ashWebSv.exe spamming my firewall logs

[Garryck]

To protect my home network of 3-5 computers (depends on the day) I use an IPCop firewall which is set up so as to only allow authorised outbound connections in addition to blocking inbound traffic. After Avast was installed to one machine on the network, I rapidly learned how Avast pings home at regular intervals, and I adjusted my firewall to permit this.

However, since installing Avast on my own PC, I have been seeing hundreds of firewall log entries every day (every few minutes) which, with irrelevant details omitted,  look like this:

NEW not SYN?  TCP   800(MDBS_DAEMON)

So far as I can determine, these are not direct connection attempts to the internet, but are attempts to connect to a (non-existent) database service on the firewall itself. Or it simply happens to be using that port for some reason, as despite extensive googling, I have not been able to find any explanation of just what a MDBS_DAEMON actually IS.

Regardless, after some checking with Microsoft's PortReporter tool, I found that the offending process turned out to be ashWebSv.exe which was listed as the avast! Web Scanner service. From what I see in the PortReporter logs, this same service has no problem establishing other connections to the internet, so what I want to know is: Why is ashWebSv.exe so determined to connect to port 800 on my firewall?

[Sesame]

To protect my home network of 3-5 computers (depends on the day) I use an IPCop firewall which is set up so as to only allow authorised outbound connections in addition to blocking inbound traffic. After Avast was installed to one machine on the network, I rapidly learned how Avast pings home at regular intervals, and I adjusted my firewall to permit this.

This one is normal activity of the auto-update function.

However, since installing Avast on my own PC, I have been seeing hundreds of firewall log entries every day (every few minutes) which, with irrelevant details omitted,  look like this:

NEW not SYN?  TCP   800(MDBS_DAEMON)

So far as I can determine, these are not direct connection attempts to the internet, but are attempts to connect to a (non-existent) database service on the firewall itself. Or it simply happens to be using that port for some reason, as despite extensive googling, I have not been able to find any explanation of just what a MDBS_DAEMON actually IS.

Regardless, after some checking with Microsoft's PortReporter tool, I found that the offending process turned out to be ashWebSv.exe which was listed as the avast! Web Scanner service. From what I see in the PortReporter logs, this same service has no problem establishing other connections to the internet, so what I want to know is: Why is ashWebSv.exe so determined to connect to port 800 on my firewall?

I don't have knowledge about your firewall app but what the web scanner, or Web Shield, does is to monitor HTTP connections of other registered applications at registered port.  An odd thing is, although I don't know what application's connection Web Shield is monitoring, port 800 is not a registered port at least by default.  So, I'm beating around the bush here but how about checking if the port is registered somehow?

1. Right click the avast (a) icon in the taskbar.
2. Choose "On-Access Protection Control"
3. Find Web Shield in the provider list and click Customize.
4. In the line "Redirected HTTP ports" see if there is the port 800.

If there is, deleting it would make it clear what application is originally accessing to your firewall at port 800.  Alternatively, though, you can check what app is accessing local port 12080 on the computer on which Avast! is installed while the connection in question at port 800 is occurring.

[Garryck]

I don't have knowledge about your firewall app but what the web scanner, or Web Shield, does is to monitor HTTP connections of other registered applications at registered port.  An odd thing is, although I don't know what application's connection Web Shield is monitoring, port 800 is not a registered port at least by default.  So, I'm beating around the bush here but how about checking if the port is registered somehow?

1. Right click the avast (a) icon in the taskbar.
2. Choose "On-Access Protection Control"
3. Find Web Shield in the provider list and click Customize.
4. In the line "Redirected HTTP ports" see if there is the port 800.

If there is, deleting it would make it clear what application is originally accessing to your firewall at port 800.  Alternatively, though, you can check what app is accessing local port 12080 on the computer on which Avast! is installed while the connection in question at port 800 is occurring.

Ok.. the only port listed in "Redirected HTTP ports" is port 80, so everything seems fine there..  when the port 800 stuff happens, local port 12080 is being accessed by Firefox. The only problem there is that usually there are 10 to 20 tabs open on my FF at any given time..  I guess it's time for some testing/experimentation to see if I can narrow this down.

Many thanks for your response.. 

[lukor]

There is no reason why would avast WebShield connect to port 800 by its own. It migh be either some DLL hosted there or some other service running on your system.