avast programs needing firewall holes

[haertig]

Is there a comprehensive list of avast programs, modules, etc. that may need to connect outgoing?  I am setting up firewall rules before I ship this new computer I am configuring to someone else, and I would like to preconfigure all the avast stuff before delivering the computer.  Below is what I've found and configured thus far. POP3 email only.  I realize I can tighten up "any_address" to my ISP's pop/smtp servers for the port25/110 listings.  I may or may not do that.  Is there a suggested tightening of the address/ports for avast.setup (this program appears to be gone now, after initial setup)?  Are there other avast programs that I've missed?

avast.setup  any_address/any_port
ashmaisv.exe any_address/ports_25_and_110
ashserv.exe any_address/ports_25_and_110
ashquick.exe any_address/ports_25_and_110

[RejZoR]

avast.setup  any_address/any_port
ashmaisv.exe any_address/ports_25_and_110
ashserv.exe any_address/any_port
ashquick.exe NO_NEED_FOR_CONNECTION

This should do the trick. I also assume that avast.setup and ashserv.exe use standard HTTP port 80 or 8080 for its updates.

[haertig]

Thanks for the quick reply!  I step out to get a cup of coffee and you've already replied.  

I do think that ashquick.exe needs to connect outgoing.  I added that firewall rule after seeing a firewall popup saying this program wanted to connect outgoing.  That happened when I was doing a test with eicar.com and seeing if avast could successfully email me an alert notification.

One thing that is funny is that avast.setup program.  It comes and goes.  During update attempts, it will be created in avast's setup folder.  Then it disappears after the update has finished.  Not moved to a "hidden" or "system" file ... it actually disappears ... and is subsequently recreated (temporarily) during the next update.  But it must be recreated identically each time because my firewall lets it out with the existing rule, which checks not only the file name, but it's MD5 signature as well.

I am a little concerned about the dynamic nature of avast.setup.  It's being created identically NOW, but I wonder about the future.  If it's MD5 signature ever changes, the firewall will block it.  And I'm not sure that the person I'm delivering the computer to will understand the firewall popup that says "avast.setup has been replaced by another program.  Do you want to accept this?"  Programs that have been replaced should always generate suspicion and investigation.  This may be beyond the knowledge-scope of newbies.  So if anyone knows the details on the dynamic avast.setup program I would appreciate being clued in.  That way I can explain to the newbie what to expect from the firewall/avast combination (Kerio 2.1.5 is the firewall).

Thanks!

[RejZoR]

We try to be the fastest when it comes to support

Strange,never saw ashQuick.exe requireing net connection
Yeah avast!.setup changes on program updates (or VPS maybe).
Almost all firewalls have option "Do not bug me again"
I'm almost sure that Kerio should have it too (Kerio 4.x is really bugging user for each and every small change).
Last resort solution could be some other firewall...

[Delta]

Hi, I use Kerio 2.1.5 and love it. But I have something you perhaps may have to consider.
If you are setting up Kerio for a newbie then what would happen when they install a new piece of software which requires an internet connection. The user will have to write the rule for him/herself (or allow Kerio to create an appropriate rule and not ask again for that app). Can you be sure that doing this will not create a very weak rule? Some thing like:
Allow any application to any address via any port, both inbound and outbound.
(And, yes, I have seen that once or twice, as well as a rule blocking an app completely followed by a rule allowing it internet access, and the user not being able to figure out what is wrong.)
That would totally screw up any hope of the firewall working as it should.
I hope you understand what I mean.

Delta.

Edit to add:
I have never seen ashquick require internet access. Also, I don't think Kerio can be set up to ignore the MD5's of a program.

[lee16]

And I'm not sure that the person I'm delivering the computer to will understand the firewall popup that says "avast.setup has been replaced by another program.  Do you want to accept this?"

Taking into consideration what the others have said, why not just teach the user how to use a firewall?

--lee

[haertig]

Thanks once again for the quick reply.

Yes, Kerio 2.1.5 has the "don't bug me again" option (they call it "create a rule"), however you should tie your firewall holes to specific programs at minimum, and optimally tie these rules to specific IP addresses, ports, protocols, directions (incoming vs. outgoing), etc. for maximum security.

So while I can tie a rule to "avast.setup", it is blown out of the water if the MD5 signature of that program changes.  There is no way to override this MD5 checking in Kerio that I know of (I will look deeper into the config however).  This is exactly the way I'd want a firewall to behave.  Because if avast.setup's MD5 has changed, then it is no longer avast.setup as far as the firewall (and myself) are concerned.  It could have been replaced by a malicious program.  There are many examples of malware trying to sneak out piggybacked on well know programs that are often granted carte blanche access in firewalls (IE comes to mind...)

The only reasonably secure firewall config setting I can imagine in Kerio to allow for a changing avast.setup would be:

"Allow any_program to connect outgoing to <IP_addresse(s)> on <port(s)>"

... where IP_addresses would have to be tightly configured  to avast update server(s) and port(s) similarly tightly configured.  any_program is required because that's exactly what avast.setup is.  This is not as tight as I'd prefer, but I suppose it would be acceptable.

Do we know all the avast servers and ports?  I imagine this could change over time so creating a firewall rule by trial and error probably wouldn't do the trick.  It's probably impossible anyway, given that new servers might be added over time.

I imagine the best setup for a newbie would be to tell them to always accept an MD5 change on avast.setup, and pray that some malware does not start targeting this particular program.  I might suggest for a future avast upgrade that avast.setup does NOT change dynamically.  Whatever it requires that must be changed dynamically should be handled in an external config file or equivalent storage OUTSIDE of the executable itself.

