Topic: AIS firewall: auto-decide mode question(s)

Hermite15

  • Guest
AIS firewall: auto-decide mode question(s)
« on: January 06, 2011, 12:28:17 PM »
...not sure what to think about that, here is (see screen shots) what happens when this firewall is on auto-decide mode >>> all connections allowed, meaning inbound as well. I can get it for Skype, but for the others... adding that it's not the case right now, but I've seen the same happen with Firefox and Thunderbird.

 Will delete most rules now and switch back to ask mode ;)

edit: no screen shot but same for Secunia, Miranda, Windows Desktop Gadgets, Opera.
« Last Edit: January 06, 2011, 01:06:46 PM by Logos »

Pondus
Re: AIS firewall: auto-decide mode question(s)
« Reply #1 on: January 06, 2011, 01:19:18 PM »
are you saying there is full connection in/out when in automode?

any difference from what network: home/work/public?

Hermite15

  • Guest
Re: AIS firewall: auto-decide mode question(s)
« Reply #2 on: January 06, 2011, 02:00:55 PM »
Quote from: Pondus
are you saying there is full connection in/out when in automode?

yes

Quote from: Pondus
any difference from what network: home/work/public?

these results are in work mode... didn't test on other modes.

Hexo

  • Guest
Re: AIS firewall: auto-decide mode question(s)
« Reply #3 on: January 06, 2011, 04:35:11 PM »
I got a question...
Where did the avast! fw get the rules in the automode, which program is good or which is bad?
Is there a white list anywhere?
I know that the G Data Firewall has a whitelist, and for a program which is unknown, the firewall asked what to do.
But since I use the avast! Firewall in the automode... the firewall asked me nothing.

Charyb-0
Re: AIS firewall: auto-decide mode question(s)
« Reply #4 on: January 06, 2011, 04:41:42 PM »
Hexo, this is in the help file.

"Block" means that such connections will never be allowed.

"Auto-decide" means the connection will normally be allowed, however any suspicious connections will be automatically blocked. This will be based partly on a large white-list database of safe applications maintained by avast!

If "Ask" is selected, you will see a message asking you to confirm whether or not the connection should be allowed.

However, I was searching for malware and rogue antivirus. I ended up finding a rogue av and the firewall automatically created a rule for it allowing inbound and outbound connections. Wasn't real happy with this. I don't know whether me allowing it to install also gave the green light to create a rule like that or not. This was using Auto Decide. I don't remember the exact rule but it certainly didn't block it.
« Last Edit: January 07, 2011, 03:28:05 AM by Charyb »

Hermite15

  • Guest
Re: AIS firewall: auto-decide mode question(s)
« Reply #5 on: January 06, 2011, 04:42:33 PM »
Quote from: Hexo
I got a question...
Where did the avast! fw get the rules in the automode, which program is good or which is bad?
Is there a white list anywhere?
I know that the G Data Firewall has a whitelist, and for a program which is unknown, the firewall asked what to do.
But since I use the avast! Firewall in the automode... the firewall asked me nothing.

don't worry about that, there's no white list. The auto-decide mode just allows what the program normally requires to connect. The problem is that it sometimes seems to allow more than needed ;D

Hermite15

  • Guest
Re: AIS firewall: auto-decide mode question(s)
« Reply #6 on: January 06, 2011, 04:47:56 PM »
Quote
This will be based partly on a large white-list database of safe applications maintained by avast!

oh yeah, where's that list? you got a link? ... or anything stating officially that there's such a list...

 ... ok app sigs are verified, that's all I can tell... and if the program doesn't have any, auto-decide will still allow it to connect :)

Charyb-0
Re: AIS firewall: auto-decide mode question(s)
« Reply #7 on: January 06, 2011, 04:49:22 PM »
go to application rules then click on help center at the top of the UI.

Hermite15

  • Guest
Re: AIS firewall: auto-decide mode question(s)
« Reply #8 on: January 06, 2011, 04:52:54 PM »
Quote from: Charyb-0
go to application rules then click on help center at the top of the UI.

okay I never noticed that but yes it's mentioned there... other things are mentioned that don't exist anyway ("process control" or no app allowed to install in "public mode" etc...)

