Author Topic: Avast on-access firewall bypass (Read 6396 times)

fw_et_avast · « **on:** July 10, 2006, 09:24:50 PM »

Avast (4.7 Home Edition) on-access protection (default settings) let's new browser applications bypass my firewall (Sygate Personal Firewall). The firewall reported the outgoing application to be ashWebSv.exe for which I'd granted access earlier, and not the new browser application that I was using. Once I terminated the on-access protection the firewall reports the correct application that is trying to connect outside.

Can this kind of behaviour be disabled in some other way than terminating the on-access protection wholly?

Thanks!

(OS: Windows 2000 SP 4)

Jarmo P · « **Reply #1 on:** July 10, 2006, 09:34:28 PM »

No it cannot.
If you have a webshield protection configured to a browser, Sygate will pass browsing traffic http tcp 80 (all outbound connections) without asking the permissions for them.

If you dont use IE but instead alternative browsers, you can make a so called manual proxy connection to only your prefewrred browsers. Thus IE gets asked and malware that might launch it are not so big worry.

Many other firewalls gave also this behavior in their default configuration on as a default, only there is nothing that can be done to SPF to block it.
Avast webshield local proxy is though restricted to known browsers only.

RejZoR · « **Reply #2 on:** July 10, 2006, 09:37:42 PM »

Thats a known "issue" with Sygate Firewall. Nothing that Alwil can do about. Sygate is discontinued product anyway...

Jarmo P · « **Reply #3 on:** July 10, 2006, 09:38:23 PM »

RejZor, it is a firewall. Sygate free has no HIPS or IDS.
There is therefore no need to be worried that there is not coming any new version.

It is a basic packet filter disguised as an application based firewall. Has a few added features, but NONE that depend on updated knowledgebase like virus databases.

Many times especially new versions are maybe produced by commercial pressure to have updates, often causing various problems.

There is a tendency to adopt suite concept like latest kerio Comodo etc. are examples. They have their problems. Stability, memory usage ....

I am currently using kpf 2.1.5 and totally happy with it having my rules totally under my command.

As to Sygate 5.5, it is a good firewall for people not able to understand rule based firewalls. Keeps computer safe. I would not run other proxies though with Sygate except avast's ones.

DavidR · « **Reply #4 on:** July 10, 2006, 09:50:03 PM »

This is the Sygate localhost loopback vulnerability where it only recognises the proxy (which you have given permission for) and not the program using the localhost proxy.

How to disable transparent web shield proxy and allow only those browsers you want use it:
In avast! go to Web Shield provider, Customize..., Basic tab, blank the redirected HTTP port field (remove the 80). Now no browser can use webshield unless you manually configure it to use Web Shield.

For IE - broadband users: - Tutorial - Web Shield Proxy Set-up for IE
For IE - dialup users - Tutorial - Web Shield Proxy Set-up for IE (Dial-up)
For Firefox users - Tutorial - Web Shield Proxy Set-up for Firefox

fw_et_avast · « **Reply #5 on:** July 10, 2006, 10:17:08 PM »

Thanks all for your replies!

I guess I have to start looking for a new SW firewall (although I'm loath to as I like the advanced firewall rule setting features of SPF and its UI).

(accidentally posted part of this in a new thread which I've since edited)

DavidR · « **Reply #6 on:** July 10, 2006, 11:11:41 PM »

Glad we could help, welcome to the forums.

You can still use sygate, just make the modifications so the avast proxy only works for those browsers you want to use it (and manually set them up), anything else connecting to the internet, can't use the proxy so will be challenged by sygate.

Jarmo P · « **Reply #7 on:** July 11, 2006, 04:59:20 PM »

Great posts David. Thank you, just valued information and I could not post or willing any better than you

EDIT:
Sygate or many other older firewall builds, they dont offer as much "protection" against never leak test kind things. It is always though the main thing, inbound protection. Sygate 5.5 looses outbound control with proxies, but I still am not recommending to ditch it for firewall newbie programs with bloat, hehe. Decisions made, I leave it to guys who read all the forums thinking they are safer with newer ones without getting familiar how or why, hehe. Was a good thread this one.

RejZoR · « **Reply #8 on:** July 11, 2006, 05:20:00 PM »

No, firewalls indeed don't require such frequent updates as antiviruses, but outdated firewall can be far less secure than you think... Sygate is unfortunately one of such firewalls.

Jarmo P · « **Reply #9 on:** July 11, 2006, 06:00:35 PM »

ok, let me know how, email is sent to you.

Author Topic: Avast on-access firewall bypass (Read 6396 times)

fw_et_avast

Avast on-access firewall bypass

Jarmo P

Re: Avast on-access firewall bypass

RejZoR

Re: Avast on-access firewall bypass

Jarmo P

Re: Avast on-access firewall bypass

DavidR

Re: Avast on-access firewall bypass

fw_et_avast

Re: Avast on-access firewall bypass

DavidR

Re: Avast on-access firewall bypass

Jarmo P

Re: Avast on-access firewall bypass

RejZoR

Re: Avast on-access firewall bypass

Jarmo P

Re: Avast on-access firewall bypass