Thanks again for your help!

[haertig]

Delta and Lee16 - I totally agree with your comments regarding firewall use.  People need to know how to use what is installed.

However, the particular newbie I am concerned about is very computer illiterate (and elderly).  The chances of teaching appropriate security measures are pretty much nil unfortunately.  They wouldn't even know how to install a new program in the first place.  I have to do that for them via a remote connection.  Through a tightly configured firewall hole, I might add!  

The dillema is (1) All computer users should know what they're doing before going online, and (2) Some users are incapable of this.  I think that this class of users should not be thrown off the Internet if they have knowledgeable people willing to help support them.  I am willing to support in this case, so I'm basically setting up a computer to allow them to do only what I grant them and they must come to me for help for other situations.  The online activities that I'm granting are email, web browsing, remote support from me, and automatic updating of antivirus and WindowsUpdate.  I am a tad leerly of automatic WindowsUpdate given the history of some patches, so I'm still mulling over the best solution to that problem.  It goes without saying that I am also trying to lower them as a target by installing Thunderbird and Firefox instead of IE and outlook.  Same thinking goes for avast really.  Probably less targeted than norton or mcafee.  Other than the programs I have setup with firewall holes, everything else will be blocked.  Silently.  They will not be allowed to create new firewall rules.  They will surely be left wondering "what happened?" if I block something unexpected with the firewall ... which is why I asked my initial question about avast in the first place.

In playing with avast for this newbie's system, I think I have convinced myself to make the switch personally from my currently installed norton AV.  Avast really is a very nice program ... I'm glad I found it!

Thanks again for all the helpful replies.

[DavidR]

Just a thought (I could be wrong, often ), the mail provider may need access to the IMAP port depending on the users email program setup connects to an IMAP mail server.

ashmaisv.exe any_address/ports_25_110 and 143

Oops, welcome to the forums.

[gbark]

Boy, this is one terrific thread!

haertig,

FWIW, I use Outpost Pro v2.5 (OP) for my firewall and I've also noticed the phanthom Avast.Setup.exe app and had some difficulty configuring it to work with Avast 4.x.

OP also has a MD5 checksum checking module (called component controll (c-c)) however, with OP you can turn off c-c either altogether or for a particular app.

Here's my rulesets. Maybe you can see something you can use.

ASHMAISV.EXE
  TCP - outbound - Ports 25, 110, 995 (POPS if you need it.)
ASHSERV.EXE
  TCP - outbound - Port 80
  TCP - outbound - Port 80 - Loopback addy.
  No c-c
AVAST.SETUP.EXE
  TCP - outbound - Port 80
  TCP - outbound - Port 80- Loopback addy.
  No c-c

I had to add the loopback rules and turn off the c-c to finally get background and on-demand updates to get through.

You might want to check out Outpost. It's extremely configurable, works OOTB, and has that c-c per app option. It also fits in nicely with your (and my) preference for a slightly off-the-beaten-path firewall.  

Hope this has been a help.

Quick update. I tried the email notification myself and it's ASHSERV.EXE that seems to need the SMTP rule.

[Eddy]

Welcome to this board gbark.

Not bad for a first post.

[inthewildteam]

@ gbark

another happy Outpost user!  

[gbark]

Been lurking professionally for some time. Actually ever since version 4.5 blew up my OP firewall rules.  

Lots of great posts and info hereabouts. Keep up the great work

[haertig]

Thanks for the Outpost pointer, gbark.  I have heard of that firewall, but never tried it.  It's cc-per-app capability sounds like just the ticket for the problem I am currently faced with.  I've never needed that functionality before running into avast.setup.  I will investigate Outpost.  I will have to decide if paying for it (not free, I don't think) is worth the benefit of not requiring the newbie to accept MD5 changes with Kerio.  Also, I am very familiar with Kerio and not so with Outpost.  That's something to consider in a remote-support situation.

I think I didn't pickup on the loopback requirement because I have a generic "LAN bypass" rule in all my firewalls.  This allows unfettered access amongst all my computers to 127.0.0.1 and 192.168.0.0/24  I know that this is technically not the safest thing to configure, but I did it anyway for the convenience.  I know how to keep my computers clean (maybe!) and nobody else is allowed to plug into my LAN (cat5, no wireless).  Any WAN-side bad guys would have to get their spoofed (LAN) IP address through my rules based router first, before being able to exploit my firewall's LAN-bypass rule anyway.  It's good that you brought up the loopback requirement, so that I don't forget about this and incorrectly wipe out 127.0.0.1 when I delete/modify the LAN-bypass rule prior to sending the computer on. It won't be on a LAN after I'm done with it, so it won't need LAN-bypass, but it should have unfettered loopback.

I've strayed way off topic here (as usual for me!)  But at least we are still on target for security related issues, of which avast is a key component!

[haertig]

Quick update. I tried the email notification myself and it's ASHSERV.EXE that seems to need the SMTP rule.

I don't know why I'm the only one who has run into ashquick.exe needing to get out.  That's strange.  I'll try to play around a little more to see exactly what triggered it.  I guess I'm only halfway assuming that it was my outgoing email test.  But that's what my firewall popup coincided with.  Generally when I see an unexpected, but assumedly benign popup, I create a (temporary) allow rule "for this app, for this IP address, for this port" and then go back later and inspect the created rule to see if it needs modification or deletion.  ashquick.exe is the app that popped up for me.