Does Avast 6.x Require Inbound Exceptions In Win 7 Firewall?

I ask this because I have seen in my event logs that avastsrv.exe is being blocked at boot time.

I have also reset the Win 7 firewall to default settings since installing Avast.

Yes it does. The Avast service requires incoming to be allowed.

Thanks.

BTW - I tried the paid ver. of Sphinx Win 7 Firewall Control. Didn’t care for it. When I get time, I am going to try out this new freebie: http://www.neowin.net/news/windows-firewall-notifier-130

That new one looks interesting but since it’s very new, I expect it to have a few updates so I’ll wait a while before trying it. I like that it just uses the default firewall and doesn’t use a completely different one in conjunction with the built in one. That should make it much lighter weight.

uses the default firewall and doesn't use a completely different one in conjunction with the built in one

From what I have gleaned from the minimal documentation for it, not exactly. It appears it is designed primarily to alert you to an outbound connection and then allow/block it. It then creates its own allow/block rule which cannot be modified. What is unclear is if you create your own detailed firewall rule for an outbound alert, whether it will create a WIN 7 firewall outbound rule.

As the “firewall notifier” name implies, I think all the software is designed to do is alert you to an outbound connection, you specify allow or block, and then later set up your own WIN 7 firewall rule and delete the rule Firewall Notifier generated.

At least it should provide good leak protection.

There should be no need to add or remove anything to the windows firewall in default settings for avast.
Uninstall avast, then reset your firewall and reinstall avast, and things should work as they are supposed to; no exclusions necessary unless you enable outbound protection in the windows firewall.

Yes, but if you enable outbound protection in the built in firewall, it is very complicated to manually set up rules allowing it for apps since it will then block everything, including things like Windows Update. From what I read about the firewall notifier, it greatly simplifies the process by first enabling the outbound protection and then alerting you when attempts are made and letting you decide what to do from there. It then creates rules in the Windows firewall based on your decisions. The Win7 Firewall Control is actually another firewall built on top of the existing one and using the same APIs, but it does a pretty good job, even in the free version, which is what I’m currently using.

Like I said, the notifier app looks interesting and I may try it out when it matures a little more.

There should be no need to add or remove anything to the windows firewall in default settings for avast.

I agree that Avastsvc.exe does not require an inbound exception in the WIN 7 firewall since the WIN 7 firewall automatically handles inbound localhost, which is needed for avastsvc.exe to function. In fact allowing avastsvc.exe inbound access is dangerous since any external inbound TCP port 80 activity should be the result of an outbound connection under stateful inspection criteria.

Exceptions to the above would be P2P activity.

There is the question about browser activity since outbound TCP port 80 activity from the browser should be blocked since that activity is being done by avastsvc.exe. I think I saw occasional TCP port 80 leakage from IE8 when I was using Comodo as my firewall which caused me to block TCP port 80 outbound from IE8.

It doesn’t seem to require an exception in the Windows Firewall but it certainly does in any other firewall you use. I had to allow incoming for the Avast service in both the PC Tools firewall and in Win 7 Firewall Control. I see no reason to block browser activity though.

I have uninstalled Win 7 Firewall Control and I’m trying the Firewall Notifier. There have been a few glitches so far. It did not recognize connection attempts by Ventrilo, a popular voice chat program used by gamers in particular, and I had to manually create an outgoing rule. It also is not allowing Windows Update to connect so I’ll have to find the solution for that.

UPDATE: For some reason the Firewall Notifier app does not automatically allow Windows services like Windows Update, Windows Time, etc. to connect and does not give a notification when they attempt to. I fixed it by creating a rule to allow outbound for C:\Windows\System32\svchost.exe and now everything works as it should. The author of the program says that he has a new version almost ready to release that should fix the problems.

This for me is somewhat strange, as inbound connections that are associated with the outbound connection are generally allowed back in without being molested. e.g. if avastSvc.exe makes an outbound connection request, its associate inbound response should be let in.

Essentially there should be no occurrence of an inbound connection to/for avastSvc.exe if it didn’t originate the original outbound request.

All I know is that the PC Tools Firewall says that Avastsvc.exe is attempting to behave as a server (which means incoming connection attempts) and you have to allow that. The Win 7 Firewall Control alerts to incoming so you have to choose “enable all” for it. My XP machine has an exception in the XP firewall to let avastsvc through. The Win 7 firewall seems to handle it differently, or maybe Avast is now on its trusted list so it’s allowed automatically.

Yes it has to act as a server as it is intercepting browser calls to connect to the internet so that traffic can be routed through the localhost proxy.

You click on a link or type in a URL in the browser
-> redirect to Web Shield proxy
-> Internet
<- Web Shield proxy
<- redirect to browser cache
-> displayed in browser.

So it is handling outbound connection request and subsequent inbound connection response. That is very loosely what a server does.

UPDATE: For some reason the Firewall Notifier app does not automatically allow Windows services like Windows Update, Windows Time, etc. to connect and does not give a notification when they attempt to. I fixed it by creating a rule to allow outbound for C:\Windows\System32\svchost.exe and now everything works as it should. The author of the program says that he has a new version almost ready to release that should fix the problems.

Here’s the scoop on svchost.exe on Vista and WIN 7. You have to create outbound rules for the container services that handle win updates and time resolution at a minimum, or allow just svchost.exe by itself like you did, once the firewall outbound protection is enabled. If you look at the default outbound rules, you will see default rules for DNS and DHCP so you don’t have to create additional rules for those.

Now in the XP days, that is all you needed to allow svchost.exe to work and give you maximum protection from svchost.exe dial-outs from malware using it to run their own container services.

WIN 7 appears to use svchost.exe for other things that I haven’t fully checked out yet. It also has something called “hardening” that MS states prevents malware from running its own container services, although I don’t fully buy it. You will get a warning when you try to create svchost.exe container service rules stating the “hardening” feature and that you really shouldn’t create individual svchost.exe service rules.

I guess MS considers Google updater services OK since they run under svchost.exe and you won’t even know it!

What I don’t understand is why the Firewall Notifier program did not alert for svchost trying to connect. It’s supposed to give alerts about all outgoing connection attempts. I have so far found three things it doesn’t alert for: Ventrilo, the game DiRT3 (it does alert for incoming but not outgoing), and the Games for Windows Live framework. I had to manually make rules for those and in the case of GFWL, I had to look at the outgoing block log of the Notifier app to see what needed to be allowed. It was the LiveID component. Windows Firewall Notifier is a very new application and I’m sure it will get better in time.

UPDATE: There is a new version of the Firewall Notifier out, v1.3.2 and all the problems are fixed. It now notifies for all outgoing connection attempts like it should.

I never did put avast! on any Windows Firewall on any PCs I ever used… So I don’t think you need to add something to it. No matter what versions of avast! or Windows.

Mr.Agent

The exception for Avast was added to the exceptions in my XP firewall automatically.

Here is a link to the outbound rules one person created for his system: http://npr.freei.me/firewallrules.html. BTW - this link does not work on my home PC but I connect fine to it at work - go figure. Note this should be used as a rough guide only since this person, for example, uses OpenDNS as his DNS provider. It is a good example of rules for svchost.exe. Note that his AV is MSE and that requires a rule for the BITS container service.

Next is a link to what I consider the definitive lay person tutorial on everything about the WIN 7 firewall: http://sourcedaddy.com/windows-7/understanding-windows-service-hardening.html. This tutorial is written in non-techno babble, unlike what is found on the MS TechNet site. The two sections I recommend reading first are ‘Understanding Windows Service Hardening’ and ‘Understanding (Firewall) Rules Processing.’ Note that the WIN 7 firewall does not process rules like most of the popular firewalls in existence today. Those firewalls process rules in a top down fashion.

Best to leave WIN 7 outbound default rules in place till you really know what you are doing. Just add rules for your existing outbound Internet applications; primarily anything that requires updating. This would include Avast applications that perform virus definition updating plus the avastsvc.exe program and the like. Finally your browser if using Avast’s web shield would have to allow optionally outbound TCP from any local port to localhost(127.0.0.1) remote port 12080. I say optionally since it appears the WIN 7 firewall will allow all outbound activity to localhost unless specifically overridden. You will also have to include rule for https activity TCP from any local port to remote port 443 for your browser.
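The outbound baseline the post above describes, written out as netsh commands for the Windows 7 firewall. This is an added example, not something posted in the thread; the Avast and Internet Explorer install paths, the service names and the localhost proxy port 12080 are assumptions taken from the discussion and should be checked against your own system before running it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): Windows 7 outbound-rule baseline via netsh advfirewall.
# Run from an elevated prompt. Paths and ports below are assumptions; verify them locally.
$avast = "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"   # assumed Avast 6 install path
$ie    = "C:\Program Files\Internet Explorer\iexplore.exe"       # assumed browser path

# 1. Back up the current policy so the experiment can be undone with "netsh advfirewall import".
netsh advfirewall export "$env:USERPROFILE\Desktop\wf-before.wfw"

# 2. Switch every profile to block outbound by default. Inbound stays blocked as it already is.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. svchost.exe: allow only the container services that need the network, not svchost as a whole.
#    wuauserv = Windows Update, BITS = the transfer service it uses, W32Time = time sync.
#    Windows may print a service-hardening warning for these; the rules are still created.
netsh advfirewall firewall add rule name="Allow svchost - Windows Update" dir=out action=allow program="%SystemRoot%\System32\svchost.exe" service=wuauserv protocol=TCP remoteport=80,443
netsh advfirewall firewall add rule name="Allow svchost - BITS" dir=out action=allow program="%SystemRoot%\System32\svchost.exe" service=BITS protocol=TCP remoteport=80,443
netsh advfirewall firewall add rule name="Allow svchost - Windows Time" dir=out action=allow program="%SystemRoot%\System32\svchost.exe" service=W32Time protocol=UDP remoteport=123

# 4. Avast service: definition updates plus the Web Shield proxy's own fetches, HTTP/HTTPS only.
netsh advfirewall firewall add rule name="Allow AvastSvc" dir=out action=allow program="$avast" protocol=TCP remoteport=80,443

# 5. Browser: HTTPS leaves directly; plain HTTP is handed to the Web Shield proxy on localhost,
#    so the browser itself needs no rule for remote port 80.
netsh advfirewall firewall add rule name="Allow IE - HTTPS" dir=out action=allow program="$ie" protocol=TCP remoteport=443
netsh advfirewall firewall add rule name="Allow IE - Web Shield proxy" dir=out action=allow program="$ie" protocol=TCP remoteip=127.0.0.1 remoteport=12080

# 6. List the outbound rules now in place.
netsh advfirewall firewall show rule name=all dir=out | Select-String -Pattern "Rule Name:"
```

The default DNS and DHCP outbound rules mentioned in the post remain in effect, so nothing is added for them. If something stops working, `netsh advfirewall import "$env:USERPROFILE\Desktop\wf-before.wfw"` puts the saved policy back.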

I pretty much think that’s gibberish and overkill. If you enable the outbound blocking in Win 7, it’s not easy to manage things and you definitely have to make an outbound rule for svchost since Windows Update, Time, and probably a few other things will not work without it. If you leave the Firewall in its default state where all outbound is allowed, then of course you don’t need to do anything. The Firewall Notifier greatly simplifies the handling of outgoing connections and should be a part of the Firewall to begin with in my opinion.

That chart of rules is the very one I used to create rules that would let Windows Update and Time function. With the updated version of the notifier, it now detects the attempt of svchost to connect and lets you choose how to handle it. I tested it by deleting the rules I had created manually and then accessing Windows Update. It detected the connection attempt and I chose to allow it. To simplify my rules, I just accepted the default rule it created that allows all outbound connections. I don’t think I need any specific rules for specific services and/or ports. That’s just overkill in my opinion.

I don't think I need any specific rules for specific services and/or ports.

I think it is important to understand how malware has evolved over time. Malware today hides itself. The days of firing up Task Manager and looking for strange processes running are long over.

Windows OSes have always included what I call “spawners.” Simply put, these programs have the ability to create other processes on demand. However, the sub-processes run under the identity of the name of the creator process. Hence the occurrence of multiple svchost.exe processes running anytime you view running processes in Task Manager. There are other spawners like svchost.exe, most notably rundll32.exe, that require periodic examination.

As I stated previously, WIN 7 has tightened up the criteria under which the spawners can execute. However, malware creators are very clever and the ability to create new exploits is always present. Then there is the issue of what I call “grey” applications. Grey applications are programs created by legit vendors that are used for analyzing your computer activity for commercial purposes, aka non-malicious spyware, which is how I classify them.

Unfortunately, only a few firewalls have the capability of recognizing and controlling spawning processes. Most are commercial firewalls. The only retail ones that I know of are the Vista and WIN 7 firewalls plus PrivateFirewall. I tried to install PrivateFirewall on my WIN 7 installation and it was a disaster.

Summing this up, if a person is really concerned about undesirable outbound activity, spawning processes cannot be ignored. One alternative is to force each subprocess to be shown individually as a separate svchost.exe entry, for example. The WIN 7 command, run from a command prompt window with admin privileges, is SC Config servicename Type= own. To restore the original state use the same command with Type= share. Ref: http://commandwindows.com/sc.htm
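The svchost splitting described in the post above, carried through end to end. This is an added example rather than anything posted in the thread; it uses Windows Update (service name wuauserv) as the sample service, which is an assumption, and needs an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): find which services share each svchost.exe, move one
# service into its own svchost.exe so it shows up separately, verify, and show how to undo it.
# Run from an elevated prompt. wuauserv (Windows Update) is the assumed sample service.

# 1. Map every svchost.exe PID to the services it hosts. Each line with several names is one
#    shared host, which is why Task Manager alone cannot tell you which service is talking.
tasklist /svc /fi "imagename eq svchost.exe"

# 2. Show the current hosting type. 20 WIN32_SHARE_PROCESS means it shares a svchost.exe with
#    the rest of its group; 10 WIN32_OWN_PROCESS means it gets a process of its own.
sc.exe qc wuauserv | Select-String "TYPE"

# 3. Give the service its own svchost.exe. The space after "type=" is required by sc.exe.
sc.exe config wuauserv type= own

# 4. The change applies at the next start, so restart the service, then confirm its PID hosts
#    nothing else. Restart-Service starts the service if it was stopped.
Restart-Service -Name wuauserv
$svcPid = (Get-WmiObject Win32_Service -Filter "Name='wuauserv'").ProcessId
tasklist /svc /fi "pid eq $svcPid"

# 5. Undo: return the service to a shared host and restart it again.
# sc.exe config wuauserv type= share
# Restart-Service -Name wuauserv
```

Once the service runs alone, a third-party firewall that only sees the image name and PID can attribute its connections correctly, which is the visibility problem the post is describing. The Windows 7 firewall itself does not need this, since its rules can match on the service name inside svchost.exe.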

I don't think I need any specific rules for specific services and/or ports.

Pertaining to ports, the fundamental tenet of outbound firewall creation is to restrict outbound activity to specific protocols, ports, and ideally IP addresses or, if not possible, at least domain URLs. Simply put, the easiest way to determine if a “legit” outbound application is not really legit is to observe it using non-standard http/https ports or connecting to malicious/questionable IP addresses.

Forget using digital certificates as a failsafe way of determining is an application is legit. Digital signatures are being hacked every day.
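One way to act on the advice above about watching for non-standard ports, as an added example that is not part of the thread: the Windows 7 firewall can log allowed and dropped connections to pfirewall.log, and a short script can pull out every outbound (SEND) entry whose destination port is not on an expected list. The log lines embedded below are constructed for illustration, and the expected-port table is an assumption to adjust per machine.

```powershell
# Added example (not from the thread): flag outbound connections to unexpected ports in the
# Windows Firewall log. The log lines below are constructed sample data in the pfirewall.log format.
# To have the firewall write the real log (elevated prompt):
#   netsh advfirewall set allprofiles logging allowedconnections enable
#   netsh advfirewall set allprofiles logging droppedconnections enable

$sampleLog = @"
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-06-20 10:15:01 ALLOW TCP 192.168.1.10 93.184.216.34 49152 443 0 - 0 0 0 - - - SEND
2011-06-20 10:15:02 ALLOW UDP 192.168.1.10 192.168.1.1 51000 53 0 - - - - - - - SEND
2011-06-20 10:15:09 ALLOW TCP 192.168.1.10 198.51.100.23 49160 8080 0 - 0 0 0 - - - SEND
2011-06-20 10:15:11 ALLOW TCP 192.168.1.10 203.0.113.77 49161 6667 0 - 0 0 0 - - - SEND
2011-06-20 10:15:12 ALLOW TCP 203.0.113.5 192.168.1.10 443 49152 0 - 0 0 0 - - - RECEIVE
"@

# Ports this machine is expected to use outbound (assumption). Anything else gets reported.
$expectedPorts = @{ "TCP" = @(80, 443); "UDP" = @(53, 123) }

function Get-UnexpectedOutbound {
    param([string[]]$Lines, [hashtable]$Expected)
    $findings = @()
    foreach ($line in $Lines) {
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }   # header and blank lines
        $f = $line -split ' '
        if ($f.Count -lt 17) { continue }                               # malformed line, skip it
        $proto = $f[3]; $dstIp = $f[5]; $dstPort = [int]$f[7]; $path = $f[16]
        if ($path -ne 'SEND') { continue }                              # outbound entries only
        if ($Expected.ContainsKey($proto) -and ($Expected[$proto] -contains $dstPort)) { continue }
        $findings += New-Object PSObject -Property @{
            Time        = "$($f[0]) $($f[1])"
            Action      = $f[2]
            Protocol    = $proto
            Destination = "$dstIp`:$dstPort"
        }
    }
    return $findings
}

# Against the constructed sample this reports the 8080 and 6667 connections and nothing else.
$results = Get-UnexpectedOutbound -Lines ($sampleLog -split "`r?`n") -Expected $expectedPorts
$results | Format-Table Time, Action, Protocol, Destination -AutoSize

# Against the real log:
# $log = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
# Get-UnexpectedOutbound -Lines $log -Expected $expectedPorts
```

The firewall log records addresses and ports but not the process that made the connection, so a hit still has to be tied back to a program, for example with `netstat -b` from an elevated prompt while the connection is open, or by matching the destination against the per-program rules already in the firewall. The same loop can carry an IP blocklist check alongside the port check if you have a list you trust.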