I noticed on my port explorer, after I close my firefox browser. ashwebsv.exe will stay connected until I actually go into webshield, terminate it and then restart it again.
I tested this a few times. Went to some websites, closed firefox and let it sit for over 24hrs. and ashwebsv.exe stayed connected to the sites the entire time. Any ideas on what is going on??
Does your port explorer go to the lengths to say exactly what this connection is as the web shield is always listening on its localhost port 12080 and not actually connected externally.
See image, example of my firewall used ports and you can see the web shield and the internet mail, note they are listening on the localhost:loopback not physically connected. I am obviously on-line but there still isn’t a connection as my activity is static whilst posting this.
Do you have any URLs we can test this on? Does that happen regularly or just from time to time ?
It’s not loopback 127.0.0.1 It has the actual ip address and say established. I just did it with Ebay. I will do again and see if can post a pic of the activity.
I can replicate this to some extent but I should say that I am currently using the avast beta release.
Normal case:
I open Firefox and go to the ebay site. Using Current Ports I see the connections to ebay from ashWebSv.exe.
I close Firefox - Current Ports shows the connections instantly come down and go to Close Wait state.
Partial replication:
I open Firefox and view the avast site.
I open another instance of Firefox and in that instance of Firefox I go to the ebay site. Using Current Ports I see the connections to ebay from ashWebSv.exe.
I close the instance of Firefox that is viewing the ebay site (the other instance of Firefox viewing the avast site is still open). In this case the ashWebSv.exe connections to the ebay site are maintained in Established status for a number of minutes (5-10) before they close. If, during the period, I terminate the instance of Firefox browsing the avast site then all the connections (including the lingering ebay ones) instantly close.
billman1037,
do you use the Firefox Preloader on your system?
The same problem can also be seen if the Firefox Preloader is used. In this case when the user terminates a Firefox session the Firefox process remains loaded. So in this case:
I open Firefox and go to the ebay site. Using Current Ports I see the connections to ebay from ashWebSv.exe.
I close Firefox but the ashWebSv.exe connections to the ebay site are maintained in Established status for a number of minutes (5-10) before they close.
Later edit: I just repeated the test and timed the delay in connection termination in my system - it is 4 minutes.
Nope…I don’t use firefox preloader.
Ok no pic…but here is one that has been active for over an hour after shutting down firefox:
209.62.180.191 - which I looked up on coolwhois and shows it to be double click, inc.
Ok…same deal…209.62.180.191 still connected.
Well no it isn’t … here is the file you just posted and then withdrew from your post …
--------------------------------------------------------------------------------------------------------------------------------------------------
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
--------------------------------------------------------------------------------------------------------------------------------------------------
| SYSTEM | --- | 4 | TCP | 0.0.0.0 | 445 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 4 | TCP | 192.168.1.7 | 139 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 4 | UDP | 192.168.1.7 | 137 | *.*.*.* | * | LISTENING | --- | --- |
| SYSTEM | --- | 4 | UDP | 0.0.0.0 | 445 | *.*.*.* | * | LISTENING | --- | --- |
| SYSTEM | --- | 4 | UDP | 192.168.1.7 | 138 | *.*.*.* | * | LISTENING | --- | --- |
| alg.exe | 12:25 05/02/2009 | 240 | TCP | 127.0.0.1 | 1025 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| lsass.exe | 12:25 05/02/2009 | 728 | UDP | 0.0.0.0 | 500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| lsass.exe | 12:25 05/02/2009 | 728 | UDP | 0.0.0.0 | 4500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 12:25 05/02/2009 | 992 | UDP | 192.168.1.7 | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 12:25 05/02/2009 | 992 | UDP | 127.0.0.1 | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 13:39 05/02/2009 | 1040 | UDP | 0.0.0.0 | 49659 | 4.2.2.2 | 53 | LISTENING | 1/40 | 1/70 |
| svchost.exe | 15:24 05/02/2009 | 1040 | UDP | 0.0.0.0 | 51426 | 4.2.2.2 | 53 | LISTENING | 1/36 | 1/76 |
| svchost.exe | 15:51 05/02/2009 | 1040 | UDP | 0.0.0.0 | 57518 | 4.2.2.2 | 53 | LISTENING | 1/33 | 1/80 |
| vsmon.exe | 12:25 05/02/2009 | 1684 | Other | 0.0.0.0 | 0 | 192.168.1.1 | 0 | LISTENING | 1/40 | 0/0 |
| ashwebsv.exe | 16:35 05/02/2009 | 3364 | TCP | 127.0.0.1 | 12080 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| ashwebsv.exe | 17:01 05/02/2009 | 3364 | TCP | 192.168.1.7 | 3681 | 8.14.104.66 | 80 | TIME_WAIT | 1/506 | 1/1 |
