Author Topic: Firewall Rule Problem  (Read 14913 times)

0 Members and 1 Guest are viewing this topic.

GloobyGoob

  • Guest
Re: Firewall Rule Problem
« Reply #15 on: November 04, 2010, 09:23:01 PM »
Don't create new rules for the same application; if you want to block something, modify the original rule.

Customization doesn't mean allowing me to edit its main groups by mistake or you will endanger your self to low protection.
This is customization, it is allowing you to modify something according to your personal specifications.

What I expect from afirewall ? am I forced to follow each application installation and block its toolbar one by one ? this is ridiculous . see attached picture after I installed many programs have the same toolbar and every application I prevent its toolbar from connecting and waiting for reply
This is auto-decide's purpose: to make its own decisions. The firewall's goal is to only block bad programs, it only makes rules for the good programs with a whitelist of over 50 thousand safe applications. If it's not on the whitelist, it verifies digital certificates, analyses them with its own heuristic module, and uses info from the behavior shield and PUP engine. If you feel like you need to monitor every application installation, then set the mode to ask. It is not the firewall's job to block installation of toolbars, they are not [all] malicious. If you don't want toolbars, untick them during installation.

Best regards

elkhole

  • Guest
Re: Firewall Rule Problem
« Reply #16 on: November 04, 2010, 09:50:43 PM »
I used in the past many security suite : norton,kaspersky,comodo,f-secure,avg,zonealarm ,outpost I NEVER found one of these to allow me to define the same application again and again or stuck with rules like this, I can't imagine that you don't see this is a serious bug, I recently tried norton internet security 2011 and make the same rules in firewall but it neve allow me to add any application more than one time and never it duplicates the rules like this .

CAN'T YOU SEE THIS IS A BIG BUG, I THINK YOU ARE IN A TROUBLE .

BEST WIHSES

ImWarm

  • Guest
Re: Firewall Rule Problem
« Reply #17 on: November 04, 2010, 10:45:29 PM »
Then why do you do it? You don't have to create more rules. To fix this, just reboot.

elkhole

  • Guest
Re: Firewall Rule Problem
« Reply #18 on: November 04, 2010, 10:53:28 PM »
I'll try to simplify it to you , suppose u had a virus , trojan , worm... any thing that avast didn't detect and that virus prevents you from deleting it , it copy it self to your system hundred times in different locations and it can connect to internet , you saw it connecting in firewall activities and want to block it until avast detects it and delete it, simply you edit the rule creating by avast to block instead of allowing it.

but in our case you should add arule for the SAME DAMN VIRUS hundred times because of different places , PLEASE Think for it a minute and I'm sure you will agree with me that it's abug.

thanx for your cooperation.
best wishes...

Offline Charyb-0

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2508
Re: Firewall Rule Problem
« Reply #19 on: November 04, 2010, 11:07:35 PM »
I'll try to simplify it to you , suppose u had a virus , trojan , worm... any thing that avast didn't detect and that virus prevents you from deleting it , it copy it self to your system hundred times in different locations and it can connect to internet , you saw it connecting in firewall activities and want to block it until avast detects it and delete it, simply you edit the rule creating by avast to block instead of allowing it.

but in our case you should add arule for the SAME DAMN VIRUS hundred times because of different places , PLEASE Think for it a minute and I'm sure you will agree with me that it's abug.

thanx for your cooperation.
best wishes...

I see your point. No need to cuss about it. To me, it's not really a bug but maybe a minor inconvenience. Or a different way of doing things. This is probably a question left for the developers. Please contact Avast support http://support.avast.com/ so that they may be able to answer your question.
« Last Edit: November 04, 2010, 11:37:35 PM by Charyb »

elkhole

  • Guest
Re: Firewall Rule Problem
« Reply #20 on: November 04, 2010, 11:32:41 PM »
I sent them the problem details five minutes ago, thanx for support link ,and thanx all for help.

Best wishes...

GloobyGoob

  • Guest
Re: Firewall Rule Problem
« Reply #21 on: November 04, 2010, 11:36:07 PM »
I'll try to simplify it to you , suppose u had a virus , trojan , worm... any thing that avast didn't detect and that virus prevents you from deleting it , it copy it self to your system hundred times in different locations and it can connect to internet , you saw it connecting in firewall activities and want to block it until avast detects it and delete it, simply you edit the rule creating by avast to block instead of allowing it.

but in our case you should add arule for the SAME DAMN VIRUS hundred times because of different places , PLEASE Think for it a minute and I'm sure you will agree with me that it's abug.

Please read what I had said in my previous post. If it was a bad application, it wouldn't have a rule created for it. Only known, safe programs get added to the list of Application Rules. If the antivirus doesn't detect it, the firewall can still stop it, as it doesn't use signatures/virus definitions. It can use its heuristics module and data from the Behavior Shield and PUP detection to decide to limit its connection.

