Problem with the Web Scanner

Environment:

  1. Dell Inspiron 1100
  2. Celeron running @ 2Mhz
  3. 256M RAM
  4. Win XP Pro SP1
  5. Avast Home Edition 4.6.603
  6. Sygate PF 5.5 Build 2710

Since upgrading to the latest version of Avast (great AV btw), I’ve also downloaded and experimented with a few new versions of anti-malware utilities from CNET, and noticed that every time I update any of them, Sygate doesn’t ask if I want to grant rights (which it normally did before the latest Avast Program Update), it just lets them through even though they’re marked as “ask”. I therefore noticed that during the update activity – the Avast Web Scanner (having free rights to the ‘net) was active and presumably acting as their gateway in Sygate.

Moreover, once I changed the rights for the Web Scanner to “Ask”, it was interceded by Sygate during a test update of one of the utilities (good); I allowed it temporary access and let the update go about its business. Afterwards when I updated another utility (to see if Sygate would once again ask for rights), it was allowed to pass without having rights granted (not good).

Ergo with the new Web Scanner, one is not allowed the control needed through Sygate – whether testing a new program over a period of time to see if its web access habits are trustworthy; or whether (God forbid) something from the ‘net or media slips through to the user’s computer.

As the problem seems to be the Web Scanner indiscriminately letting programs pass through the firewall (though they’re marked as “ask”), I need to know if you have a solution to this problem.

Warm regards,
=AirCeej=

I suggest you update to the latest version (4.6.614).
Although officially beta, it helped a lot of people to solve their problems.

Thank you for the suggestion, but before downloading the beta version:

  1. Has anyone had the problems mentioned above, and did the beta solve it?
  2. Are there any prohibitive side effects to that particular beta version?

Thank you,
=AirCeej=

As the problem seems to be the Web Scanner indiscriminately letting programs pass through the firewall (though they’re marked as “ask”), I need to know if you have a solution to this problem.

This is a weakness with Sygate not being able to identify programs using localhost; it only sees Web Shield and not the program that is using the localhost proxy connection. This has been discussed in the Sygate forums but there has been no resolution.

The image is an extract of Outpost’s log.

That raises the questions of - what is the:

  1. Difference between the web and network shields?

  2. Downside to terminating the webshield?

Thank you,
=AirCeej=

Take a look at http://forum.avast.com/index.php?topic=11332.msg96221#msg96221 for a partial workaround. But this doesn’t fix the Sygate problem, just mitigates the avast! addition to it. Programs that use, for example, IE services (local proxy) to connect to the internet still look like IE to Sygate and go straight through, with or without Webshield. You can prove it to yourself with something like Real Player updates. If this bothers you, try Kerio 4.1.2. There is a sticky from 2003 on the Sygate forum at http://forums.sygate.com/vb/showthread.php?s=&threadid=7813 saying they are working on an integrated approach to fix the problem, but nothing yet.

As the problem seems to be the Web Scanner indiscriminately letting programs pass through the firewall (though they’re marked as “ask”), I need to know if you have a solution to this problem.

There is not any perfect solution, because it is a result of a Sygate “local proxy issue” that has been there for many years. They are not going to fix it, and the official reply from Sygate is that it would involve a major firewall rewrite to fix the issue. It is something that every Sygate user should know about.

I don't think the test version Eddy mentioned is going to help.

I give you 2 solutions you might try.

  1. After installing any new software, you can always ‘Terminate’ Webshield temporarily from the ‘On-Access-Protection Control’ options and see if anything tries to go out to the net.

  2. You can go to the Webshield provider module settings and blank the ‘Redirected HTTP port(s)’ field, which I think by default is 80. Then Sygate should ask you for every program going to the net, them not knowing that the default redirector port is TCP 12080.
    If you want some browser to use the Avast Webshield proxy, you can tell it in the browser’s connection settings. An example is Mozilla Firefox: Tools/Options/General/Connections Settings. Select ‘Manual proxy configuration’ and in the HTTP Proxy field put 127.0.0.1 and Port 12080. Leave the other fields, SSL, FTP, Gopher and SOCKS, blank. With this setting only Firebird browser will use the proxy, all other programs should be asked by Sygate firewall. I have noticed that very few sites with video might not download totally with this setting, but most do.

I normally browse using the port 80 tcp redirector, and then everything gets out. After installing software or otherwise in a paranoid mood I blank that field.

You could also run Avast without WebShield, but I prefer not to.

Btw, the same kind of behaviour happens also with email clients and ashWebSv.exe. They don't get asked if that provider is running, if otherwise set to do so.
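Added example (not part of the original thread, and not code from avast! or Sygate): a firewall that only sees ashWebSv.exe can be supplemented by listing which programs currently hold loopback connections to the Web Shield proxy port. The sketch assumes a connection table in the column layout of `netstat -ano`, clients that appear as connections to 127.0.0.1:12080 (the manual proxy setup described above), and constructed PIDs and program names.

```python
LOOPBACK = "127.0.0.1"
# Constructed sample in the column layout of `netstat -ano` (TCP rows only).
SAMPLE_NETSTAT = """\
TCP    127.0.0.1:12080      0.0.0.0:0            LISTENING      1480
TCP    127.0.0.1:1045       127.0.0.1:12080      ESTABLISHED    2212
TCP    127.0.0.1:12080      127.0.0.1:1045       ESTABLISHED    1480
TCP    192.168.1.10:1046    203.0.113.20:80      ESTABLISHED    1480
TCP    127.0.0.1:1051       127.0.0.1:12080      ESTABLISHED    3020
TCP    192.168.1.10:1060    198.51.100.9:80      ESTABLISHED    3344
"""
# Constructed PID-to-image map (hypothetical names except ashWebSv.exe).
SAMPLE_PROCESSES = {1480: "ashWebSv.exe", 2212: "firefox.exe",
                    3020: "updater.exe", 3344: "mailclient.exe"}


def parse_netstat(text):
    """Return (local host, local port, remote host, remote port, state, pid)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # skip headers, UDP rows and malformed lines
        lhost, lport = parts[1].rsplit(":", 1)
        rhost, rport = parts[2].rsplit(":", 1)
        rows.append((lhost, int(lport), rhost, int(rport), parts[3], int(parts[4])))
    return rows


def proxy_clients(rows, names, proxy_port=12080):
    """Map the proxy's image name to the programs connected to it on loopback."""
    owners = {pid for lh, lp, _, _, st, pid in rows
              if st == "LISTENING" and lh == LOOPBACK and lp == proxy_port}
    clients = {pid for _, _, rh, rp, st, pid in rows
               if st == "ESTABLISHED" and rh == LOOPBACK and rp == proxy_port
               and pid not in owners}
    return {names.get(o, str(o)): sorted(names.get(c, str(c)) for c in clients)
            for o in owners}


def unexpected_clients(rows, names, expected=("firefox.exe",), proxy_port=12080):
    """Proxy users that were not deliberately pointed at the proxy."""
    users = set()
    for members in proxy_clients(rows, names, proxy_port).values():
        users.update(m for m in members if m.lower() not in expected)
    return sorted(users)


if __name__ == "__main__":
    print(unexpected_clients(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES))
```

In the constructed table, `updater.exe` reaches the net through the proxy while `mailclient.exe` connects directly, so only the former would be masked behind ashWebSv.exe from the firewall's point of view.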

Sded,

Thank you for the link as Vlk’s suggestion seems to have done the trick!

Jarmo P,

I appreciate the confirmation!

=AirCeej=

Difference between the web and network shields?

From Avast Help:
" Network Shield - Provider Settings

Network Shield provider protects your computer from Internet worm attacks. It works similarly to a firewall, even though it does not fully substitute it. The Network Shield does not require any user interaction.

Note: This resident provider is available on Windows NT, 2000, XP, and 2003 only. "

You might run without a firewall or use one that is not configured correctly for the inbound attacks. That is what Network Shield is for.

AshWebSv.exe on the other hand is the browsing virus checker that acts before the site content has reached your hard disk (cache) or even browser.

Much obliged!

When I used the suggestion of “blanking the Redirected HTTP Port(s)” in the Web Shield, that allowed the other utilities to be flagged by Sygate for permission. But whether or not I altered Firefox as you suggested, it still fails the test at: http://forum.avast.com/index.php?topic=11911.0 posted by xistenz; any suggestions?

=AirCeej=

You mean the eicar test virus link that was given by xistenz?
I think you rather pass the test.

When that field is blank, it is the Standard shield that warns you and gives you the option to Delete, Move to chest etc. for the suspected virus.
When it is 80, it is the WebShield and in this case there are no options given what to do, because it is not yet in your puter.
Hope this helps.

You can also do as sded tells in that link in your post.
Open that WebShield window and observe that it is doing the scanning, without any test viruses while a normal web page is loading :)

You can also turn on “Show detailed info on performed action” on the Advanced tab of WebShield config and you’ll see a small notice whenever WebShield scans anything. Not very useful for regular browsing, but it might come in handy for testing.

Lukas.

Again, thank you for the response, but to paraphrase Val Kilmer in ‘Real Genius’: “though it passed, it failed” ;); meaning, before I followed the advice given here, I did the eicar test out of curiosity and Avast (if I remember right) let me know that the site was infected and asked me if I wanted to abort the connection. After following the advice in this thread (which mostly solved my problem) and doing the eicar test again, Avast now indicates that I have a virus and asks what I’d like to do with it. So it seems as though the Network Shield is now picking it up instead of the Web Shield…

Update Part II

Ah ha! Reading Jarmo’s suggestion again, I blanked SOCKS, reran the test and it works!

Thanks one and all for the help - great community - great software!

=AirCeej=