I’ve seen a few other recent threads with similar issues regarding some unexplained and recent Avast Web Scanner problems, when all had been working fine for a good six months.
I set up Avast 4.8 on my wife’s computer and all has been well for the past six months until the past few days. She suddenly could not connect.
I opened up the rule based firewall (Kerio 2.15) and discovered that while I had restricted the Avast web scanner to connect to the usual outbound ports (1024-4999), the Avast Web Scanner was now suddenly requesting access to higher ports as well as to port 443 to use Firefox. So what changed this past week? Was this a change in the Avast web scanner, a change caused by a Microsoft update of this past week, or the update to Firefox version 3.5.1? Those are the only things I can imagine that might have caused the change.
Is this correct and do I now have to allow outbound access to all ports? Thanks.
What’s strange is that I then set up two sequential firewall rules, the first with the original outbound port range (1024-4999) and a second rule with open ended ports, set to alert. The next day, all went back to normal again for a day (no alerts), and then back again to the need to use higher ports to connect (continual alerts). So what gives?
If a few people have the same issue at the same moment, we’re not all using the same firewall or the same browser, so I’d rule those out. It seems like it can either be an Avast Web Scanner issue or due to an MS update.
Can someone kindly verify/investigate please. I would think that opening all ports defeats inherent firewall security. And since it was not necessary before, without explanation, this is even suspicious. Thanks.
Thanks for confirming that. When one sets up a program it usually won’t require some modification of your firewall six months later unless something has changed. That something could be an operating system change, the program has changed or something malicious is forcing a change. So for this to happen with an AV is NOT a good thing because for all one knows it could be related to something forcing you to connect via insecure ports or re-routing your connection…
I’m also running FF 3.5.1 and Kerio 2.1.5.
Are these connection requests to localhost or external?
The avast! web scanner uses (local) port 12080 for HTTP redirection, for instance.
In my Kerio setup, I’m allowing loopback (localhost) access to all programs to ports 1-49151.
The avast! web scanner is only allowed ports 80 and 8080 (TCP, outgoing).
Thanks and to answer your question, the Kerio 2.15 rule that had been working successfully for the past six months is:
Avast Web Scanner TCP Out Local Ports 1024-4999 Any Address Remote Port: 80 Application: ashwebsv.exe
And a “DENY ALL” as the last firewall rule, so everything is denied unless explicitly permitted. That had locked it down pretty well.
I did NOT set up the HTTP proxy in Firefox.
Now, after examining why my wife’s PC could no longer connect, I see that she was getting requests on local ports 50,000+, 443, etc. I can’t even determine the necessary local port range, so I’d have to leave it to “ALL” or my wife won’t be able to connect when I’m not there to look at what’s going on.
If everything worked before, my wild guess is that you need to check out your Kerio rule for the updated Firefox. Did you allow Firefox’s loopback and its access to 127.0.0.1:12080? Also, I guess you have to allow FF’s access to Remote port:443 since Avast! Web Shield won’t interfere with SSL connections.
If you can get the log, what prevents you from deciding necessary local port range?
@blue2: in my Kerio’s FF rules, I allow it access to remote ports 21, 80, 443, 1935 and 8080 only.
I’ll add something to see if I can reproduce your problem with local ports higher than 50000.
(but you need to allow it port 12080!)
I use Firefox on 5 pcs. I only use Avast on one of them, which my wife travels with so it’s not always in front of me.
When I updated FF to 3.51 (and as has ALWAYS been the case with FF updates) NO change was needed in the Kerio ruleset. Firefox has always been allowed access to 443.
I did not know of Avast’s need for port 12080 when I initially set it up, and did not set up the HTTP proxy within Firefox. When I initially installed Avast to use with Firefox, I simply opened up the firewall “KILL ALL” rule at the end, saw what connections were needed for Firefox, Avast updates, Avast Web Scanners, etc. and then set up permanent rules for those connections. So if there was a problem, I would think it would have surfaced six months ago.
Not being a network expert, how would Firefox’s loopback and its access to 127.0.0.1:12080 work in this scenario, particularly if it was not needed for the past six months?
Because the Avast Web Scanner is requesting access to higher ports with each connection. So how high do I have to go? It isn’t just requesting one additional port.
And as I indicated, I’m also suspicious when things change without explanation. I’ve updated Firefox many times and it never required a firewall rule change. The same with MS updates, although one never knows. No other PC has this issue so that immediately rules out everything else. The only thing different on my wife’s PC is Avast and the user (but don’t tell her I said that).
I used Kerio 2 in the past and I may be wrong but it asked me if the updated program should be allowed or not every time I updated a program. If I answered no, it blocked the program in question. I wonder what it was called but it checked the fingerprint of each program. Edit: It’s called MD5 and it looked like this.
[quote]Because the Avast Web Scanner is requesting access to higher ports with each connection. So how high do I have to go? It isn’t just requesting one additional port.[/quote]
Then, how about setting it to, for example, 1025-4999 and seeing if it will still request higher ports?
Yes, of course, I’ve allowed the FF update to replace the existing program. And as a further insurance, I also ALWAYS check the full Kerio MD5 database table for inconsistencies EVERY time I do updates, so that a month later I don’t get asked whether I permit an update of something I’ve long since forgotten I updated.
Trust me, that’s not the issue. It’s not Firefox. It’s the Avast Web Scanner that is blocking the connection and creating the issue.
I explained, my normal rule HAS ALWAYS BEEN TO permit connection to ports 1024-4999 for all applications. NOW, that caused my wife’s PC to stop connecting using Firefox.
Now I have to permit ports 48,458 and 48,459 and 48,460 and … or whatever to get the Avast Web Scanner to permit FF to connect to a webpage. So how high? It gets incrementally higher with EACH and EVERY connection to a webpage. So clearly something is NOT WORKING CORRECTLY with the Avast Web Scanner.
If I didn’t misunderstand your comment, Avast! has been there, too, without problem for six months, hasn’t it? Also, I don’t think the Avast engine was updated during the week since its last update was February 5, 2009. However, it’s indeed odd of Avast! Web Scanner to ask for connections on such seemingly random and unusual ports… If you suspect Avast!, you may like to fix it through the installer.
Yes, Avast has been there too. But in case it was not perfectly clear, it’s the Avast Web Scanner that is demanding access to these ports NOT Firefox. So in order for Firefox to connect one has to permit the Avast Web Scanner access to port 50,000 for example. Normal?
So unless something modified Avast, it can only be an Avast issue (or an incompatibility with an MS update), since the EXACT same drive image is used on all machines, with the only exception being one PC with Avast on it that now has this problem. That’s why I’d start looking there.
Why would it be demanding access to new and incremental ports each time? My first suspicion was a pushed update that initiated some change. But if the engine hasn’t been updated in months…
Are you absolutely sure your Kerio rules are the same as 6 months ago?
Maybe a pop-up appeared once when your wife was on the computer and she created a new rule by accident?
Just a shot in the dark.
The order the rules are is also crucial for the job you want, but I’m sure you are already aware of this.
Well, actually the ruleset is continually tweaked after updates, application changes, etc. (e.g. MD5s change on MS Office apps each time there’s a security update) but everything looks correct. The ruleset is in top down order (a month at the former Kerio forum taught me a lot) and I DO NOT let my wife run as Admin or touch the ruleset, so the damage of any mistake that she might make is limited.
Now what is really odd, is that I’m now connected here on her computer via Firefox and the port requests have reverted back to normal (for now). But this has happened before, and then she suddenly can’t connect out of the blue, which is why it is disconcerting.
I’ve now set up Kerio with an Avast Web Scanner rule to the usual port range 1024-4999 and a similar rule just below that allowing all local ports and set to alert and log. So as soon as this issue occurs again, I’ll know.
But this one really has me stumped as the most obvious issues (e.g. my ISP changed DNS server addresses, etc.), I can figure out pretty quickly. But this is an intermittent problem without much rhyme or reason.
No, on the contrary, I appreciate your questions in case there’s something I haven’t thought about or don’t know.
Yes, she runs under LUA and always has. That’s the way I set her up. So she can’t change too much and she’s never touched the firewall (and wouldn’t even know where to begin). That’s what made me so curious when she came to me a few days ago and said that she could no longer connect. I quickly verified that it wasn’t ISP, modem, hosts file, etc. related. Then I opened up the firewall connections. Even after I do Windows updates each month I ensure that the connection is still working properly. So this one is really a mystery.
It happened two days ago, lasted for two days, and I haven’t got a clue what caused it or what might bring it on again.
I have never used Kerio, but I’m going to throw something else into the mix.
In the past Sygate had a localhost loopback flaw, in that it only monitored the parent of the localhost proxy, in this case the web shield, ashWebSv.exe. So if anything else was using port 80 avast would also filter that through the proxy and it sailed through unmolested by the firewall. Rather than all applications requiring outbound connections even if they went through a localhost proxy were subject to challenge.
So could something like this also happen with Kerio ?
Kerio didn’t have Sygate’s bug when I used to use it. Hope they don’t mess things up. But, indeed, there is such a possibility. As a side note, Outpost Free does not have this bug: each program is warned by the firewall (even being scanned by WebShield).
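
Added example, not part of any post in this thread: a small first-match rule evaluator that models the setup discussed above (the original 1024-4999 local-port rule for ashwebsv.exe, the diagnostic all-local-ports rule set to log, and a final DENY ALL) and summarises which local ports end up in the log. The `Rule` model is a simplified assumption and not Kerio's actual rule format or engine; the connection attempts are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    app: str             # "*" matches any application
    local_ports: range   # local (source) ports the rule covers
    remote_ports: tuple  # empty tuple matches any remote port
    action: str          # "permit" or "deny"
    log: bool = False

# Hypothetical ruleset modelled on the thread: narrow rule, diagnostic rule, final deny.
RULES = [
    Rule("web scanner (original)", "ashwebsv.exe", range(1024, 5000), (80,), "permit"),
    Rule("web scanner (diagnostic)", "ashwebsv.exe", range(1, 65536), (80,), "permit", log=True),
    Rule("DENY ALL", "*", range(1, 65536), (), "deny", log=True),
]

def evaluate(rules, app, local_port, remote_port):
    """Return the first rule matching the connection (top-down, first match wins)."""
    for r in rules:
        if r.app not in ("*", app):
            continue
        if local_port not in r.local_ports:
            continue
        if r.remote_ports and remote_port not in r.remote_ports:
            continue
        return r
    return None

def summarize(rules, attempts):
    """Map (app, rule name) to (min port, max port, count) for logged matches."""
    seen = {}
    for app, lport, rport in attempts:
        r = evaluate(rules, app, lport, rport)
        if r and r.log:
            seen.setdefault((app, r.name), []).append(lport)
    return {k: (min(v), max(v), len(v)) for k, v in seen.items()}

# Constructed outbound attempts: (application, local port, remote port).
ATTEMPTS = [
    ("ashwebsv.exe", 1873, 80),
    ("ashwebsv.exe", 48458, 80),
    ("ashwebsv.exe", 48459, 80),
    ("ashwebsv.exe", 48460, 80),
    ("ashwebsv.exe", 50012, 443),
]

if __name__ == "__main__":
    for key, stats in summarize(RULES, ATTEMPTS).items():
        print(key, stats)
```

Only connections that fall outside the narrow rule reach the logging rules, so the summary shows the local port range actually in use without opening the remote port beyond 80.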