Author Topic: I need help understanding AIS Firewall working mechanism  (Read 13519 times)


MAG

  • Guest
« Reply #15 on: October 01, 2010, 05:35:00 PM »

> Hi, indeed, when checking if some specific executable is malware or not before allowing its traffic or blocking it, the firewall depends on the antivirus. Duplicating such features in the firewall itself wouldn't make any sense. However the firewall has also its own whitelist and blacklist that helps the "auto-decide" routine to create the rules.

In which case, if the malware isn't detected by avast antivirus, isn't the AIS outbound firewall bound to let it connect (and so is there any point in having an outbound firewall unless it is set to "Ask")?

Lisandro

  • Avast team
« Reply #16 on: October 01, 2010, 05:37:59 PM »
> In which case, if the malware isn't detected by avast antivirus, isn't the AIS outbound firewall bound to let it connect (and so is there any point in having an outbound firewall unless it is set to "Ask")?
Very good point.
The best things in life are free.

ImWarm

  • Guest
« Reply #17 on: October 02, 2010, 12:23:45 AM »
Avast documentation states that the firewall uses heuristics as well as the blacklist/whitelist. Is this true?

And also, what if the antivirus does not detect a malicious program? Isn't the purpose of a firewall to block a threat if the AV misses it? ??? (speaking about outbound protection, not inbound)

Edit: I read more carefully and found this:
> Hi, indeed, when checking if some specific executable is malware or not before allowing its traffic or blocking it, the firewall depends on the antivirus.

By this do you mean that the antivirus checks it before the firewall analyzes it? Sorry, it is kind of unclear to me.
« Last Edit: October 02, 2010, 05:56:07 AM by ImWarm »

Lisandro

  • Avast team
« Reply #18 on: October 02, 2010, 03:11:09 AM »
I'm very interested in this thread... Seems we're knowing better how the firewall works.

MasterTB

  • Guest
« Reply #19 on: October 02, 2010, 11:31:11 PM »
See?
All of these reasons are why I set the firewall to ask.
Because even if a file is declared "clean" by the AV and it is not on the firewall's blacklist, that is no reason for it to connect to the internet, because YOU -the user- might not want it to.
For instance: I use Opera to browse the web and as a mail client (Opera has M2), and it has the Unite services, which right now I'm not using, so why would I want the firewall to give Opera the broadest "all connections" status?
I wouldn't, because on my PC it doesn't need it. That is why I set it to ask and grant only the access I want.
Of course that means dealing with pop-ups and having to learn how the firewall works, BUT if somehow I ever download malware and the AV misses it, it won't be able to automatically connect to the web.
Just a thought.

Martin.-

Lisandro

  • Avast team
« Reply #20 on: October 02, 2010, 11:42:43 PM »
I have my firewall on 'ask' too :)

Jon_T

  • Guest
« Reply #21 on: October 03, 2010, 01:20:10 AM »
> I'm very interested in this thread... Seems we're knowing better how the firewall works.
Especially since the current available avast! documentation really does not provide detailed information on all the firewall's settings/options.

Comments here so far confirmed some of my thoughts/understandings on the avast! Firewall--i.e., the avast! Firewall's "heuristic and behavioral analysis protection" is from avast! AV. Keeping in mind that AIS is a "suite", Lukas' comment "...the firewall depends on the antivirus. Duplicating such features in the firewall itself wouldn't make any sense" comes to me as no big surprise--and one of the reasons I've never been too keen on relying upon a single "suite" security solution. If some malicious malware should be able to shut down or compromise the avast! AV engine, it could severely limit AIS protection. At my office there have been several times (different times/employees) that malware was able to shut down or severely limit avast! Pro 4.8 operations (i.e., run a scan, update, etc.).

Hence until I'm 100% confident in AIS Firewall's settings/options level of protection, I'll continue using the layered (separate AV/Spyware, Malware and Firewall) approach to protection as noted in my signature.

BTW, I would like to note that in the avast! AIS Features, as it is currently written, I can see why one would read it as if the Firewall has its own heuristic and behavioral analysis:

> Additional protection
>
> Silent Firewall
> The firewall enables you to control incoming and outgoing traffic from your computer. Protection is based on heuristic and behavioral analysis, and a white list of known safe applications. There are three network settings which can be changed depending on the type of connection.


Lisandro

  • Avast team
« Reply #22 on: October 03, 2010, 04:12:14 AM »
Time to improve the firewall and get it a little bit more independent of the antivirus.

lukor

  • Administrator
    • AVAST Software
« Reply #23 on: October 10, 2010, 07:13:18 PM »
Hi guys,

The firewall is a part of the suite, which includes an antivirus. During the process of allowing an unknown application it uses its own module, which does the heuristic checks, consults a whitelist and blacklist and then returns either allow or deny and the rule to be used. This module is independent of other avast! antivirus modules, is written especially for the firewall, and is currently used solely by the firewall - even though I don't see any special benefit from that fact - and if similar features would be of any use to other components of the suite, they would surely be reused. On the other hand, this module does not check if the application in question is clean from viral infection or not.

As stated in the original post on this thread, there was a test done with some malware samples which avast! firewall allowed to connect. You would probably like to see some features in the firewall that would supplement the antivirus and provide 100% zero-day protection against such threats, but as I said in my reply, there are no such features that would check for malware in the sample, and if the antivirus had no objections - as it was turned off - we must assume that the application in question was clean from any infection and the firewall should decide accordingly. Also, there is currently no such superhuge whitelist on which every allowed application must be found. Some other firewall suites use this approach, but we thought that having indexed all available applications on the Internet is beyond our reach and that the number of unknown app popups would simply be too large. The whitelist is there, there are metadata and rules that can be retrieved from the list for many apps, but the firewall allows connections for apps not on the whitelist as well.

The heuristics used during the decision process are part of the virus VPS package and can be improved over time, and we will surely do that - but currently I believe that most of the time, unless the user wants to override the default behavior by his own decision and it's not malware, most programs might need internet access for their normal activity and that is their normal state. Nothing that the average user should be alerted about.

On the other hand I totally agree that there is a lot to improve in the automatic rule creation process. There is no doubt about that.

Lukas.


GloobyGoob

  • Guest
« Reply #24 on: October 10, 2010, 08:27:40 PM »
Thanks Lukas, that's a bit clearer. The firewall has its own heuristic module, it just doesn't check for viruses. That makes sense. :)

Lisandro

  • Avast team
« Reply #25 on: October 10, 2010, 08:30:11 PM »
Thanks for the explanations Lukas.