Author Topic: ashWebSv.exe accessing tracking site(s)  (Read 5842 times)

exmixer

  • Guest
ashWebSv.exe accessing tracking site(s)
« on: November 19, 2005, 11:59:40 PM »
All,

I've been using version 4.6 pro (demo mode) with all current updates for several days now (Build Nov2005 4.6.731, Xtreme Toolkit 1.9.4.0, ActiveSkin 4.2.7.3)

Question: Why is ashWebSv.exe accessing the following sites:

interact.kefta.com 64.75.1.108
ehg-keftainc.hitbox.com 64.154.80.250

Not cool :-( What's up with accessing a visitor tracking site and its associated owner site?

An answer would be appreciated before I commit to purchasing.

Regards,

jb
« Last Edit: November 20, 2005, 12:04:54 AM by exmixer »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: ashWebSv.exe accessing tracking site(s)
« Reply #1 on: November 20, 2005, 12:21:24 AM »
Simple answer: it isn't. The Web Shield is a transparent proxy that filters HTTP content from programs wanting HTTP port 80 access, like your browser; that is the program making the connection request, and Web Shield acts as the go-between to filter traffic.

What is your firewall? are you getting the
Some aren't able to distinguish between localhost proxy and the program initiating the connection.

Quote
Not cool :-( What's up with accessing a visitor tracking site and its associated owner site?
Can you expand? I don't understand. Are you getting any errors or warnings, if so what?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

exmixer

  • Guest
Re: ashWebSv.exe accessing tracking site(s)
« Reply #2 on: November 20, 2005, 01:02:02 AM »
My firewall is Sygate Pro ver 5.5, up to date. Below is a sample of my traffic log...(the formatting is wrong ;-)) I've also deleted the personal info (machine name, MAC's etc.). The ports are in the order noted in the first on this list, afterwards noted by R or L. The Application Name is the last bit.

11/19/2005 6:14:07 PM   Allowed      Outgoing   TCP   www.toplist.cz [82.208.4.95]
   MAC deleted   (Remote port) 80   192.168.1.xx   MAC deleted   (Local port)2134   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
-----
11/19/2005 5:56:32 PM   Allowed      Outgoing   TCP   www.toplist.cz [82.208.4.95]   MAC deleted   R 80   192.168.1.xx   MAC deleted   L 2072   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
------
11/19/2005 5:52:37 PM   Allowed      Outgoing   TCP   interact.kefta.com [64.75.1.108]   MAC deleted   R 80   192.168.1.xx   MAC deleted   L 2050   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
------   
11/19/2005 5:52:37 PM   Allowed      Outgoing   TCP   ehg-keftainc.hitbox.com    [64.154.80.250] MAC deleted   R 80   192.168.1.xx   MAC deleted   L 2052   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
-----   
11/19/2005 5:52:37 PM   Allowed      Outgoing   TCP   www.kefta.com [64.75.1.104]   MAC deleted   R 80   192.168.1.xx   MAC deleted   L 2048   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
-----

>>Can you expand I don't understand are you getting any errors or warnings, if so what?<<

No errors, no warnings. Just looked at the Traffic log.  My experience with Sygate to date has been mixed, though they've fixed a few serious errors since I've been using it. Btw, I use it really just for the logging...I'm behind a router/hw firewall so rarely do I even activate it. Generally, only when I install new software ;-) One thing I've never seen it do is show a transaction in the log(s) that didn't occur.

Another edit:

Dimension 8300 Mobo: Dell 0W2562 i875P
XP Pro SP2
3.2 GHz P4/800MHz FSB HT (enabled)
4x256 PC3200 400MHz DDR-SDRAM (Crucial aka Micron)
ATI Radeon 9800 PRO 128MB Core-378/Memory-338
80GB WD800JB  8MB     
40GB  Seagate 2MB ST340014A (OEM) Both 7200/Ultra ATA/100
Hitachi CD-RW (OEM)
Plextor 716UF external USB2.0/FW DVD/CD burner
Viewcast Osprey 210 A/V capture card

jb
« Last Edit: November 20, 2005, 01:13:04 AM by exmixer »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: ashWebSv.exe accessing tracking site(s)
« Reply #3 on: November 20, 2005, 01:14:45 AM »
As DavidR said, ashWebSv.exe isn't accessing any site just by itself - some other application is connecting to the site and the request is redirected to ashWebSv.exe (and the transferred data is scanned for viruses).
If you stop the Web Shield provider temporarily, you should see the real process in the log.
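
An added example (not written by any poster in this thread, and not Avast or Sygate code): the triage below reads firewall rows in the layout of the traffic log quoted in Reply #2 and separates destinations whose owning process is the local proxy ashWebSv.exe, where the log cannot say which program asked for the connection, from rows that name the requesting program directly. The sample rows are constructed from that layout; the firefox.exe row and the names `LOCAL_PROXIES`, `parse_rows` and `triage` are assumptions.

```python
import re
from collections import defaultdict

# Process names that act as a local filtering proxy; ashWebSv.exe is the one
# named in this thread. Rows owned by such a process do not identify the
# program that actually requested the connection.
LOCAL_PROXIES = {"ashwebsv.exe"}

# Constructed sample in the R/L layout of the log quoted in Reply #2 (MAC
# fields redacted as in the post). The firefox.exe row is invented for contrast.
SAMPLE_LOG = r"""
11/19/2005 5:52:37 PM   Allowed   Outgoing   TCP   interact.kefta.com [64.75.1.108]   MAC deleted   R 80   192.168.1.xx   MAC deleted   L 2050   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
11/19/2005 5:52:37 PM   Allowed   Outgoing   TCP   www.kefta.com [64.75.1.104]   MAC deleted   R 80   192.168.1.xx   MAC deleted   L 2048   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
11/19/2005 5:56:32 PM   Allowed   Outgoing   TCP   www.toplist.cz [82.208.4.95]   MAC deleted   R 80   192.168.1.xx   MAC deleted   L 2072   C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
11/19/2005 6:01:10 PM   Allowed   Outgoing   TCP   example.org [192.0.2.10]   MAC deleted   R 443   192.168.1.xx   MAC deleted   L 2101   C:\Program Files\Mozilla Firefox\firefox.exe
"""

ROW = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(?P<action>\w+)\s+(?P<dir>\w+)\s+"
    r"(?P<proto>\w+)\s+(?P<host>\S+)\s+\[(?P<ip>[\d.]+)\]\s+.*?\bR\s+(?P<rport>\d+)"
    r"\s+.*?\bL\s+(?P<lport>\d+)\s+(?P<app>[A-Za-z]:\\.+?)\s*$"
)

def parse_rows(text):
    """Yield one dict per recognisable log row; skip separators and blanks."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.groupdict()

def triage(text, proxies=LOCAL_PROXIES):
    """Split outbound rows into those with a usable process attribution and
    those owned by a local proxy, where the real requester is unknown."""
    attributed = defaultdict(set)   # exe name -> {(host, port)}
    unattributed = set()            # {(host, port)} seen only via the proxy
    for row in parse_rows(text):
        if row["dir"].lower() != "outgoing":
            continue
        exe = row["app"].rsplit("\\", 1)[-1].lower()
        dest = (row["host"], int(row["rport"]))
        if exe in proxies:
            unattributed.add(dest)
        else:
            attributed[exe].add(dest)
    return dict(attributed), sorted(unattributed)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Destinations in the second return value are the ones to re-check with the proxy stopped or with the browser pointed at the proxy manually, the two approaches suggested in this thread.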

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: ashWebSv.exe accessing tracking site(s)
« Reply #4 on: November 20, 2005, 02:34:32 AM »
Sygate is one of those browsers that can't tell what program is using the localhost proxy; this is a known fault (years) that it has a problem with localhost loopback.

With Sygate it is best not to use the localhost proxy of Web Shield, as anything connecting to the internet using the HTTP port will look like it is Web Shield and will not be challenged by the firewall, since all it sees is an approved application, Web Shield, connecting.

Being behind a hardware firewall can still leave you vulnerable as that doesn't check/monitor outbound traffic.

You should manually set your browsers or programs to use the web shield proxy then any potential malicious program trying to get an internet connection will be challenged by Sygate.

A forum search for "Sygate avast web shield" or "sygate webshield" without the quotes should return a lot of information on how to do this, as it has been discussed previously. Sorry, I've never used Sygate.

This link is one of them http://forum.avast.com/index.php?topic=16531.0

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: ashWebSv.exe accessing tracking site(s)
« Reply #5 on: November 20, 2005, 01:12:21 PM »
Quote
If you stop the Web Shield provider temporarily, you should see the real process in the log.

Quote
Sygate is one of those browsers that can't tell what program is using the localhost proxy; this is a known fault (years) that it has a problem with localhost loopback. With Sygate it is best not to use the localhost proxy of Web Shield, as anything connecting to the internet using the HTTP port will look like it is Web Shield and will not be challenged by the firewall, since all it sees is an approved application, Web Shield, connecting.

Yeah... Maybe the solution will be using Kerio, ZoneAlarm, Comodo, Outpost.
The best things in life are free.

exmixer

  • Guest
Re: ashWebSv.exe accessing tracking site(s)
« Reply #6 on: November 20, 2005, 02:27:00 PM »
Igor, DavidR, Tech,

Finally got it sorted out, thanks for the help. If I was half as smart as I think I am I would've read the Help files more thoroughly ;-) Btw, I use Sygate primarily because of its outbound logging. In any event, I understand how things work now and everyone's playing nice with each other :-)

Thanks again,

jb
« Last Edit: November 20, 2005, 02:30:35 PM by exmixer »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: ashWebSv.exe accessing tracking site(s)
« Reply #7 on: November 20, 2005, 02:30:43 PM »
Glad we could help, welcome to the forums.

Jarmo P

  • Guest
Re: ashWebSv.exe accessing tracking site(s)
« Reply #8 on: November 20, 2005, 03:06:37 PM »
It sure is your browser directed to some website. Cookies, JavaScripts there, even RSS feeds of a browser.
The connections are just shown as ashWebsv.exe entries instead of browser entries.

I think you can set your trusted browsers, that are anyway allowed to the web, by making a manual proxy configuration. I think Sygate firewall works great with Avast, and a user happy with it should not be given such unnecessary remarks as DavidR said. Then again I am not as paranoid as some others. Sygate still has the logs. And we still have the first hand protection, Avast Antivirus and Sygate stealth inbound.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: ashWebSv.exe accessing tracking site(s)
« Reply #9 on: November 20, 2005, 03:43:56 PM »
What unnecessary remarks? It is a fact Sygate doesn't handle localhost loopback, and if you don't do anything to compensate for this, e.g. not using Web Shield by default and manually setting up the browser/s to use the Web Shield proxy, then you could be vulnerable to that flaw.

I haven't said Sygate is rubbish, just pointed out the facts, paranoia or not it is up to the user to decide what they want to do about it.

Jarmo P

  • Guest
Re: ashWebSv.exe accessing tracking site(s)
« Reply #10 on: November 20, 2005, 03:48:30 PM »
Well, maybe this helped someone to realize manual browser connection proxy is a good idea. I use it with Kerio too.
Nothing personal DavidR, I just wanted to make an opposing statement to this issue.   ::)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: ashWebSv.exe accessing tracking site(s)
« Reply #11 on: November 20, 2005, 04:04:35 PM »
I didn't take it personally and am happy if someone has an opposing statement, but I'm still waiting for it.

The opposing statement to what I said would be to leave Web Shield's localhost proxy enabled by default and not bother with manually setting the browser/s to use the Web Shield proxy. Hell, I even gave the link to the thread where you explain how to achieve this, so you would in effect be opposing yourself.

You stated 'un-necessary remarks'; I still haven't seen what you felt were unnecessary remarks. However, this really isn't helping; the information is there for the 'exmixer' to use as he sees fit.

Jarmo P

  • Guest
Re: ashWebSv.exe accessing tracking site(s)
« Reply #12 on: November 20, 2005, 04:14:59 PM »
Yeah, main thing the necessary information was given, thanks DavidR.
No comments but you sure understand that messages can be misunderstood.
You I guess said it all correct, but I am not so sure the message was maybe transmitted clear.
Now it is ;)

exmixer

  • Guest
Re: ashWebSv.exe accessing tracking site(s)
« Reply #13 on: November 20, 2005, 04:26:44 PM »
 DavidR,

>>However, this really isn't helping, the information is there for the 'exmixer' to use as he sees fit.<<

I used it, it worked :-) As to my username,  I used to mix music, then TV for many years.

Two off-topic Q's: I believe I deleted from the Startup folder whatever does the Startup memory scan when I installed Avast!. Any way to get that back, or am I missing something in settings?

Also, in the Simple User Interface there's the checkbox to enable scanning of all compressed files. Is that on by default with Standard and  Web Shield by default? The Help mentions a Packers tab, no such thing though. Scan all files maybe?

jb
« Last Edit: November 20, 2005, 04:42:58 PM by exmixer »

exmixer

  • Guest
Re: ashWebSv.exe accessing tracking site(s)
« Reply #14 on: November 20, 2005, 04:28:55 PM »
Jarmo P,

Yeah, main thing the necessary information was given, thanks DavidR.
No comments but you sure understand that messages can be misunderstood.
You I guess said it all correct, but I am not so sure the message was maybe transmitted clear.
Now it is ;)

All's well that ends well :-)

jb