Topic: Avast 4.6 Home Web Shield.

Wulf

  • Guest
Avast 4.6 Home Web Shield.
« on: October 03, 2005, 04:09:29 AM »
Hi,
Would anybody know about this? On Win 2000 Pro SP4 the web shield is enabled automatically to scan all traffic from the net. It co-operates brilliantly with my browsers (Opera 8.5, IE 6 SP1, Avant). They all go out and in through port 1280.
I use Sygate 5.5 build 2710 and the log verifies it. However, I am trying out a browser called Surf It, which you can dictate emails to while surfing and send from the browser interface. This browser bypasses the webshield completely (in and out), but the emails are still scanned by the mail scanner, but are timed out before they are picked up by the SMTP server. Surf It is freeware on Download.com.
Any help would be appreciated, especially regarding how it manages to bypass the web shield no matter how I configure the firewall. I also have Process Guard 3 and it's not picking up anything unusual about this browser.
Thanks. ??? Wulf
 

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Avast 4.6 Home Web Shield.
« Reply #1 on: October 03, 2005, 04:36:03 AM »
For the mail, increase the timeout in Avast as well as in the mail client.

For the webshield, you may have to set it up as in Windows 98 (SE):
http://www.avast.com/eng/webshield_issues.html
« Last Edit: October 03, 2005, 04:45:21 AM by Eddy »

Wulf

  • Guest
Re: Avast 4.6 Home Web Shield.
« Reply #2 on: October 03, 2005, 06:49:12 AM »
OK Eddy, tried the timeout in Avast for the mail; it made no difference when sending from the interface. Increased it to 180, still timed out. When sending through the default mailer (Opera), no problem. The browser gives you the option to send from the interface or use the default mailer. There are no settings in the browser to increase the timeout. As far as I can tell it uses something called wind. exe and ms agent.exe to send the mail from the interface. I'll contact the program vendors for answers to this.
As for the webshield, I tried your suggestion but that just locked me out of the net.
It's got me beat, as everything else goes through the shield but this program acts as if it doesn't exist! ???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast 4.6 Home Web Shield.
« Reply #3 on: October 03, 2005, 03:53:44 PM »
> There are no settings in the browser to increase the timeout.
I don't use Opera that much but, generally, this setting is on the email account Advanced tab (at least in the email programs).
The best things in life are free.

Wulf

  • Guest
Re: Avast 4.6 Home Web Shield.
« Reply #4 on: October 04, 2005, 01:25:00 AM »
Sorry mate, the browser I was talking about was (Surf It). The (Surf It) Browser is the one you can send voice dictated emails from the browsers interface while surfing the net. I've written to the vendors for some answers about the time out issue. But the main issue I'm trying to find out in the forum is --- How is this Browser leaving my computer bypassing the Avast WebShield as if it did not exist!
Everything else is scanned by the WebShield.  ???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast 4.6 Home Web Shield.
« Reply #5 on: October 04, 2005, 03:02:17 AM »
> How is this Browser leaving my computer bypassing the Avast WebShield as if it did not exist! Everything else is scanned by the WebShield.  ???
Which protocol does this browser use to send voice emails?
WebShield scans ONLY HTTP protocol.

Wulf

  • Guest
Re: Avast 4.6 Home Web Shield.
« Reply #6 on: October 04, 2005, 06:10:00 AM »
Thanks for the question about the protocol. This is what my firewall says about this browser.
Application-SurfIt. Protocol-UDP. Status-Connected. Local Port-3077. Remote Port-3077. IP Address-127.0.0.1->127.0.0.1.
I guess that is the reason why the shield can't scan it.
Thanks for your time. I really appreciate it as I think Avast is the Bomb, and have used it for over two years since I dumped Norton Anti Vir and never had a single problem with it! (I didn't consider this a problem, just a lack of understanding.) ;D     

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast 4.6 Home Web Shield.
« Reply #7 on: October 04, 2005, 01:56:32 PM »
> Protocol-UDP
This protocol is used by P2P applications and traffic by it is not scanned by WebShield.
Maybe Alwil could consider a provider like Webshield that scans ALL UDP protocol traffic (and not only the P2P provider)  8)
Is anybody from Alwil reading this? Is it possible or am I just posting nonsense?  ::)
« Last Edit: October 04, 2005, 02:42:05 PM by Tech »

Wulf

  • Guest
Re: Avast 4.6 Home Web Shield.
« Reply #8 on: October 04, 2005, 02:38:00 PM »
I must admit I've never seen a browser behave like this before. When it is started it establishes the UDP connection and holds it the whole time it is running. But when it goes to a webpage this is what my firewall says.
Application-SurfIt. Protocol-TCP. Status-Connected. Local-4752. Remote-80. IP Address-0.0.0.0->216.239.115.131. Notice how the protocol changes when it leaves the computer. When it has finished loading the page it still holds the UDP connection as CONNECTED. My other applications, when finished loading, revert back to LISTEN on TCP protocol. Does anyone know why? Another question. Does the Webshield scan programs leaving the computer and, if it does, can it pick up Trojan activity in the program going out? ???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast 4.6 Home Web Shield.
« Reply #9 on: October 04, 2005, 02:49:43 PM »
UDP and TCP are protocols of P2P applications.
The local ports connected show the same behavior.

Webshield scans only HTTP protocol.
Trojan activity will be caught (if possible) by the Standard Shield.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Avast 4.6 Home Web Shield.
« Reply #10 on: October 04, 2005, 05:40:11 PM »
Wulf, WebShield intercepts only communication directed to TCP port 80. If this is a web browser it must of course connect to this port, unless it uses some kind of a proxy.

Web Shield intercepts only connections from a certain limited set of applications, Internet Explorer and Firefox among them. If you want to extend this set to include your browser, you must edit avast4.ini.

(in c:\program files\alwil software\avast4\data folder).

Find the section [WebScanner] and add or edit the line OptinProcess= to include the name of the surfit browser. Multiple names must be separated by commas.

E.g.

[WebScanner]
OptinProcess=surfit.exe, something_different.exe

Restart webshield and try it.

If you experience any problems with the connectivity, please feel free to inform us, or send me an e-mail. We have not tested this browser and that is why it is not scanned by default, but there is no reason why it should not work - unless it uses some non-standard communication patterns.



Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Avast 4.6 Home Web Shield.
« Reply #11 on: October 04, 2005, 06:02:21 PM »
> Protocol-UDP
> This protocol is used by P2P applications and traffic by it is not scanned by WebShield.
> Maybe Alwil could consider a provider like Webshield that scans ALL UDP protocol traffic (and not only the P2P provider)  8)
> Is anybody from Alwil reading this? Is it possible or am I just posting nonsense?  ::)

Hello Tech,

In the world of the internet most of the communication uses either TCP or UDP protocols. It might contain anything the application writer chooses. The meaning of the data transferred is usually described by certain rules - protocols. If we know the protocol we might try to understand what data travels from one point to the other and perhaps perform some more advanced things - like perhaps assemble all those data bytes together to create a file that is being transferred and then scan this particular file for viruses.

On the other hand, when you don't know what those bytes mean, it is fairly hard to perform any generic virus scanning on the data. Let's say we are looking for a certain sequence of bytes at a certain position in the file (let's say at the beginning). How do you know where the beginning begins? Or how do you know that this particular file encoding does not send the files in reverse order, so the beginning actually begins at the end?

I think you got my point: generic UDP or TCP scanner is not possible. But we have Network shield, that scans UDP (and TCP) packets when they enter your PC and detects some known worms or exploits in them... it does not (usually) detect normal file-based viruses; on the contrary, it detects viruses that are not stored in files and thus not possible to detect by traditional file-system based methods.

Cheers,
Lukas.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast 4.6 Home Web Shield.
« Reply #12 on: October 04, 2005, 08:11:03 PM »
> I think you got my point: generic UDP or TCP scanner is not possible.
Thanks for the class... living and learning.
If it was easy or possible I think you would have already implemented it  8)

Wulf

  • Guest
Re: Avast 4.6 Home Web Shield.
« Reply #13 on: October 04, 2005, 11:17:23 PM »
:P :P Thanks guys for your input. This is what my Avast ini file now says:
[WebScanner]
AutoRedirect=1
HttpRedirectPort=80
LoadIsapiFilters=1
ISAPIFilter1=ashWsFtr.dll
IgnoreAddress=
IgnoreLocalhost=0
OptinProcess=surfit.exe
I'm afraid it has made no difference. Surfit still bypasses the webshield on remote port 80. Any other ideas?

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Avast 4.6 Home Web Shield.
« Reply #14 on: October 05, 2005, 12:54:23 AM »
> :P :P Thanks guys for your input. This is what my Avast ini file now says:
> [WebScanner]
> AutoRedirect=1
> HttpRedirectPort=80
> LoadIsapiFilters=1
> ISAPIFilter1=ashWsFtr.dll
> IgnoreAddress=
> IgnoreLocalhost=0
> OptinProcess=surfit.exe
> I'm afraid it has made no difference. Surfit still bypasses the webshield on remote port 80. Any other ideas?


Are you sure the file name is really correct? (I mean the surfit.exe?)

Place a link here, so someone can eventually download and test the software.
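
Added example, not part of the thread and not Avast code: a small Python check that applies the three conditions from Reply #10 (TCP, remote port 80, image name covered by default or listed in OptinProcess) to the firewall entries from Replies #6 and #8 and the ini section from Reply #13. The image names in `BUILTIN`, the case-insensitive name comparison and the helper names are assumptions made for illustration.

```python
import configparser
import re

HTTP_PORT = 80  # lukor: WebShield intercepts only traffic directed to TCP port 80
# Assumed image names for the two browsers lukor says are covered by default.
BUILTIN = {"iexplore.exe", "firefox.exe"}

# [WebScanner] section as posted in Reply #13.
INI = """[WebScanner]
AutoRedirect=1
HttpRedirectPort=80
LoadIsapiFilters=1
ISAPIFilter1=ashWsFtr.dll
IgnoreAddress=
IgnoreLocalhost=0
OptinProcess=surfit.exe
"""

# Firewall entries from Replies #6 and #8 (protocol spelling normalised).
FIREWALL_LOG = [
    "Application-SurfIt. Protocol-UDP. Status-Connected. Local Port-3077. "
    "Remote Port-3077. IP Address-127.0.0.1->127.0.0.1.",
    "Application-SurfIt. Protocol-TCP. Status-Connected. Local-4752. "
    "Remote-80. IP Address-0.0.0.0->216.239.115.131.",
]

def optin_processes(ini_text):
    """Return the names in [WebScanner] OptinProcess, lower-cased (assumed match rule)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get("WebScanner", "OptinProcess", fallback="")
    return {name.strip().lower() for name in raw.split(",") if name.strip()}

def parse_entry(line):
    """Split the 'Key-Value.' fields and return (protocol, remote port)."""
    pairs = re.findall(r"([A-Za-z ]+)-(\S+?)\.(?=\s|$)", line)
    fields = {key.strip(): value for key, value in pairs}
    remote = next(v for k, v in fields.items() if k.startswith("Remote"))
    return fields["Protocol"].upper(), int(remote)

def webshield_scope(line, image, ini_text):
    """Apply the three conditions from Reply #10 to one firewall entry."""
    proto, port = parse_entry(line)
    if proto != "TCP":
        return f"out of scope: {proto} is not TCP"
    if port != HTTP_PORT:
        return f"out of scope: remote port {port} is not {HTTP_PORT}"
    if image.lower() not in BUILTIN | optin_processes(ini_text):
        return "out of scope: image name not in OptinProcess"
    return "in scope"
```

With the posted ini, the TCP/80 entry comes out in scope only if the running image really is named surfit.exe, which is the point of the question in Reply #14.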