And if you happen to need to block something, you only need to change one rule. The firewall does not make multiple rules for the same program, you are doing that.

Regards,
GloobyGoob

elkhole

  • Guest
Re: Firewall Rule Problem
« Reply #22 on: November 05, 2010, 12:00:11 AM »
Quote
Please read what I had said in my previous post. If it was a bad application, it wouldn't have a rule created for it. Only known, safe programs get added to the list of Application Rules. If the antivirus doesn't detect it, the firewall can still stop it, as it doesn't use signatures/virus definitions. It can use its heuristics module and data from the Behavior Shield and PUP detection to decide to limit its connection.

And if you happen to need to block something, you only need to change one rule. The firewall does not make multiple rules for the same program, you are doing that.

Regards,
GloobyGoob

1- Behaviour shield is usless as I know and if you searched the forum you will know that especially for x64 systems and this what I use now .

2- Firewall is fully depends on antivirus and hasn't a separated viruslist engine or heuristic engine as you said and again search the forum to belive me.

3- You can try yourself : open application rules and choose one of the rules automatically created by autodecide and change it to block all connections and then copy this blocked file to another folder and run it and make it connect to internet if it doesn't connect automatically and look again at the application rules and you will find it your self .

Best wishes...

GloobyGoob

  • Guest
Re: Firewall Rule Problem
« Reply #23 on: November 05, 2010, 12:33:29 AM »
1. The Firewall just recieves data from Behavior Shield to help in its decisions, it doesn't depend on it.

2. I believe you are referring to this thread. There was some confusion. The firewall does have its own heuristic module. It does not need an antivirus engine, that would be pointless, as avast already has one.

Hi guys,

Firewall is a part of the suite which includes an antivirus. During the process of allowing an unknown application it uses its own module, which does the heuristics checks, consults a whitelist and blacklist and then returns either allow or deny and the rule to be used. This module is independent on other avast! antivirus modules, is written especially for the firewall, and is currently used solely by firewall - even though I don't see any special benefit from that fact - and if similar features would be of any use to other components of the suite, they would surely be reused. On the other hand, this module does not check if the application in question is clean from viral infection or not.

As stated in the original post on this thread, there was a test done with some malware samples which avast! firewall let to connect. You would probably like to see some features in the firewall that would supplement the antivirus and provide 100% zero-day protection against such threat, but as I said in my reply, that there are no such features that would check for malware in the sample and if the antivirus had no objections - as it was turned off - was must assume that the application in question was clean from any infection and the firewall should decide accordingly. Also there is currently no such superhuge whitelist on which every allowed application must be found. Some other firewall suites use this approach but we thought that having indexed all available applications on the Internet is beyond our reach and that the number of unknown app popups would simply be to large. The whitelist is there, there are metadata and rules that can be retrieved from the list for many apps but the firewall allows connections for apps not on the whitelist as well.

The heuristics used during the decision process is part of the virus VPS package and can be improved during the time, and we will surely do that - but currently I believe that for most of the times unless the user wants to override the default behavior by his own decision and its not a malware, that most programs might need internet access for their normal activity and that is their normal state. Nothing that average user should be alerted about.

On the other hand I totally agree that there is a lot to improve in the automatic rule creation process. There is no doubt about that.

Lukas.



3. Ah, I see what you mean now. The way you put it in your previous posts was a bit unclear, my apologies. But this wouldn't be a big problem because A.) Programs do not usually copy themselves to other locations, and I do not see why users would need to copy them manually B.) Malware will not be listed in the Application Rules. If you want, you can contact Lukas and see what he has to say about it.

Regards.

elkhole

  • Guest
Re: Firewall Rule Problem
« Reply #24 on: November 05, 2010, 12:56:31 AM »
I'm sorry I didn't fully clear the problem as I'm new to security forums.

And yes I won't copy application to another folder but if you install many applications with for example ask toolbar or any adware , every application would first as you know extract its files to temp folders and then install to program files, of course every application has the same adware will extract itself to different directory in temp folder, so if I can't make one rule to this adware I'll be forced to follow every application extracted folder to prevent it from connecting to internet .

and the same case in portable programs as it's very common now if I copy it to another directory and this is common I should make anew rule for each folder even I change one letter from folder's name and I'm sure you agree with me that it's very annoying if I use much portable programs . this is my point.

best wishes...

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Firewall Rule Problem
« Reply #25 on: November 09, 2010, 12:25:44 PM »
Hi elkhole,
would you mind sending me your rules.xml file? I will look at it and see whats really in there.

thanks.
Lukas.