OK, first thing I have reinstalled with only File System Shield enabled because of other problems Avast is causing with forums and email.
Also
Every day, sometimes 2 or 3 times per day, I get prompted by my firewall to allow emergency updates from Avast. There are usually 5 to 7 consecutive prompts, all wanting to connect through port 80 from multiple Avast servers. Even if I set a rule to allow them permanently I still get prompted. At one time I had over 15 permanent permissions just for the Emergency Update service in my firewall filter rules but still the prompts kept coming. This is not acceptable!
Nothing wrong with Kerio, it’s one of the finest firewalls.
@dolphins, when Kerio alerts, look at the bottom - you need to make a permanent rule for this application - but don’t include the remote IP since the server changes. Make sure your rules sequence is ok - it might not be since you say you allow the update and it still won’t run. But I suspect your problem is with the child executables.
The main problem is what happens after when the new file comes in.
Outpost, OnlineArmor, Sunbelt, any GOOD firewall, sees a NEW EXECUTABLE. By design it must ask for permission.
Since Avast gives those new child executables a different filename, such as
c:\Program Files\AVAST Software\Avast\Setup\fec4d8ce-99fb-4ea5-8a09-f19dcf12eb20.exe
c:\Program Files\AVAST Software\Avast\Setup\629ce6f5-9888-4934-b71d-7fbd07ed0dea.exe
the good firewalls must alert, even if something like trusted app (avastEmUpdate.exe parent) is permitted.
Kerio 2.1.5 is one of the best no nonsense rule based firewalls ever developed. But don’t take my word for it, ask some security experts on some of the accredited security forums. I’ll put it up against any of today’s bloated firewalls. I don’t need bells and whistles I just want strong protection which is what Kerio gives me.
That is not my IP address it is an Avast server’s IP address. It wouldn’t matter if it was my IP anyway.
@cooby I set the permanent rule and it works until Avast wants to phone home again. Like you said, Avast’s executable changes its file name every time so I don’t see any way to allow it with filter rules?
I followed much of the Avast EMupdater discussions (here and on the Agnitum forum) and am just adding that I have NO issues here using Outpost Pro on either XP or W8.1 with this Avast process or nagging popups.
@dolphins,
Now, your screenshot doesn’t show the full name of the .exe file you put there, I guess it’s the same as in the rule name.
AvastEmUpdate needs a connection as you’re coding it. Just put it in the right place.
The randomName.exe file does not need the internet connection, at least not for me. It gets downloaded when emergency update sees one is required. It is then run.
It causes some firewalls to alert because its name changes so HIPS or behavior blocking sections of a firewall respond, not the packet rules.
On the other hand, if you look into the Outpost forum thread I posted, you will see that there was an alert for both behavior and connection for the randomName.exe. So I guess every firewall alerts slightly differently or sees different events, and also it may well be related to what sort of HIPS/behavior settings one has. I don’t have that option, so every new .exe causes a prompt.
Are you sure the alert you get from Kerio is for the randomNamed.exe? The one you posted originally is just for the emergency update.
This is off-topic: You may want to put port 80 into the remote port, also limit your local ports to 1029-5000 if on XP, some other range for newer Windows.
Last time I checked, “best firewall” and “being heavily outdated” don’t go together at all. Kerio has not been updated for years, so why are you even relying on it?
It isn’t. A hardware firewall is a dumb firewall that just filters packets, but has no clue what’s going on at a system level. A hardware firewall is only useful if you want to prevent access in or out for specific ports and IP addresses.
@cooby The filter rule is for the Emergency Update exe not one of the random file names. I deleted all the old filter rules for Avast so I’m starting fresh to see if I can get this straightened out?
Oddly this has been happening for the last 2 weeks but today it has not happened yet. It usually happens right after I boot up in the morning but so far nothing. I will make screen captures of each one and post them here if and when they pop up again? If you’re familiar with Kerio you already know it will always use the first rule in the list which overrides the lower priority filters. So maybe one of the old rules was the problem? Since this is an ongoing problem with other firewalls also, I will post any new results here that may or may not help you.
Thank you for staying on topic and not joining the pissing contest about firewalls.
There haven’t been new emergency files since Jan 23, so it has to be quiet if your packet filtering rules are now OK and in the correct sequence.
When one arrives, Kerio will alert you if you check for new or changed executables.
I just dusted off an XP box that had Avast on it. In the log of MD5 items in Kerio is at least one of the randomName.exe jobs - see picture.
So, like I said, for me it’s on the behavior side and not the packet filtering side of the firewall.
Now, as I think about it some more, even if the fileName didn’t change, a firewall will alert to the change of contents. So yes, we do need to live with it if we want a firewall to monitor what runs, a rather important protection method in my opinion.
Sorry about that copied post#8, I meant to edit something, messed up and gave up.
First thing this morning after boot up it started again only this time the ‘New found Hardware’ wizard opened when I allowed the update. I have not installed any new hardware in this machine in the last year.
The MD5 signatures stay the same but the file name changes (See Attachment).
No, you can’t get a fix neither here nor in the firewalls as I mentioned earlier when I took a bag off my head.
Firewalls with HIPS or behavior monitoring will alert so long as they’re set up to alert on new executables, new components etc. So the settings do play a role. For instance, in Kerio if you didn’t want any behavior alerts, you’d need to turn off MD5 monitoring. Bad idea, unsafe, but you can do that. Likewise in Outpost’s antileak settings.
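The two posts above make the key observation: the MD5 of the dropped child executable stays the same while its name changes, so a rule keyed on the path needs a new entry for every GUID-style name, whereas a check keyed on content needs one. The script below is an added illustration of that difference and is not Kerio's or Avast's code; the two GUID names are the ones quoted earlier in the thread, the file contents and the `Setup` folder are constructed in a temp directory, and `avastEmUpdate.exe`/`unknown.exe` are placeholder names used only for the demo.

```python
import hashlib
import os
import re
import tempfile

# GUID-style names like fec4d8ce-99fb-4ea5-8a09-f19dcf12eb20.exe (from the thread).
GUID_EXE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.exe$", re.I)


def file_md5(path):
    """MD5 of a file's contents, read in chunks (MD5 chosen to match Kerio's MD5 monitoring)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_setup_dir(setup_dir, known_md5s):
    """Map each .exe in setup_dir to a verdict.
    'known-content': hash already allowed, whatever the file is called.
    'new-content'  : contents never seen before; this is the case a HIPS should alert on.
    A '-random-name' suffix flags GUID-style names, which a path-keyed rule cannot pre-allow."""
    verdicts = {}
    for name in sorted(os.listdir(setup_dir)):
        if not name.lower().endswith(".exe"):
            continue
        digest = file_md5(os.path.join(setup_dir, name))
        suffix = "-random-name" if GUID_EXE.match(name) else ""
        verdicts[name] = ("known-content" if digest in known_md5s else "new-content") + suffix
    return verdicts


def demo():
    """Constructed Setup folder: one payload under two GUID names, the parent updater, one unknown file."""
    payload = b"MZ constructed emergency-update payload"      # constructed, not a real binary
    parent = b"MZ constructed parent updater"                 # constructed
    unknown = b"MZ constructed unrelated executable"          # constructed
    files = {"fec4d8ce-99fb-4ea5-8a09-f19dcf12eb20.exe": payload,
             "629ce6f5-9888-4934-b71d-7fbd07ed0dea.exe": payload,
             "avastEmUpdate.exe": parent, "unknown.exe": unknown}
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # The user has allowed the parent and the first random-named drop once, by content.
        known = {hashlib.md5(payload).hexdigest(), hashlib.md5(parent).hexdigest()}
        return classify_setup_dir(d, known)
```

Run `demo()`: both GUID-named files come back as `known-content-random-name` from a single allowed hash, while `unknown.exe` is the only `new-content` entry that still merits a prompt.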
Yeah, I got an emergency update yesterday as well.
I feel those things are cleverly written when they can make a change without the need for reinstallation of Avast.
Are ‘emergency updates’ dependent on streaming updates being enabled? If so, I’ll disable the thing.
This is a flippin’ nuisance. An occasional emergency update is one thing but it’s routine. I put up with it because Avast is such good protection but it’s a bad do really.
How about an option to be able to set Avast to request randomly or fixed name emergency update executables? Obviously random naming should be default but the user ought to have the option of electing to download fixed named executables. These things are digitally signed after all. I would like the choice.
@hake, we have to live with it. I finally came to the conclusion that’s how it has to be, unless you want a convenient, but much weaker, protection. Emergency update is not routine. Yes, it runs often checking. Just connects out to check and stops when there’s nothing to do. But the download and a new .exe file is infrequent and a pest of sorts.
@bob3160, The issue is not “access through the firewall”.
Avast setup and emergency update need outbound connection to avast servers and get it.
The random named executables never want any outbound.
The debate is about what avast emergency runs. It loads and runs a child process of a random named .exe file.
Just like a trojan would from an infected website or an obfuscated link in email.
A good firewall watches that sort of thing. It sees it as a new executable file and alerts. Even if the filename were the same, it will be seen as a change. See the Outpost discussion in a link I showed in post#4 as well as more of my ramblings in post#12 in this thread.
Edit:
In post#14, dolphins shows the behavior logged new executables, and here’s mine from yesterday - see pic.
Not a TCP to http port connection at all, just a new .exe file to deal with when emergency launches the new file just loaded into \setup.