Thank-you from the link.
How does the update service work?
* At first, avast! tries to detect if the computer is connected to the Internet - it sends a 'packet' (message) to one of our servers and waits for reply.
* If the 'packet' is received, avast! "knows" that the computer is connected and the update may begin.
This is fine because the connection is initiated from the actual PC and would therefore traverse the firewall, unless when you say 'send a packet' you really meant send a ping, then it will never work for our computers. See notes below.
* If there´s no reply to the 'packet' sent, avast! will try to ping (connect to) the server again every 40 seconds.
* If the ping is successful, avast! connects to our server and checks if there´s any new updates available.
Ping will never be successful since the firewall drops all incoming and outgoing ICMP bar unreachable.
* If there is, avast! will download and install them. If not, avast! will wait for 4 hours and then try to connect and check for updates again.
* In short: avast! detects the connection to the Internet every 40 seconds and looks for new updates every 4 hours.
However, this fails to explain the ICMP echo-reply because ICMP echo is blocked by the Cisco PIX in the first place. Now I understand the rest I won't worry about it. I shall leave it alone because the client will update once every four hours anyway. Also, I see that I can disable this on the client.
Many thanks for your quick replies.
Mr.Qwerty.