Windows 8.1 - Base Filtering Engine service disabled and access denied

[WhiteZero]

Using Windows 8.1 Pro
About a week ago I noticed my Windows Firewall was unable to start, which caused Windows 8 App updates to fail. I tracked it back to the Base Filtering Engine, which appeared to be Disabled. Trying to change it to Automatic was met with Access Denied. After a lot of Google-fu and playing with registry permissions, I simply could not get BFE to let me enable it. Today I decided I wanted to try out Avira Antivirus Free, after running Avast Free as my AV of choice for years. As soon as Avast was uninstalled I got my access to BFE again! This seems like a fairly serious bug.

[REDACTED]

Using Windows 8.1 Pro
I started having a problem with a specific service not being able to start that was dependant on the base filtering engine. After digging into the issue I noticed that I didn't have registry access to the BFE key. When I uninstalled Avast everything worked fine. Any word on why the BFE registry is locked by Avast or any workaround to allow programs that need access to make changes to the BFE registry key?

[REDACTED]

By the way, it's not a given that Avast will break the Base Filtering Engine service in Windows 8.1.  The service is running just fine on my system with Avast 2014.9.0.2021.

That being said, I have enabled only the three shields and the Software Updater tool.

It's not a bad idea, with basic malfunction type problems, to try a full clean uninstall (via the Avast avastclear tool) then reinstall the product.

-Noel

[lukor]

Hi guys,
indeed avast prevents from tampering with BFE service settings - its self-defense part blocks registry access to BFE service key. The reason for this is, as you can see, that disabled BFE also disables all sorts of network related services, such as Firewall or WebShield etc.

Avast here indeed was the reason why BFE could not be started (resp. why the registry for the service could not be changed back from disabled to automatic), it somehow assumed that whatever is in the registry should be protected - assuming that we protect correct state and not the incorrect one (with BFE disabled).

Two comments:
 - what caused previously running BFE to be "disabled"? I have no idea and would like to find out. There are known virus families that disable BFE.
 - avast could probably detect such state a warn as soon as BFE is stopped or disabled in the registry (or even change it back), not just "protect" the key in the registry

Thanks for reporting this,
we'll look into this.
Lukas

Edit: starting from Avast 2014 R4 we are checking the state of BFE service and warn during setup if BFE is not running.

[essexboy]

Lukor a quick question  ZA removes the BFE key data.  So if Avast was installed after the infection but before the BFE was repaired would it block me from repairing/adding that key  

[essexboy]

Me again Lukor...  As you are protecting system service keys could you add group policy to that list to stop the following or would that cause problems ?

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Alwil Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Spyware Terminator <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Alwil Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Spyware Terminator <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION