ashWebSv.exe locking up browsing

Hi,

When I start my computer and start browsing, everything seems to be ok. Over time, some pages start to load corrupted and will eventually not load anymore. It took me a while to track it to ashWebSv.exe. Now I have that disabled and things are ok.

More info: It appears with IE6, IE7beta2, Firefox, Opera, so apparently not browser related.
When things start to go bad, my sniffer finds more and more packets with invalid checksums.

Avast 4.6.763
Windows XP-Pro SP2, and all security fixes up to date
Kerio 4.2.1

Obviously, I would like the Webshield active though :)

Please advise.

Thanks, peter

Peter,
WebShield does really filter your connections during browsing - but it does that on Winsock level, as a regular Winsock application. It does not modify individual packets in any way. The packet checksums are filled into the packet in the TCP/IP layer, way beyond Winsock.

Do you have any filtering modules enabled in Kerio? Ad-blocking or something like that?

Thanks.
Lukas.

No, no filtering. Maybe the invalid checksums have nothing really to do with the problem. I just noticed that. I traced the problem by looking at the traffic in Kerio. I found out that the browser was having problems accessing port 12080, netstat -a gave a quadzillion other ports being redirected through 12080. tcpview from sysinternals revealed that ashWebSv.exe was doing that, so I disabled that part of avast and browsing was ok again. I’ll sniff for some bad packets. I did not do that after disabling ashWebSv.

To be continued.

Peter,
connections are redirected from the original host port 80 (e.g. www.google.com:80) to localhost, port 12080. On this port listens WebShield (ashWebSv.exe), which reconnects to the webserver the browser originally intended (www.google.com:80).

Knowing this, you have to configure your firewall to allow:

  1. browsers to connect to localhost:12080
  2. webshield (ashwebsv.exe) to listen on localhost:12080
  3. webshield (ashwebsv.exe) to accept the connections from localhost:anyport
  4. webshield to connect to webservers port 80.

L.
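Added example, not part of the original thread: a small Python script that summarises the two legs of the redirect described above (browser to localhost:12080, and the proxy process to remote port 80) from saved netstat output, so a build-up of connections on port 12080 can be counted by TCP state. It assumes the Windows `netstat -ano` column layout; the sample text and PIDs are constructed.

```python
from collections import Counter

PROXY = "127.0.0.1:12080"   # WebShield's local port, as given in the post above

# Constructed `netstat -ano` excerpt (Windows column layout); PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:1045         127.0.0.1:12080        ESTABLISHED     3148
  TCP    127.0.0.1:12080        127.0.0.1:1045         ESTABLISHED     1820
  TCP    127.0.0.1:1046         127.0.0.1:12080        CLOSE_WAIT      3148
  TCP    127.0.0.1:1047         127.0.0.1:12080        CLOSE_WAIT      3148
  TCP    192.168.1.10:1050      203.0.113.5:80         ESTABLISHED     1820
  UDP    0.0.0.0:445            *:*                                    4
"""

def proxy_report(netstat_text, proxy=PROXY):
    """Summarise TCP sockets that involve the local proxy port."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Keep only complete TCP rows: proto, local, remote, state, pid.
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            rows.append(parts[1:])

    # Which process owns the listening socket on the proxy port?
    listener_pids = {int(pid) for local, _, state, pid in rows
                     if local == proxy and state == "LISTENING"}

    client_states = Counter()    # browser -> proxy leg
    upstream_states = Counter()  # proxy process -> web server :80 leg
    for local, remote, state, pid in rows:
        if remote == proxy:
            client_states[state] += 1
        elif int(pid) in listener_pids and remote.endswith(":80"):
            upstream_states[state] += 1

    return {"listener_pids": sorted(listener_pids),
            "client_states": dict(client_states),
            "upstream_states": dict(upstream_states)}

if __name__ == "__main__":
    print(proxy_report(SAMPLE))
```

An empty `listener_pids` means nothing is listening on the proxy port; a client leg dominated by states other than ESTABLISHED is worth comparing against the time browsing starts to fail.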

Hi L,

I still get enough tcp errors and browsing is no problem at the moment, so it might be “normal” for my connection. Anyway, I don’t really think it’s a firewall problem because:

1 - it does not come immediately, but only after a while, sometimes a couple of hours, browsing.
2 - there are no processes blocked in the firewall, I keep them on allow or ask, because I like to know what happens…
3 - I have had the firewall disabled completely to see if the problem was firewall related.

But to be sure I allowed webshield explicitly to do whatever it wants. Have to reboot to get webshield active again though. Until now, without webshield, no problems.

Thanks, Peter

Is there some kind of logging option that could possibly show what webshield is doing???

Thanks, Peter

Kind of.

Edit avast4.ini, find the section [WebScanner] and add the line: EnableLogging=1

There will be a log file created in c:\program files\alwil software\avast4\data\log\ashwebsv.log

Lukas.

Well, no luck so far. With the webshield disabled, no problems. This morning, after reactivating webshield I had 15 minutes of undisturbed browsing when things started to go bad again. The only probably interesting thing I could see in the log is:

15-3-2006 8:38:37,"http://www.cichlitopia.be/phpBB2/templates/Cichlitopia/images/icon_minipost.gif","","GET",304,0,0,568,1354,1354,568,\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe,PID: 3148, SEQ: 1
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"http://www.cichlid-forum.com/phpBB/templates/subSilver/images/folder.gif","","GET",0,0,0,0,695,695,0,\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe,PID: 3148, SEQ: 1

After stopping the webshield and hitting refresh on the browser windows, things were back to normal again…

Please advise, Peter
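Added example, not part of the original thread: a Python parser for records shaped like the ashwebsv.log excerpt above, which counts the empty "Unknown process" records per timestamp and lists requests logged without a status. The field meanings are assumptions inferred from the excerpt (14 comma-separated fields, the fifth being the HTTP status); the sample lines and hostname are constructed.

```python
import csv
from collections import Counter

# Constructed sample in the shape of the ashwebsv.log excerpt posted above
# (straight quotes; forum.example is a placeholder hostname).
SAMPLE_LOG = r'''15-3-2006 8:38:37,"http://forum.example/images/icon_minipost.gif","","GET",304,0,0,568,1354,1354,568,\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe,PID: 3148, SEQ: 1
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"","","",0,0,0,0,0,0,0,Unknown process,PID: 0, SEQ: 0
15-3-2006 8:38:37,"http://forum.example/images/folder.gif","","GET",0,0,0,0,695,695,0,\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe,PID: 3148, SEQ: 1
'''

def parse_line(line):
    """Split one record; returns None for lines that do not fit the layout."""
    # Copy/paste through forum software can turn straight quotes curly; undo that.
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    row = next(csv.reader([line]), None)
    if not row or len(row) != 14:
        return None
    try:
        status = int(row[4])              # assumption: 5th field is the HTTP status
        pid = int(row[12].split(":")[1])  # field looks like "PID: 3148"
    except (ValueError, IndexError):
        return None
    return {"time": row[0], "url": row[1], "method": row[3],
            "status": status, "process": row[11], "pid": pid}

def summarize(text):
    """Count empty 'Unknown process' records and requests logged with status 0."""
    blank_by_time = Counter()
    no_status = []
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["pid"] == 0 and not rec["url"]:
            blank_by_time[rec["time"]] += 1   # empty record, no owning process
        elif rec["status"] == 0:
            no_status.append(rec["url"])      # request seen, no response status logged
    return {"blank_by_time": dict(blank_by_time),
            "no_status": no_status, "unparsed": unparsed}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run over the full log, the timestamps with the largest blank-record counts give the moments to correlate with firewall and netstat observations.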

Anyone?

After a couple of days undisturbed, but webshield-less browsing, I decided to activate it again… Within the hour it started causing page load failures again. IE says:

You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

After deactivating the webshield again things were back to normal…

Can anyone try to help me out on this, or do I need to search for another anti-virus program?

Peter

Apparently more people are experiencing similar problems with the websv.exe… Is there any news on this issue? I’ve read along the other problems and tried described solutions, without effect though.

Thanks, Peter

Hello Peter,
Why do you think there are more people experiencing the same problem?

To further narrow down the possible cause we might try to eliminate the redirecting part of WebShield. WebShield has low-level support in a driver that monitors outgoing connections to port 80 and redirects them to localhost, port 12080. If you delete the “80” in the redirected ports in WebShield configuration, redirect will not be active. You must then configure your browser to use localhost:12080 (WebShield) as your HTTP proxy.

Is the problem reproducible even in this setup?

I will look up what the “unknown process” lines in your log are in the meantime.

There are some threads about similar, not same, problems where webshield apparently influences browsing. I can not describe it more generally. It seems like I have the worst case there when after images and pages get corrupt, browsing stops completely.

Will do that and will keep you posted. Thanks for picking this up again!

Peter

This method gave me no problems… Do I understand correctly that avast works as a proxy this way and the other way as transparent proxy???

Then I put the settings back and the problem stayed away ??? I’ll keep trying and when I get the problem back again, I’ll try the proxy-way to see if that triggers the solution… (hope this makes any sense)

Thanks so far!

Peter

Trigger,
in fact the functionality of the WebShield application is always the same. It works as a proxy. The only difference is how the connection is directed to the WebShield app.

But if the redirecting part is the problematic place, it is most probably some conflict with a networking software on your comp. The work that is done in our driver during redirect is rather simple, just the address is patched in the request - but it may (theoretically) confuse some other software that might have already checked the destination address.

Do you have some other security software besides Kerio Firewall? Something that might be running as a LSP hook?

(you may display the list of loaded LSP modules with LSPFIX, downloadable from here: http://www.cexx.org/lspfix.htm) Can you post the list of LSP dlls that is displayed?

What about Kerio? Do you have “Web Filtering” enabled (Block advertisements, popups, scripts)? Although it should work correctly, this might be a potential source of some problems…

Thanks.
Lukas.

Kerio is not blocking web contents. I already disabled that to be sure. Other software, mmm, spywareblaster and spybot may be of influence.

lsp-fix gave me:

mswsock.dll - Tcpip
winrnr.dll - NTDS
NWWS2NDS.DLL - Novell Directory Service Name provider
NWWS2AP.DLL - Novell IPX/SPX SAP Name provider
NWWS2SLP.DLL - Novell SLP provider
nwprovau.dll - NWLink IPX/SPX/Netbios-compatibel transportprotocol
spampalLSP.dll (Protocol handler)
rsvpsp.dll (Protocol handler)

Peter

Still no problems anymore… Switching the settings may have set a problem right. There was a microsoft fix installed in between. Maybe that did the trick, but it seems like I am problem free now.

Thanks, Peter

Hello everybody! Thanks in advance for your help.
I am using avast home and when I browse it allows me to view the first page, then when I click the second page it comes up that the page has moved with a link, then when I click that I get coded pages. When I disable avast everything is fine, which defeats the purpose of having avast if I need to keep disabling it. Does anybody have this issue or know how I can resolve this issue? Thanks very much for all your help.

Joe, can you post more info about your computer?

  • Which OS are you using? Is it up to date?
  • What avast! version and VPS file (virus database) number?
  • What was the filename and path where the virus was found?
  • Which actions have you taken to try solving the problem?
  • Do you use a firewall? Which one?
  • Do you have any other antivirus installed in your system?
  • Any other security programs that could interfere?
  • Which browser are you using?