? The one you posted originally is just for the emergency update.

This is off-topic: You may want to put port 80 into the remote port, also limit your local ports to 1029-5000 if on XP, some other range for newer Windows.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Emergency Update Annoyance
« Reply #8 on: January 26, 2014, 07:24:44 AM »
Last time I checked, "best firewall" and "being heavily outdated" don't go together at all. Kerio is not being updated for years, so why are you even relying on it?
Visit my webpage Angry Sheep Blog

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Emergency Update Annoyance
« Reply #9 on: January 26, 2014, 07:46:15 AM »
Best firewall is still a hardware firewall.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Emergency Update Annoyance
« Reply #10 on: January 26, 2014, 12:45:33 PM »
It isn't. Hardware firewall is a dumb firewall that just filters packets, but has no clue what's going on on a system level. Hardware firewall is only useful if you want to prevent access in or out for specific ports and IP addresses.
Visit my webpage Angry Sheep Blog

dolphins

  • Guest
Re: Emergency Update Annoyance
« Reply #11 on: January 26, 2014, 02:37:43 PM »
@cooby The filter rule is for the Emergency Update exe not one of the random file names. I deleted all the old filter rules for Avast so I'm starting fresh to see if I can get this straightened out?

Oddly this has been happening for the last 2 weeks but today it has not happened yet. It usually happens right after I boot up in the morning but so far nothing. I will make screen captures of each one and post them here if and when they pop up again? If you're familiar with Kerio you already know it will always use the first rule in the list which overrides the lower priority filters. So maybe one of the old rules was the problem? Since this is an ongoing problem with other firewalls also, I will post any new results here that may or may not help you.

Thank you for staying on topic and not joining the pissing contest about firewalls.  :)   

cooby

  • Guest
Re: Emergency Update Annoyance
« Reply #12 on: January 26, 2014, 08:19:57 PM »
There haven't been new emergency files since Jan23, so it has to be quiet if your packet filtering rules are now ok and in correct sequence.
When one arrives, Kerio will alert you if you check for new or changed executables.
I just dusted off an XP box that had Avast on it. In the log of MD5 items in Kerio is at least one of the randomName.exe jobs - see picture.
So, like I said, for me it's on the behavior side and not the packet filtering side of the firewall.

Now, as I think about it some more, even if the fileName didn't change, a firewall will alert to the change of contents. So yes, we do need to live with it if we want a firewall to monitor what runs, rather important protection method in my opinion :)

Sorry about that copied post#8, I meant to edit something, messed up and gave up.

dolphins

  • Guest
Re: Emergency Update Annoyance
« Reply #13 on: January 27, 2014, 07:44:21 PM »
@cooby That explains why it just started happening all of a sudden. So I can expect more of this nonsense on the next update unless they issue a fix.

I always delete all MD5 signatures when I delete filter rules so I'm currently running with a clean slate, so to speak.

As for the random file name change, I would think that most firewalls would alert users of this?

dolphins

  • Guest
Re: Emergency Update Annoyance
« Reply #14 on: January 29, 2014, 05:05:45 PM »
First thing this morning after boot up it started again only this time the 'New found Hardware' wizard opened when I allowed the update.  I have not installed any new hardware in this machine in the last year.

The MD5 signatures stay the same but the file name changes (See Attachment).
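
Added example, not from any poster in this thread and not Kerio's or Avast's code: a toy application-control table showing why a rule keyed on the executable's path prompts for every GUID-named file, while a rule keyed on the file's content hash prompts only when the content changes. The `AppControl` class, the payload bytes and the temporary directory are constructed for illustration, and SHA-256 is used here where Kerio 2.1.5 records MD5.

```python
import hashlib
import os
import tempfile
import uuid


def file_digest(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AppControl:
    """Hypothetical rule table: returns ALLOW or PROMPT for an executable."""

    def __init__(self, key_by):
        if key_by not in ("path", "hash"):
            raise ValueError("key_by must be 'path' or 'hash'")
        self.key_by = key_by
        self.trusted = set()

    def _key(self, path):
        return os.path.normcase(path) if self.key_by == "path" else file_digest(path)

    def check(self, path, remember=True):
        key = self._key(path)
        if key in self.trusted:
            return "ALLOW"
        if remember:  # the user answers the prompt with a permanent rule
            self.trusted.add(key)
        return "PROMPT"


def simulate(key_by):
    """Three constructed 'updates': same content twice, then new content."""
    fw = AppControl(key_by)
    decisions = []
    payloads = (b"constructed payload v1", b"constructed payload v1", b"constructed payload v2")
    with tempfile.TemporaryDirectory() as setup_dir:
        for payload in payloads:
            path = os.path.join(setup_dir, f"{uuid.uuid4()}.exe")  # new name each run
            with open(path, "wb") as f:
                f.write(payload)
            decisions.append(fw.check(path))
    return decisions
```

`simulate("path")` prompts on all three files; `simulate("hash")` prompts once, allows the renamed identical copy, and prompts again when the content changes.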