Author Topic: Avast WebShield proxy breaks access to legitimate website  (Read 4995 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
Avast WebShield proxy breaks access to legitimate website
« on: July 30, 2016, 05:24:39 PM »
Hi Avast Mac people

I noticed today that I could not access https://ssebuild.cased.de/nightly/soot/javadoc. Chrome gave me an ERR_CONNECTION_CLOSED, meaning that the connection was closed by the server. Safari gave me the same error. So I checked the domain via http://www.downforeveryoneorjustme.com/, which told me the domain is up. Therefore I was quite sure it is not an issue of the domain, but must be on my end. A check over a VPN convinced me that the problem is local to my machine. So I disabled my ad-blocker, that didn't help. Then I disabled and enabled the Avast shields, which allowed me to rule out WebShield as the culprit: With WebShield enabled, I could not access the domain; disabled, I could. As there was no notification from Avast, I inspected the system logs:

/var/log/system.log:
Code: [Select]
30/07/16 17:01:19.227 com.avast.proxy[352]: SecTrustEvaluate(): ssebuild.cased.de: 7
30/07/16 17:01:19.229 com.avast.proxy[352]: SSL_accept(): Broken pipe
30/07/16 17:01:19.287 com.avast.proxy[352]: SecTrustEvaluate(): ssebuild.cased.de: 7
30/07/16 17:01:19.289 com.avast.proxy[352]: SSL_accept(): Broken pipe
30/07/16 17:01:19.306 com.avast.proxy[352]: SSL_accept(): inappropriate fallback

OS:
Code: [Select]
OS X 10.11.5 (15F34)
Software:
Code: [Select]
Avast Mac Security 2015
Version: 11.16 (46730)
Virus definitions: 16073000

What's going on here?
I can work around the issue by adding the domain as an entry to the excluded servers in the WebShield settings. But it looks like something is broken in the WebShield proxy.

By the way, it was impossible to copy and paste the Avast version text from "About Avast", but instead I had to type it (possible error source). It would be nice if that text was selectable too.
« Last Edit: July 30, 2016, 05:28:09 PM by maenuleu »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Avast WebShield proxy breaks access to legitimate website
« Reply #1 on: July 30, 2016, 05:26:36 PM »
Does it work if you disable SSL/TLS scanning ?
I'm not a MAC person but I take it the MAC version has that option as the Windows version does.

REDACTED

  • Guest
Re: Avast WebShield proxy breaks access to legitimate website
« Reply #2 on: July 30, 2016, 05:40:30 PM »
Yes, it does work without the exclusion workaround if I disable the "Scan secured connections" option in the WebShield settings. But doesn't it mean that an infected page would not be detected if the connection is over HTTPS? That's not desirable.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Avast WebShield proxy breaks access to legitimate website
« Reply #3 on: July 30, 2016, 05:55:12 PM »
I suggest to either wait till someone from avast respond here or to submit a ticket.
https://support.avast.com

REDACTED

  • Guest
Re: Avast WebShield proxy breaks access to legitimate website
« Reply #4 on: July 30, 2016, 06:21:44 PM »
Thanks Eddy for having a look.
I filed ticket 438382.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Avast WebShield proxy breaks access to legitimate website
« Reply #5 on: July 30, 2016, 06:30:00 PM »
You're welcome.
Have some patience now.
Normally you will get a response in +/- 2 days, but it is weekend ;)

Offline tumic

  • Avast team
  • Advanced Poster
  • *
  • Posts: 723
Re: Avast WebShield proxy breaks access to legitimate website
« Reply #6 on: August 01, 2016, 11:57:24 AM »
But doesn't it mean that an infected page would not be detected if the connection is over HTTPS?

It does. If you disable HTTPS scanning, than no HTTPS connections are scanned. Today, this is nearby equivalent to turning the web shield completely off.

Offline tumic

  • Avast team
  • Advanced Poster
  • *
  • Posts: 723
Re: Avast WebShield proxy breaks access to legitimate website
« Reply #7 on: August 01, 2016, 12:08:03 PM »
Hi Avast Mac people

I noticed today that I could not access https://ssebuild.cased.de/nightly/soot/javadoc. Chrome gave me an ERR_CONNECTION_CLOSED, meaning that the connection was closed by the server. Safari gave me the same error. So I checked the domain via http://www.downforeveryoneorjustme.com/, which told me the domain is up. Therefore I was quite sure it is not an issue of the domain, but must be on my end. A check over a VPN convinced me that the problem is local to my machine. So I disabled my ad-blocker, that didn't help. Then I disabled and enabled the Avast shields, which allowed me to rule out WebShield as the culprit: With WebShield enabled, I could not access the domain; disabled, I could. As there was no notification from Avast, I inspected the system logs:

/var/log/system.log:
Code: [Select]
30/07/16 17:01:19.227 com.avast.proxy[352]: SecTrustEvaluate(): ssebuild.cased.de: 7
30/07/16 17:01:19.229 com.avast.proxy[352]: SSL_accept(): Broken pipe
30/07/16 17:01:19.287 com.avast.proxy[352]: SecTrustEvaluate(): ssebuild.cased.de: 7
30/07/16 17:01:19.289 com.avast.proxy[352]: SSL_accept(): Broken pipe
30/07/16 17:01:19.306 com.avast.proxy[352]: SSL_accept(): inappropriate fallback

OS:
Code: [Select]
OS X 10.11.5 (15F34)
Software:
Code: [Select]
Avast Mac Security 2015
Version: 11.16 (46730)
Virus definitions: 16073000

What's going on here?
I can work around the issue by adding the domain as an entry to the excluded servers in the WebShield settings. But it looks like something is broken in the WebShield proxy.

By the way, it was impossible to copy and paste the Avast version text from "About Avast", but instead I had to type it (possible error source). It would be nice if that text was selectable too.

The problem is clearly visible from the system log message. The system function used to verify the certificate chain - SecTrustEvaluate() - returns kSecTrustResultOtherError for ssebuild.cased.de. This means an error occurred during the certificate chain verification and thus the Avast web shield can not pass this connection. The reason for the error is however unclear for me at the moment - it may be some OS X bug or some restrictive settings applied by default (but not in Safari, that uses the same OS X framework to verify the certificates) together with a somehow broken certificate in the chain.

Anyway, the only solution for you at the moment is to add the web to the exclusions.