Author Topic: AVAST home vs CISCO ACL  (Read 4267 times)

0 Members and 1 Guest are viewing this topic.

Offline jrrich

  • Newbie
  • *
  • Posts: 4
AVAST home vs CISCO ACL
« on: May 23, 2007, 10:35:39 PM »
I run a cisco soho router with an ACL to prevent my Daughter from surfing the web on my Home Theater PC.  The access list blocks all port 80 and port 443 by default, then I poke holes in it to allow the access I want (MS update, time sync, etc).  Problem is, Avast does not want to play nice with my ACL-- it seems to try to connect to a different server every time it updates.

Is there a way to limit the places Avast goes for its updates?  I found the server.def list, but no way am I poking 125 holes in my ACL (by IP address, since ACLs don't take URL)...


Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 83940
  • No support PMs thanks
Re: AVAST home vs CISCO ACL
« Reply #1 on: May 23, 2007, 11:49:02 PM »
avast! has over one hundred update servers as you have found to spread the load so the users don't experience servers timing out or being unable to connect to a busy server. Is it possible to allow access to avast.setup port 80 access, which does the update ?

Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2432 (build 20.8.5684.602) UI-1.0.566/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline jrrich

  • Newbie
  • *
  • Posts: 4
Re: AVAST home vs CISCO ACL
« Reply #2 on: May 23, 2007, 11:52:33 PM »
Difficult.  Unfortunately, the Cisco ACL model works on a different model than a firewall per se.  Basically, I need to allow traffic from a specific IP or range to a specific IP or range. 

On the other hand, I can always write a script to download the manual update and run it...

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 83940
  • No support PMs thanks
Re: AVAST home vs CISCO ACL
« Reply #3 on: May 24, 2007, 12:05:23 AM »
That would probably be easier that trying to find the 125 IPs and then trying to get an idea of an IP range, which would be subject to change.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2432 (build 20.8.5684.602) UI-1.0.566/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline jrrich

  • Newbie
  • *
  • Posts: 4
Re: AVAST home vs CISCO ACL
« Reply #4 on: May 24, 2007, 12:41:21 AM »
OK, well that pretty much back up my thinking.  Thanks for taking the time to respond.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: AVAST home vs CISCO ACL
« Reply #5 on: May 24, 2007, 12:49:59 AM »
I found the server.def list, but no way am I poking 125 holes in my ACL (by IP address, since ACLs don't take URL)...
This is when a software firewall makes the difference and it's easier to configure...
Ok, it takes some resources...
The best things in life are free.

Offline jrrich

  • Newbie
  • *
  • Posts: 4
Re: AVAST home vs CISCO ACL
« Reply #6 on: May 24, 2007, 01:24:46 AM »
Software firewall is good for some things but IMO does not touch a hardware ACL on the router for my application.  The application permissions model is fine for most things, but what if, as in my situation, you want to block all traffic on port 80/443, and only allow certain exceptions?  The application permissions model does not serve this purpose very well.  You can elect to block IE (or whatever) from accessing the network or not.  Maybe if you have a good firewall, you can employ a whitelist/blacklist of URLS.  Then when traffic hits the stack on your desktop your CPU has to make lookups/decisions about the traffic.  I want this traffic blocked BEFORE it hits my desktop, especially on my HTPC.  I don't want the decision cycle taking up resources on a box like that.  Additionally, a windows exploit that never touches a windows system is no threat at all.

Avast is the first application I have run into this problem with-- most solutions use a reverse proxy server or server farm to distribute load rather than doing it via a list of servers like Avast does.  So you hit the one URL/IP on your download and it assigns your request to one of it's subsidiary servers.  Not sure why they chose the solution they did, but it's my problem to deal with, not theirs. 

Scripting, here we come.