Firewall ports closed

[bearmstead]

I use Kerio personal firewal 2.1.5, I recently went to grc.com & used 'Shields Up' to scan my ports. I found ports 25,110 & 143 closed instead of stealthed. I was wondering if Avast does this to scan the email?

[Eddy]

Avast does not open or close ports. That is what your firewall is for.

[Delta]

Hi, I too have Kerio 2.1.5 and Avast! and on my computer ports 25,110,143 are stealthed rather than blocked (blocked or stealthed, don't worry because nothing's coming in). What I'm wondering is what rules you have set up for these three ports. Right click the Kerio icon and select admin followed by advanced to see these rules (sorry for explaining that if you already knew how to see them). Also double click the Kerio icon in the system tray and see which program is listening on those three ports, it should be ashmaisv.exe.

Where's Blitzenzeus? I've not seen him around here lately; he's the Kerio guru.

Delta.

[bearmstead]

Listening on the folowing local addresses is Avast Email Scanner Service: localhost:pop3, localhost:smtp & localhost:143. My rule for Avast Email scanner service is to allow TCP(both directions), any port, any address, and it is for the ashmaisv.exe program. This rule is below Outlook Express rules. I had no problem with stealth when I ran AVG.

[Lisandro]

I'm using Outpost Firewall (and used ZoneAlarm in the past) and never had a problem with stealthing the 110, 25 and 143 ports.
It's a matter of Kerio configuration and not avast. Like Eddy said, avast! is an antivirus and do not open/close ports, this work is for the firewall  

Maybe you can remove the rule and try to create them again  

[Delta]

Hi. Well I don't know if this will make your ports appear to be stealthed but it will make your computer more secure.
First, allow outlook express
Protocol: UDP/TCP
Local port:Any
Direction:Out
Remote address:127.0.0.1
Remote port:25,110

That is the loopback so that Avast and oe can communicate.

Then
Block oe
Protocol UDP/TCP
Local port:Any
Direction:Both
Remote Address:All
Remote Port:All

That stops oe connecting to the internet; with Avast installed it has no need to venture out onto the web.

Allow Email scanner
Protocol:TCP
Direction:Out
Local port:25,110
Remote Addresses:My isp's mail servers
Remote port:25,110

Followed by another rule:
Block email scanner
Protocol:UDP/TCP
Direction:Both
Local port:Any
Remote Addresses:Any
Remote port:Any

If I've forgotten any info please ask for it.

I'm sorry if I'm jumping to conclusions here, but it seems to me that you set Kerio to ask for each connection attempt and then clicked always remember this answer (or however it's phrased) and then clicked permit. This creates a very insecure ruleset, it would be best if you went to www.dslreports.com/forum/kerio and checked out Blitzenzeus's ruleset. Also go to www.blarp.com/home_security.htm?toc=kerio for the faqs for Kerio. The Kerio web site has a forum. www.pcflank.com has a database of rules for some applications which need to connect to the web, it isn't for Kerio but the programs require the same rules regardless.

HTH

Delta.

[DavidR]

I too had the same problem with ports 25 and 110, and no matter what I tried Avast and outpost, I couldn't stealth the ports. In the end I enabled XP's firewall as well as Outpost and now it passes the grc stealth and all other tests.

Don't use the XP firewall on its own as it doesn't provide outbound protection.

[Lisandro]

I too had the same problem with ports 25 and 110, and no matter what I tried Avast and outpost, I couldn't stealth the ports.

Strange David, I tried right now and the results are always the same: stealthed.
Only the known port 113: http://www.grc.com/port_113.htm
It's not a lack of protection as you can read there...  

[bearmstead]

I think I figured out my problem. I deleted my rule for avast email scanner, opened Outlook Express, made a rule when the pop up came. When I went to grc.com, to run 'Shields Up', I forgot to apply my deny all Rules at the bottom of my ruleset. So when I started the test, grc.com asked permission to connect to avast & I being stupid gave permission, therefore failing the stealth. I went back & deleted the newest Avast rule, applied the deny all rules & low a behold I am STEALTH again. I must have done this a while ago, saw 2 rules for avast email scanner, combined the 2 rules & made 1 bad rule. Thanks for all the posts gentlemen.

[inthewildteam]

Just a reminder for anyone using a router/switch etc to connect, Shields Up might report your "live" side connection and show some ports as stealthed.  This would be the outward side internet connection ip address, not the internal ip address of the machine you are connecting with.  It is checking the router/switch not the machine.

[Lisandro]

Just a reminder for anyone using a router/switch etc to connect, Shields Up might report your "live" side connection and show some ports as stealthed.  This would be the outward side internet connection ip address, not the internal ip address of the machine you are connecting with.  It is checking the router/switch not the machine.

So, is it the only way a 'direct' connection? Changing the cables and removing the router?  

[Delta]

Hi bearmstead, just out of curiosity what do your new rules say?

Delta.

[bearmstead]

Let's start with Outlook Express, TCP - outgoing, local endpoint - any, application - OE msimn.exe, remote endpoint-any, port type-list of ports 25,110,119,143, rule valid-always, permit. Then the very next rule for OE is TCP & UDP - both directions, any port, msimn.exe, any address, any port, always permit. That's it for Outlook Express. Now the Avast email scanner rule is TCP outgoing,any port, ashmaisv.exe, any address, any port, always, permit. That rule is below the Outlook rules. That's it for me and I am stealth. Hope you can decipher the post & I hope it helps.

[Delta]

Thanks for posting them, but there are a few problems
the rules for Outlook Express should read:

Rule name:Allow loopback for OE
Protocol:TCP/UDP
Direction:Both
Local port:Any
Application:msimn.exe
Remote endpoint address:127.0.0.1 (=your own computer)
Remote endpoint port:25,110
Rule valid:Always
Action:Permit

This rule allows oe and Avast to communicate.
Then you want to block oe from connecting with absolutely any address on the web.

Rule name:Block Outlook Express
Protocol:TCP/UDP
Direction:Both
Local endpoint port:Any
Application:msimn.exe
Remote end point:Any address
Remote endpoint port:Any
Rule valid:Always
Action:Block

These 2 rules ensures that oe can only ever connect to Avast!
Now the rules for Avast email scanner.

Rule name:Allow Email scanner
Protocol:TCP
Direction:Outgoing
Local endpoint port:Any
Application:ashmaisv.exe
Remote endpoint Address:my internet service providers mail servers. Your ISP should have the addresses you need to connect to on their web site.
Remote endpoint port:25,110
Rule valid:Always
Action:Permit

Followed by

Rule name:Block Email scanner
Protocol:TCP/UDP
Direction:Both
Local endpoint port:Any
Application:ashmaisv.exe
Remote endpoint address:Any
Remote endpoint port:Any
Rule valid:Always
Action:Block

Also before these rules I block port 143 completely because I don't need it.

These rules ensure that Avast and oe can only connect to remote addresses that I trust (ie my isp mail servers and, in the case of oe, my computer only).

HTH
Delta.