Looking at my firewall connection logs and I see something I have noted before with a few other apps. The source location is listed as, device\harddiskvolume2…as shown in the image. I have previously noted this behaviour and subsequent request for firewall access when installing some games, notably GOG games when installing from their game client once download has concluded.
It seems some kind of temp folder is made to complete the installation to your local device. In my firewall logs the destination I.P address was google DNS which I use and not an outside I.P. Overall, not sure what decides to trigger this request from this temp install but they are very annoying multiple times per day.
I doubt this helps but it follows a pattern at least.
The problem has been going on for over 4 weeks now.
So far, no one seems to have taken care of it.
Now something is moving.
I had Avira antivirus before, Avast is better.
It would be handy if all of these connections for the update/checks were made from the same location
Given that every connection appears to have a unique id e.g.
C:\Program Files\Common Files\Avast Software\Icarus\Avast-av-vps\temp\asw-‘UniqueID-string’\icarus.exe
Or even
C:\Program Files\Common Files\Avast Software\Icarus\Avast-av-vps\temp\asw-‘UniqueID-string’\common\icarus.exe
This forces the use of wildcards in the firewall to allow its use - however some firewalls don’t allow for the use of a wildcard. Not to mention some consider the use of a wildcard less than secure.
Note I’m currently not experiencing this in Avast Free, with the Avast Firewall on a Windows 10 system.
EDIT: Thanks, I was too quick to post - these screenshots are very helpful. As you can see, it is DNS traffic, something that we definitely need to do, before reaching for any update. We’ll work on understanding why all of a sudden this gets triggered by the firewall.
Original message:
Hello ahahah, thanks. It’s still a bit unclear - does the firewall complain about the traffic? Does the alert mention any traffic details? Outgoing TCP / DNS / UDP maybe? Or a listening port being opened? Anything like that might help us look for any change that might be causing this - because, while we are improving the setup code, the traffic-generating part is pretty stable and has been used in several apps (pretty much in every product we have) for a couple of years already.
Ahahah, you’ve also mentioned that your firewall settings trigger connections from any “new” application - this might be a problem that is hard to overcome - since Icarus is really frequently updated, at the least, once every month. The first thing this product does is checking for its own updates, downloading them and then it starts with the fresh copy of itself - then, it checks and downloads updates for the rest of the binaries. … we’ll discuss what the options are, but unfortunately it seems that having the binary static (a setup where even a strict firewall won’t trigger the popup) somewhat fights against the whole purpose of the updater - to be at the latest version always and make the rest of the installation also new. Even though there are tricks, how to make the icarus.exe static, while updating other parts and DLL libraries, that are loaded into it, this whole behavior is a bit strange and may trigger any smarter firewall or IDS/IDP system as well.
1 time every month is extremely more acceptable than 2/3 times a day.
This is normal, nothing to say about that.
But… we know the reason, we have many times described it in this topic.
The reason is because icarus.exe changes each time its directory location from where it is executed on the disk, so the firewall considers it each time as a new program. It is for this reason that it asks each time if this “new program” is allowed to connect or not.
Problem we have is not that avast/icarus is asking for connection but rather that since latest major update to avast, icarus keeps showing up in different locations by which we mean temp folders that are random letters and simply once allowing Icarus.exe in firewall won’t do much as it keeps changing its location and asking for updates each day multiple times every time from new random created subfolder that ofc triggers firewall for new approval.
In an ideal world what we would need is that icarus is not creating itself in temp folders, or if it has to download new version of itself to temp folder, then at least for it not to try to connect to internet before replacing old icarus.exe in default location and only then request connection to internet.
So since last update icarus.exe will create random temp sub folders multiple times per day and try to go online from that location, that triggers firewall each time for new approval as location of file is new/has changed.
Personally I used wildcard for subfolder but only for file that would be called icarus.exe so something like this “C:\Program Files\Common Files\Avast Software\ * \Icarus.exe”
Still I don’t think that should be solution as many firewalls won’t allow for wildcards, and avast didn’t need that way up until now, so I can’t see why it has to be like that from now on.
It’s discouraging, after all we did to analyse/explain the problem it is as if they have not read anything in this topic…
Yes, I think I give up at this rate of progress and simply switch product.
The built-in Windows firewall itself does not support Wildcard paths either.
If the location of icarus.exe is new, as with these temp vps folders, it is considered a new file, and a proper firewall will alert.
If the executable icarus.exe has changed, it has a new size/time/date/hash and is considered a new file, and the firewall will alert.
This is normal and even wanted behavior. If this is not compatible with how Avast uses icarus.exe to update itself, then Avast has made itself incompatible with most if not all firewalls that aren’t Avast Firewall.
Solution for Avast devs: rework how Avast uses icarus.exe, or stop using icarus.exe.
You created this mess. You fix it!
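As an added illustration (not part of the thread, and not Avast's or any firewall vendor's code), the sketch below compares how three kinds of path-based allow rule treat the icarus.exe locations quoted above: an exact path, the wildcard a poster suggested, and a pattern pinned to the two temp-folder shapes. The glob semantics (`*` spanning directory separators), the ID character set, the fixed-location placeholder and every sample path are assumptions constructed for the example.

```python
import re
from fnmatch import fnmatchcase

BASE = r"C:\Program Files\Common Files\Avast Software"

# Rule 1: exact path. The folder name is a labelled placeholder, not a real install path.
EXACT = BASE + r"\FIXED-LOCATION-PLACEHOLDER\icarus.exe"
# Rule 2: the wildcard quoted in the thread (spaces around the * removed).
WILDCARD = BASE + r"\*\Icarus.exe"
# Rule 3: pinned to the two path shapes quoted in the thread.
# Assumption: the unique ID consists of letters, digits and hyphens.
PINNED = re.compile(
    re.escape(BASE + "\\Icarus\\Avast-av-vps\\temp\\asw-")
    + r"[0-9A-Za-z-]+\\(?:common\\)?icarus\.exe",
    re.IGNORECASE,
)

def matches(rule, path):
    """Return True if the named rule would allow the given executable path."""
    if rule == "exact":
        return path.lower() == EXACT.lower()
    if rule == "wildcard":
        # fnmatch's * also matches backslashes, so it spans any folder depth.
        return fnmatchcase(path.lower(), WILDCARD.lower())
    if rule == "pinned":
        return PINNED.fullmatch(path) is not None
    raise ValueError(rule)

def evaluate(paths):
    """Map each path to the list of rules that would allow it without a prompt."""
    return {p: [r for r in ("exact", "wildcard", "pinned") if matches(r, p)]
            for p in paths}

# Constructed sample paths (IDs and folder names are made up).
FIXED = EXACT
TEMP1 = BASE + r"\Icarus\Avast-av-vps\temp\asw-1a2b3c4d\icarus.exe"
TEMP2 = BASE + r"\Icarus\Avast-av-vps\temp\asw-9f8e7d6c\common\icarus.exe"
STRAY = BASE + r"\Unrelated\nested\dir\icarus.exe"
OTHER = r"C:\Users\Public\icarus.exe"

if __name__ == "__main__":
    for path, rules in evaluate([FIXED, TEMP1, TEMP2, STRAY, OTHER]).items():
        print(f"{path}\n    allowed by: {rules or 'nothing (firewall prompts)'}")
```

The exact rule covers neither temp copy, which is why the prompts keep appearing; the wildcard covers both but also any other icarus.exe below the vendor folder, while the pinned pattern covers only the two quoted shapes.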
Once a month wouldn’t be much of an issue. But some users are seeing an alert 3 times a day. So if the executable doesn’t change 3 times a day, then it must be that every time it runs, it does so from a different temp folder. As of yet I haven’t seen any explanation of why it needs to do that.
I’d like to chime in. I’m using Simplewall as my firewall of choice and ever since the latest update of Avast, I’m getting Icarus.exe notifications several times a day. Exactly because of the reason stated here. The Icarus.exe process always starts from a different folder, making the firewall think it’s a different process.
I’ve had six instances just today. Just awful. I have picked out a replacement AV for my machine then will swap over the other two family ones also.
I had a look at the update function of Avast, and I noticed that because of this behavior, Avast can’t update at all!
The reason for it is that firewall blocks the icarus.exe process, asking whether to allow it access the internet or not. But by the time you click on “Allow”, Avast already stops the update with an error saying that something went wrong and the update failed.
I attached a screenshot.
In this case, I think you have to go in the avast options to manually force the update.
Can you tell me which one you have found? I’m also interested in another antivirus.
This firewall issue is well known. It happened to AVG (which was purchased by Avast), and so far they’ve done nothing about it. So, I doubt they will do anything now. Icarus and the odd behavior of creating self-copies in a temporary folder is here to stay.
Today there was a program update and I was hoping they had fixed our issue. In the beginning, it seemed like they did and I wasn’t getting the notifications from my firewall anymore every time I pressed the Update button, but after some more testing, the notifications started to appear again.
So still no fix.