Firewall rules for Avast ping home?

I just installed Avast antivirus (home edition). According
to the online help, I should configure the firewall to allow
access to

According to
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=25,
the programs that should be allowed access are

  • avast.setup
  • avastXX.setup (where “XX” are some numbers)
  • aswUpdSv.exe
  • ashServ.exe
  • ashWebSv.exe

However, I’m getting firewall access requests that correspond to
neither the IP addresses nor the applications listed above. The requests
are pings (ICMP[8]) to sl2XX.avast.com, where XX varies from 09 to 14
(and probably beyond, except that I got tired of them and created a
blocking rule). The IP addresses are 75.126.203.67-72. There was also
one to sl205.avast.com (75.126.130.172). The firewall lists the
application as tcpip kernel driver.

I haven’t found any information on legitimate IPs for the pings. Do I
have to open up the firewall to all outgoing pings? What is the
impact on Avast functionality or updatability if I don’t?

avast downloads a file called servers.def that lists a large range of avast servers that may be accessed by avast to download virus updates (as the evidence you have seen supports).

I do not know where you got the limited list of URLs but they will not suffice.

Does Avast have any suggested practices for accommodating this behaviour when using a firewall? I assume that amenability to firewall accommodation is a consideration in application design these days (though I could be wrong).

In the firewall settings, the following programs should be allowed to connect:

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (avast! Web Scanner)
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (avast! e-Mail Scanner Service)
C:\Program Files\Alwil Software\Avast4\Setup\avast.setup (avast! Update executable). This is a temporary file that just appears when an update (check) is about to launch, and disappears again afterwards.

Don’t need rights to connect:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (avast! Update Service)
C:\Program Files\Alwil Software\Avast4\ashServ.exe (avast! antivirus service). However, ashServ.exe sends ping packets to find out if the Internet connection is alive. You can turn this off by checking the “My computer is permanently connected to the Internet” box in the avast Program Settings > Update (Connections) page.

The list of legitimate IPs is in the servers.def file in the setup folder.

Tech,

I don’t have a problem giving access rights to all the executables
mentioned. This is because servers.def contains nearly 200 URLs, so it
could take some time to convert them into IP addresses using
publicly accessible free DNS lookup websites. Also, those sites
recently started to limit the number of lookups unless you subscribe to
their services. So any solution that avoids the requirement of
supplying far-end IP addresses is preferable to specifying
destination addresses to the firewall.

I was hoping that one solution that avoids the need to specify far-end
IP addresses would be to grant access to all legitimate apps that
reach out. This is complicated for the ping. For Kerio Personal
Firewall (KPF) 2.1.5, outgoing pings don’t show up under the app that
initiates them. The application is shown as “tcpip kernel driver”.
The generic nature of this app makes it hard to let out only pings
that I know are from Avast. For non-ping accesses, the initiating app
is shown, so I’m not sure why ping-outs are different – perhaps it’s
part of how things work, or how Windows 2000 works. In any case, your
solution of specifying “permanently connected” avoids the need to
ping, and hence, the need to specify far-end addresses to ensure valid
pings.

One question about this solution – what happens when it checks for
updates every 4 hours, as per
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=25,
and then runs up against a lack of connectivity? I know that if I
manually initiate a check for updates, I am informed of
nonconnectivity via the GUI. Automatic updates happen in the
background (correct me if I’m wrong), so is the user warned of
nonconnectivity via a popup? Aside from notification, does it wait
another full 4 hours before checking again, even if connectivity is
enabled shortly after such a warning? (I suspect yes, since it no
longer checks for connectivity.)

Finally, firewall rules (at least for KPF) require specification of
all these fields:

  • Protocol: TCP, UDP, ICMP, or other
  • Direction: Ingoing, or outgoing
  • Local port: Single port, Port/range, list of ports
  • Application: The *.exe files mentioned above in this thread, i.e.
    this is the only field for which I have been able to find the
    required details so far
  • Remote endpoint: Leave it as any address, as per explanation above
  • Port number: I guess this is determined by whether access is HTTP,
    SHTTP, FTP, or other (correction welcome, as this isn’t my area)

I’m guessing that this would be very easy for Avast to assemble
(correct me if I’m wrong!), and in fact is essential for firewall
users. I was wondering if Avast could provide these details.

I have to wonder if you expect to have to pre-approve the IP address of every single site you might possibly browse into your software firewall? Would you expect to pre-approve the IP address of every server Skype might visit?

That way is a path to intense frustration. Firewalls are not implemented that way.

Almost all software personal firewalls are implemented in a way that requires you to approve access to processes along with certain other attributes that you have mentioned. I doubt that your firewall requires a list of the IP addresses that will be contacted by those processes. IP addresses are far from permanent and the IP address associated with a URL can change at any time - which is why firewalls are not designed to require them.

Hi, Alanrf,

I agreed that approving remote addresses for external accesses is
extremely frustrating, for the reasons in my 1st paragraph (posting 14
Apr 2008 2:56am). I also agreed that approving the application that
wants to reach out is easier (2nd paragraph). However, the 2nd paragraph
also described a problem with this approach that afflicts ping, at least
for my firewall, which is why Tech’s “permanently connected” solution
was so welcome. Paragraph 3 was about what happens if there isn’t
actually any connectivity during one of the automatic checks for
updates.

Paragraph 4 asked whether avast can provide the listed details that are
required for firewall rules for

  1. ashWebSv.exe
  2. ashMaiSv.exe
  3. avast.setup
  4. aswUpdSv.exe
  5. ashServ.exe
  6. avastXX.setup (where “XX” are some numbers)

Tech says that #4 and #5 are not necessary. If I understood
correctly, #5 pings home as a connectivity check, so that makes sense.
However, #4 is to check for updates, so I’d like to enable access for
that. I’m assuming that #5 reaches out for both automatic checks and
manually initiated updates, but confirmation from those in the know
would be welcome.

Finally, #3 is a temporary file, so it might pose problems on some
firewalls that detect when approved apps have changed. This concern is
just based on the description of that file. I haven’t seen it happen,
though I’m not sure it has attempted to connect yet (my firewall
silently blocks unpermitted accesses to avoid being overwhelmed by
prompts for Windows to phone home).

Anyway, I can face the potential problems with #3 when I reach them.
As a first step, I was hoping that Avast could provide the details of
accesses of the above apps in order for users to create firewall
rules, including:

  • Protocol: TCP, UDP, ICMP, or other
  • Direction: Ingoing, or outgoing
  • Local port: Single port, Port/range, list of ports
  • Application: The *.exe files mentioned above in this thread, i.e.
    this is the only field for which I have been able to find the
    required details so far
  • Remote endpoint: Leave it as any address, as per explanation above
  • Port number: I guess this is determined by whether access is HTTP,
    SHTTP, FTP, or other (correction welcome, as this isn’t my area)

I would imagine that many of those using a firewall would find these
details useful (and I’m kind of wondering what they currently do to
accommodate those accesses).

Thanks!

Go ahead, it won’t connect even if you allow… it does not connect. The job is done by avast.setup.

I think both (manual and automatic) work this way. But a confirmation from the programmers will be good.

The firewall will (should) ask for the connection again… but this works as explained.

avast.setup: outbound, TCP, 80, any remote IP.
ashMaiSv.exe: inbound, TCP, 110, 143, 119 (and any other port you use for email), any remote IP.
ashWebSv.exe: I have allowed all activities to it.
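The per-application rule set Tech gives above, evaluated against the connection events described in this thread, as an added example that is not part of the original posts nor code from Avast or Kerio. It assumes first-match evaluation with default deny, and that “port” means the local port for inbound rules and the remote port for outbound ones; the event names and the “unknown.exe” process are constructed.

```python
"""Constructed model of per-application firewall rules (not Avast or Kerio
code), checked against the traffic discussed in this thread."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for any rule field


@dataclass(frozen=True)
class Event:
    app: str              # process the firewall attributes the traffic to
    proto: str            # "TCP", "UDP" or "ICMP"
    direction: str        # "in" or "out"
    port: Optional[int]   # local port if inbound, remote port if outbound
    remote: str           # remote endpoint, "any" when not pinned


@dataclass(frozen=True)
class Rule:
    app: Optional[str]
    proto: Optional[str]
    direction: Optional[str]
    ports: Optional[frozenset]   # None = any port
    remote: Optional[str] = ANY  # thread's advice: leave remote as any
    action: str = "allow"

    def matches(self, ev: Event) -> bool:
        return (self.app in (ANY, ev.app)
                and self.proto in (ANY, ev.proto)
                and self.direction in (ANY, ev.direction)
                and (self.ports is ANY or ev.port in self.ports)
                and self.remote in (ANY, ev.remote))


# Tech's final rule set; anything unmatched is denied (no ICMP rule).
RULES = [
    Rule("avast.setup", "TCP", "out", frozenset({80})),
    Rule("ashMaiSv.exe", "TCP", "in", frozenset({110, 143, 119})),
    Rule("ashWebSv.exe", ANY, ANY, ANY),
]


def decide(ev: Event, rules=RULES) -> str:
    """First matching rule wins; default deny."""
    return next((r.action for r in rules if r.matches(ev)), "deny")


# Constructed events mirroring the thread (IP quoted from the first post).
EVENTS = {
    "update": Event("avast.setup", "TCP", "out", 80, "any"),
    "pop3": Event("ashMaiSv.exe", "TCP", "in", 110, "any"),
    "webscan": Event("ashWebSv.exe", "TCP", "out", 443, "any"),
    # ashServ's connectivity ping is attributed to the kernel driver, so a
    # per-.exe rule cannot admit it; the "permanently connected" option
    # removes the ping instead of requiring an open ICMP rule.
    "ping": Event("tcpip kernel driver", "ICMP", "out", None, "75.126.203.67"),
    "unknown": Event("unknown.exe", "TCP", "out", 80, "any"),  # constructed
}


def decisions() -> dict:
    return {name: decide(ev) for name, ev in EVENTS.items()}
```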

Thank you again, Tech!