| ashwebsv.exe | 17:01 05/02/2009 | 3364 | TCP | 127.0.0.1 | 12080 | 127.0.0.1 | 3745 | TIME_WAIT | 2/1109 | 1/1 |
| ashwebsv.exe | 17:02 05/02/2009 | 3364 | TCP | 192.168.1.7 | 3998 | 8.14.104.67 | 80 | TIME_WAIT | 2/957 | 2/1161 |
| ashwebsv.exe | 17:04 05/02/2009 | 3364 | TCP | 127.0.0.1 | 12080 | 127.0.0.1 | 4143 | TIME_WAIT | 2/374 | 1/1 |
| ashwebsv.exe | 17:05 05/02/2009 | 3364 | TCP | 192.168.1.7 | 4252 | 74.125.242.25 | 80 | CLOSE_WAIT | 1/573 | 1/417 |
| ashwebsv.exe | 17:05 05/02/2009 | 3364 | TCP | 192.168.1.7 | 4255 | 76.13.218.11 | 80 | CLOSE_WAIT | 1/507 | 1/717 |
| ashwebsv.exe | 17:21 05/02/2009 | 3364 | TCP | 127.0.0.1 | 12080 | 127.0.0.1 | 1384 | LISTENING | 5/1385 | 2/2 |
| ashwebsv.exe | 17:22 05/02/2009 | 3364 | TCP | 192.168.1.7 | 1535 | 209.62.180.191 | 80 | LISTENING | 1/505 | 1/737 |
| ashwebsv.exe | 17:22 05/02/2009 | 3364 | TCP | 127.0.0.1 | 12080 | 127.0.0.1 | 1624 | ESTABLISHED | 3/19900 | 3/3 |
--------------------------------------------------------------------------------------------------------------------------------------------------
If the connection was being maintained then the port status would be ESTABLISHED - it clearly is not. I am not sure what PORT EXPLORER is reporting here with a LISTENING status.
thanks…I was trying to post my log like you did and screwed it up…that’s why it was removed.
Listening is maintaining the connection…if you look at the packet information being transfered, you can see this.
Listening - all TCP sockets that have a status of LISTENING, showing all listening ports.
Established - all TCP sockets that have a status of ESTABLISHED, showing all current connections.
So, the port is open and not closed. Normal behavior would be like my firefox connections. When I close firefox, the connections are closed and you don’t see anything in port explorer. So, still the same problem remains that ashwebsv.exe is not closing.
Agreed there is an issue.
The avast team has just issued a new release of the program - as you can see from a few posts down. I am using that new release. I rather suspect that someone will suggest that you establish that the problem continues for you with the new release (even though I rather doubt it will change the condition you are seeing).
You will note from the table you posted that a number of the connections that had been made by avast are in the proper closing status.
Is there any consistency about the connections that do not close properly (like for doubleclick or for ebay)?
For now I cannot replicate the “LISTENING” issue.
I have had this problem with other sites but I didn’t note the particular ip’s. The doubleclick was within Ebay. I will have to keep note of more instances.
I just updated to the new release. So, we will see. I’ll post back with more info.
If you are using firefox I would suggest that you use adblock plus and NoScript as that kills the likes of doubleclick.net stone dead.
I’m a bit confused - is this all about the connections in the TIME_WAIT and CLOSE_WAIT states?
In any case, I’d recommend the OP to update to the latest avast program version (4.8.1335) and post a new capture from port explorer.
Thanks
Vlk
I updated to avast program version (4.8.1335)…and no go
It’s random IP addresses that are listening through ashwebsv.exe…I really don’t think it has anything to do with one particular IP because as I remember from the past several days it has been various ones. I could be here forever trying to list each one cause it’s different everytime.
Thats part of the problem TIME_WAIT and CLOSE_WAIT states because they never close. The main problem is having open ports as you can see port 80 through ashwebsv.exe.
As stated before, normal behavior on all programs is once they are closed the connections are closed.
Here is another capture:
also, that screen capture was an hour after I had already closed firefox.
billman1037,
in the address bar of Firefox can you please enter:
about:config
and then tell us the value of your Firefox setting network.http.keep-alive.timeout?
Firefox setting network.http.keep-alive.timeout is the default setting as with my other pc. I have not touched that.
I spoke wrong earlier that it’s not a particular ip…cause i think that could be the problem. Though it’s probably many ip’s (ones that avast considers harmful).
I went to Facebook, closed firefox , and everything closed in ashwebsv.exe except one instance of 127.0.0.1 which is normal cause I have it running.
Now, as far as Ebay and certain other sites (I don’t remember the ones from the past several days). I’m thinking for some reason ashwebsv.exe gets stuck on a particular ip for example the 2 shown earlier:
209.62.180.191 (Double Click) and 66.235.132.145 (stat.esomniture.com)
…and when I close out firefox, ashwebsv.exe will sit on the IP it considers trouble and won’t close. Unless I terminate the webshield and start it again.