Author Topic: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?

DonZ63

  • Guest
Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« on: September 26, 2011, 11:08:58 PM »
I ask this because I have seen in my event logs that avastsrv.exe is being blocked at boot time.

I have also reset the Win 7 firewall to default settings since installing Avast.

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #1 on: September 26, 2011, 11:39:11 PM »
Yes it does. The Avast service requires incoming to be allowed.

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #2 on: September 27, 2011, 02:02:46 AM »
Thanks.

BTW - I tried the paid ver. of Sphinx Win 7 Firewall Control. Didn't care for it. When I get time, I am going to try out this new freebie: http://www.neowin.net/news/windows-firewall-notifier-130

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #3 on: September 28, 2011, 01:12:43 AM »
That new one looks interesting but since it's very new, I expect it to have a few updates so I'll wait a while before trying it. I like that it just uses the default firewall and doesn't use a completely different one in conjunction with the built in one. That should make it much lighter weight.

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #4 on: September 28, 2011, 01:29:38 AM »
Quote
uses the default firewall and doesn't use a completely different one in conjunction with the built in one

From what I have gleaned from the minimal documentation for it, not exactly. It appears it is designed primarily to alert you to an outbound connection and then allow/block it. It then creates its own allow/block rule which cannot be modified. What is unclear is if you create your own detailed firewall rule for an outbound alert, it will create a WIN 7 firewall outbound rule.

As the "firewall notifier" name implies, I think all the software is designed to do is alert you to an outbound connection, you specify allow or block, and then later set up your own WIN 7 firewall rule and delete the rule Firewall Notifier generated.

At least it should provide good leak protection.

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #5 on: September 28, 2011, 07:11:05 AM »
There should be no need to add or remove anything to the windows firewall in default settings for avast.
Uninstall avast then reset your firewall and reinstall avast and things should work as they are supposed to, no exclusions necessary unless you enable outbound protection in the windows firewall.

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #6 on: September 28, 2011, 10:22:46 AM »
Yes, but if you enable outbound protection in the built-in firewall, it is very complicated to manually set up rules allowing it for apps since it will then block everything, including things like Windows Update. What I read about the firewall notifier is that it greatly simplifies the process by first enabling the outbound protection and then alerting you when attempts are made and letting you decide what to do from there. It then creates rules in the Windows firewall based on your decisions. The Win7 Firewall Control is actually another firewall built on top of the existing one and using the same APIs but it does a pretty good job, even in the free version, which is what I'm currently using.

Like I said, the notifier app looks interesting and I may try it out when it matures a little more.

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #7 on: September 29, 2011, 12:55:02 AM »
Quote
There should be no need to add or remove anything to the windows firewall in default settings for avast.

I agree that Avastsvc.exe does not require an inbound exception in the WIN 7 firewall since the WIN 7 firewall automatically handles inbound localhost which is needed for avastsvc.exe to function. In fact allowing avastsvc.exe inbound access is dangerous since any external inbound TCP port 80 activity should be the result of an outbound connection under stateful inspection criteria.

Exceptions to the above would be P2P activity.

There is the question about browser activity since outbound TCP port 80 activity from the browser should be blocked since that activity is being done by avastsvc.exe. I think I saw occasional TCP port 80 leakage from IE8 when I was using Comodo as my firewall which caused me to block TCP port 80 outbound from IE8.   

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #8 on: September 29, 2011, 02:27:49 AM »
Quote
There should be no need to add or remove anything to the windows firewall in default settings for avast.

I agree that Avastsvc.exe does not require an inbound exception in the WIN 7 firewall since the WIN 7 firewall automatically handles inbound localhost which is needed for avastsvc.exe to function. In fact allowing avastsvc.exe inbound access is dangerous since any external inbound TCP port 80 activity should be the result of an outbound connection under stateful inspection criteria.

Exceptions to the above would be P2P activity.

There is the question about browser activity since outbound TCP port 80 activity from the browser should be blocked since that activity is being done by avastsvc.exe. I think I saw occasional TCP port 80 leakage from IE8 when I was using Comodo as my firewall which caused me to block TCP port 80 outbound from IE8.

It doesn't seem to require an exception in the Windows Firewall but it certainly does in any other firewall you use. I had to allow incoming for the Avast service in both the PC Tools firewall and in Win 7 Firewall Control. I see no reason to block browser activity though.

I have uninstalled Win 7 Firewall Control and I'm trying the Firewall Notifier. There have been a few glitches so far. It did not recognize connection attempts by Ventrilo, a popular voice chat program used by gamers in particular, and I had to manually create an outgoing rule. It also is not allowing Windows Update to connect so I'll have to find the solution for that.

UPDATE: For some reason the Firewall Notifier app does not automatically allow Windows services like Windows Update, Windows Time, etc. to connect and does not give a notification when they attempt to. I fixed it by creating a rule to allow outbound for C:\Windows\System32\svchost.exe and now everything works as it should. The author of the program says that he has a new version almost ready to release that should fix the problems.
« Last Edit: September 29, 2011, 04:12:34 AM by Dch48 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #9 on: September 29, 2011, 01:51:33 PM »
This for me is somewhat strange, as inbound connections that are associated with the outbound connection are generally allowed back in without being molested. e.g. if avastSvc.exe makes an outbound connection request, its associated inbound response should be let in.

Essentially there should be no occurrence of an inbound connection to/for avastSvc.exe if it didn't originate the original outbound request.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
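
Added example (not part of the thread, and not Avast or Microsoft code): a toy Python model of the stateful inspection described in the reply above, showing that replies to an outbound connection pass without any inbound exception, and what an inbound exception additionally lets through. The addresses, the local proxy port 50000, the port-based exception and the loopback exemption are constructed assumptions for illustration.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str  # "out" or "in", relative to the protected host
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Toy model: outbound allowed, inbound blocked unless it matches state."""

    def __init__(self, inbound_exception_ports=()):
        self.flows = set()  # flows that were opened from the inside
        self.inbound_exception_ports = set(inbound_exception_ports)

    def check(self, p: Packet) -> str:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if src.is_loopback and dst.is_loopback:
            return "allow: loopback"  # assumption: localhost traffic is not filtered
        if p.direction == "out":
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "allow: outbound"
        # Inbound: accept only the mirror image of a flow we opened ourselves.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow: reply to tracked flow"
        if p.dport in self.inbound_exception_ports:
            return "allow: inbound exception"
        return "block: unsolicited inbound"

HOST = "192.0.2.20"  # constructed address of the protected PC
TRAFFIC = [          # constructed sample traffic
    Packet("out", "127.0.0.1", 49200, "127.0.0.1", 50000),  # browser -> local proxy
    Packet("out", HOST, 49201, "203.0.113.10", 80),         # proxy -> web server
    Packet("in", "203.0.113.10", 80, HOST, 49201),          # web server's reply
    Packet("in", "198.51.100.7", 40000, HOST, 50000),       # unsolicited, to proxy port
]

def run(inbound_exception_ports=()):
    """Return the verdict for each sample packet, in order."""
    fw = StatefulFirewall(inbound_exception_ports)
    return [fw.check(p) for p in TRAFFIC]

if __name__ == "__main__":
    for label, ports in (("no exception", ()), ("exception on 50000", (50000,))):
        print(label, run(ports))
```
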

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #10 on: September 29, 2011, 09:12:41 PM »
Quote
This for me is somewhat strange, as inbound connections that are associated with the outbound connection are generally allowed back in without being molested. e.g. if avastSvc.exe makes an outbound connection request, its associated inbound response should be let in.

Essentially there should be no occurrence of an inbound connection to/for avastSvc.exe if it didn't originate the original outbound request.

All I know is that the PC Tools Firewall says that Avastsvc.exe is attempting to behave as a server (which means incoming connection attempts) and you have to allow that. The Win 7 Firewall Control alerts to incoming so you have to choose "enable all" for it. My XP machine has an exception in the XP firewall to let avastsvc through. The Win 7 firewall seems to handle it differently or maybe Avast is now on its trusted list so it's allowed automatically.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #11 on: September 29, 2011, 10:04:16 PM »
Yes it has to act as a server as it is intercepting browser calls to connect to the internet so that traffic can be routed through the localhost proxy.

You click on a link or type in a URL in the browser
> redirect to Web Shield proxy
> Internet
< Web Shield proxy
< redirect to browser cache
displayed in browser.

So it is handling outbound connection request and subsequent inbound connection response. That is very loosely what a server does.

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #12 on: September 30, 2011, 01:09:27 AM »
Quote
UPDATE: For some reason the Firewall Notifier app does not automatically allow Windows services like Windows Update, Windows Time, etc. to connect and does not give a notification when they attempt to. I fixed it by creating a rule to allow outbound for C:\Windows\System32\svchost.exe and now everything works as it should. The author of the program says that he has a new version almost ready to release that should fix the problems.

Here's the scoop on svchost.exe on Vista and WIN 7. You have to create outbound rules for the container services that handle win updates and time resolution at a minimum or allow just svchost.exe by itself like you did once the firewall outbound protection is enabled. If you look at the default outbound rules, you will see default rules for DNS and DHCP so you don't have to create additional rules for those.

Now in the XP days, that is all you needed to allow svchost.exe to work and give you maximum protection from svchost.exe dial-outs from malware using it to run their own container services.

WIN 7 appears to use svchost.exe for other things that I haven't fully checked out yet. It also has something called "hardening" that MS states prevents malware from running its own container services although I fully don't buy it. You will get a warning when you try to create svchost.exe container service rules stating "hardening" feature and you really shouldn't create individual svchost.exe service rules.

I guess MS considers Google updater services OK since they run under svchost.exe and you won't even know it!

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #13 on: September 30, 2011, 03:54:39 AM »
Quote
Here's the scoop on svchost.exe on Vista and WIN 7. You have to create outbound rules for the container services that handle win updates and time resolution at a minimum or allow just svchost.exe by itself like you did once the firewall outbound protection is enabled. If you look at the default outbound rules, you will see default rules for DNS and DHCP so you don't have to create additional rules for those.

Now in the XP days, that is all you needed to allow svchost.exe to work and give you maximum protection from svchost.exe dial-outs from malware using it to run their own container services.

WIN 7 appears to use svchost.exe for other things that I haven't fully checked out yet. It also has something called "hardening" that MS states prevents malware from running its own container services although I fully don't buy it. You will get a warning when you try to create svchost.exe container service rules stating "hardening" feature and you really shouldn't create individual svchost.exe service rules.

I guess MS considers Google updater services OK since they run under svchost.exe and you won't even know it!

What I don't understand is why the Firewall Notifier program did not alert for svchost trying to connect. It's supposed to give alerts about all outgoing connection attempts. I have so far found three things it doesn't alert for: Ventrilo, the game DiRT3 (it does alert for incoming but not outgoing), and the Games for Windows Live framework. I had to manually make rules for those and in the case of GFWL, I had to look at the outgoing block log of the Notifier app to see what needed to be allowed. It was the LiveID component. Windows Firewall Notifier is a very new application and I'm sure it will get better in time.

UPDATE: There is a new version of the Firewall Notifier out, v1.3.2 and all the problems are fixed. It now notifies for all outgoing connection attempts like it should.  
« Last Edit: September 30, 2011, 04:17:30 AM by Dch48 »

Mr.Agent

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #14 on: September 30, 2011, 06:32:42 PM »
I never and never did put avast! on any Windows Firewall on any PCs I ever used... So I don't think you need to add something to it. No matter what versions of avast! or Windows.

Mr.Agent