changes in Avast web shield/intercepting all internet traffic

system · 2017-01-31T01:14:50.000Z

I use a program called Tripmode which shows which apps are using my bandwidth, and it recently stopped working and only showed Avast using bandwidth. I queried the Tripmode developer, and they said:

"We found out that new versions of Avast are intercepting all the network traffic (e.g.“Mail Shield” / “Web Shield”). This is usually to scan traffic for threats or malware.

Avast is allowing the Internet traffic to pass through and make TripMode function thats why you can see all bandwidth under Avast."

Have there indeed been major changes to the web shield, and if so how? If I’m not misunderstanding what’s happening, is it safe for all of my web traffic to be going through the Avast web shield?

Eddy · 2017-01-31T01:45:38.000Z

No, there haven’t been major changes and it is still working as it has always been.

Tripmode (and other tools like that) are “lying”

In order for avast to be able to scan things it needs to sit between the application you are using (e.g. browser, ftp application and such) and the destination of the data traffic.

To keep it simpel, a normal connection without any protection is like this :
Your system (application you are using) > ISP > destination (e.g. website)

With avast (or other decent protection installed), it is like this :
Your system (application you are using) > avast > ISP > destination (e.g. website)

Tripmode (and other tools like that) are sitting between avast > ISP
That make it looks like avast is causing the traffic while it isn’t.

The programmers/developers from Tripmode (and tools like that) should completely redesign how their tools are working so they check what really is causing the data traffic.

tumic · 2017-01-31T12:22:55.000Z

The Avast Web/Mail shield works this way since it was added to the product which was several years ago. There is even a technical info describing how the shields work from that time:
http://public.avast.com/~tuma/techinfo/

tumic · 2017-01-31T12:30:46.000Z

Eddy post:2:

No, there haven’t been major changes and it is still working as it has always been.

Tripmode (and other tools like that) are “lying”

In order for avast to be able to scan things it needs to sit between the application you are using (e.g. browser, ftp application and such) and the destination of the data traffic.

To keep it simpel, a normal connection without any protection is like this :
Your system (application you are using) > ISP > destination (e.g. website)

With avast (or other decent protection installed), it is like this :
Your system (application you are using) > avast > ISP > destination (e.g. website)

Tripmode (and other tools like that) are sitting between avast > ISP
That make it looks like avast is causing the traffic while it isn’t.

The programmers/developers from Tripmode (and tools like that) should completely redesign how their tools are working so they check what really is causing the data traffic.

Well, I wouldn’t use such strong words as “lying” or “should completely redesign how their tools are working”. Technically, they have not much chances to work correct in a scenario with a transparent proxy (like Avast web/mail shield) unless they would somehow “hijack” the proxy (which would have to be done uniq for every single transparent proxy).

Another story is, that the “process based” approach does not work very well even without Avast installed on modern OS X versions as various processes are accessing the network using a single “webkit process”.

system · 2017-01-31T13:12:19.000Z

Eddy post:2:

The programmers/developers from Tripmode (and tools like that) should completely redesign how their tools are working so they check what really is causing the data traffic.

The real underlying issue is the order in which filters are stacked in the kernel, including the Avast packet forwarder.
If Avast is the first in line and forwards the packets from there, others won’t see them as they are sent from the original app. Once proxied by the web filter, packets go back into the kernel as sent from the Avast proxy where they appear as sent from its process. Not sure of how we can find out what the original app was.
If TripMode is the first in line, packets are seen twice. Once from the original app before they get forwarded then a second time as they come back into the kernel from the Avast proxy. Traffic get attributed to both the app and Avast, but at least the apps can be blocked individually.
Stacking order seems to not be alterable through the network kernel extensions themselves. Only workaround we found on initial testing is that the last loaded extension seems to get placed as the first filter in line.
Suggestions are very welcome on how to fix this issue and make TripMode play well with Avast.

The single webkit process issue is fixed for the most part in an upcoming TripMode release, but Apple unfortunately does not provide a public API to retrieve which XPC helpers match a given app so it is done heuristically.

Announcements