Author Topic: AIS firewall: auto-decide mode question(s)  (Read 9230 times)

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
AIS firewall: auto-decide mode question(s)
« on: January 06, 2011, 12:28:17 PM »
...not sure what to think about that, here is (see screen shots) what happens when this firewall is on auto-decide mode >>> all connections allowed, meaning inbound as well. I can get it for Skype, but for the others...adding that it's not the case right now, but I've seen the same happen with Firefox and Thunderbird.

 Will delete most rules now and switch back to ask mode ;)

edit: no screen shot but same for Secunia, Miranda, Windows Desktop Gadgets, Opera.
« Last Edit: January 06, 2011, 01:06:46 PM by Logos »
w7 - ais7

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37012
Re: AIS firewall: auto-decide mode question(s)
« Reply #1 on: January 06, 2011, 01:19:18 PM »
are you saying there is full connection in/out when in automode ?

any difference from what network  home/work/public ?

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: AIS firewall: auto-decide mode question(s)
« Reply #2 on: January 06, 2011, 02:00:55 PM »
Quote from: Pondus
are you saying there is full connection in/out when in automode ?

yes

Quote from: Pondus
any difference from what network  home/work/public ?

these results are in work mode... didn't test on other modes.
w7 - ais7

Offline Hexo

  • Full Member
  • ***
  • Posts: 131
    • Blog
Re: AIS firewall: auto-decide mode question(s)
« Reply #3 on: January 06, 2011, 04:35:11 PM »
I got a question...
Where did the avast! fw get the rules in the automode, which program is good or which is bad?
Is there a white list anywhere?
I know that the G Data Firewall has a whitelist, and for a program which is unknown, the firewall asks what to do.
But since I use the avast! Firewall in the automode... the firewall asked me nothing.
Main PC: Windows 7 64bit, Core I5 2500K, F-Secure IS2012
Notebook: Dell XPS 1530, Windows 7 64bit, Kaspersky IS 2012
Second PC: Windows XP 32bit, F-Secure IS2011 | Asus Eee PC 1000H: Windows XP 32bit, avast! IS

Offline Charyb

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2328
Re: AIS firewall: auto-decide mode question(s)
« Reply #4 on: January 06, 2011, 04:41:42 PM »
Hexo, this is in the help file.

"Block" means that such connections will never be allowed.

"Auto-decide" means the connection will normally be allowed, however any suspicious connections will be automatically blocked. This will be based partly on a large white-list database of safe applications maintained by avast!

If "Ask" is selected, you will see a message asking you to confirm whether or not the connection should be allowed.

However, I was searching for malware and rogue antivirus. I ended up finding a rogue av and the firewall automatically created a rule for it allowing inbound and outbound connection. Wasn't real happy with this. I don't know that me allowing it to install also gave the green light to create a rule like that or not. This was using Auto Decide. I don't remember the exact rule but it certainly didn't block it.
« Last Edit: January 07, 2011, 03:28:05 AM by Charyb »

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: AIS firewall: auto-decide mode question(s)
« Reply #5 on: January 06, 2011, 04:42:33 PM »
Quote from: Hexo
I got a question...
Where did the avast! fw get the rules in the automode, which program is good or which is bad?
Is there a white list anywhere?
I know that the G Data Firewall has a whitelist, and for a program which is unknown, the firewall asks what to do.
But since I use the avast! Firewall in the automode... the firewall asked me nothing.

don't worry about that, there's no white list. The auto-decide mode just allows what the program normally requires to connect. The problem is that it sometimes seems to allow more than needed ;D
w7 - ais7

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: AIS firewall: auto-decide mode question(s)
« Reply #6 on: January 06, 2011, 04:47:56 PM »
Quote
This will be based partly on a large white-list database of safe applications maintained by avast!

oh yeah, where's that list? you got a link? ... or anything stating officially that there's such a list...

