Firewall Logs

I have been using PrivateFirewall for a long time and it works perfectly for me, does a fine job.

When I recently changed my AV from AVG 2015 Free to Avast Free, the number of FW logs increased enormously. On checking the Local IPs they are all private addresses. My FW blocks them. If I rate these IPs as “trusted”, it reduces the number of logs, but as the Remote IPs often differ for the same Local IPs, the logs keep coming.

I see no reason to rate IPs as “trusted” when I do not know what they are, who they belong to or what they are trying to do.

Why did this happen when I changed my AV to Avast, and how can I stop it?

This avalanche of FW logs only happened when I installed Avast.

My puzzle is that if Avast is generating these private IPs for some process reason, then my FW is blocking them - Catch 22. Does that mean Avast is being restricted? I have no idea what all these IPs mean or what they are supposed to be doing.

An example is shown below. Most of these logs appeared whilst my PC was on Standby. The up arrow is outgoing and the down arrow is incoming.

http://i.imgur.com/fqHTpB3l.jpg

You probably had a learning mode when you first installed the firewall software and it allowed AVG. Now that you’ve switched AVs, it’s trying to block everything from Avast.

Put the following exceptions in Outbound:
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\AVAST Software\Avast\setup\instup.exe
C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe

Thank you for that.
The only place in PFW to put this kind of data is :-
settings>advanced>detected applications>parents>processes

Currently lists :-
Parents

http://i.imgur.com/kkIV68M.jpg

Processes

http://i.imgur.com/nZohOLv.jpg

AVAST Software\Avast\setup\instup.exe is not there, I will add it. The others on your list are there.

What exactly does training mode do?

Many firewalls have a training/learning mode; you can set it in some cases (7 days or so). Basically it monitors your activity, which processes access the internet and what/how they do that, and creates rules to allow that activity.

Thanks for that. Perhaps when training has finished, the number of logs will reduce. I have set training for 3 days at the moment; you can have 7 or 14 days.
Almost all the blocked logs are ICMP or IGMP.

Well, ICMP is Internet Control Message Protocol and IGMP is Internet Group Management Protocol; try a search on those to find out more detail on what may be using them.

I would have thought the firewall logs would give more information on the process making the connection and the domain/IP address it is trying to access. Without full information it is almost impossible to speculate as to the reason for these connections.

A place to find many tools that may help:
https://wiki.wireshark.org/Tools
Way beyond my knowledge, but they certainly have a lot of tools.