Author Topic: McAfee-Firewall-settings for WebShield  (Read 3233 times)

Horsto

  • Guest
McAfee-Firewall-settings for WebShield
« on: October 09, 2005, 10:55:24 AM »
Hi everybody,

I use "avast! 4 home Build 4.6.691", my computer runs Windows XP, SP1; AMD Athlon 1800+, 256MB RAM.
I connect to the Internet via dial-up and have McAfee Internet Security 5.02 including Firewall 4.02 (I deinstalled VirusScan before I installed avast).
I don't use an E-Mail-Client but E-Mail via WWW.
Browser is Firefox 1.0.7.
I am in great doubt, how to configure my McAfee-firewall regarding WebShield (ashWebSv.exe) and the other avast-programs!
As I read in the FAQs, Section "Updates" following the question "What should I know about using avast in combination with a firewall": "The components of avast! 4 that should be allowed to connect:..." => I granted ashWebSv.exe full and unfiltered access in my firewall. Was that dangerous??
When I read the section "WebShield Issues" it says that "WebShield needs the same access rights as Your browser"; so I became afraid that full rights were maybe too much and changed the rights from unfiltered access to filtered access and activated a "learning mode" for the communication of WebShield.
At the moment it (ashWebSv.exe) has the following filtering rules (translated to English):
"allow outgoing communication
if the protocol is TCP/IP
and the remote port is 80"

"allow incoming communication
if the protocol is TCP/IP
and the remote-port is
3006, 3008, 3010-3015, 3017, 3019-3038, 3040-3080, 3082-3087, 3089-3146, 3148-3156, 3158-3176, 3178, 3180-3182, 3186-3195, 3199-3200, 3202, 3204-3208, 3210-3213, 3216, 3219, 3221-3223, 3225, 3227, 3229-3232, 3235, 3237-3239, 3241, 3243,3
and the local-port is 12080."

Then I compared that to the firewall-rights of my browser Firefox:
"allow outgoing communication
if the protocol is TCP/IP
and the remote port is 21, 80, 443, 3003, 3005 or 3013-3014"

"allow incoming communication
if the protocol is TCP/IP
and the remote-port is 3004, 3006 or 3014-3015".

As You see, the rights differ between WebShield and Firefox! And WebShield has much more ports open on the incoming side! Are the restrictions regarding Firefox still in effect or are they being overridden by the more liberal rights for WebShield?

If I switch off the learning mode of my firewall, it asks from time to time whether I would allow incoming traffic to WebShield on ports in the range of 3???. If I answer "No", then sometimes everything seems to be alright, and sometimes Firefox says "document contains no data" and something is missing in the browser window or some operation doesn't work.

I don't understand exactly, how the components "Internet", "Firewall", "Browser" and "WebShield" interact. Is it possible, that my Firewall-Settings open doors for malware to bypass the firewall through WebShield, because WebShield is a "transparent proxy", and may programs that I didn't allow to access the internet in the firewall mask themselves by accessing the internet via WebShield?

Please tell me, how I should configure the avast-Programs in the firewall to have the maximum protection by each of these components! What is necessary, what is irrelevant and what is dangerous?

Many questions, I know...

Thank You in advance,

Horst Schneider

Offline Eddy

  • Avast Evangelist
Re: McAfee-Firewall-settings for WebShield
« Reply #1 on: October 09, 2005, 02:26:11 PM »
Start with getting your system up-to-date. It is now vulnerable to many things. Go to http://update.microsoft.com and keep going there till ALL security patches/updates are installed.

Offline Lisandro

  • Avast team
Re: McAfee-Firewall-settings for WebShield
« Reply #2 on: October 09, 2005, 02:59:42 PM »
Quote
I granted ashWebSv.exe full and unfiltered access in my firewall. Was that dangerous??
No. It's WebShield, it will scan all your HTTP traffic as a local proxy.

Quote
So I became afraid that full rights were maybe too much and changed the rights from unfiltered access to filtered access and activated a "learning mode" for the communication of WebShield.
The server rights are necessary as it works like a local proxy server.

Quote
As You see, the rights differ between WebShield and Firefox! And WebShield has much more ports open on the incoming side! Are the restrictions regarding Firefox still in effect or are they being overridden by the more liberal rights for WebShield?
Leave the remote ports to all.
It must scan ALL your HTTP traffic regardless of the port it is coming from.

Quote
Is it possible, that my Firewall-Settings open doors for malware to bypass the firewall through WebShield, because WebShield is a "transparent proxy", and may programs that I didn't allow to access the internet in the firewall mask themselves by accessing the internet via WebShield?
WebShield does not act as a firewall under any circumstance.
It does not block or tunnel anything.
It just scans the traffic your firewall is allowing to pass.
The best things in life are free.
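
An added example, not part of any post in this thread: it shows why a rule that enumerates remote ports for a local proxy keeps prompting, assuming the "incoming" connections to local port 12080 are loopback connections from the browser's ephemeral ports. The listener here binds an OS-chosen port instead of 12080, and the loopback-only narrowing of "remote ports: all" is an assumption of this sketch, not a McAfee setting taken from the thread.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"  # the thread's proxy port is 12080; the demo lets the OS pick one

def observe_peers(n=5):
    """Open n simultaneous loopback connections to a local listener and
    return (listen_port, [(peer_ip, peer_port), ...]) as the listener sees them."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))
    srv.listen(n)
    listen_port = srv.getsockname()[1]
    accepted = []

    def accept_all():
        for _ in range(n):
            accepted.append(srv.accept())      # (connection, peer address)

    worker = threading.Thread(target=accept_all)
    worker.start()
    # Keep every client open so each one holds a distinct ephemeral source port.
    clients = [socket.create_connection((LOOPBACK, listen_port)) for _ in range(n)]
    worker.join()
    peers = [addr for _, addr in accepted]
    for sock in clients + [conn for conn, _ in accepted] + [srv]:
        sock.close()
    return listen_port, peers

def enumerated_rule(peer, learned_ports):
    """Learning-mode style rule: allow only remote ports already seen."""
    return peer[1] in learned_ports

def any_port_loopback_rule(peer):
    """'Remote ports: all', narrowed to loopback peers (narrowing is an assumption)."""
    return peer[0] == LOOPBACK

def compare_rules(n=5, learned=2):
    """Learn ports from the first `learned` connections, then judge the rest."""
    _, peers = observe_peers(n)
    learned_ports = {port for _, port in peers[:learned]}
    later = peers[learned:]
    return {
        "distinct_ports": len({port for _, port in peers}),
        "blocked_by_enumerated": sum(not enumerated_rule(p, learned_ports) for p in later),
        "allowed_by_loopback": sum(any_port_loopback_rule(p) for p in later),
    }

if __name__ == "__main__":
    print(compare_rules())
```

Every new connection arrives from a port the learned list has not seen, which matches the repeated prompts and the ever-growing port list in the first post.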

Offline DavidR

  • Avast Überevangelist
Re: McAfee-Firewall-settings for WebShield
« Reply #3 on: October 09, 2005, 03:12:53 PM »
Quote
Is it possible, that my Firewall-Settings open doors for malware to bypass the firewall through WebShield, because WebShield is a "transparent proxy", and may programs that I didn't allow to access the internet in the firewall mask themselves by accessing the internet via WebShield?
Sygate was known to have this local proxy (loopback) issue, where it didn't detect the program but rather the proxy program. This is a weakness of the firewall, and I wasn't aware of this being an issue with McAfee, but I haven't used it so I could be wrong.

There was/is a workaround so that this didn't happen, and this was, I believe, to manually set up the browsers to use the WebShield proxy so that it isn't working transparently; that way, programs that aren't set up to use WebShield's proxy are intercepted by your firewall.

Offline Lisandro

  • Avast team
Re: McAfee-Firewall-settings for WebShield
« Reply #4 on: October 09, 2005, 03:40:03 PM »
Quote
Is it possible, that my Firewall-Settings open doors for malware to bypass the firewall through WebShield, because WebShield is a "transparent proxy", and may programs that I didn't allow to access the internet in the firewall mask themselves by accessing the internet via WebShield?
Sygate was known to have this local proxy (loopback) issue, where it didn't detect the program but rather the proxy program. This is a weakness of the firewall, and I wasn't aware of this being an issue with McAfee, but I haven't used it so I could be wrong.
Sorry, I did not answer the first time...
David is right (as usual 8)). The loopback issue with local proxies only occurs with Sygate. ZA, Outpost and Kerio (I've not tested any others) do not have problems, and the traffic is not tunneled by WebShield 8). I mean, you'll be asked about the outbound connection of each program. In Sygate, only WebShield will ask for permission.
« Last Edit: October 09, 2005, 03:42:21 PM by Tech »