 ... ok app sigs are verified, that's all I can tell... and if the program doesn't have any, auto-decide will still allow it to connect :)
w7 - ais7

Offline Charyb

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2328
Re: AIS firewall: auto-decide mode question(s)
« Reply #7 on: January 06, 2011, 04:49:22 PM »
go to application rules then click on help center at the top of the UI.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: AIS firewall: auto-decide mode question(s)
« Reply #8 on: January 06, 2011, 04:52:54 PM »
Quote from: Charyb
go to application rules then click on help center at the top of the UI.

okay I never noticed that but yes it's mentioned there... other things are mentioned that don't exist anyway ( "process control" or no app allowed to install in "public mode" etc...)
w7 - ais7

Offline Charyb

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2328
Re: AIS firewall: auto-decide mode question(s)
« Reply #9 on: January 06, 2011, 04:57:34 PM »
I still to this day do not understand how the rogue av I installed was allowed to connect inbound and outbound. By me allowing it to install did this give the OK in AutoDecide mode? The rogue is long gone but it still bugs me on how the rule was created. According to the help file it states that it monitors for suspicious behavior. If it is a rogue it is nothing but suspicious. I would like it to fully block any antivirus that is not on the whitelist.
« Last Edit: January 06, 2011, 05:13:31 PM by Charyb »

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: AIS firewall: auto-decide mode question(s)
« Reply #10 on: January 06, 2011, 05:07:11 PM »
Quote from: Charyb
I still to this day do not understand how the rogue av I installed made the white list. Did the firewall use me allowing it to install as the ok in AutoDecide mode? The rogue is long gone but it still bugs me on how the rule was created.

might be because as I said the auto-decide mode allows much more than it should anyway, and isn't very strict at all with outbound connections... that white list, if it exists, is a joke. As to your rogue, ask also why the AV didn't block the download and the install in the first place...
w7 - ais7

Offline Charyb

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2328
Re: AIS firewall: auto-decide mode question(s)
« Reply #11 on: January 06, 2011, 05:17:06 PM »
You do have a point there. After a clean install I just let the firewall run a few days in autodecide to make sure all the system rules and avast rules are created then switch it to ask.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9442
Re: AIS firewall: auto-decide mode question(s)
« Reply #12 on: January 06, 2011, 05:23:06 PM »
Quote from: Charyb
You do have a point there. After a clean install I just let the firewall run a few days in autodecide to make sure all the system rules and avast rules are created then switch it to ask.

another problem when you do that, is that switching to ask will only be relevant for new apps, as all apps already listed while you were on auto-decide mode will keep the auto-decide option ;D (in the "otherwise..." setting).
w7 - ais7

Offline Charyb

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2328
Re: AIS firewall: auto-decide mode question(s)
« Reply #13 on: January 06, 2011, 05:31:12 PM »
Another point well taken. I go through and delete anything that I don't recognize (with the exception of the system and avast rules). After that rogue installed and the rules were created I keep a close eye on the rules now. I don't trust that "suspicious" connections will automatically be blocked because Avast allowed a suspicious program to install and firewall rules allowing inbound and outbound connections for this suspicious program. I know that they want to keep it as transparent as they can but do think that the auto-decide rules need some tightening up.

Like Hexo mentioned, I like autodecide but ask for unknowns better than allowing unknowns. Although this is different than what you mentioned in your first post.

Until there are any changes made to the firewall I will just keep it in "ask" mode.
« Last Edit: January 06, 2011, 06:20:10 PM by Charyb »

Offline SteveStroage

  • Newbie
  • *
  • Posts: 3
Re: AIS firewall: auto-decide mode question(s)
« Reply #14 on: January 06, 2011, 10:49:44 PM »
Quote from: logos
okay I never noticed that but yes it's mentioned there... other things are mentioned that don't exist anyway ( "process control" or no app allowed to install in "public mode" etc...)

The "Don't allow new programs" might be added as a new feature. Below was from an email from Lukor.

Quote from: Lukas
2) Don’t allow new programs – hmm, I am afraid we don’t fully implement what is written here. Sorry. At first we thought that users would use the program mostly in Work/Medium Risk Zone, configure their apps there and switch to the two (Home and Airport) modes only for special cases for short periods of time. For such use, it would make sense to prevent any new program rules to be created in Airport mode (to prevent any accidents in risky environments) – however it turned out, that the airport mode is pretty useful on its own, and it wouldn’t be so cool to prevent creating new application rules in this mode, so actually I am afraid you have found a bug on this one – the description should be changed!

Thanks a lot! I’ll file a bug and decide what to do – either remove the description, or add such feature (probably by default off, but switchable in expert settings)

Lukas.