Author Topic: avast programs needing firewall holes  (Read 19048 times)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67197
Re:avast programs needing firewall holes
« Reply #15 on: December 31, 2004, 02:36:08 AM »
Weird?
I think not, but ashserv.exe never asked me for a connection.

avast.setup and ashmaisv.exe should be enough...  ::)
The best things in life are free.

gbark

  • Guest
Re:avast programs needing firewall holes
« Reply #16 on: December 31, 2004, 03:18:04 AM »
haertig,

Quote
I don't know why I'm the only one who has run into ashquick.exe needing to get out.  That's strange.

I hope someone here will correct me if I'm wrong. (I thought I was wrong once before, but I was mistaken.) ::)

Ashquick.exe is the module that does on demand file/folder scans. If you used that method to test your email alerts, perhaps that's why Ashquick.exe was flagged as requesting an outbound SMTP connection.

I went to the Avast SMTP configuration dialog and hit the "test" button and that's when I got the OP popup requesting approval for Ashserv's connection. Perhaps each has their own SMTP connection capabilities. If so, and you only have Ashquick configured, a real-time A-V hit might not be able to get that email back to you. Try the "test" button on your present configuration and check the logs.

By the way, Agnitum has a Christmas special until mid-Jan where if you buy OP for full price, $39.95, you get free upgrades for life! Such a deal. Here's the link: http://agnitum.com/christmas.html


haertig

  • Guest
Re:avast programs needing firewall holes
« Reply #17 on: December 31, 2004, 03:30:56 AM »
I get the ashquick.exe popup when I right-click on a virus file and choose "Scan with avast" option from the context menu.

Delta

  • Guest
Re:avast programs needing firewall holes
« Reply #18 on: December 31, 2004, 09:23:26 AM »
Quote
I get the ashquick.exe popup when I right-click on a virus file and choose "Scan with avast" option from the context menu.

Hi, I'm afraid I've just scanned the eicar file from the context menu and ashquick made no attempt to reach the internet.

Delta.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67197
Re:avast programs needing firewall holes
« Reply #19 on: December 31, 2004, 11:52:28 AM »
Quote
Ashquick.exe is the module that does on demand file/folder scans. If you used that method to test your email alerts, perhaps that's why Ashquick.exe was flagged as requesting an outbound SMTP connection.

I think not. ashserv.exe will take care of it.
ashquick.exe is the Quick avast scanner, used by the Explorer Extension and, if you set so, into your download manager, archive packer (winzip), etc.

Quote
I went to the Avast SMTP configuration dialog and hit the "test" button and that's when I got the OP popup requesting approval for Ashserv's connection. Perhaps each has their own SMTP connection capabilities.

This is the proof of what I posted before...

Quote
If so, and you only have Ashquick configured, a real-time A-V hit might not be able to get that email back to you. Try the "test" button on your present configuration and check the logs.

ashquick.exe could never be the on-line scanner...
The best things in life are free.

haertig

  • Guest
Re:avast programs needing firewall holes
« Reply #20 on: December 31, 2004, 04:56:34 PM »
I'm trying to attach a jpg showing ashquick.exe connecting outgoing.  After a couple of failed attempts to attach, maybe this one will work (?)  The attachment is a 50kb jpg

haertig

  • Guest
Re:avast programs needing firewall holes
« Reply #21 on: December 31, 2004, 05:16:15 PM »
I just installed avast on a second computer to see if connecting programs change.  This computer is running W2kpro ... same as the first computer I was using.  ashquick.exe still connects outgoing from here as well.  Also, I found two MORE avast programs that connect outgoing (these did not appear on the first computer ... yet!)

ashdisp.exe
ashsimp2.exe

Both of these attempted to connect to my SMTP server. [edit] Oops - might have been my POP3 or IMAP server.  I had already made my firewall rules generic (non-IP specific) before I posted this message, but the fact that I generi-sized the rule to ports 25, 110, 143 means it was SOME email related server that these new guys attempted to connect to! [/edit]

I have no problem with all these avast programs connecting.  I'm just trying to nail them all down to configure firewall rules for a computer that will soon be out of my immediate control.  Maybe I should just search the avast directories for all executable files and give them all access?   :-\
« Last Edit: December 31, 2004, 05:23:28 PM by haertig »

haertig

  • Guest
Re:avast programs needing firewall holes
« Reply #22 on: December 31, 2004, 05:26:35 PM »
Could this possibly be a bug in Kerio in that it is INCORRECTLY reporting which program is attempting to connect?  I've never run into that before, but with me being the only one finding these "other" programs connecting outgoing, it makes me wonder...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67197
Re:avast programs needing firewall holes
« Reply #23 on: December 31, 2004, 07:25:41 PM »
Quote
Could this possibly be a bug in Kerio in that it is INCORRECTLY reporting which program is attempting to connect?

Most probably not...
Are you in a home network?
Do you use a proxy server (or mail proxy server)?

If you disable Kerio, is avast working properly? Does it scan emails?
The best things in life are free.

haertig

  • Guest
Re:avast programs needing firewall holes
« Reply #24 on: December 31, 2004, 08:01:39 PM »
Quote
Are you in a home network?
Yes
Quote
Do you use a proxy server (or mail proxy server)?
No.  Well, not for email.  I do use a local proxy for web access (Proxomitron)
Quote
If you disable Kerio, is avast working properly? Does it scan emails?
There is no problem with avast working.  It has always worked fine, scanning emails, etc.  My original question was simply which avast programs need access to the Internet.  I have identified several, but I suspect there may be even more that need Internet access that I simply haven't discovered yet, having not hit the right sequence of events to trigger them. I was hoping to find a comprehensive list of ALL avast programs that may ever require Internet access, under whatever circumstances, so I could preconfigure them ALL in firewall rules before sending this computer off to its new (newbie) owner.  Once in its new home, the computer will not be on a home network anymore.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67197
Re:avast programs needing firewall holes
« Reply #25 on: December 31, 2004, 10:18:22 PM »
Proxomitron could be the 'bad guy' here.
Is this program redirecting the traffic to a local proxy (127.0.0.1 for instance)?
The problem is, why is Kerio asking for this access if no other firewall does?

Quote
I was hoping to find a comprehensive list of ALL avast programs that may ever require Internet access, under whatever circumstances, so I could preconfigure them ALL in firewall rules before sending this computer off to its new (newbie) owner.  Once in its new home, the computer will not be on a home network anymore.

Whatever circumstances is the problem here... your configuration could be different than the default one. I've already said that I have used avast for almost 2 years and only avast.setup for updates and ashMaiSv.exe, the avast email scanner, have asked for Internet connection.
« Last Edit: December 31, 2004, 10:44:51 PM by Technical »
The best things in life are free.

gbark

  • Guest
Re:avast programs needing firewall holes
« Reply #26 on: December 31, 2004, 10:38:29 PM »
haertig,

Things just get confuseder and confuseder don't they? :o ??? ::)
I noticed that, in your Kerio popup dialog, the description refers to aswquick.exe and the application refers to ashquick.exe. This had me thinking that, perhaps, you had a trojan copy, but when I examined ashquick.exe I see references to aswquick.exe throughout. I guess Alwil must have done a last-minute name change or something. Still, I have no idea why you're seeing these additional apps looking for internet access.

Technical,

I probably wasn't as clear as I could have been about ashquick.exe vs ashserv.exe. What I meant was that if an on-demand scan (which uses ashquick.exe, I believe) finds a virus, perhaps ashquick.exe would attempt the email connection itself thereby triggering Kerio's popup. I doubt it, but could ashquick's calling of ashserv.exe for the email processing somehow be read by Kerio as an attempt by ashquick?  Anyway, my thought was that if Kerio is configured for ashquick.exe and ashserv.exe is not, then the standard shield and other providers might not be able to get ashserv to send the alert via email. (Wow, I think may be even less clear than my first post!  :-\

I suppose that haertig could go for the safest/surest option and, as he suggested, configure all the Avast *.exe's for SMTP access. What could it hurt, as they say?

I love a mystery.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67197
Re:avast programs needing firewall holes
« Reply #27 on: December 31, 2004, 10:45:25 PM »
gbark
I'm leaving to wait for the New Year... I'll come back tomorrow  8)
The best things in life are free.

gbark

  • Guest
Re:avast programs needing firewall holes
« Reply #28 on: January 01, 2005, 02:04:54 AM »
Technical,

Enjoy the wait! I suspect it'll come soon enough.  ;) Today's my B'day so I always have lots to celebrate on New Year's Eve.  ;D

I couldn't stand to wait for haertig to post his latest discoveries (I suspect that he will continue digging into this mystery.) so I went into Avast's setup dialog and did the "Test" for email alert notification. Then I downloaded the EICAR text "virus" to a local folder and did an on-demand scan. Guess what? Ashserv.exe phoned home (well, to my work addy, actually) when I hit the "test" button, but, just as haertig first noted, ashquick.exe phoned home when the on-demand scan found the Eicar file.

Well, it's 8:00p.m. here in Michigan so I guess I'll go watch out the east windows for the new year myself.

Here's a Happy New Year wish for everybody! :)

Here's a copy of the appropriate Outpost firewall logs:

7:30:52 PM   ashquick.exe   mail.gl.centurytel.net   OUT    SMTP
7:29:26 PM   ashserv.exe    mail.gl.centurytel.net   OUT    SMTP
7:29:03 PM   ashserv.exe    mail.gl.centurytel.net   OUT    SMTP

Apparently, ashquick.exe does, in fact, have email capabilities built-in and handles the on-demand alert, while ashserv.exe handles the standard shield. I tried to have several of the Eicar files emailed to me, unfortunately (fortunately?  ???) my ISP has A-V filters that have apparently blocked the emails so I can't verify which Avast module would handle emailing alerts found by the internet mail A-V module.
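
Added example (not part of the original post, and not avast, Outpost or Kerio code): the three log lines quoted above can be reduced to one narrow outbound rule per program, host and port, as an alternative to allowing every avast executable out on any port. The column layout is assumed from those three lines, the protocol-to-port map uses the mail ports named earlier in the thread (25, 110, 143), and the rule strings are a hypothetical notation, not any firewall's real syntax.

```python
import re
from collections import defaultdict

# Column layout assumed from the log lines quoted in the post:
# time, AM/PM, process, remote host, direction, protocol.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<ampm>[AP]M)\s+"
    r"(?P<proc>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<dir>IN|OUT)\s+(?P<proto>\S+)\s*$",
    re.IGNORECASE,
)

# Protocol name -> TCP port (the three mail ports named in the thread).
PORTS = {"SMTP": 25, "POP3": 110, "IMAP": 143}

# First three lines are copied from the post; the last one is constructed
# to show how a line that does not fit the layout is handled.
SAMPLE_LOG = """\
7:30:52 PM   ashquick.exe   mail.gl.centurytel.net   OUT    SMTP
7:29:26 PM   ashserv.exe    mail.gl.centurytel.net   OUT    SMTP
7:29:03 PM   ashserv.exe    mail.gl.centurytel.net   OUT    SMTP
-- constructed line that does not parse --
"""

def summarize(log_text):
    """Return ({process: {(host, port)}}, [rejected lines]) for outbound entries."""
    seen = defaultdict(set)
    rejected = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        # Unknown layout or unknown protocol: keep for manual review, never guess.
        if m is None or m["proto"].upper() not in PORTS:
            rejected.append(line)
            continue
        if m["dir"].upper() != "OUT":
            continue
        seen[m["proc"].lower()].add((m["host"].lower(), PORTS[m["proto"].upper()]))
    return dict(seen), rejected

def narrow_rules(seen):
    """One rule per (process, host, port); hypothetical rule notation."""
    return sorted(
        f"allow out tcp {proc} -> {host}:{port}"
        for proc, targets in seen.items()
        for host, port in targets
    )

if __name__ == "__main__":
    seen, rejected = summarize(SAMPLE_LOG)
    print("\n".join(narrow_rules(seen)))
    print("needs manual review:", rejected)
```

Duplicate entries collapse into a single rule, and anything that does not match the assumed layout is returned for manual review rather than turned into a rule.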

haertig

  • Guest
Re:avast programs needing firewall holes
« Reply #29 on: January 01, 2005, 03:34:44 AM »
Quote
Proxomitron could be the 'bad guy' here.
Is this program redirecting the traffic to a local proxy (127.0.0.1 for instance)?
No, I do not think Proxomitron is the problem.  The first computer I noted ashquick.exe connecting does not have proxomitron installed.  My second testing computer does.  But Proxomitron is a local web proxy only.  No email capabilities.  I doubt that avast went out and just found this local proxy sitting there on port 8999 all by itself, and taught it how to handle SMTP protocol, without any help on my part.  ;-) And even if it did, I would not have experienced any firewall popups since Kerio is configured to allow Proxomitron out to any address, any port.  Sorry, just playing around a little here.  :-) Bottom line - the initial computer that alerted on ashquick.exe did not have Proxomitron installed.  I probably shouldn't have even mentioned Proxomitron in the first place since it's only installed on one computer and I now have two exhibiting the same behavior.
Quote
The problem is, why is Kerio asking for this access if no other firewall does?
That's the million dollar question.  But Kerio is not asking for any access.  It's just alerting me that ashquick.exe is asking for access.  I think it's all related to the way I'm starting my scanning.  Right-click on the file eicar.com, and select "scan with avast" from the popup context menu.  I believe it's that right-click triggered single file scan that runs ashquick instead of ashserv.
Quote
Whatever circumstances is the problem here... your configuration could be different than the default one. I've already said that I have used avast for almost 2 years and only avast.setup for updates and ashMaiSv.exe, the avast email scanner, have asked for Internet connection.
I guess my config may very well be different, although this is a brand new computer with a clean W2k install and very few other programs in place.  avast works well in my config.  I think I've decided on my planned course of action to handle the firewall rules, so this thread is more becoming an intellectual exercise in fine tuning our understanding of how avast works.  Which is great, by the way.  So continuing on in the discussion...

Do you have email alerting set up?  That's what I believe is triggering the access.  avast finds a virus (eicar), and is trying to send me an email telling me about its discovery.  This is a separate thing from scanning of normal incoming and outgoing email.  This is avast CREATING an email on its own (per my configuration).