Back to WebShield basics

After reading innumerable posts and contributing to a couple of threads on WebShield, I am more confused than informed on WebShield basics. Could anyone provide or direct me to info regarding

  1. what is WebShield and what it is supposed to do and how,

  2. how it can be configured,

  3. and how can FF traffic alone be channeled through WebShield while all other traffic is forced to reach the internet directly?

Yes, I’ve heard it all in bits and pieces but I’ve never seen a concise and thorough explanation of the above.

You will probably get a better answer from avast!, but here is a user’s perspective (without going into TCP connections):

  1. Webshield is a local proxy (program between you and the internet) that routes incoming data from the web through a virus scanner before it passes it on to you. It does that by rerouting the data from remote port 80 through the virus scanner to you.
  2. Some configuration parameters are a bit obscure (intelligent stream scanning, for example), but basically you turn it on and tell it to redirect data from the standard http port (port 80) through the scanner. If you have XP, it sets up transparently to route port 80 through port 12080 on localhost (just a loop through your computer) to the virus scanner to you. Otherwise there is a more manual procedure to accomplish the same.
  3. If you erase the port 80 in avast!, nothing will be routed through webshield. But browsers are set up to use other types of proxies. So if you set up your FF network settings to use an http proxy to IP address 127.0.0.1 (local host) port 12080, it will pass the data through the webshield scanner directly. For the other programs using remote port 80, they will not transit webshield. This is because the default redirect port in avast! for http traffic (port 80) is port 12080. If you use Kerio, for example, you will see that Webshield is always listening on port 12080, no matter what you enter.

Lots of detailed stuff going on that I probably don’t understand, but to a user these appear to be the options.

  1. what is WebShield and what it is supposed to do and how,

From the Avast website:

The main highlight of avast 4.6 is undoubtedly the new avast! on-access scanning provider - Web Shield. It is able to monitor and filter all HTTP traffic coming from the Web sites on the Internet. Since an increasing number of viruses (and other malware, such as adware, spyware and dialers) are being distributed via the World Wide Web, the need for effective countermeasures has also increased. The Web Shield acts as a transparent HTTP proxy and is compatible with all major web browsers, including Microsoft Internet Explorer, FireFox, Mozilla and Opera.

Unlike most competitive solutions, the Web Shield’s impact on browsing speed is almost negligible. This is because of a unique feature called “Intelligent Stream Scan” that lets the Web Shield module scan objects on-the-fly, without the need of caching them locally. Stream scanning is performed in operating memory only (without the necessity to flush the contents to disk), providing maximum possible throughput rates.

  2. how it can be configured,

It’s auto-configured on XP/2000. Otherwise, any browser can be set up through its connection settings by setting the proxy server to localhost, port 12080.

  3. and how can FF traffic alone be channeled through WebShield while all other traffic is forced to reach the internet directly?

Manually set up the FF proxy settings, and disable the proxy settings in other browsers that you don’t want using webshield.

Yes, I’ve heard it all in bits and pieces but I’ve never seen a concise and thorough explanation of the above.

Bottom line is the webshield scans files in real time while browsing rather than browsing and finding internet related infections later by the standard shield or a scan of your HD. Based on my limited experience with it thus far it appears to be protecting as an additional redundant mechanism. Redundancy is a good thing. For example, the basic but very good AV program Etrust has the standard shield and scans emails but does nothing while browsing. So, infected files can find their way to your HD and Etrust won’t do anything until someone or something tries to open said infected files. The Avast! webshield would or should catch these infected files before they have a chance to be saved on your HD, especially without you knowing about it.

Thank you both. Now let me see if I got it right.

Step 1
I click on the avast system tray icon, in the popup window I choose Web Shield on the left under ‘Installed Providers.’ Next I click ‘Customize’ and under the ‘Basic’ tab delete the 80 next to ‘Redirected HTTP port(s)’ and leave its place blank. This in effect prevents any traffic whatsoever from getting channeled through WebShield. Have I missed anything so far?

Step 2
In FF click Tools>Options. Under ‘General’ on the left, click on ‘Connection Settings,’ select ‘Manual Proxy Configuration,’ and write ‘localhost’ or ‘127.0.0.1’ in the box next to ‘HTTP Proxy’ while leaving all other proxy boxes blank. Next write ‘12080’ in the ‘Port’ box for ‘HTTP Proxy.’ This in effect redirects all FF traffic through port 12080 and, therefore, through WebShield. So the initial task of channeling only FF traffic through WebShield has now been achieved. Is this correct? But what about two more settings that appear automatically in the ‘Connection Settings’ window, i.e., the ‘SOCKSv5’ radio button (selected automatically) and the ‘localhost 127.0.0.1’ parameter that appears automatically in the ‘No Proxy for’ box? Should they be left alone or be changed to something else? What do they mean anyway?

Yes you got it right.

The SOCKSv5 radio button is only effective if you have a SOCKS-type proxy set up (which is not the case here). The “No proxy for” field indicates servers for which proxying (i.e. WebShielding in our case) won’t be done.

By default, browsers fill in the address of your machine. This is effective only if you’re running a local web server, of course (so probably not your case).

Vlk

Right. Think of avast! as two boxes: a redirect box and a proxy/virus scanner box. When you use Webshield normally, the redirect box intercepts all TCP connection requests to remote port 80 and connects them to port 12080 of the proxy box. The proxy box sets up the connection to port 80 of the remote computer. So data will now flow from port 80 of the remote host (website) to the proxy box to get virus scanned to the redirect box and back to the requestor, which still thinks it is connected to port 80 of the remote host. The alternative turns off the redirect box and manually connects FF directly to port 12080 of the proxy box, which again connects to port 80 of the remote computer. And the data flows back similarly. Actual avast! architecture may be a little different, but this is how transparent (implicit) and explicit proxies work. Just multistep TCP connections with some processing along the way. The other browser http requests connect to remote port 80 normally without avast! intervention, since the redirect box is off. And, of course, conflicts with other proxies, redirection of non-http data to port 80, firewalls that don’t recognize local proxies, VPNs, other extended web usage make this all more interesting.
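
The difference between the two modes described in the post above also shows up in the request itself. This is an added example, not part of the original posts and not avast! code: it parses a request the way a generic local HTTP proxy could, and assumes the transparent case recovers the destination from the `Host` header. The function name and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

def upstream_target(raw_request: bytes):
    """Return (mode, host, port, origin_request_line) for one HTTP/1.x request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if target.lower().startswith("http://"):
        # Explicit proxy: the browser was pointed at 127.0.0.1:12080 and
        # therefore sends the full URL (absolute-form) in the request line.
        url = urlsplit(target)
        host, port = url.hostname, url.port or 80
        path = url.path or "/"
        if url.query:
            path += "?" + url.query
        mode = "explicit"
    else:
        # Transparent redirect: the client believes it is talking to the web
        # server, so it sends only the path (origin-form). Assumption: this
        # sketch takes the destination from the Host header.
        hostport = headers.get("host")
        if not hostport:
            raise ValueError("origin-form request without a Host header")
        host, _, port_text = hostport.partition(":")
        port = int(port_text) if port_text else 80
        path, mode = target, "transparent"

    # Either way, the proxy speaks origin-form to the real web server.
    return mode, host, port, f"{method} {path} {version}"

# Constructed sample requests (not captured traffic).
EXPLICIT = (b"GET http://www.example.com/index.html?x=1 HTTP/1.1\r\n"
            b"Host: www.example.com\r\n\r\n")
TRANSPARENT = (b"GET /index.html?x=1 HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for sample in (EXPLICIT, TRANSPARENT):
        print(upstream_target(sample))
```
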

Great thread guys, no arguments, just passing knowledge.
This was a gem of knowledge. :slight_smile:

Thank you all again.

Vlk,

I do run a local web server. It is called e-Dexter, its address is 127.0.0.1, listens at port 80, and its function is to supply at random one of five available images to whatever app (almost always the browser) my Hosts file redirects to localhost. As a result, when the browser is sent to localhost by the Hosts file when the former is trying to contact an advertising site, the browser will receive a harmless image from e-Dexter, which the browser interprets as the advertising site’s content and promptly places it where the ad would normally appear. Without e-Dexter, the redirected browser would find nothing at localhost and would repeat the request until it times out, which would result in a browser slowdown.

So the appearance of ‘localhost 127.0.0.1’ in the ‘No Proxy for’ box is quite appropriate as it will prevent e-Dexter from getting redirected to WebShield, which is as it should be since e-Dexter never needs to either venture out to the internet or be contacted by a remote pc. Am I right?

Yes, you are basically right. This line tells the browser not to use its proxy server when accessing URLs from http://localhost/… and http://127.0.0.1/… This is correct in your setup, but unfortunately I am not sure if it makes any difference, since the browser thinks it downloads e.g. http://www.adsAndBanners.com/banner1.gif and this is the request forwarded to the proxy (WebShield in this setup). You would end up with the supplied image scanned by WebShield but that would not harm you either.

Lukas
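
The point in the post above, that the ‘No Proxy for’ list is compared with the host in the URL and not with the address the Hosts file maps it to, can be traced with a small model. This is an added example, not part of the original posts and not avast! or Firefox code. The Hosts-file and DNS entries are constructed, and it assumes the local proxy resolves names through the same Hosts file as the browser because it runs on the same machine.

```python
import ipaddress
from urllib.parse import urlsplit

PROXY = ("127.0.0.1", 12080)            # WebShield's listening port, per the thread
NO_PROXY = {"localhost", "127.0.0.1"}   # default 'No Proxy for' entries
# Constructed Hosts-file entries: the ad host is pointed at the local web server.
HOSTS = {"localhost": "127.0.0.1", "www.adsandbanners.com": "127.0.0.1"}
# Constructed DNS answer (address from a documentation range).
PUBLIC_DNS = {"www.example.com": "203.0.113.10"}

def resolve(name):
    """Resolve a host name; the Hosts file wins over DNS, as in the OS resolver."""
    name = name.lower()
    if name in HOSTS:
        return HOSTS[name]
    if name in PUBLIC_DNS:
        return PUBLIC_DNS[name]
    ipaddress.ip_address(name)          # raises ValueError if not an IP literal
    return name

def trace(url):
    """Return the TCP connections made to fetch url, in order, as (who, (ip, port))."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 80
    if host in NO_PROXY:
        # The bypass decision uses the URL's host only; nothing is resolved first.
        return [("browser", (resolve(host), port))]
    # Proxied: the browser connects to the proxy, and the proxy does the lookup.
    return [("browser", PROXY), ("proxy", (resolve(host), port))]

def scanned(url):
    """True if the response passes through the proxy (and so its scanner)."""
    return any(who == "proxy" for who, _ in trace(url))

if __name__ == "__main__":
    for u in ("http://localhost/",
              "http://www.adsAndBanners.com/banner1.gif",
              "http://www.example.com/"):
        print(u, trace(u), "scanned" if scanned(u) else "direct")
```
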

Thank you Lukas.

Indeed it doesn’t matter whether e-Dexter images go through WebShield or not as long as no other application can send FF out to the internet without the firewall generating an alert. Now it is time to put all to the test by adopting the configuration discussed here and then running the www.grc.com leak test and a second test of my own I have in mind. I will report the results here.

Back for the final chapter.

The configuration outlined earlier in this thread whereby only FF traffic is channeled through WebShield has been tested satisfactorily in a WinXP Home (Service Pack 2) pc equipped with Sygate PFPro. The www.grc.com leak test turned out negative and applications that could utilize FF to get out were flagged by the firewall. Examining several traffic logs revealed that all was well and indeed identical (save for the substitution of firefox.exe by ashwebsv.exe in the logs) as when WebShield was disabled. So all is well that ends well.

The configuration outlined earlier in this thread whereby only FF traffic is channeled through WebShield has been tested satisfactorily in a WinXP Home (Service Pack 2) pc equipped with Sygate PFPro.

The same also goes for standard SPF. There has been, though, much talk from other users using other local proxy software, and also about the way the first version 4.6.603 webshield worked, to confuse the issue.
WebShield and Sygate work now really well together. :wink:

The connection settings of Windows Media Player and many programs default to “use proxy settings of the web browser” (“use internet connection setting”). Did/does that affect Sygate, concerning application asking and anti-hijacking?

Steve, I think it would be really better if you did those tests yourself, and then posted your experiences to this thread.
There are many configurations, and that manual proxy is just one. I use that too. But I prefer to keep IE that I don’t use to others to test how it behaves.
You try and report back and then we are wiser :slight_smile: