Avast Update Problems

I was working at a customer’s workplace yesterday who have been complaining about popups from avast after a few minutes of starting the computer, and throughout the day, saying the updates could not be downloaded.

There are approx 15 PCs all running avast, it has been installed but had not been updating at all for about 2 years. We manually installed 4.7, which brought the connection failure popups.

We spent a while trying to figure it out.

While avast is searching for an update, avast.setup runs in processes. If you try to run an update while it is running, or try to change certain settings - avast will hang for 5-10 minutes, then it would come up with the error saying avast could not update. As soon as that popped up though, the updates would install.

The problem is that we can not get it to download automatically. Obviously asking someone in the building to manually update 15 computers, and the fact that it hangs and takes 5-10 minutes for each computer - isn’t really possible.

We NEED it to be automatic.

We checked all proxy settings and they are all correct, in both avast and internet explorer.
We tried auto detect, and manually entering them - with no luck.

We ran tracert to the avast update site - what we found is that it connected with the business’s server fine, but a few connections later (number 5) it timed out - yet still carried on and ended up connecting with the avast servers…

The avast servers file seems to be fine, and contains addresses of a bunch of servers.

I will try and find the error message being logged, my workmate wrote it down.

I did a search on it yesterday and found a lot of threads talking about proxy settings, but everything is configured correctly.

I am wondering if they are going to an off site server to do with the business which doesn’t like avast?

Cheers

I also have problems with Avast not connecting to the update server through a proxy (MS ISA SERVER). All settings - automatic, NTLM authentication or with a known good username and password do not work. It is a recent problem, and it probably has to do with changes in Avast or the update servers.

This is part of the log:

06.02.2007 17:53:03 package: GetPackages - set proxy for inet
06.02.2007 17:53:03 internet: SYNCER: Proxy company-dell-server:8080
06.02.2007 17:53:03 internet: SYNCER: Type: standard HTTP proxy (rfc2616,2617)
06.02.2007 17:53:03 internet: SYNCER: Auth: no authentication
06.02.2007 17:53:03 internet: SYNCER: Proxy l/p: internet/***
06.02.2007 17:53:03 general: InvalidateCurrent: invalidated server ‘Download59 AVAST server’ from ‘main’
06.02.2007 17:53:03 general: SelectCurrent: selected server ‘Download80 AVAST server’ from ‘main’
06.02.2007 17:53:03 package: GetPackages - set proxy for inet
06.02.2007 17:53:03 internet: SYNCER: Proxy company-dell-server:8080
06.02.2007 17:53:03 internet: SYNCER: Type: standard HTTP proxy (rfc2616,2617)
06.02.2007 17:53:03 internet: SYNCER: Auth: no authentication
06.02.2007 17:53:03 internet: SYNCER: Proxy l/p: internet/***
06.02.2007 17:53:03 general: InvalidateCurrent: invalidated server ‘Download80 AVAST server’ from ‘main’
06.02.2007 17:53:03 general: SelectCurrent: selected server ‘Download72 AVAST server’ from ‘main’
06.02.2007 17:53:03 package: GetPackages - set proxy for inet
06.02.2007 17:53:03 internet: SYNCER: Proxy company-dell-server:8080
06.02.2007 17:53:03 internet: SYNCER: Type: standard HTTP proxy (rfc2616,2617)
06.02.2007 17:53:03 internet: SYNCER: Auth: no authentication
06.02.2007 17:53:03 internet: SYNCER: Proxy l/p: internet/***
06.02.2007 17:53:03 general: InvalidateCurrent: invalidated server ‘Download72 AVAST server’ from ‘main’
06.02.2007 17:53:03 general: SelectCurrent: selected server ‘Download3 AVAST server’ from ‘main’
06.02.2007 17:53:03 package: GetPackages - set proxy for inet
06.02.2007 17:53:03 internet: SYNCER: Proxy company-dell-server:8080
06.02.2007 17:53:03 internet: SYNCER: Type: standard HTTP proxy (rfc2616,2617)
06.02.2007 17:53:03 internet: SYNCER: Auth: no authentication
06.02.2007 17:53:03 internet: SYNCER: Proxy l/p: internet/***
06.02.2007 17:53:03 general: InvalidateCurrent: invalidated server ‘Download3 AVAST server’ from ‘main’
06.02.2007 17:53:03 general: SelectCurrent: unable to find any suitable server in ‘main’
06.02.2007 17:53:03 general: progress end - 0
06.02.2007 17:53:03 general: progress thread end

How about a firewall? Maybe it’s blocking avast.setup from connecting to the servers?
The executable (avast.setup) changes from one version to another, so if the firewall stores a hash of the executable, it would detect a change and possibly block the access, even if it was allowed previously…

Hello all,

I can confirm this behaviour. Running avast home (free) for a couple of years, the problems just started this year. Seems like something has changed in the way automatic update works, just like PCSSL suggested. I will provide more info below:

NOTE that the setup mentioned below has not changed for the last 4 years. Plus, avast was operating just fine till the end of 2006, with regard to updates

  • No personal firewalls are installed at all, on all lan computers. Most are Windows XP/2000 boxes, some Win98 boxes are around as well
  • Proxy in the avast is set to “use internet explorer settings” (we use WPAD, web proxy autodiscovery protocol, for setting proxy ip and port)
  • Access to the internet is provided by a dedicated proxy/firewall system. No access at all is allowed from to LAN to Internet
  • All access to the Internet happens through the dedicated proxy/firewall system. That is (a) DNS requests (all lan pcs use the proxy/firewall as DNS server) and (b) HTTP/FTP access
  • The proxy used is Squid 2.6.12+, running on port 3128 of the firewall
  • In the web shield on some of the lan systems (not all) I have also included port 3128 in order for traffic via proxy to be scanned as well
  • Automatic update fails consistently, the red informational window appears.
  • Now the funny thing is that when the update fails, selecting manually Update → Program Update (or VPS update) works like a charm!

I have enabled a debug-level logging in order to produce more results. Really hope this problem can be resolved, I’m too happy with avast to switch to something else.

In the meantime, pls do ask me if there is some more information I can provide.

In continuation of my previous email, pls find attached some logs

Log from a failed automatic update:


22.05.2007	09:39:18.000	1179815958	general	Started: 22.05.2007, 09:39:18
22.05.2007	09:39:18.000	1179815958	general	Running setup_av_pro-3e9 (1001)
22.05.2007	09:39:18.000	1179815958	system	Operating system: WindowsXP ver 5.1, build 2600, sp 2.0 [Service Pack 2]
22.05.2007	09:39:18.000	1179815958	system	Computer WinName: PC3
22.05.2007	09:39:18.000	1179815958	system	Windows Net User: SYSTEM
22.05.2007	09:39:18.000	1179815958	general	Cmdline: /downloadpkgs /noreboot /updatenews /verysilent /nolog /limitcpu  
22.05.2007	09:39:18.000	1179815958	general	DldSrc set to inet
22.05.2007	09:39:18.000	1179815958	general	Operation set to INST_OP_UPDATE_GET_PACKAGES
22.05.2007	09:39:18.000	1179815958	general	Old version: 3e9 (1001)
22.05.2007	09:39:18.000	1179815958	general	SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
22.05.2007	09:39:18.000	1179815958	system	Computer DnsName: PC3
22.05.2007	09:39:18.000	1179815958	system	Computer Ip Addr: 192.168.0.150
22.05.2007	09:39:18.000	1179815958	internet	SYNCER: Type: use IE settings
22.05.2007	09:39:18.000	1179815958	internet	SYNCER: Auth: another authentication, use WinInet
22.05.2007	09:39:18.000	1179815958	package	Part prg_av_pro-3e9 is installed
22.05.2007	09:39:18.000	1179815958	package	Part vps-74200 is installed
22.05.2007	09:39:18.000	1179815958	package	Part news-4b is installed
22.05.2007	09:39:18.000	1179815958	package	Part setup_av_pro-3e9 is installed
22.05.2007	09:39:18.000	1179815958	package	Part jrog-6 is installed
22.05.2007	09:39:18.000	1179815958	general	Old version: 3e9 (1001)
22.05.2007	09:39:19.000	1179815959	file	SetExistingFilesBitmap: 1024->145->145
22.05.2007	09:39:19.000	1179815959	general	GUID: 0b772745-2fb4-44a5-b08f-60054c63fd14
22.05.2007	09:39:19.000	1179815959	general	Server definition(s) loaded for 'main': 125 (maintenance:0)
22.05.2007	09:39:19.000	1179815959	general	SelectCurrent: selected server 'Download90 AVAST server' from 'main'
22.05.2007	09:39:19.000	1179815959	package	GetPackages - set proxy for inet
22.05.2007	09:39:19.000	1179815959	internet	SYNCER: Type: use IE settings
22.05.2007	09:39:19.000	1179815959	internet	SYNCER: Auth: another authentication, use WinInet
22.05.2007	09:39:41.000	1179815981	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
22.05.2007	09:40:02.000	1179816002	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
22.05.2007	09:40:02.000	1179816002	general	InvalidateCurrent: invalidated server 'Download90 AVAST server' from 'main'
22.05.2007	09:40:02.000	1179816002	general	SelectCurrent: selected server 'Download2 AVAST server' from 'main'
22.05.2007	09:40:02.000	1179816002	package	GetPackages - set proxy for inet
22.05.2007	09:40:02.000	1179816002	internet	SYNCER: Type: use IE settings
22.05.2007	09:40:02.000	1179816002	internet	SYNCER: Auth: another authentication, use WinInet
22.05.2007	09:40:24.000	1179816024	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
22.05.2007	09:40:24.000	1179816024	general	InvalidateCurrent: invalidated server 'Download2 AVAST server' from 'main'

[snip: avast tries to check a whole lot more update servers with the same results]

22.05.2007	10:26:53.000	1179818813	general	SelectCurrent: selected server 'Download46 AVAST server' from 'main'
22.05.2007	10:26:53.000	1179818813	package	GetPackages - set proxy for inet
22.05.2007	10:26:53.000	1179818813	internet	SYNCER: Type: use IE settings
22.05.2007	10:26:53.000	1179818813	internet	SYNCER: Auth: another authentication, use WinInet
22.05.2007	10:27:16.000	1179818836	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
22.05.2007	10:27:16.000	1179818836	general	InvalidateCurrent: invalidated server 'Download46 AVAST server' from 'main'
22.05.2007	10:27:16.000	1179818836	general	SelectCurrent: selected server 'Download202 AVAST server' from 'main'
22.05.2007	10:27:16.000	1179818836	package	GetPackages - set proxy for inet
22.05.2007	10:27:16.000	1179818836	internet	SYNCER: Type: use IE settings
22.05.2007	10:27:16.000	1179818836	internet	SYNCER: Auth: another authentication, use WinInet
22.05.2007	10:27:39.000	1179818859	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
22.05.2007	10:27:39.000	1179818859	general	InvalidateCurrent: invalidated server 'Download202 AVAST server' from 'main'
22.05.2007	10:27:39.000	1179818859	general	SelectCurrent: unable to find any suitable server in 'main'
22.05.2007	10:27:39.000	1179818859	internet	tried 125 servers to get file 'servers.def.vpu', but failed (0x20000004)
22.05.2007	10:27:39.000	1179818859	file	GetNewerStampedFile:GetFileWithRetry failed: F:\TEMP\_av_proI.tm~a03900\onefile, servers.def.vpu, error: 0x20000004
22.05.2007	10:27:39.000	1179818859	package	Download servers.def, servers.def.vpu failed with error 0x20000004.
22.05.2007	10:28:01.000	1179818881	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
22.05.2007	10:28:22.000	1179818902	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
22.05.2007	10:28:22.000	1179818902	general	InvalidateCurrent: invalidated server 'Download202 AVAST server' from 'main'
22.05.2007	10:28:22.000	1179818902	general	SelectCurrent: unable to find any suitable server in 'main'
22.05.2007	10:28:22.000	1179818902	internet	tried 1 servers to get file 'servers.def', but failed (0x20000004)
22.05.2007	10:28:22.000	1179818902	file	GetNewerStampedFile:GetFileWithRetry failed: F:\TEMP\_av_proI.tm~a03900\onefile, servers.def, error: 0x20000004
22.05.2007	10:28:22.000	1179818902	package	Tried to download servers.def but failed with error 0x20000004.
22.05.2007	10:28:22.000	1179818902	general	Err:Cannot connect to download202.avast.com (75.126.120.196:80).
22.05.2007	10:28:22.000	1179818902	package	Transferred files: 0
22.05.2007	10:28:22.000	1179818902	package	Transferred bytes: 0
22.05.2007	10:28:22.000	1179818902	package	Transfer time: 0 ms
22.05.2007	10:28:22.000	1179818902	file	NeedReboot=false
22.05.2007	10:28:22.000	1179818902	general	Return code: 0x20000004 [Cannot connect to download202.avast.com (75.126.120.196:80).]
22.05.2007	10:28:22.000	1179818902	general	Stopped: 22.05.2007, 10:28:22

And this is a log of a successful check/update operation, by manually selecting update from the avast icon:


22.05.2007	10:35:20.000	1179819320	general	Started: 22.05.2007, 10:35:20
22.05.2007	10:35:20.000	1179819320	general	Running setup_av_pro-3e9 (1001)
22.05.2007	10:35:20.000	1179819320	system	Operating system: WindowsXP ver 5.1, build 2600, sp 2.0 [Service Pack 2]
22.05.2007	10:35:20.000	1179819320	system	Computer WinName: PC3
22.05.2007	10:35:20.000	1179819320	system	Windows Net User: PC3\xxxx
22.05.2007	10:35:20.000	1179819320	general	Cmdline: /stopstat /silent /noreboot  
22.05.2007	10:35:20.000	1179819320	general	Operation set to INST_OP_[16]
22.05.2007	10:35:20.000	1179819320	general	Old version: 3e9 (1001)
22.05.2007	10:35:20.000	1179819320	general	SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
22.05.2007	10:35:20.000	1179819320	internet	SYNCER: Type: use IE settings
22.05.2007	10:35:20.000	1179819320	internet	SYNCER: Auth: another authentication, use WinInet
22.05.2007	10:35:20.000	1179819320	package	Part prg_av_pro-3e9 is installed
22.05.2007	10:35:20.000	1179819320	package	Part vps-74200 is installed
22.05.2007	10:35:20.000	1179819320	package	Part news-4b is installed
22.05.2007	10:35:20.000	1179819320	package	Part setup_av_pro-3e9 is installed
22.05.2007	10:35:20.000	1179819320	package	Part jrog-6 is installed
22.05.2007	10:35:20.000	1179819320	general	Old version: 3e9 (1001)
22.05.2007	10:35:21.000	1179819321	package	Transferred files: 0
22.05.2007	10:35:21.000	1179819321	package	Transferred bytes: 0
22.05.2007	10:35:21.000	1179819321	package	Transfer time: 0 ms
22.05.2007	10:35:21.000	1179819321	file	NeedReboot=false
22.05.2007	10:35:21.000	1179819321	general	Return code: 0x20000001 [Nothing done]
22.05.2007	10:35:21.000	1179819321	general	Stopped: 22.05.2007, 10:35:21

One note: as you can see, when the automatic update runs, it runs under the SYSTEM account, whereas when the user manually starts the update process, it seems (not sure here, you are the experts here) that it runs under the specific user account that started the update process.

So I was wondering, whether this is the same mechanism as used by avast say 8 months ago, because before that time it worked just fine.

Anyways, hope these help. If you need more information pls do not hesitate to ask me.
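A way to automate the comparison made in the post above (added example, not code from the thread or from avast): it parses setup-log lines in both formats posted in this thread and reports which run attributes differ between a failed and a successful run. The function names are hypothetical, the sample lines are abridged from the logs above, and the name attached to 0x2EFD is WinINet error 12029, which the thread itself does not state.

```python
import re
from collections import Counter
from datetime import datetime

# Matches both log layouts seen in this thread:
#   "22.05.2007<TAB>09:39:18.000<TAB>1179815958<TAB>system<TAB>message"
#   "06.02.2007 17:53:03 internet: message"
LINE_RE = re.compile(
    r"^(\d\d\.\d\d\.\d{4})\s+(\d\d:\d\d:\d\d)(?:\.\d+)?\s+"
    r"(?:(\d{9,})\s+)?(\w+):?\s+(.*)$"
)

# WinINet error names (assumption: not given in the thread). 0x2EFD == 12029.
WININET_NAMES = {0x2EFD: "ERROR_INTERNET_CANNOT_CONNECT"}


def parse_line(line):
    """Return (timestamp, category, message), or None for non-log lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, _epoch, category, message = m.groups()
    when = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S")
    return when, category, message.strip()


def summarize_run(text):
    """Collect the fields that distinguish one setup run from another."""
    s = {"account": None, "cmdline": None, "proxy_type": None,
         "servers_invalidated": 0, "exhausted": False,
         "wininet_errors": Counter(), "return_code": None, "duration_s": None}
    first = last = None
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        when, _category, msg = parsed
        first = first or when
        last = when
        if msg.startswith("Windows Net User:"):
            s["account"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("Cmdline:"):
            s["cmdline"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("SYNCER: Type:"):
            s["proxy_type"] = msg.split("Type:", 1)[1].strip()
        elif msg.startswith("InvalidateCurrent:"):
            s["servers_invalidated"] += 1
        elif "unable to find any suitable server" in msg:
            s["exhausted"] = True
        elif (m := re.search(r"catch returned (0x[0-9A-Fa-f]+)", msg)):
            s["wininet_errors"][int(m.group(1), 16)] += 1
        elif (m := re.match(r"Return code: (0x[0-9A-Fa-f]+)", msg)):
            s["return_code"] = int(m.group(1), 16)
    if first:
        s["duration_s"] = int((last - first).total_seconds())
    return s


def diff_runs(a, b, fields=("account", "cmdline", "proxy_type")):
    """Return {field: (value_in_a, value_in_b)} for fields that differ."""
    return {f: (a[f], b[f]) for f in fields if a[f] != b[f]}


# Sample input: abridged from the two logs posted above ("|" stands for a tab).
FAILED_RUN = r"""
22.05.2007|09:39:18.000|1179815958|system|Windows Net User: SYSTEM
22.05.2007|09:39:18.000|1179815958|general|Cmdline: /downloadpkgs /noreboot /updatenews /verysilent /nolog /limitcpu
22.05.2007|09:39:18.000|1179815958|internet|SYNCER: Type: use IE settings
22.05.2007|09:39:41.000|1179815981|package|ERROR:HttpGetWininet, catch returned 0x00002EFD
22.05.2007|09:40:02.000|1179816002|package|ERROR:HttpGetWininet, catch returned 0x00002EFD
22.05.2007|09:40:02.000|1179816002|general|InvalidateCurrent: invalidated server 'Download90 AVAST server' from 'main'
22.05.2007|10:27:39.000|1179818859|general|SelectCurrent: unable to find any suitable server in 'main'
22.05.2007|10:28:22.000|1179818902|general|Return code: 0x20000004 [Cannot connect to download202.avast.com (75.126.120.196:80).]
""".replace("|", "\t")

MANUAL_RUN = r"""
22.05.2007|10:35:20.000|1179819320|system|Windows Net User: PC3\xxxx
22.05.2007|10:35:20.000|1179819320|general|Cmdline: /stopstat /silent /noreboot
22.05.2007|10:35:20.000|1179819320|internet|SYNCER: Type: use IE settings
22.05.2007|10:35:21.000|1179819321|general|Return code: 0x20000001 [Nothing done]
""".replace("|", "\t")

if __name__ == "__main__":
    failed, manual = summarize_run(FAILED_RUN), summarize_run(MANUAL_RUN)
    for code, count in failed["wininet_errors"].items():
        print(f"{WININET_NAMES.get(code, 'unknown')} (0x{code:04X}) x{count}")
    print(f"failed run lasted {failed['duration_s']} s, "
          f"return code 0x{failed['return_code']:08X}")
    for field, (bad, good) in diff_runs(failed, manual).items():
        print(f"{field}: failed={bad!r} manual={good!r}")
```

Run over the full log files from a working and a failing machine, the same diff narrows down what the two update paths do differently before any packet capture is needed.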

The only difference between manual and auto updates is that in the former case, avast.setup is spawned directly by the application from which you invoked the update. In the auto-update case, however, avast.setup is executed by ashServ.exe, the avast service. The service runs under the LocalSystem account, i.e. not under the account you’re currently logged on.

In old versions, all avast.setup’s were being executed by aswUpdSv.exe - the ‘avast iAVS4 Control Service’. In build 4.7.357, this service lost much of its importance and is used only when invoking manual updates from non-administrative accounts…

avast.setup changes with every program update. That is, its MD5 checksum changes as well… You need to tell the firewall that you don’t want to check the MD5 of this file, or at least update the stored MD5 hash to the one of the latest version.

For info about the IP addresses, please refer to the FAQ: http://www.avast.com/i_kat_81.html#idt_1366

Therefore, and if I understand correctly, what has changed over the last months is that in the automatic update case (which is the problematic one here), old versions of avast used the aswUpdSrv.exe service, whereas the newer versions utilize ashServ.exe for the same purpose.

The question in this case is: what became broken, with regard to auto-update, in the transition from aswUpdSrv.exe to ashServ.exe? IMHO this is a bug. How can this be filed as a bug for avast home, taking into account that I am an avast home free user? And can an even more verbose log be produced, to help the avast crew isolate this problematic behavior? Apologies for the questions, but manual update of the avast installations unfortunately is not an option. :-\

> avast.setup changes with every program update. That is, its MD5 checksum changes as well... You need to tell the firewall that you don't want to check the MD5 of this file, or at least update the stored MD5 hash to the one of the latest version.

Like I said in my first post here, there are no software firewalls installed (at least on most PCs that exhibit this odd problem). There is a central/"hardware" firewall and proxy combination, which I have installed and control as the network's administrator.

Last thing: as I said before, some LAN computers do update just fine. However I have yet not found what the systems with the problematic auto-update have in common :-\

maleas

> Last thing: as I said before, some LAN computers do update just fine. However I have yet not found what the systems with the problematic auto-update have in common

I cannot see where you gave this information before. If you have a configuration where some of the machines do auto-update without problems and some do not then there is a clear need to identify the differences between the machines, for I’m sure you will agree - that logically there must be differences.

The error you are reporting, x2EFD, differs from the report of the original poster in this thread and has most recently been found to be associated with blocking of the machine in question from access to the network. The most recent case was a block by a firewall. I understand that you have told us that none of the machines have a software firewall but it would suggest a possible course of investigation between those machines that do auto-update and those that do not.

You stand corrected, I had the false impression that I posted this piece of information in my previous posts…

> If you have a configuration where some of the machines do auto-update without problems and some do not then there is a clear need to identify the differences between the machines, for I'm sure you will agree - that logically there must be differences.

I'd agree, if
  1. those same machines which now fail to auto-update, also failed to auto-update 6 months ago. This is not the case.

  2. those same “problematic” machines failed also to manually update, which is also not the case.

Therefore, it feels as though this behaviour is strongly correlated to changes that might have taken place in the avast codebase over the course of the last 6-8 months…

> The error you are reporting, x2EFD, differs from the report of the original poster in this thread and has most recently been found to be associated with blocking of the machine in question from access to the network. The most recent case was a block by a firewall. I understand that you have told us that none of the machines have a software firewall but it would suggest a possible course of investigation between those machines that do auto-update and those that do not.

Stranger and stranger. If a software firewall was in place, I believe that blocking would affect both auto- as well as manual updating, iow both wouldn't work, which is not the case here.

I consider this to be an “interesting” problem (from a troubleshooter’s point of view). Perhaps you could be so kind and continue this investigation with me? With any luck I’ll be able to provide some more info to isolate this behaviour.

Key issue here is the way LAN PCs “find” the proxy/port to be used for Internet access. As I said this is provided automatically to client PCs via the WPAD protocol, which utilizes DHCP requests. It corresponds to the “Automatical detection” checkbox in control panel → internet options → Connections tab → LAN options button. Plus, in all LAN PCs, Avast is configured to use “Auto Detect (use Internet Explorer Settings)”.

Those who know me in this forum are very well aware that I have a “bee in my bonnet” on this update issue and yes, I do believe that the avast code is part of the problem. By that I mean that there are conditions that cause problems to the avast update process that the avast code could be more sensitive to or circumvent.

We have seen a number of documented cases (quite a few now in this forum) where users experience regular failures of the automatic update but have no problems at all with a manual update. These issues go back more than the few months you are considering. We have also seen cases where users are unable to perform automatic or manual updates.

If I were to characterize the responses they have been:

  1. network configuration errors by the user
  2. firewall configuration errors by the user
  3. firewall updates blocking where they did not previously
  4. updated avast programs no longer being permitted access by a firewall
  5. suggestions that write access to the system defined temporary directory was not permitted

There are documented cases where problems 1-4 have been proved. They become part of the folklore. There have also been instances where uninstalling avast and re-installing seem to have removed the problem and where uninstalling and re-installing a firewall have been effective. They were probably all examples of problems 1-4. One interesting recent case was one where the firewall was restricting svchost service network access. This was preventing certain DNS inquiries and, once permitted, the user reported that avast automatic updates functioned normally again.

I cannot think of any case of (5) that I have ever believed was provable and several cases where it beggared belief.

There have been instances that are also (at least to a degree) chronic. That is they occur for a while and then the problem disappears. I can think of one user who has reported the problem occurring, going away, coming back and then, alas, we heard no more from the user. Maybe it went away or maybe he did.

I was able to find one reproducible instance with one of the folks I support. This has become known as the “Microsoft Tuesday” issue where it appears that the Microsoft Automatic Windows update process can impair the ability of avast to perform its automatic update at startup. This appears to be more apparent when Microsoft updates are being distributed and when Microsoft is restricting access to its servers to prevent overload to them. In this case the symptoms reported by avast always indicate a failure to write to the Windows defined temporary file directory. We found that disabling the Windows Automatic Update service completely alleviated the problem for the avast automatic update at startup. In the last case recently reported in this forum the user was asked to disable the Windows Automatic Update service. Once that was done the avast automatic update at startup proceeded normally. As soon as the Windows Automatic Update service was restored the avast automatic update at startup failed again. Unfortunately the user made the choice to switch to AVG rather than continue to investigate the problem.

I think that summarizes what I know of the problem. It has not proved an easy one to track down and, not surprisingly, quite a few of the users who have experienced the issue do not have the time, interest or patience to work on diagnosis of the problem.

I rather suspect there may be more than one contributing factor here, but it would be good to eliminate any that we can. I also believe that the avast development team demonstrate a healthy skepticism that any problem exists in the automatic update process that I confess I find frustrating - so there may not be much input from them on problem isolation.

First and foremost, my sincere gratitude for your exemplary written and informative post! Being in tech support myself, I regret to admit that it is not every day that I see answers to bug reports/tickets of mine, of the same high level, even in paid services!

In the context of the specific problem I am experiencing now:

Nice categorization and a solid one. (2) and/or (3) would be a definite possibility, if also manual update failed.

> I was able to find one reproducible instance with one of the folks I support. This has become known as the "Microsoft Tuesday" issue where it appears that the Microsoft Automatic Windows update process can impair the ability of avast to perform its automatic update at startup. This appears to be more apparent when Microsoft updates are being distributed and when Microsoft is restricting access to its servers to prevent overload to them. In this case the symptoms reported by avast always indicate a failure to write to the Windows defined temporary file directory. We found that disabling the Windows Automatic Update service completely alleviated the problem for the avast automatic update at startup. In the last case recently reported in this forum the user was asked to disable the Windows Automatic Update service. Once that was done the avast automatic update at startup proceeded normally. As soon as the Windows Automatic Update service was restored the avast automatic update at startup failed again. Unfortunately the user made the choice to switch to AVG rather than continue to investigate the problem.

An interesting scenario and one I must add to the "test" cases I have in mind.

> I think that summarizes what I know of the problem. It has not proved an easy one to track down and, not surprisingly, quite a few of the users who have experienced the issue do not have the time, interest or patience to work on diagnosis of the problem.

Indeed, I also believe the "update problem" can have a large number of different factors.

> I rather suspect there may be more than one contributing factor here, but it would be good to eliminate any that we can. I also believe that the avast development team demonstrate a healthy skepticism that any problem exists in the automatic update process that I confess I find frustrating - so there may not be much input from them on problem isolation.

You have certainly provided me with a number of additional pointers to check for. Being stubborn as a mule myself, I loathe giving up on a problem of this magnitude. Taking into account avast’s positive facets, I prefer to work the problem through, instead of giving up. Uninstalling is an easy way out for many users, personally I consider it to be the equivalent of a nuke :)

I’m getting some packet captures from the firewall rig, to check what a problematic pc is sending. Plus, checking the different avast update options (direct/ie settings/manual specification) in order to narrow down the contributing factors.

Thank you once more and I hope we can continue this discussion with more data in hands.

Ok, seems like I have some more data, that tend to point towards proxy settings used for the auto-update. In all the following, the same Windows XP SP2-equipped PC was employed for the tests, to alleviate the possibility of different system configurations. Two scenarios are examined. Since there seems to be a maximum post length I will split these scenarios to different posts.

Scenario 1

  • Internet Options in the control panel are set to “Automatically detect Internet Explorer Settings”. The WPAD protocol is used for the PC to discover the ip address and port of the LAN proxy server.

  • In the avast options, the proxy is set to “Use Internet Explorer Settings” (hence, WPAD is used as well)

  • File c:\program files\alwil software\avast4\setup\setup.ini contains the following portion with regard to proxy used:


[Common]
Tooltip=b?MTE3MDgzOTc1Mw==
ZeroFootprint=0
NetAcc=1
NetIP=gw.our.domain
NetPort=3128
NetUser=
NetPwd=

IMPORTANT NOTES:

  1. NetAcc=1 above corresponds to use Internet Options from the Windows control panel.

  2. There is also another file, data\avast4.ini which also has references to proxy. In that other file, no matter which choice I select for proxy, the following lines remain constant:


[...]
[Common]
[...]
ProxySettings=Autodetect
ProxyAddress=
ProxyPort=0

Don’t know what this file is for.

With the previous in place, I get failed auto-update attempts as follows:


23.05.2007	09:34:03.000	1179902043	general	Started: 23.05.2007, 09:34:03
23.05.2007	09:34:03.000	1179902043	general	Running setup_av_pro-3e9 (1001)
23.05.2007	09:34:03.000	1179902043	system	Operating system: WindowsXP ver 5.1, build 2600, sp 2.0 [Service Pack 2]
23.05.2007	09:34:03.000	1179902043	system	Computer WinName: USERX
23.05.2007	09:34:03.000	1179902043	system	Windows Net User: SYSTEM
23.05.2007	09:34:03.000	1179902043	general	Cmdline: /downloadpkgs /noreboot /updatenews /verysilent /nolog /limitcpu  
23.05.2007	09:34:03.000	1179902043	general	DldSrc set to inet
23.05.2007	09:34:03.000	1179902043	general	Operation set to INST_OP_UPDATE_GET_PACKAGES
23.05.2007	09:34:03.000	1179902043	general	Old version: 3e9 (1001)
23.05.2007	09:34:04.000	1179902044	general	SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
23.05.2007	09:34:04.000	1179902044	system	Computer DnsName: USERX
23.05.2007	09:34:04.000	1179902044	system	Computer Ip Addr: 192.168.0.248
23.05.2007	09:34:04.000	1179902044	internet	SYNCER: Type: use IE settings
23.05.2007	09:34:04.000	1179902044	internet	SYNCER: Auth: another authentication, use WinInet
23.05.2007	09:34:04.000	1179902044	package	Part prg_av_pro-3e9 is installed
23.05.2007	09:34:04.000	1179902044	package	Part vps-74200 is installed
23.05.2007	09:34:04.000	1179902044	package	Part news-4b is installed
23.05.2007	09:34:04.000	1179902044	package	Part setup_av_pro-3e9 is installed
23.05.2007	09:34:04.000	1179902044	package	Part jrog-5 is installed
23.05.2007	09:34:04.000	1179902044	general	Old version: 3e9 (1001)
23.05.2007	09:34:14.000	1179902054	file	SetExistingFilesBitmap: 1024->145->145
23.05.2007	09:34:14.000	1179902054	general	GUID: cd26144a-e208-4014-82ae-a705be6769d0
23.05.2007	09:34:15.000	1179902055	general	Server definition(s) loaded for 'main': 125 (maintenance:0)
23.05.2007	09:34:15.000	1179902055	general	SelectCurrent: selected server 'Download34 AVAST server' from 'main'
23.05.2007	09:34:15.000	1179902055	package	GetPackages - set proxy for inet
23.05.2007	09:34:15.000	1179902055	internet	SYNCER: Type: use IE settings
23.05.2007	09:34:15.000	1179902055	internet	SYNCER: Auth: another authentication, use WinInet
23.05.2007	09:34:30.000	1179902070	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
23.05.2007	09:34:31.000	1179902071	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
23.05.2007	09:34:31.000	1179902071	general	InvalidateCurrent: invalidated server 'Download34 AVAST server' from 'main'
23.05.2007	09:34:31.000	1179902071	general	SelectCurrent: selected server 'Download91 AVAST server' from 'main'
23.05.2007	09:34:31.000	1179902071	package	GetPackages - set proxy for inet
23.05.2007	09:34:31.000	1179902071	internet	SYNCER: Type: use IE settings
23.05.2007	09:34:31.000	1179902071	internet	SYNCER: Auth: another authentication, use WinInet
23.05.2007	09:34:33.000	1179902073	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
23.05.2007	09:34:33.000	1179902073	general	InvalidateCurrent: invalidated server 'Download91 AVAST server' from 'main'
23.05.2007	09:34:33.000	1179902073	general	SelectCurrent: selected server 'Download33 AVAST server' from 'main'
23.05.2007	09:34:33.000	1179902073	package	GetPackages - set proxy for inet
23.05.2007	09:34:33.000	1179902073	internet	SYNCER: Type: use IE settings
23.05.2007	09:34:33.000	1179902073	internet	SYNCER: Auth: another authentication, use WinInet
23.05.2007	09:34:36.000	1179902076	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
23.05.2007	09:34:36.000	1179902076	general	InvalidateCurrent: invalidated server 'Download33 AVAST server' from 'main'
23.05.2007	09:34:36.000	1179902076	general	SelectCurrent: selected server 'Download42 AVAST server' from 'main'
23.05.2007	09:34:36.000	1179902076	package	GetPackages - set proxy for inet
23.05.2007	09:34:36.000	1179902076	internet	SYNCER: Type: use IE settings
23.05.2007	09:34:36.000	1179902076	internet	SYNCER: Auth: another authentication, use WinInet
23.05.2007	09:34:39.000	1179902079	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
23.05.2007	09:34:39.000	1179902079	general	InvalidateCurrent: invalidated server 'Download42 AVAST server' from 'main'
23.05.2007	09:34:39.000	1179902079	general	SelectCurrent: selected server 'Download52 AVAST server' from 'main'
23.05.2007	09:34:39.000	1179902079	package	GetPackages - set proxy for inet
23.05.2007	09:34:39.000	1179902079	internet	SYNCER: Type: use IE settings
23.05.2007	09:34:39.000	1179902079	internet	SYNCER: Auth: another authentication, use WinInet
23.05.2007	09:34:42.000	1179902082	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
23.05.2007	09:34:42.000	1179902082	general	InvalidateCurrent: invalidated server 'Download52 AVAST server' from 'main'


[...]

23.05.2007	09:40:45.000	1179902445	general	SelectCurrent: unable to find any suitable server in 'main'
23.05.2007	09:40:45.000	1179902445	internet	tried 125 servers to get file 'servers.def.vpu', but failed (0x20000004)
23.05.2007	09:40:45.000	1179902445	file	GetNewerStampedFile:GetFileWithRetry failed: C:\WINDOWS\TEMP\_av_proI.tm~a02472\onefile, servers.def.vpu, error: 0x20000004
23.05.2007	09:40:45.000	1179902445	package	Download servers.def, servers.def.vpu failed with error 0x20000004.
23.05.2007	09:40:46.000	1179902446	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
23.05.2007	09:40:47.000	1179902447	package	ERROR:HttpGetWininet, catch returned 0x00002EFD
23.05.2007	09:40:47.000	1179902447	general	InvalidateCurrent: invalidated server 'Download82 AVAST server' from 'main'
23.05.2007	09:40:47.000	1179902447	general	SelectCurrent: unable to find any suitable server in 'main'
23.05.2007	09:40:47.000	1179902447	internet	tried 1 servers to get file 'servers.def', but failed (0x20000004)
23.05.2007	09:40:47.000	1179902447	file	GetNewerStampedFile:GetFileWithRetry failed: C:\WINDOWS\TEMP\_av_proI.tm~a02472\onefile, servers.def, error: 0x20000004
23.05.2007	09:40:47.000	1179902447	package	Tried to download servers.def but failed with error 0x20000004.
23.05.2007	09:40:47.000	1179902447	general	Err:Cannot connect to download82.avast.com (75.126.53.173:80).
23.05.2007	09:40:47.000	1179902447	package	Transferred files: 0
23.05.2007	09:40:47.000	1179902447	package	Transferred bytes: 0
23.05.2007	09:40:47.000	1179902447	package	Transfer time: 0 ms
23.05.2007	09:40:47.000	1179902447	file	NeedReboot=false
23.05.2007	09:40:47.000	1179902447	general	Return code: 0x20000004 [Cannot connect to download82.avast.com (75.126.53.173:80).]
23.05.2007	09:40:47.000	1179902447	general	Stopped: 23.05.2007, 09:40:47

Scenario 2

  • Internet Options in the control panel are set to “Automatically detect Internet Explorer Settings”. The WPAD protocol is used for the PC to discover the ip address and port of the LAN proxy server. No change from scenario 1 in that respect.

  • In the avast options, the proxy is set to manual specification of proxy, with a proxy name of "gw.our.domain"

  • File c:\program files\alwil software\avast4\setup\setup.ini contains the following portion with regard to proxy used:


[Common]
Tooltip=b?MTE3MDgzOTc1Mw==
ZeroFootprint=0
NetAcc=2
NetIP=gw.our.domain
NetPort=3128
NetUser=
NetPwd=

IMPORTANT NOTES:

  1. NetAcc=2 above corresponds, from what I concur, to specifically use proxy gw.our.domain:3128

With the previous in place, I get the following:


23.05.2007	10:16:39.000	1179904599	general	Started: 23.05.2007, 10:16:39
23.05.2007	10:16:39.000	1179904599	general	Running setup_av_pro-3e9 (1001)
23.05.2007	10:16:39.000	1179904599	system	Operating system: WindowsXP ver 5.1, build 2600, sp 2.0 [Service Pack 2]
23.05.2007	10:16:39.000	1179904599	system	Computer WinName: USERX
23.05.2007	10:16:39.000	1179904599	system	Windows Net User: SYSTEM
23.05.2007	10:16:39.000	1179904599	general	Cmdline: /downloadpkgs /noreboot /updatevps /verysilent /tray /limitcpu  
23.05.2007	10:16:39.000	1179904599	general	DldSrc set to inet
23.05.2007	10:16:39.000	1179904599	general	Operation set to INST_OP_UPDATE_GET_PACKAGES
23.05.2007	10:16:39.000	1179904599	general	Old version: 3e9 (1001)
23.05.2007	10:16:39.000	1179904599	general	SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
23.05.2007	10:16:39.000	1179904599	system	Computer DnsName: USERX
23.05.2007	10:16:39.000	1179904599	system	Computer Ip Addr: 192.168.0.248
23.05.2007	10:16:39.000	1179904599	internet	SYNCER: Proxy gw.our.domain:3128
23.05.2007	10:16:39.000	1179904599	internet	SYNCER: Type: standard HTTP proxy (rfc2616,2617)
23.05.2007	10:16:39.000	1179904599	internet	SYNCER: Auth: no authentication
23.05.2007	10:16:39.000	1179904599	package	Part prg_av_pro-3e9 is installed
23.05.2007	10:16:39.000	1179904599	package	Part vps-74200 is installed
23.05.2007	10:16:39.000	1179904599	package	Part news-4b is installed
23.05.2007	10:16:39.000	1179904599	package	Part setup_av_pro-3e9 is installed
23.05.2007	10:16:39.000	1179904599	package	Part jrog-5 is installed
23.05.2007	10:16:39.000	1179904599	general	Old version: 3e9 (1001)
23.05.2007	10:16:40.000	1179904600	file	SetExistingFilesBitmap: 1024->145->145
23.05.2007	10:16:40.000	1179904600	general	GUID: cd26144a-e208-4014-82ae-a705be6769d0
23.05.2007	10:16:40.000	1179904600	general	Server definition(s) loaded for 'main': 125 (maintenance:0)
23.05.2007	10:16:40.000	1179904600	general	SelectCurrent: selected server 'Download207 AVAST server' from 'main'
23.05.2007	10:16:40.000	1179904600	package	GetPackages - set proxy for inet
23.05.2007	10:16:40.000	1179904600	internet	SYNCER: Proxy gw.our.domain:3128
23.05.2007	10:16:40.000	1179904600	internet	SYNCER: Type: standard HTTP proxy (rfc2616,2617)
23.05.2007	10:16:40.000	1179904600	internet	SYNCER: Auth: no authentication
23.05.2007	10:16:41.000	1179904601	general	Used server: http://download207.avast.com/iavs4x
23.05.2007	10:16:41.000	1179904601	general	Server definition(s) loaded for 'main': 125 (maintenance:0)
23.05.2007	10:16:41.000	1179904601	general	SelectCurrent: selected server 'Download100 AVAST server' from 'main'
23.05.2007	10:16:41.000	1179904601	package	GetPackages - set proxy for inet
23.05.2007	10:16:41.000	1179904601	internet	SYNCER: Proxy gw.our.domain:3128
23.05.2007	10:16:41.000	1179904601	internet	SYNCER: Type: standard HTTP proxy (rfc2616,2617)
23.05.2007	10:16:41.000	1179904601	internet	SYNCER: Auth: no authentication
23.05.2007	10:16:42.000	1179904602	general	Used server: http://download100.avast.com/iavs4x
23.05.2007	10:16:42.000	1179904602	general	Used server: http://download100.avast.com/iavs4x
23.05.2007	10:16:42.000	1179904602	package	Load C:\Program Files\Alwil Software\Avast4\Setup\prod-av_pro.vpu
23.05.2007	10:16:42.000	1179904602	package	LatestPartInfo: jrog = jrog-6
23.05.2007	10:16:42.000	1179904602	package	LatestPartInfo: news = news-4b
23.05.2007	10:16:42.000	1179904602	package	LatestPartInfo: program = prg_av_pro-3e9
23.05.2007	10:16:42.000	1179904602	package	LatestPartInfo: setup = setup_av_pro-3e9
23.05.2007	10:16:42.000	1179904602	package	LatestPartInfo: vps = vps-74201
23.05.2007	10:16:43.000	1179904603	general	Used server: http://download100.avast.com/iavs4x
23.05.2007	10:16:43.000	1179904603	package	Part vps-74201 was set to be installed
23.05.2007	10:16:43.000	1179904603	package	Removed obsolete file part-vps-74200.vpu
23.05.2007	10:16:43.000	1179904603	general	Part of license key: W1181341H3600A1106
23.05.2007	10:16:43.000	1179904603	package	FilterOutExistingFiles: 145 & 145 = 0
23.05.2007	10:16:43.000	1179904603	package	FilterOutExistingFiles: 145 & 145 = 0
23.05.2007	10:16:43.000	1179904603	package	IsFullOkay: vpsm-74201.vpu - not okay
23.05.2007	10:16:43.000	1179904603	package	IsFullOkay: vpsm-74201.vpu - not okay
23.05.2007	10:16:43.000	1179904603	package	IsFullOkay: vpsm-74201.vpu - not okay
23.05.2007	10:16:43.000	1179904603	package	IsFullOkay: vpsm-74201.vpu - not okay
23.05.2007	10:16:44.000	1179904604	general	Used server: http://download100.avast.com/iavs4x
23.05.2007	10:16:44.000	1179904604	package	DldPackage: C:\Program Files\Alwil Software\Avast4\Setup\vpsm-74201.vpu, returned 0x00000000
23.05.2007	10:16:44.000	1179904604	package	Removed obsolete file vpsm-74200.vpu
23.05.2007	10:16:57.000	1179904617	package	vps: needs to be updated [074201]
23.05.2007	10:16:57.000	1179904617	package	FilterOutExistingFiles: 145 & 145 = 0
23.05.2007	10:16:57.000	1179904617	package	Transferred files: 5
23.05.2007	10:16:57.000	1179904617	package	Transferred bytes: 21392
23.05.2007	10:16:57.000	1179904617	package	Transfer time: 2765 ms
23.05.2007	10:16:58.000	1179904618	internet	Sending stats 'http://download100.avast.com/cgi-bin/iavs4stats.cgi': 00000000 204
23.05.2007	10:16:58.000	1179904618	file	NeedReboot=false
23.05.2007	10:16:58.000	1179904618	general	Return code: 0x20000000 [Something done]
23.05.2007	10:16:58.000	1179904618	general	Stopped: 23.05.2007, 10:16:58

That is, the auto-update procedure on the same system is successful!

I will follow with a separate “conclusions (so-far)” post, to keep things tidy.

Conclusions so far:

  1. The issue is not related to personal firewalls or the existence of the central firewall/proxy

  2. The issue is (possibly) not related to the Windows update problem mentioned above.

My hunch is with the way avast code deals with Wininet and auto-proxy configuration. Being a non-programmer, I’ll try to describe what I consider is going wrong. First though a mini explanation for this wpad thingie. There are a number of ways to configure a system/browser for a proxy server.

  • The simplest is to specify the proxy address and port for each protocol you want to be proxied.

  • The next more advanced way, is to use what is called Proxy configuration script. In this case, the browser/system is given the URL of a special javascript file. In order to select whether a connection should be direct or proxied and, in the latter case, which proxy:port should be used, the browser/system executes the javascript file in order to deduce what to do when given a URL to visit. Much more flexible option, yet the user still has to configure the system/browser with the URL of this proxy configuration file.

  • And a yet more advanced way is via WPAD, web-proxy autodiscovery protocol. This utilizes the solution in the previous paragraph, automating the process of finding the URL of the proxy configuration file. The automation is performed via special DHCP and/or DNS setup. More initial effort is required, but minimal intervention to client pc’s is required. That is, only selecting “automatic proxy configuration” in internet options.

Windows (and IE/Firefox) can use either one of these three methods. In our case WPAD is used. I suppose that the way internet is accessed, when “use ie settings” in avast setup is selected, is somewhat abstracted. That is, regardless of the actual method to find the proxy:port used, in an ideal scenario avast would ask Win API for a file to be fetched and the Windows API would transparently utilize whichever method it is configured with, to just fetch the file.

Coupling the above mentioned observations with the fact that it has been some months since the auto-update (use ie settings) here is broken on some rigs, I’d say that this might be the area where avast code was changed, introducing this problematic behaviour in the process.

Really hope that what I’ve written above does make sense and, more importantly, can be utilized by alwil engineers to deduce the spot on the code that is responsible.

Feel free to contact me if I can provide more information. Like I said, I like toughies, it’s so much more enjoyable when you “crack” one :wink:
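The two setup logs above can be compared mechanically, which helps when the same check has to be repeated on many PCs. This is an added example, not part of the original posts and not an avast tool; the function names and the selection of sample lines (copied from the logs in this thread) are assumptions of the example.

```javascript
// Added example: group avast setup-log lines into update runs and report the
// proxy mode, WinInet errors and return code of each run.
// Fields are tab-separated: date, time, epoch, category, message.
// SAMPLE is a constructed selection of lines copied from the two logs above.
const row = (time, epoch, cat, msg) => ["23.05.2007", time, epoch, cat, msg].join("\t");
const SAMPLE = [
  row("09:34:15.000", "1179902055", "internet", "SYNCER: Type: use IE settings"),
  row("09:34:15.000", "1179902055", "internet", "SYNCER: Auth: another authentication, use WinInet"),
  row("09:34:30.000", "1179902070", "package", "ERROR:HttpGetWininet, catch returned 0x00002EFD"),
  row("09:34:31.000", "1179902071", "general", "InvalidateCurrent: invalidated server 'Download34 AVAST server' from 'main'"),
  "[...]",
  row("09:40:47.000", "1179902447", "general", "Return code: 0x20000004 [Cannot connect to download82.avast.com (75.126.53.173:80).]"),
  row("09:40:47.000", "1179902447", "general", "Stopped: 23.05.2007, 09:40:47"),
  row("10:16:39.000", "1179904599", "general", "Started: 23.05.2007, 10:16:39"),
  row("10:16:39.000", "1179904599", "internet", "SYNCER: Proxy gw.our.domain:3128"),
  row("10:16:39.000", "1179904599", "internet", "SYNCER: Type: standard HTTP proxy (rfc2616,2617)"),
  row("10:16:39.000", "1179904599", "internet", "SYNCER: Auth: no authentication"),
  row("10:16:58.000", "1179904618", "general", "Return code: 0x20000000 [Something done]"),
  row("10:16:58.000", "1179904618", "general", "Stopped: 23.05.2007, 10:16:58"),
].join("\n");

// Message patterns taken from the log lines shown in this thread.
const RULES = [
  [/^SYNCER: Proxy (\S+)/, (r, m) => { r.proxy = m[1]; }],
  [/^SYNCER: Type: (.+)/, (r, m) => { r.type = m[1]; }],
  [/^SYNCER: Auth: (.+)/, (r, m) => { r.auth = m[1]; }],
  [/^ERROR:HttpGetWininet, catch returned (0x[0-9A-Fa-f]+)/,
    (r, m) => { r.wininetErrors[m[1]] = (r.wininetErrors[m[1]] || 0) + 1; }],
  [/^InvalidateCurrent:/, (r) => { r.invalidated += 1; }],
  [/^Return code: (0x[0-9A-Fa-f]+) \[(.*)\]$/,
    (r, m) => { r.returnCode = m[1]; r.returnText = m[2]; }],
];

function summariseRuns(text) {
  const runs = [];
  let run = null;
  const open = () => ({ proxy: null, type: null, auth: null, wininetErrors: {},
                        invalidated: 0, returnCode: null, returnText: null });
  for (const line of text.split(/\r?\n/)) {
    const fields = line.split("\t");
    if (fields.length < 5) continue;               // blank lines and "[...]" elisions
    const msg = fields.slice(4).join("\t").trim();
    if (msg.startsWith("Started:")) { if (run) runs.push(run); run = open(); continue; }
    if (!run) run = open();                        // excerpt that begins mid-run
    if (msg.startsWith("Stopped:")) { runs.push(run); run = null; continue; }
    for (const [re, apply] of RULES) {
      const m = re.exec(msg);
      if (m) { apply(run, m); break; }
    }
  }
  if (run) runs.push(run);                         // truncated log without "Stopped:"
  return runs;
}

// True when the run handed HTTP to WinInet, logged WinInet errors and did not
// end with 0x20000000 ("Something done" in the successful log).
function failedViaWininet(run) {
  return /WinInet/i.test(run.auth || "") && Object.keys(run.wininetErrors).length > 0
    && run.returnCode !== "0x20000000";
}
```

Feeding a whole setup log to `summariseRuns` gives one record per update attempt, so a run that fell back to WinInet and ended with 0x20000004 stands out from one that used the explicit proxy.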

In both cases, you’re running setup under SYSTEM account.

If you use no-proxy or you manually specify proxy settings (using normal RFC obeying proxy), everything works.

If you have proxy which checks user credentials using NTLM (MS proprietary gizmo) it will refuse local SYSTEM account. Manual updates are running under your account and proxy will pass them.

I’d still stick to ‘user’s misconfiguration problems’ for most cases of these problems, but I admit that our error messages and explanations are not as clear as they might be, but since there are many potential problems and we’re just getting ‘no connection’ it’s hard to be more specific. :-\

This is indeed a case where everything works.

If you have proxy which checks user credentials using NTLM (MS proprietary gizmo) it will refuse local SYSTEM account.
I'm afraid I was misunderstood here: in the problematic case, no NTLM is used! In fact the exact same proxy as above (a normal RFC obeying proxy) is used. No user authentication is performed whatsoever! The only thing is that instead of specifying the proxy address and port manually, via the WPAD mechanism this information is automatically discovered. And, furthermore, WPAD and avast worked perfectly up to some months before and that is also what is really confusing me.

If you’re confident that there is no user-checking mechanism employed while going thru proxy, I can’t see what may cause the problem.

The last option would be taking someone with the knowledge of tcp/ip to the machine and having him inspect the traffic by wireshark/tcpdump/whatever.

BTW: 0x2EFD is CANNOT_CONNECT.

Another request:
Could you please put here the content of your WPAD.DAT? If not, can you send it to me (PM)? We’ll make some tests and we want as close as possible behaviour.

Same here, this one got me really confused.

The last option would be taking someone with the knowledge of tcp/ip to the machine and having him inspect the traffic by wireshark/tcpdump/whatever.
Tried with wireshark, but unfortunately I do not know the exact time the program tries to update so it's a bit difficult to "catch" the avast traffic.
Another request: Could you please put here the content of your WPAD.DAT?
No problem here, thank you for asking me :) The wpad.dat is as follows:

function FindProxyForURL(url, host)
{
if (isInNet(host, "192.168.0.0", "255.255.255.0") ||
  isInNet(host, "192.168.1.0", "255.255.255.0") ||
  dnsDomainIs(host, ".our.domain") || 
  isInNet(host, "127.0.0.0", "255.0.0.0") ||
  shExpMatch(host, "localhost"))
    return "DIRECT";
else
    return "PROXY 192.168.0.1:3128";
}

In the above, 192.168.0.1 is the proxy ip address. I’ve been using the same wpad.dat for about 4 years now.

For the WPAD mechanism to work, the dhcpd.conf file contains:


# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
default-lease-time 604800;
max-lease-time 604800;
option local-proxy-wpad code 252 = string;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.
ddns-update-style none;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;


subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.32 192.168.0.254;
  option routers 192.168.0.1;
  option domain-name "our.domain";
  option domain-name-servers 192.168.0.1;
  option broadcast-address 192.168.0.255;
  option local-proxy-wpad "http://wpad.our.domain/wpad.dat";
  option router-discovery false;
  option subnet-mask 255.255.255.0;
}

Additionally, our LAN name server resolves wpad.our.domain as follows:


$ttl    86400
$ORIGIN our.domain.

@       IN      SOA     our.domain.gr. postmaster.our.domain. (
                        200209101       ; serial, todays date + todays serial #
                        24H             ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
      IN        NS      ns.our.domain.

our.domain.      A       192.168.0.1

localhost       A       127.0.0.1
gw              A       192.168.0.1
wpad            A       192.168.0.1
                TXT     "service: wpad:http://wpad.our.domain/wpad.dat"

An apache server hosted on firewall/proxy machine, at port 80, serves the wpad.dat file.
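To see what the posted wpad.dat tells a client to do for an update server, the following added example runs it offline with stand-in PAC helper functions. It is not part of the original post and does not reproduce how WinInet or avast evaluate PAC files; the DNS table, `decide` and `matchesManualProxy` are assumptions of the example, and the download82 URL path is constructed.

```javascript
// Added example: offline evaluation of the wpad.dat posted in this thread.
// DNS is a constructed lookup table built only from addresses shown on the page.
const DNS = new Map([
  ["download82.avast.com", "75.126.53.173"], // from the failing setup log
  ["gw.our.domain", "192.168.0.1"],          // from the zone file
  ["wpad.our.domain", "192.168.0.1"],        // from the zone file
  ["localhost", "127.0.0.1"],
]);

// Dotted quad -> unsigned 32-bit number, or null if not an IPv4 address.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

// PAC helper functions, reimplemented for this test bench only.
function dnsResolve(host) {
  return ipToInt(host) !== null ? host : DNS.get(host.toLowerCase()) ?? null;
}
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false; // an unresolvable name matches no network
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function shExpMatch(str, shexp) {
  const body = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$").test(str);
}

// wpad.dat as posted.
function FindProxyForURL(url, host) {
  if (isInNet(host, "192.168.0.0", "255.255.255.0") ||
    isInNet(host, "192.168.1.0", "255.255.255.0") ||
    dnsDomainIs(host, ".our.domain") ||
    isInNet(host, "127.0.0.0", "255.0.0.0") ||
    shExpMatch(host, "localhost"))
    return "DIRECT";
  else
    return "PROXY 192.168.0.1:3128";
}

// What a PAC-aware client would decide for a URL.
function decide(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Compare the PAC answer with the manual setting from setup.ini (NetIP/NetPort).
function matchesManualProxy(url, netIp, netPort) {
  const m = /^PROXY (\S+)$/.exec(decide(url));
  return m !== null && m[1] === `${dnsResolve(netIp)}:${netPort}`;
}
```

For the update host the PAC answer is the same proxy endpoint as the manual `NetIP=gw.our.domain` / `NetPort=3128` setting that works in scenario 2, while LAN names and addresses go direct.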

maleas

a couple of thoughts …

  1. I am very impressed that you have engaged the thoughtful interest of kubecj … definitely a plus

  2. With wireshark … perhaps some opportunity to run it by command line at start up. I recently talked with one of my folks about using an avast4.ini setting (which delays the avast automated VPS update) and we wanted to know if it was real or “fluff”. So he set up a command line wireshark (ok to be completely honest he is still using ethereal - now renamed wireshark) and demonstrated that the avast4.ini delay in VPS auto update is as true as its word.

So if you care for any assistance with wireshark at startup … just say.

When we’re losing a battle, some soldiers ask for the general to come here 8)

It works for sure… Change the option and check to see an icon on task bar.
Make the logon and see when the icon appears.