Topic: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #30 on: October 09, 2011, 04:12:11 PM »
Well the web shield doesn't actually filter outbound connections, neither does it scan outbound content. It only redirects outbound http traffic through its proxy, so that the corresponding inbound traffic is also routed through the proxy and scanned.

So no it isn't acting as a firewall, the network shield monitors outbound connections in the fact it compares the domain against its malicious sites list.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #31 on: October 10, 2011, 04:52:44 PM »
I retested the web shield issue this morning with the same result. If it is set to filter all outbound connections, the Win 7 outbound firewall rules are bypassed. My theory on this as you pointed out, Avast web shield is running a proxy server on localhost, 127.0.0.1. By definition, proxy servers bypass firewalls creating in effect a "tunnel" connection. I don't know if this affects all firewalls but it most certainly does the WIN 7 firewall with outbound filtering set on.

As far as web processing goes, running a proxy server is fine. That is as long as you trust the proxy server. However for non-web outbound processing, the proxy is a security risk in that it is overriding the firewalls outbound rules.

I also would like to know what protection web shield provides. If all it is doing is checking IP addresses, I don't need it. I use MBAM PRO whose IP blocker is more effective in tests I have performed.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #32 on: October 10, 2011, 05:09:06 PM »
Most firewalls are smart enough to know what is using the localhost proxy. It shouldn't be creating any tunnel as you would surely already have a rule to allow avastSvc.exe that controls the shields, including the Web Shield and the localhost proxy.

You really should check out the avast help file as the web shield 'doesn't check IP addresses' so the MBAM IP checking doesn't hold a candle to what the web shield does (apples and oranges, chalk and cheese). See image extract of a little on the web shield in the avast help center/file.

Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #33 on: October 10, 2011, 05:26:09 PM »
Quote
select an application that connects to the Internet, update is what selected, and for which no output firewall rule exists. You can also just disable one of your existing outbound firewall rules for updating. Then perform an update action for that software. On my PC, the update succeeded. No blocked activity and no firewall alert from WFN.
I have experienced that same behavior with 3rd party firewalls that replace the Windows one. What I have determined is that some applications that update by connecting through IE (taking you to a web page like CCleaner does) will not produce an alert if there is a rule already in place that allows outgoing for the browser. Other applications that connect directly to a server without going through a web page first (MBAM for example) will always produce an alert and a corresponding rule will be created, but maybe not with the Web Shield checking everything.
« Last Edit: October 11, 2011, 12:16:14 PM by Dch48 »

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #34 on: October 10, 2011, 10:52:20 PM »
Quote
What I have determined is that some applications that update by connecting through IE (taking you to a web page like CCleaner does) will not produce an alert if there is a rule already in place that allows outgoing for the browser.
Thank you! CCleaner being able to connect w/o an outbound firewall rule was driving me crazy. Was just about to e-mail the WFN developer about a leak on CCleaner.

However, what I stated previously about applications that do not do updating via a browser still stands. I have tested with both MBAM and SpywareBlaster both of which have stand alone updaters.


DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #35 on: October 11, 2011, 01:06:24 AM »
This applies to WIN 7 only.

If you are using only an IPv4 router, I see a major issue with the WIN 7 firewall core inbound and outbound rules. They allow Teredo which is a tunneling IPv6 to IPv4 protocol. Numerous exploits to date have been documented with IPv6 to IPv4 tunneling. I have blocked both inbound and outbound rules. For additional protection I have also added rules to block the IPv6 protocol (type 41) for all connections both inbound and outbound.

Your choice.

BTW - IE8 now runs much better by the way.
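The blocking the post describes, written out as an added example (not code from the thread or from Avast): block the Teredo tunnel and anything carried in IP protocol 41 (6to4, 6in4, ISATAP) with netsh advfirewall, which ships with Windows 7. Rule names are my own choice, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example, not code from the thread or from Avast: block the IPv6
# transition tunnels named in the post on a Windows 7 host behind an
# IPv4-only router. Uses netsh advfirewall (built into Windows 7).
# Rule names are my own. Run from an elevated PowerShell prompt.

# In Windows Firewall an explicit block rule wins over an allow rule, so
# these rules override the built-in "Core Networking - Teredo" allow rules
# without editing them.
$tunnelRules = @(
    # Teredo clients reach their Teredo server on UDP/3544; blocking that
    # destination stops the tunnel from being negotiated in the first place.
    @{ Name = 'BlockTeredoOut'; Dir = 'out'; Proto = 'UDP'; Extra = 'remoteport=3544' },
    # 6to4, 6in4 and ISATAP encapsulate IPv6 directly in IPv4 protocol 41;
    # netsh accepts the raw protocol number.
    @{ Name = 'BlockProto41In';  Dir = 'in';  Proto = '41';  Extra = $null },
    @{ Name = 'BlockProto41Out'; Dir = 'out'; Proto = '41';  Extra = $null }
)

function Add-TunnelBlockRule {
    param([hashtable]$Rule)
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=$($Rule.Name)", "dir=$($Rule.Dir)", 'action=block',
                   "protocol=$($Rule.Proto)", 'enable=yes', 'profile=any')
    if ($Rule.Extra) { $netshArgs += $Rule.Extra }
    & netsh @netshArgs | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-RulePresent {
    param([string]$Name)
    $out = & netsh advfirewall firewall show rule "name=$Name"
    # netsh prints "No rules match the specified criteria." when nothing is found
    $misses = @($out | Where-Object { $_ -match 'No rules match' })
    return ($misses.Count -eq 0)
}

foreach ($r in $tunnelRules) {
    if (Add-TunnelBlockRule -Rule $r) { Write-Host "added $($r.Name)" }
    else { Write-Warning "netsh failed adding $($r.Name)" }
}

# Also switch the Teredo interface itself off so Windows stops trying to
# bring the tunnel up; this is independent of the firewall rules.
& netsh interface teredo set state disabled | Out-Null

foreach ($r in $tunnelRules) {
    if (Test-RulePresent -Name $r.Name) { Write-Host "verified $($r.Name)" }
    else { Write-Warning "rule $($r.Name) is missing" }
}
```

An inbound UDP/3544 rule is deliberately left out: a Teredo client receives its tunnel traffic on whatever source port it chose, not on 3544, so blocking that local port only matters on a host acting as a Teredo server. The protocol 41 rules and the disabled interface cover the client side.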


Dch48

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #36 on: October 11, 2011, 09:36:07 AM »
My new router is IPv6 capable where my old one wasn't. My ISP however, is not using IPv6 yet at all. Do you think I should still need those rules?

A question--why IE8 on Win7?

Update:--I found that I can't make a blanket rule blocking IPv6 because it still keeps giving alerts when things get blocked and that's too annoying. What I did was hit block when the alert came up for an IPv6 connection. That put the application in the exclusions list meaning it would now be blocked without a popup. I had a rule allowing connections for TCP and UDP and the program still connects that way but now blocks IPv6 attempts only.

I also found that DonZ is correct about the Web Shield. With the shield scanning everything, I deleted my MBAM rule and then tried to update it. It was in need of updating and it connected and started updating with no complaint from WFN. The strange thing was that when the downloading was almost finished, then the popup showed telling me that the connection had been blocked! The connection had already been made successfully. I then tried it with scanning known browser processes only and a big window immediately came up saying that the connection could not be made along with the WFN popup saying it had been blocked. No connection to the MBAM update server could be made until a rule was created allowing it. I can only conclude that the web shield does indeed bypass the Windows Firewall outgoing blocking (if it is enabled of course) if it is set to scan all traffic.
« Last Edit: October 11, 2011, 12:18:02 PM by Dch48 »
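The behaviour reported in replies #31, #32 and #36 comes down to one question: which local proxies are listening, and does the process behind each one already hold an outbound allow rule? If it does, any program that connects to that 127.0.0.1 port rides out under the proxy's rule and its own outbound rule never fires. The following added example (my code, not from the thread or from Avast) audits exactly that on Windows 7 by parsing `netstat -ano` and the verbose output of `netsh advfirewall firewall show rule`; the output layouts it matches are an assumption about those two tools.

```powershell
# Added example, not code from the thread or from Avast: list every TCP
# listener bound to loopback (or to all interfaces) with its owning
# executable, then cross-check against enabled outbound allow rules.
# Run elevated so that every process path is readable.

function Get-LoopbackListener {
    # Constructed sample of the netstat row format being parsed:
    #   TCP    127.0.0.1:12080    0.0.0.0:0    LISTENING    1234
    $rows = & netstat -ano -p TCP
    foreach ($row in $rows) {
        if ($row -match '^\s*TCP\s+(127\.[\d.]+|0\.0\.0\.0):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $ownerPid = [int]$Matches[3]
            $path = '?'
            try {
                $proc = Get-Process -Id $ownerPid -ErrorAction Stop
                # MainModule is unreadable for some system processes; keep '?'
                $path = $proc.MainModule.FileName
            } catch { }
            New-Object PSObject -Property @{
                Address = $Matches[1]; Port = [int]$Matches[2]; Pid = $ownerPid; Path = $path
            }
        }
    }
}

function Add-AllowedProgram($table, $rule) {
    if ($rule.Enabled -eq 'Yes' -and $rule.Action -eq 'Allow' -and $rule.Program -and $rule.Program -ne 'Any') {
        # Expand %SystemRoot% and friends so paths compare with what Get-Process reports
        $p = [Environment]::ExpandEnvironmentVariables($rule.Program).ToLowerInvariant()
        $table[$p] = $rule.Name
    }
}

function Get-OutboundAllowedPrograms {
    # Assumed layout: each rule starts with "Rule Name:", followed by
    # "Enabled:", "Action:" and (verbose only) "Program:" lines.
    $programs = @{}
    $cur = $null
    foreach ($line in (& netsh advfirewall firewall show rule name=all dir=out verbose)) {
        if ($line -match '^Rule Name:\s*(.*)$') {
            if ($cur) { Add-AllowedProgram $programs $cur }
            $cur = @{ Name = $Matches[1].Trim(); Enabled = ''; Action = ''; Program = '' }
        } elseif ($cur -and $line -match '^(Enabled|Action|Program):\s*(.*)$') {
            $cur[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($cur) { Add-AllowedProgram $programs $cur }
    return $programs
}

$allowed = Get-OutboundAllowedPrograms
foreach ($l in Get-LoopbackListener) {
    $key = $l.Path.ToLowerInvariant()
    if ($allowed.ContainsKey($key)) { $note = "outbound allow rule: $($allowed[$key])" }
    else { $note = 'no program-specific outbound allow rule' }
    if ($l.Address -eq '0.0.0.0') { $scope = 'ALL interfaces' } else { $scope = 'loopback only' }
    Write-Host ("{0}:{1}  pid {2}  {3}  [{4}; {5}]" -f $l.Address, $l.Port, $l.Pid, $l.Path, $scope, $note)
}
```

A listener on 0.0.0.0 rather than 127.0.0.1 is worth a second look: it is reachable from the LAN, not only from local programs, so the same rule-relay effect applies to other hosts that can reach the port.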

YoKenny

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #37 on: October 11, 2011, 03:06:42 PM »
Quote
This applies to WIN 7 only.

If you are using only an IPv4 router, I see a major issue with the WIN 7 firewall core inbound and outbound rules. They allow Teredo which is a tunneling IPv6 to IPv4 protocol. Numerous exploits to date have been documented with IPv6 to IPv4 tunneling. I have blocked both inbound and outbound rules. For additional protection I have also added rules to block the IPv6 protocol (type 41) for all connections both inbound and outbound.

Your choice.

BTW - IE8 now runs much better by the way.
IE9 is much better than IE8 on Win 7.

The 10 Best New Features in Internet Explorer 9
http://www.technobuffalo.com/internet/the-10-best-new-features-in-internet-explorer-9

DonZ63

  • Guest
Re: Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?
« Reply #38 on: October 19, 2011, 05:38:36 PM »
DCH keeps asking me about the acceptability of letting svchost run unfiltered for outbound network processing. Remember Conficker? Below is its high-level operational write-up.

[Edit] BTW - new strains on Conficker are back in the wild. So much so Sophos has a new scanner/removal tool for it.

This is just one of a multiple of malware that have used svchost in the past. My opinion is that the lack of svchost.exe protection is the "dirty little secret" of the third party retail firewall industry.

A Static Analysis of Conficker

Like most malware, Conficker propagates itself in the form of a packed binary file. Our first step in analyzing Conficker consists of undoing the work of the packers and obfuscators to recover the original malware binary code. Conficker is propagated as a dynamically linked library (DLL), which has been packed using the UPX packer. The DLL is then run as part of svchost.exe and is set to automatically run every time the infected computer is started. After unpacking, we find that the UPX packed binary file is not the original code but incorporates an additional layer of packing. We use IDA Pro to remove this second layer of obfuscation and dump the original code from memory. To do so, we first run the Conficker service, snapshot the core Conficker library as a memory image, and from this code segment reconstruct a complete Windows executable program. The program requires a PE-header template, and we compute an entry point that allows the program to enter Conficker's code segment. This appears to be a clever way of making the analysis of Conficker a bit more challenging than usual. We now describe the static analysis of the original code, which reveals the full extent of the malware logic and capabilities.


Ref: http://mtc.sri.com/Conficker/
« Last Edit: October 19, 2011, 10:51:49 PM by DonZ63 »
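The post's concern is svchost.exe getting a blanket outbound allow. Windows Firewall does not have to be used that way: a rule can be scoped to one service hosted inside svchost through the `service=` parameter of netsh advfirewall, so with the outbound default set to block only the named services get out and a DLL injected into some other svchost instance does not inherit the permission. The following is an added example (my code, not from the thread); the services and ports are an illustration rather than a complete allowlist for a real machine, the rule names are my own, and it assumes an elevated prompt on Windows 7 or later.

```powershell
# Added example, not code from the thread: allow outbound traffic for
# specific svchost-hosted services only, then make block the default
# outbound action. Service names and ports below are illustrative; build
# a real allowlist from what the host actually needs.

$svcRules = @(
    @{ Name = 'AllowSvchost-DnsClient';     Service = 'Dnscache'; Proto = 'UDP'; Port = '53' },
    @{ Name = 'AllowSvchost-DnsClientTcp';  Service = 'Dnscache'; Proto = 'TCP'; Port = '53' },
    @{ Name = 'AllowSvchost-WindowsUpdate'; Service = 'wuauserv'; Proto = 'TCP'; Port = '80,443' },
    @{ Name = 'AllowSvchost-TimeSync';      Service = 'W32Time';  Proto = 'UDP'; Port = '123' }
)

$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Add-ServiceScopedAllowRule {
    param([hashtable]$Rule)
    # 'service=' restricts the rule to one service inside the svchost process;
    # 'program=' alone would cover every service hosted by svchost.exe.
    & netsh advfirewall firewall add rule "name=$($Rule.Name)" dir=out action=allow `
        "program=$svchost" "service=$($Rule.Service)" `
        "protocol=$($Rule.Proto)" "remoteport=$($Rule.Port)" enable=yes profile=any | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Add the allow rules before flipping the default so name resolution and
# updates keep working through the change.
foreach ($r in $svcRules) {
    if (-not (Add-ServiceScopedAllowRule -Rule $r)) { Write-Warning "failed: $($r.Name)" }
}

# Default outbound action becomes block for every profile; anything not
# covered by an allow rule, including every other service in svchost, is dropped.
& netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null

# Log dropped connections so that anything missing from the allowlist
# shows up in %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
& netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null

# Show the resulting svchost rules for review.
& netsh advfirewall firewall show rule name=all dir=out verbose |
    Select-String -Pattern 'Rule Name:\s+AllowSvchost-' -Context 0,12
```

`tasklist /svc` shows which services share each svchost instance, which is the quickest way to see what a per-service rule does and does not cover on a given host.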