Charyb-0
Re: AIS firewall: auto-decide mode question(s)
« Reply #9 on: January 06, 2011, 04:57:34 PM »
I still to this day do not understand how the rogue av I installed was allowed to connect inbound and outbound. By me allowing it to install did this give the OK in AutoDecide mode? The rogue is long gone but it still bugs me on how the rule was created. According to the help file it states that it monitors for suspicious behavior. If it is a rogue it is nothing but suspicious. I would like it to fully block any antivirus that is not on the whitelist.
« Last Edit: January 06, 2011, 05:13:31 PM by Charyb »

Hermite15

  • Guest
Re: AIS firewall: auto-decide mode question(s)
« Reply #10 on: January 06, 2011, 05:07:11 PM »
Quote from: Charyb-0
I still to this day do not understand how the rogue av I installed made the white list. Did the firewall use me allowing it to install as the ok in AutoDecide mode? The rogue is long gone but it still bugs me on how the rule was created.

might be because as I said the auto-decide mode allows much more than it should anyway, and isn't very strict at all with outbound connections... that white list, if it exists, is a joke. As to your rogue, ask also why the AV didn't block the download and the install in the first place...

Charyb-0
Re: AIS firewall: auto-decide mode question(s)
« Reply #11 on: January 06, 2011, 05:17:06 PM »
You do have a point there. After a clean install I just let the firewall run a few days in autodecide to make sure all the system rules and avast rules are created then switch it to ask.

Hermite15

  • Guest
Re: AIS firewall: auto-decide mode question(s)
« Reply #12 on: January 06, 2011, 05:23:06 PM »
Quote from: Charyb-0
You do have a point there. After a clean install I just let the firewall run a few days in autodecide to make sure all the system rules and avast rules are created then switch it to ask.

another problem when you do that, is that switching to ask will only be relevant for new apps, as all apps already listed while you were on auto-decide mode will keep the auto-decide option ;D (in the "otherwise..." setting).

Charyb-0
Re: AIS firewall: auto-decide mode question(s)
« Reply #13 on: January 06, 2011, 05:31:12 PM »
Another point well taken. I go through and delete anything that I don't recognize (with the exception of the system and avast rules). After that rogue installed and the rules were created I keep a close eye on the rules now. I don't trust that "suspicious" connections will automatically be blocked because Avast allowed a suspicious program to install and firewall rules allowing inbound and outbound connections for this suspicious program. I know that they want to keep it as transparent as they can but I do think that the auto-decide rules need some tightening up.

Like Hexo mentioned, I like autodecide but ask for unknowns better than allowing unknowns. Although this is different than what you mentioned in your first post.

Until there are any changes made to the firewall I will just keep it in "ask" mode.
« Last Edit: January 06, 2011, 06:20:10 PM by Charyb »

SteveStroage

  • Guest
Re: AIS firewall: auto-decide mode question(s)
« Reply #14 on: January 06, 2011, 10:49:44 PM »
Quote from: Hermite15
okay I never noticed that but yes it's mentioned there... other things are mentioned that don't exist anyway ("process control" or no app allowed to install in "public mode" etc...)

The "Don't allow new programs" might be added as a new feature. Below was from an email from Lukor.

Quote from: Lukas
2) Don't allow new programs – hmm, I am afraid we don't fully implement what is written here. Sorry. At first we thought that users would use the program mostly in Work/Medium Risk Zone, configure their apps there and switch to the two (Home and Airport) modes only for special cases for short periods of time. For such use, it would make sense to prevent any new program rules to be created in Airport mode (to prevent any accidents in risky environments) – however it turned out, that the airport mode is pretty useful on its own, and it wouldn't be so cool to prevent creating new application rules in this mode, so actually I am afraid you have found a bug on this one – the description should be changed!

Thanks a lot! I’ll file a bug and decide what to do – either remove the description, or add such feature (probably by default off, but switchable in expert settings)

Lukas.