Can I make the web proxy transparent for selected servers?

Hi.

I recently upgraded to the latest version and had the web proxy activated in the process, and here are my issues:

First, it’s a great feature and I would like to use it :wink: But …

Without going into too much detail, I wrote a utility to ‘pass thru’ internet proxies (which are usually on port 80). This utility sends a special request to my web server, which establishes a transparent connection (after authentication) to any address and port I choose. This is very convenient as it allows me to stay connected to my POP3 server or others while inside a private network, as long as it has a web proxy.

The problem with the new avast web proxy is that it seems to block anything which doesn’t look like HTML (like my protocol). I tried to enter my relay server name in the exception list with no success :(.

Then would it be possible to have a real list of exceptions, so that if the target connection is in this list the avast web proxy would act as a transparent proxy without trying to interpret the protocol at all (as it might be anything else once connected, like SSH / SMTP / IMAP / etc …)?

Sadly for now my only solution is to deactivate the web proxy …

Thanks for any answer.

Hi again,

While reading some of the numerous posts about the web proxy, I found a .ini file section which might do the trick:

[WebScanner]
IgnoreProcess=myprog.exe

I added my bridge program in this section and stopped / restarted the web shield; still no luck. My app is still connected to port 12080, and even if the traffic might not be filtered, the unconventional format is still blocked …

Just to be sure: when you change avast4.ini, is it enough to stop and restart the service, or do you need to do something else? Any solution not involving a reboot would be nice :wink:

Another solution might be to provide a transparent bridge on another port, something like:

Port 80 redirected to 12080 and filtered and piped to outside 80 and listen on 12880 to provide a direct bridge to outside 80.

My app could use this port (12880) and have no issues.

Thanks again for any answers.

Unless you mistyped the myprog.exe name, the avast4.ini trick should work.

Sorry, doesn’t work.

To be sure, I made the following test:

I changed avast4.ini to add

[WebScanner]
AutoRedirect=1
HttpRedirectPort=110 ← POP3 port
IgnoreProcess=avast.setup
IgnoreProcess=telnet.exe ← Added
LoadIsapiFilters=1
ISAPIFilter1=ashWsFtr.dll
IgnoreAddress=
IgnoreLocalhost=1

Then, if the proxy was really transparent, I should get the POP3 server identification if I use telnet (which is in the IgnoreProcess list) to access it, and here is what I got:

With web proxy on:

telnet popserver 110
→ Nothing

(I verified with tcpview that telnet.exe had an open TCP socket to localhost:12080, the proxy)

With web proxy off:

telnet popserver 110
→ +OK eXtremail V1.5 release 9 POP3 server ready…

It looks like even if the app connecting to the port is in the ignore list, the proxy still assumes that the protocol will be HTML, and so it’s still not going thru.

Can anyone confirm this behavior?

Thanks.

There must be only ONE IgnoreProcess= line in the INI file (in each section). They are not cumulative.
If you need to have more values, separate them by commas. I.e., instead of

IgnoreProcess=avast.setup,
IgnoreProcess=telnet.exe

do

IgnoreProcess=avast.setup,telnet.exe

Also, the experiment you made is somewhat strange because port 110 is actually redirected by the Internet Mail provider (to scan POP3 traffic). So unless you disabled this provider in avast, possibly double redirection was attempted and it could’ve messed things up badly… :slight_smile:

Thanks
Vlk
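
The one-line-per-key rule from the reply above, turned into a check (an added example, not part of the original posts and not avast code): it flags any key that is set more than once within a section and proposes the single comma-separated line. The function names are hypothetical, and treating key names as case-insensitive is an assumption.

```python
# Constructed sample: the [WebScanner] section from the earlier post,
# shortened and with the inline annotations removed.
SAMPLE_INI = """\
[WebScanner]
AutoRedirect=1
HttpRedirectPort=80
IgnoreProcess=avast.setup
IgnoreProcess=telnet.exe
IgnoreLocalhost=1
"""

def find_duplicate_keys(text):
    """Return {(section, key): (name, [values])} for keys set more than once."""
    seen, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            # Assumption: key names compare case-insensitively.
            ident = (section, key.strip().lower())
            seen.setdefault(ident, (key.strip(), []))[1].append(value.strip())
    return {k: v for k, v in seen.items() if len(v[1]) > 1}

def merged_line(key, values):
    """Build one comma-separated line, dropping empty and repeated entries."""
    parts = []
    for value in values:
        for item in value.split(","):
            item = item.strip()
            if item and item.lower() not in [p.lower() for p in parts]:
                parts.append(item)
    return key + "=" + ",".join(parts)

def lint(text):
    """One finding per duplicated key, with the suggested replacement line."""
    return [f"[{sec}] {name} appears {len(vals)} times; replace with: {merged_line(name, vals)}"
            for (sec, _), (name, vals) in find_duplicate_keys(text).items()]

if __name__ == "__main__":
    for finding in lint(SAMPLE_INI):
        print(finding)
```

Running a check like this after editing an exclusion list shows whether the set of processes that bypass scanning is the one that was intended.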

Thanks a lot Vlk, it works just fine with this:

[WebScanner]
AutoRedirect=1
HttpRedirectPort=80
IgnoreProcess=avast.setup,java.exe
LoadIsapiFilters=1
ISAPIFilter1=ashWsFtr.dll
IgnoreAddress=
IgnoreLocalhost=1

The only small drawback is that all Java programs (the ones launched with the launcher at least) will have direct access to port 80, but it’s no big deal at all.

And I used the POP3 protocol to test the transparency of the web proxy because I had a server at hand :slight_smile:

Thanks again for this great product and support.

Kiks.

Well for your case I reckon it would be actually better to exclude an address instead of a process.
This can be done on the first config page of the WebShield provider.

Yes and No …

As an example let’s see how it works for a POP3 client.

Programs are between [ ] and arrows represent TCP connections with the port in ().

[POP3 Client] and [MyUtil] run on the client computer (the one with avast).
[WebRelay] is a modified web server and knows how to handle special requests from MyUtil.

Here is how it works when I am ‘directly’ on the net.

[POP3 Client] — localhost(8110) —> [MyUtil] — www.myrelay.com (80) —> [WebRelay] — pop.isp.com (110) —> [Some Pop server].

And now when I am inside a firewalled private network with an internet proxy [proxy].

[POP3 Client] — localhost(8110) —> [MyUtil] — inetProxy (80) —> [proxy] — www.myrelay.com (80) —> [WebRelay] — pop.isp.com (110) —> [Some Pop server].

Now if I use the Ignored Address list in avast, I have to enter both myrelay.com and inetProxy in the list, as the client will attempt a special connection on both of them. For the direct connection it’s OK, as I trust www.myrelay.com and only the traffic to this site will avoid scanning, but when I am inside the firewall, all traffic to inetProxy will be exempted, including regular requests from my web browser, as everything goes thru inetProxy.

In fact it’s better to have myApp in the IgnoreProcess list, as in this case it will only ignore the right connections.

Thanks Again.

Kiks.