Author Topic: ashWebSv.exe locking up browsing  (Read 8792 times)

0 Members and 1 Guest are viewing this topic.

trigger

  • Guest
ashWebSv.exe locking up browsing
« on: March 14, 2006, 10:33:20 AM »
Hi,

When I start my computer and start browsing, everything seems to be ok. Over time, some pages start to load corrupted and will eventually not load anymore. It took me a while to track it to ashWebSv.exe. Now I have that disabled and thing are ok.

More info: It appears with IE6, IE7beta2, Firefox, Opera, so apparently not browser related.
When things start to go bad, my sniffer finds more and more packets with invalid checksums.

Avast 4.6.763
Windows XP-Pro SP2, and all security fixes up to date
Kerio 4.2.1

Obviously, I would like the Webshield active though  ::)

Please advice.

Thanks, peter

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: ashWebSv.exe locking up browsing
« Reply #1 on: March 14, 2006, 11:51:06 AM »
Peter,
WebShield does really filter your connections during browsing - but it does that on Winsock level, as a regular Winsock application. It does not modify individual packets in any way. The packet checksums are filled into packet in the TCPIP layer, way beyond Winsock.

Do you have any filtering modules enabled in Kerio? Add-blocking or something like that?

Thanks.
Lukas.

trigger

  • Guest
Re: ashWebSv.exe locking up browsing
« Reply #2 on: March 14, 2006, 12:18:44 PM »
Do you have any filtering modules enabled in Kerio? Add-blocking or something like that?
No, no filtering. Maybe the invalid checksum have nothing really to do with the problem. I just noticed that. I traced the problem, bu looking at the traffic in kerio. I found out that the browser was having problems accessing post 12080, netstat -a gave a quadzillion other ports beeing redirected through 12080. tcpview from sysinternals revealed that ashWebSv.exe was doing that, so I disabled that part of avast and browsing was ok again. I'll sniff for some bad packets. I did not do that after disabling ashWebSv.

To be continued.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: ashWebSv.exe locking up browsing
« Reply #3 on: March 14, 2006, 12:33:13 PM »
Peter,
connections are redirected from the original host port 80 (eg.www.google.com:80) , to localhost, port 12080. On this port listens WeShield (ashWebSv.exe) which reconnect to the webserver the browser originaly intendet - (www.google.com:80).

Knowing this, you have to configure your firewall to allow:

1. browsers to connect to localhost:12080
2. webshield (ashwebsv.exe) to listen on localhost:12080
3. webshield (ashwebsv.exe) to accept the connections from localhost:anyport
4. webshield to connect to webservers port 80.

L.


trigger

  • Guest
Re: ashWebSv.exe locking up browsing
« Reply #4 on: March 14, 2006, 12:59:30 PM »
Hi L,

I still get enough tcp errors and browsing is no problem at the moment, so it might be "normal" for my connection. Anyway, I don't really think it's a firewall problem because:

1 - it does not come immedeately, but only after a while, somtimes a couple of hours, browsing.
2 - there are no processes blocked in the firewall, I keep them on allow or ask, because I like to know what happens...
3 - I have had the firewall disabled completely to see if the problem was firewall related.

But to be sure I allowed webshield explicit to do whatever it wants. Have to reboot to get webshuidl active again though.  Until now, without webshield , no problems.

Thanks, Peter

trigger

  • Guest
Re: ashWebSv.exe locking up browsing
« Reply #5 on: March 14, 2006, 02:50:32 PM »
Is there some kind of loggin option that could possibly show what webshield is doing???

Thanks, Peter

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: ashWebSv.exe locking up browsing
« Reply #6 on: March 14, 2006, 05:33:43 PM »
kind of.

Edit avast4.ini, find the section [WebScanner] and add the line: EnableLogging=1

There will be a log file created in c:\program files\alwil software\avast4\data\log\ashwebsv.log

Lukas.

trigger

  • Guest
Re: ashWebSv.exe locking up browsing
« Reply #7 on: March 15, 2006, 08:50:43 AM »
Well, no luck so far. With the wenshield disabled, no problems. This morning, after reactivating webshield I had 15 minutes of undisturbed browsing when things started to go bad again. The only probably interesting thing I could see in the log is:

15-3-2006 8:38:37,"http://www.cichlitopia.be/phpBB2/templates/Cichlitopia/images/icon_minipost.gif","","GET",304,0,0,568,1354,1354,568,\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe,PID: 3148, SEQ: 1
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"http://www.cichlid-forum.com/phpBB/templates/subSilver/images/folder.gif","","GET",0,0,0,0,695,695,0,\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe,PID: 3148, SEQ: 1

After stopping the webshield and hitting refresh on the browser windows, things were back to normal again....

Please advice, Peter

trigger

  • Guest
Re: ashWebSv.exe locking up browsing
« Reply #8 on: March 18, 2006, 07:49:33 PM »
Anyone?

trigger

  • Guest
Re: ashWebSv.exe locking up browsing
« Reply #9 on: March 20, 2006, 10:54:54 AM »
After a couple of days undisturbed, but webshield-less browsing, I decided to activate it again... Within the hour It started causing page load faillures again. IE says:

You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

After deactivating the webshield again things where back to normal...

Can anyone try to help me out on this, or do I need to search for another anti-virus program?

Peter

trigger

  • Guest
Re: ashWebSv.exe locking up browsing
« Reply #10 on: April 18, 2006, 11:31:59 AM »
Apparently more people are experiencing similar problems with the websv.exe... Is there any news on this issue? I've read aling the other problems and tried descibed sollutions, without effect though.

Thanks, Peter

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: ashWebSv.exe locking up browsing
« Reply #11 on: April 19, 2006, 01:00:13 PM »
Apparently more people are experiencing similar problems with the websv.exe... Is there any news on this issue? I've read aling the other problems and tried descibed sollutions, without effect though.

Thanks, Peter

Hello Peter,
Why do you think there is more people experiencing the same problem?

To further narrow down the possible cause we might try to eliminate the redirecting part of WebShield. WebShield has a low level support in driver, that monitors outgoing connection to port 80, and redirects them to localhost, port 12080. If you delete the "80" in the redirected ports in WebShield configuration, redirect will not be active. You must then configure you browser to use localhost:12080 (WebShield) as your HTTP proxy.

Is the problem reproducible even in this setup?

I will lookup what are the "unknown process" lines in your log in the meantime.

trigger

  • Guest
Re: ashWebSv.exe locking up browsing
« Reply #12 on: April 19, 2006, 01:21:56 PM »
Why do you think there is more people experiencing the same problem?
There are some threads about similar, not same, problems where bebshield apparently influences browsing. I can not describe it more general. It seems like I have the worst case there when after images and pages get corrupt, browsing stops completely.

To further narrow down the possible cause we might try to eliminate the redirecting part of WebShield. WebShield has a low level support in driver, that monitors outgoing connection to port 80, and redirects them to localhost, port 12080. If you delete the "80" in the redirected ports in WebShield configuration, redirect will not be active. You must then configure you browser to use localhost:12080 (WebShield) as your HTTP proxy.

Is the problem reproducible even in this setup?
Will do that and will keep you posted. Thanks for picking this up again!

Peter

trigger

  • Guest
Re: ashWebSv.exe locking up browsing
« Reply #13 on: April 20, 2006, 09:06:33 AM »
This method gave me no problems... Do I understand correctly that avast works as a proxy this way and the other way as transparent proxy???

Then I put the settings back and the problem stayed away ?!?!? I'll keep trying and when I get the problem back again, I'll try the proxy-way to see if that triggers the sollution... (hope this makes any sense)

Thanks so far!

Peter

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: ashWebSv.exe locking up browsing
« Reply #14 on: April 20, 2006, 12:34:50 PM »
Trigger,
in fact the functionality of the WebShield application is always the same. It works as a proxy. The only difference is how the connection is directed to the WebShield app.

But if the redirecting part is the problematic place, it is most probably some conflict with a networking software on your comp. The work than is done in our driver during redirect is rather simple, just the address is patched in the request - but it may (theoretically) confuse some other software that might have already checked the destination address.

Do you have some other security software besides Kerio Firewall? Something that might be running as a LSP hook?

(you may display the list of loaded LSP modules with LSPFIX, downloadable from here: http://www.cexx.org/lspfix.htm) Can you post the list of LSP dlls that is displayed?

What about kerio? Do you have "Web Filtering" enabled? (Block advertisements, popups, scripts) ? Allthough it should work correctly, this might be a potential source of some problems...

Thanks.
Lukas.