Hi guys,
The firewall is a part of the suite which includes an antivirus. During the process of allowing an unknown application it uses its own module, which does the heuristics checks, consults a whitelist and blacklist and then returns either allow or deny and the rule to be used. This module is independent of other avast! antivirus modules, is written especially for the firewall, and is currently used solely by the firewall - even though I don't see any special benefit from that fact - and if similar features were of any use to other components of the suite, they would surely be reused. On the other hand, this module does not check if the application in question is clean from viral infection or not.
As stated in the original post on this thread, there was a test done with some malware samples which the avast! firewall allowed to connect. You would probably like to see some features in the firewall that would supplement the antivirus and provide 100% zero-day protection against such threats, but as I said in my reply, there are no such features that would check for malware in the sample, and if the antivirus had no objections - as it was turned off - we must assume that the application in question was clean from any infection and the firewall should decide accordingly. Also, there is currently no such superhuge whitelist on which every allowed application must be found. Some other firewall suites use this approach, but we thought that having indexed all available applications on the Internet is beyond our reach and that the number of unknown app popups would simply be too large. The whitelist is there, and there are metadata and rules that can be retrieved from the list for many apps, but the firewall allows connections for apps not on the whitelist as well.
The heuristics used during the decision process are part of the virus VPS package and can be improved over time, and we will surely do that - but currently I believe that most of the time, unless the user wants to override the default behavior by his own decision, and it's not malware, most programs might need internet access for their normal activity and that is their normal state. Nothing that the average user should be alerted about.
On the other hand, I totally agree that there is a lot to improve in the automatic rule creation process. There is no doubt about that.
Lukas.