Author Topic: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?  (Read 13999 times)


Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #15 on: October 01, 2011, 12:40:10 AM »
The exception for Avast was added to the exceptions in my XP firewall automatically.

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #16 on: October 01, 2011, 01:11:55 AM »
Here is a link to the outbound rules one person created for his system: http://npr.freei.me/firewallrules.html. BTW, this link does not work on my home PC but I connect fine to it at work; go figure. Note that this should be used as a rough guide only, since this person, for example, uses OpenDNS as his DNS provider. It is a good example of rules for svchost.exe. Note that his AV is MSE and that requires a rule for the BITS container service.

Next is a link to what I consider the definitive lay person tutorial on everything about the WIN 7 firewall: http://sourcedaddy.com/windows-7/understanding-windows-service-hardening.html. This tutorial is written in non-techno babble found on the MS TechNet site. The two sections I recommend reading first are 'Understanding Windows Service Hardening' and 'Understanding (Firewall) Rules Processing.' Note that the WIN 7 firewall does not process rules like most of the popular firewalls in existence today. These firewalls process rules in a top-down fashion.

Best to leave the WIN 7 outbound default rules in place till you really know what you are doing. Just add rules for your existing outbound Internet applications, primarily anything that requires updating. This would include the Avast applications that perform virus definition updating plus the avastsvc.exe program and the like. Finally, your browser, if using Avast's web shield, would optionally have to allow outbound TCP from any local port to localhost (127.0.0.1) remote port 12080. I say optionally since it appears the WIN 7 firewall will allow all outbound activity to localhost unless specifically overridden. You will also have to include a rule for https activity, TCP from any local port to remote port 443, for your browser.
« Last Edit: October 01, 2011, 01:21:12 AM by DonZ63 »

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #17 on: October 01, 2011, 04:28:48 AM »
I pretty much think that's gibberish and overkill. If you enable the outbound blocking in Win 7, it's not easy to manage things and you definitely have to make an outbound rule for svchost since Windows Update, Time, and probably a few other things will not work without it. If you leave the Firewall in its default state where all outbound is allowed, then of course you don't need to do anything. The Firewall Notifier greatly simplifies the handling of outgoing connections and should be a part of the Firewall to begin with, in my opinion.

That chart of rules is the very one I used to create rules that would let Windows Update and Time function. With the updated version of the notifier, it now detects the attempt of svchost to connect and lets you choose how to handle it. I tested it by deleting the rules I had created manually and then accessing Windows Update. It detected the connection attempt and I chose to allow it. To simplify my rules, I just accepted the default rule it created that allows all outbound connections. I don't think I need any specific rules for specific services and/or ports. That's just overkill in my opinion.

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #18 on: October 01, 2011, 03:55:07 PM »
Quote
I don't think I need any specific rules for specific services and/or ports.

I think it is important to understand how malware has evolved over time. Malware today hides itself. The days of firing up Task Manager and looking for strange processes running are long over.

Windows OSes have always included what I call "spawners." Simply put, these programs have the ability to create other processes on demand. However, the sub-processes run under the identity and name of the creator process. Hence the occurrence of multiple svchost.exe processes running any time you view running processes in Task Manager. There are other spawners like svchost.exe, most notably rundll32.exe, that require periodic examination.

As I stated previously, WIN 7 has tightened up the criteria under which the spawners can execute. However, malware creators are very clever and the ability to create new exploits is always present. Then there is the issue of what I call "grey" applications. Grey applications are programs created by legit vendors that are used for analyzing your computer activity for commercial purposes, aka non-malicious spyware, is how I classify them.

Unfortunately, only a few firewalls have the capability of recognizing and controlling spawning processes. Most are commercial firewalls. The only retail ones that I know of are the Vista and WIN 7 firewalls plus PrivateFirewall. I tried to install PrivateFirewall on my WIN 7 installation and it was a disaster.

Summing this up, if a person is really concerned about undesirable outbound activity, spawning processes cannot be ignored. One alternative is to force each subprocess to be shown individually as a separate svchost.exe entry, for example. The WIN 7 command, run from a command prompt window with admin privileges, is SC Config servicename Type= own. To restore the original state use the same command with Type= share. Ref: http://commandwindows.com/sc.htm
« Last Edit: October 01, 2011, 03:59:04 PM by DonZ63 »

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #19 on: October 01, 2011, 04:13:15 PM »
Quote
I don't think I need any specific rules for specific services and/or ports.

Pertaining to ports, the fundamental tenet of outbound firewall rule creation is to restrict outbound activity to specific protocols, ports, and ideally IP addresses or, if not possible, at least domain URLs. Simply put, the easiest way to determine if a "legit" outbound application is not really legit is to observe it using non-standard http/https ports or connecting to malicious/questionable IP addresses.

Forget using digital certificates as a failsafe way of determining if an application is legit. Digital signatures are being hacked every day.

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #20 on: October 02, 2011, 02:18:34 AM »
Quote
I don't think I need any specific rules for specific services and/or ports.

Pertaining to ports, the fundamental tenet of outbound firewall rule creation is to restrict outbound activity to specific protocols, ports, and ideally IP addresses or, if not possible, at least domain URLs. Simply put, the easiest way to determine if a "legit" outbound application is not really legit is to observe it using non-standard http/https ports or connecting to malicious/questionable IP addresses.

I have never done that with any firewall I have ever used and never had a problem. Like I said, I consider that overkill. I have no idea what other things use svchost besides Update and Time and I certainly don't want to have a different rule for each one of them. Considering the fact that the huge majority of home computer users are sufficiently protected by the default state of the Windows Firewall and a good AV product (especially if they are connected through a router), I often wonder why I even concern myself with having more than that, since I have been online since 1999 without a single infection. I was on dial-up from 1999 to 2004 and never even used any kind of a firewall at all. I only had first McAfee and then Norton AV and they caught every attempt that was made.

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #21 on: October 02, 2011, 03:57:38 PM »
Quote
Considering the fact that the huge majority of home computer users are sufficiently protected by the default state of the Windows Firewall and a good AV product(especially if they are connected through a router),

I agree with you 100% on this one. The main point is if you are protected by a good router or modem/router combo with a built-in firewall. The router should also have NAT, stateful inspection, and IPS protection in the form of denial of service attack protection. Note however that router safety can no longer be taken for granted. Millions of existing routers are susceptible to DNS rebinding exploits. Mine was hacked with this. Resolved it by creating a "honeypot" server on my router to trap those rebind attacks.

If a user does not have a router, then all versions of Windows Firewall would not be adequate since they could be hacked via a DoS or DDoS attack. Also with NAT missing, their actual sending ports would be exposed.

Again, outbound firewall protection is really only protection against yourself. If one keeps their PC free of malware and practices safe Internet usage, outbound firewall protection is redundant. Unfortunately, the first thing the average young PC user installs is peer-to-peer software that exposes his PC to the world.

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #22 on: October 04, 2011, 02:43:48 AM »
I finally got around to installing Windows Firewall Notifier. Got to say I am impressed by this little app. Does everything that the WIN 7 outbound firewall processing is missing. The WIN 7 world needs to really find out about this gem.

I also see the problem with limiting svchost.exe. WIN 7 appears to use it network-wise for a lot more than Win Updates and Time Updating. Probably if you want to limit its services you will have to create firewall rules for all the netsvcs items shown in Task Manager plus any application update services such as Adobe Reader, etc. A lot of work. Probably just allowing everything is OK due to the "hardening" the WIN 7 firewall applies. One still has to periodically examine what services are loaded to determine if an "undesirable" exists.

I did get an answer to the strange rundll32.exe dial-outs I have been experiencing. Appears WIN 7 is dialing out on port 443 to MS servers periodically. What it is doing is beyond me but I suspect it has something to do with run statistics and the like that MS is harvesting. Need to research that more. I did change the WFN rule to only connect to the MS server IP range. You definitely don't want to give unrestricted outbound access to rundll32.exe.

I also tightened up my IE8 rule to only connect to TCP 21, 443, and 12080. You really want to eliminate any port 80 outbound activity from your browser if you are using Avast's web shield.

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #23 on: October 04, 2011, 05:58:33 AM »
I have not gotten any notice for rundll. Is it included in the default rules? I don't use WebRep or anything else like it though.

If you open up Notifier again after it's activated, you can see all of the default rules of the Windows Firewall and there are quite a few allowing outbound connections for svchost. Why Windows Update and Time weren't included is a mystery to me. Making them break when you enable the outbound protection makes no sense to me at all. In my opinion, Microsoft needs to look at the Firewall Notifier and at least consider adding its functionality to the Windows Firewall.

I looked in the Task Manager just now and it doesn't show a single instance of svchost running. I always had multiple ones in XP. It did come up momentarily when I went to Windows Update but disappeared again as soon as WU was fully loaded. I guess this is part of the hardening they speak of?
« Last Edit: October 04, 2011, 10:08:32 AM by Dch48 »

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #24 on: October 06, 2011, 03:43:45 PM »
Quote
I looked in the Task Manager just now and it doesn't show a single instance of svchost running. I always had multiple ones in XP. It did come up momentarily when I went to Windows Update but disappeared again as soon as WU was fully loaded. I guess this is part of the hardening they speak of?

Sure doesn't sound right to me. You should have multiple instances of svchost.exe running at any given time. Remember that only a few svchost.exe services require internet access; most run on localhost only. You sure you are not filtering out the display of them in Task Manager?

I will be posting in the next couple of days the svchost services my WIN 7 x64 SP1 requires. I really should charge for this info since nowhere on the web could I find details on this.

In the meantime, a FYI:

I have found a somewhat "brute force" method of determining what svchost service is executing when a popup alert is generated by WFN. This works for WIN 7 x64 SP1. I also assume it will work for XP and Vista.

Note: Before adding any firewall rule for a svchost.exe service, determine that the service is a valid Windows or application generated service. Also remember that the service might be valid but intrusive e.g. Google update service, etc.

Allowing the svchost.exe service to execute as noted below could cause a leakage of data from your PC if the service is malicious. At present, I know of no way of determining what service requires outbound access until it does a network transmission. If the developer of WFN can figure out a way to display the short service name of a blocked svchost.exe request, he would have found the "Holy Grail" of Windows sub-tasking in my opinion.


1. Keep the WFN popup visible on the desktop and note the IP address and port shown.
 
2. Open a command prompt window as admin.

3. Enter the following, minus the quotes, after the command prompt: "netstat -anob". Do not press the Enter key yet.

4. Click on the Allow button on the WFN popup for svchost.exe. Immediately thereafter press the keyboard Enter key to execute the netstat command that was previously entered.

5. Scroll up in the command prompt window searching for the original blocked IP address. Once found, you will observe to the left on the same line the short name of the service that svchost requested.

Note that the netstat command will most likely display the program name that called svchost.exe. Therefore, you will not see the service short name listed under svchost.exe but under the calling program name.

6. Open up Task Manager and click on the Services tab and search for the full service name associated with the short name that was displayed as a result of the netstat command.

7. Delete the global allow firewall rule for svchost.exe that WFN generated.

8. Create a new WIN 7 firewall custom outbound rule for svchost.exe selecting the above appropriate service. For protocol I always use TCP and for destination/receiving ports I always use 80 and 443.




« Last Edit: October 06, 2011, 04:25:40 PM by DonZ63 »
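The two posts above describe a manual procedure: isolate a shared svchost group with "SC Config servicename Type= own" (Reply #18), then, when WFN pops up, run "netstat -anob" right after clicking Allow to learn which hosted service opened the connection and replace WFN's blanket svchost.exe rule with a rule scoped to that one service (Reply #24). The script below is an added example of the same procedure in PowerShell; it is not code from the forum thread, from WFN or from Avast. It assumes Windows 7 with PowerShell 2.0 or later and an elevated prompt, takes the remote address and port from the WFN popup, and uses `netstat -ano` plus WMI (PID to Win32_Service) instead of eyeballing `-b` output. The function names, the service name `wuauserv` and the endpoint `203.0.113.10:443` in the usage lines are constructed for illustration.

```powershell
# Added example (not from the forum thread, WFN or Avast). Assumes Windows 7,
# PowerShell 2.0+, an elevated prompt. Function names and the usage values
# (wuauserv, 203.0.113.10:443) are constructed illustrations.

function Get-OutboundConnectionOwner {
    # Map a remote endpoint (as shown on the WFN popup) to the PID that owns the
    # socket, its image name, and every service hosted inside that PID. For a
    # shared svchost.exe group several services come back; the caller is one of them.
    param(
        [Parameter(Mandatory=$true)][string]$RemoteAddress,
        [Parameter(Mandatory=$true)][int]$RemotePort
    )
    $target = "${RemoteAddress}:${RemotePort}"
    # 'netstat -ano' rows: Proto  Local Address  Foreign Address  [State]  PID
    # UDP rows have no State column, so the PID is always read from the last field.
    foreach ($line in (netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' })) {
        $f = $line.Trim() -split '\s+'
        if ($f[2] -ne $target) { continue }
        $procId = [int]$f[-1]
        $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
        $svcs = @(Get-WmiObject Win32_Service -Filter "ProcessId = $procId" |
                  Select-Object Name, DisplayName, PathName)
        New-Object PSObject -Property @{
            Protocol  = $f[0]; Remote = $f[2]; ProcessId = $procId
            Image     = $(if ($proc) { $proc.Name } else { '<exited>' })
            Services  = $svcs
        }
    }
}

function Split-SharedService {
    # Reply #18's 'sc config <name> type= own': run the service in its own
    # svchost.exe so netstat/Task Manager show it under a PID of its own.
    # 'sc' is an alias for Set-Content in PowerShell, so call sc.exe explicitly;
    # sc requires the space after 'type='. Takes effect on the next service start.
    param([Parameter(Mandatory=$true)][string]$ServiceName, [switch]$Restore)
    $mode = if ($Restore) { 'share' } else { 'own' }
    sc.exe config $ServiceName type= $mode
}

function New-ServiceScopedOutboundRule {
    # Reply #24 steps 7-8: instead of WFN's blanket 'allow svchost.exe' rule, add an
    # outbound rule that matches only one hosted service (netsh 'service=' keyword),
    # limited to TCP and to the post's default remote ports 80 and 443.
    param(
        [Parameter(Mandatory=$true)][string]$ServiceName,  # short name, e.g. wuauserv
        [int[]]$RemotePorts = @(80, 443),
        [string]$RemoteIP = 'any',                         # narrow to a range when known
        [switch]$Apply                                     # without it, only print the command
    )
    $svc = Get-WmiObject Win32_Service -Filter "Name = '$ServiceName'"
    if (-not $svc) { throw "No service named '$ServiceName' exists on this machine" }
    # A service= rule is only meaningful for a service that really runs inside
    # svchost.exe; a service with its own image needs a plain program= rule.
    if ($svc.PathName -notmatch 'svchost\.exe') {
        throw "'$ServiceName' runs from $($svc.PathName), not svchost.exe"
    }
    $netshArgs = @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=Allow_out_$ServiceName",
        'dir=out', 'action=allow', 'enable=yes',
        "program=$env:SystemRoot\System32\svchost.exe",
        "service=$ServiceName",
        'protocol=TCP',
        "remoteport=$($RemotePorts -join ',')",
        "remoteip=$RemoteIP"
    )
    if ($Apply) { & netsh.exe $netshArgs | Out-Null }
    return 'netsh ' + ($netshArgs -join ' ')   # the equivalent one-liner, for review
}

# Usage (constructed values, run while the WFN popup is still on screen):
#   Get-OutboundConnectionOwner -RemoteAddress 203.0.113.10 -RemotePort 443 |
#       Select-Object -ExpandProperty Services
#   Split-SharedService -ServiceName wuauserv        # own PID after next service start
#   New-ServiceScopedOutboundRule -ServiceName wuauserv          # print the netsh line
#   New-ServiceScopedOutboundRule -ServiceName wuauserv -Apply   # write the rule
```

The PID-to-service lookup is a snapshot, so, exactly as in the post's "click Allow, then press Enter" trick, it has to run while the connection still exists. If the PID turns out to host a whole shared group, `Split-SharedService` on the suspect service and a reboot or service restart turns the next popup into an unambiguous answer. A `service=` rule is matched by the firewall on the service's own identity rather than on the image path, which is why it stays narrow even though every member of the group is also svchost.exe.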

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #25 on: October 07, 2011, 09:52:31 AM »
Like I said in the other thread at ghacks, there are default rules in the Firewall allowing svchost to connect to ports other than 80 and 443 and using protocols other than TCP. The one I made for my home network had to allow all ports since I'd allow one and the next time a different one would come up. I even got one for port 0. I allowed all ports but restricted the IPs to the ones created by the router for the 3 different computers connected to it.

I still have no instances of svchost showing in Task Manager. Ahh, wait, I didn't have "Show processes from all users" checked. With that checked there are 11 instances of svchost running. None have given any alerts though except for Update, Time and elements of my network.
« Last Edit: October 07, 2011, 09:59:57 AM by Dch48 »

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #26 on: October 07, 2011, 03:50:34 PM »
I just posted a new inquiry on why avastsvc.exe is listening on port 135 and using the svchost.exe RpcSs service on the Internet. This is in spite of the fact I have it set to "connect to well known browsers" only?

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #27 on: October 09, 2011, 01:47:48 AM »
Had my first hiccup with WFN today. I was fooling around with my MBAM firewall rules and did something WFN didn't like. The result was a .Net error every time I opened WFN. The error was something to do with corruption in the WFN log file.

I tried to fix by uninstalling retaining my rules and settings, then deleted the WFN folder and restored it from the download. Still a no go. Then I shut down the PC for a while and when I rebooted later, magically WFN was fine. Go figure?

I did find out something in my testing that I asked Avast about and received a contrite answer to the issue. If you have web shield configured to check all outbound connections, it bypasses all Windows firewall outbound processing in the .1289 version! So I guess if you trust Avast, which I do not, then you don't have to do anything in regards to Windows firewall outbound processing. Just run web shield with full outbound connection scanning.


Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #28 on: October 09, 2011, 05:43:55 AM »
Why would you not trust Avast? I also don't completely understand what you mean when you say Avast bypasses all outbound rules. Do you mean while you're in the browser or at all times? I definitely get alerts for other applications trying to connect and I have the web shield set to scan everything so, it's not completely bypassing outbound rules. I'm not sure what "scan only well known browser processes" means so I haven't selected that option.

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #29 on: October 09, 2011, 03:37:12 PM »
I don't trust any "free" software. My mother taught me as a young boy that "there is no such thing as a free lunch." Now I am not implying anything malicious but stuff like spy and adware. More so in these tight economic times when everyone is scrambling to make a buck. That is my personal opinion.

As far as Avast web shield goes, first ensure that web shield is set to filter all outbound connections, i.e. the "well known web browser" box is unchecked. Next select an application that connects to the Internet (update is what I selected) and for which no outbound firewall rule exists. You can also just disable one of your existing outbound firewall rules for updating. Then perform an update action for that software. On my PC, the update succeeded. No blocked activity and no firewall alert from WFN.

My theory is web shield in this .1289 version is actually operating as a firewall and has somehow turned off portions of the WIN 7 firewall.