Re: Security Issue. Please Advise

I’m currently using Avast 4.6 Pro and Sygate Pro 5.5. My computer is connected to a router for internet access. My system is for business use only.

I have recently read a post that mentions certain issues when using Sygate and Avast Webshield (local proxy loophole).

I have read many posts with similar discussions, but those discussions were too technical for me to fully understand and I’m nervous about making changes that I don’t completely comprehend.

I’ll be very grateful if someone can advise me on one specific setting that would allow both Webshield and Sygate to work together in conjunction without compromising the security of the system.

As I’m using this computer to run my business, I want to make sure I’m correctly protected. If installing WebShield is compromising my security in any way, please let me know.

Thanks again for any advice.

Darren

The nature of the defect is that Sygate does not control access by applications to any “local proxy” or program that is accessed from port to port within your computer (localhost or IP address 127.0.0.1 by convention). Any program can connect to the internet using the local proxy without asking for permission, since it is an internal connection. What Sygate says in their knowledge base in a November 2003 FAQ is:
Q: When will SPF support the ability to control application access to “local proxy”?
A: With the current SPF 5.x architecture, support for the loopback adapter or “local proxy” does require major changes to one of the core product engines. This is considered a high risk fix with both high development costs and resource requirements. However, be assured that we are making progress toward addressing the local proxy issue. Sygate apologizes for the delay but has chosen the path towards fully addressing the issue, rather than issuing a patch or partial fix.
Nothing done by March 2005 or in the 4.2 beta, so they don’t seem terribly concerned.
The avast! team, however, got a lot of feedback from Sygate users (including me at times) about the implications of the new Webshield local proxy. Essentially, in the original design, any program on your computer could access the web through webshield without asking permission. So avast!, in their .623 upgrade, set things up so that only an identified set of browsers were allowed access to the proxy, along with other programs a user specifically requested in avast.ini. That sounds pretty good to me, if what I get in addition is the ability to scan all incoming webpages for viruses. One can also restrict things further by using explicit proxies (127.0.0.1 port 12080 for http) within the browsers one wants allowed, and blanking out the scanning of port 80 in webshield.
If you are using other local proxies, you may have a more pressing Sygate problem on your hands, since not all development teams are as responsive as avast! (Sygate, for instance).
As far as the security implications, I have not seen an expert evaluation, but can relate some observations. As far as concerns about rogue incoming data via an http request, it will all go through webshield and be scanned for viruses, Trojans, etc. The problem before avast! modified webshield was outgoing behavior if you somehow got a Trojan anyway or already had one. For example, since connection requests through webshield would not be seen by Sygate, a Trojan could participate in things like DDOS attacks on websites by high volume connection requests to that site and never be seen by Sygate. But it would be in the Sygate log as webshield actions, and the avast! ball would spin so hard it might burn out the bearings, if a user looked. And there were probably a bunch of other bad things. But still, anything coming back to you would be scanned by avast! And avast! has closed the loophole by restricting access to the proxy.
If you still have severe security concerns, they might be better addressed through Kerio or ZoneAlarm or …, rather than giving up the scanning of webpages by webshield. Without webshield, they can be cached on your computer for later mischief, although the standard shield will scan them if you try to open them. But I am comfortable with Sygate and avast! working together, as are most other users I have seen post.
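An added example, not code from this thread or from avast! or Sygate, showing the check a defender can make for the loophole described above: which processes hold connections to the Webshield proxy on 127.0.0.1:12080, compared against an allowlist of browsers. The netstat-style table, the PID map, the allowlist and the process names in it are all constructed for the example.

```python
# Added example (not from the thread, avast! or Sygate): read a netstat-style
# connection table plus a PID->image map, list the processes connected to the
# local Webshield proxy, and flag any not on a browser allowlist. Sygate 5.x
# skips this check for loopback traffic, so the connection table is where to look.

LOCAL_PROXY = ("127.0.0.1", 12080)                 # Webshield HTTP proxy from the thread
ALLOWED_CLIENTS = {"firefox.exe", "iexplore.exe"}  # assumed allowlist of browsers

# Constructed sample in the shape of Windows `netstat -ano` output
# (proto, local address, foreign address, state, PID; UDP rows have no state).
SAMPLE_NETSTAT = """\
TCP    127.0.0.1:3125     127.0.0.1:12080    ESTABLISHED   1520
TCP    127.0.0.1:3130     127.0.0.1:12080    ESTABLISHED   2244
TCP    192.168.1.5:3131   203.0.113.10:443   ESTABLISHED   1520
TCP    127.0.0.1:12080    0.0.0.0:0          LISTENING     904
UDP    0.0.0.0:1025       *:*                              2244
"""
# Constructed PID -> image map (as `tasklist` would show); the proxy's
# process name is a placeholder, not avast!'s real service name.
SAMPLE_PIDS = {1520: "firefox.exe", 2244: "updater.exe", 904: "webshield_proxy.exe"}

def parse_netstat(text):
    """Return TCP rows as dicts; UDP rows (4 fields, no state) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"lhost": lhost, "lport": int(lport), "rhost": rhost,
                     "rport": int(rport), "state": state, "pid": int(pid)})
    return rows

def proxy_clients(netstat_text, pid_map, proxy=LOCAL_PROXY):
    """Map image name -> count of ESTABLISHED connections whose remote end is
    the proxy. The proxy's own LISTENING socket has it as the local end, so the
    proxy process is not counted as a client of itself."""
    counts = {}
    for row in parse_netstat(netstat_text):
        if (row["rhost"], row["rport"]) == proxy and row["state"] == "ESTABLISHED":
            name = pid_map.get(row["pid"], "pid-%d" % row["pid"])
            counts[name] = counts.get(name, 0) + 1
    return counts

def unexpected_proxy_users(netstat_text, pid_map, allowed=ALLOWED_CLIENTS):
    """Sorted names of proxy clients that are not on the allowlist."""
    return sorted(n for n in proxy_clients(netstat_text, pid_map) if n not in allowed)
```

On a live Windows host the same functions can be fed the real `netstat -ano` output and a PID map built from `tasklist`; a non-browser name in the result is exactly the kind of outbound use the firewall would not have prompted for.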

Thanks for the very comprehensive explanation!

I have done a comprehensive scan of my system and I am comfortable there are no trojans hiding within the system.

I just wanted to know your opinion on these settings as I am not a very technical person.

I have both Webshield and Sygate installed.

I didn’t do any changes to Webshield but for Sygate, I enabled SmartDNS, set WebShield to always Allow, and set Firefox to always Ask.

Is this a secure setting? I’m not worried about incoming attacks as I believe the router will take care of it. I’m concerned about outgoing attacks and will Sygate still be able to do its job of preventing Trojans from calling home using FF or any other methods?

Thanks!

Probably some Sygate experts out there with better insight, but I think Sygate will notice and alarm a Hijack if a trojan tries to use FF to access the internet. Other vulnerabilities not through Webshield are as they were. And if the antihijack works, the trojan can’t use webshield through any of the permitted browsers without an alarm either. Don’t think webshield can act as a server?

Would it be more secure if I set Firefox to 127.0.0.1 port 12080 for http, and set Webshield to ‘Redirected HTTP Port = 12080’?

I don’t really know what that does but you mention in the previous post that this could be more secure. Btw, would this slow down the internet connection?

Thanks for all the advice!

A little, if it is a concern that IE might be hijacked invisibly and you don’t use it anyway. If you set the FF proxy to 127.0.0.1 port 12080, and just blank out the port in webshield to redirect, so it only sees the direct connect from FF via 12080, only FF will go through webshield. And set IE to deny all in Sygate, so Sygate should block it from access without even asking. You may need to loosen up the latter if you use programs that actually do access the internet through IE, and change to ask if necessary. I think the only difference is you will get block alarms vs ask requests. Can’t test it at the moment because I am trying out Kerio PF 4.1.2, not because of Sygate security concerns, but because of some of the Kerio display and logging features I have found useful.

Thanks sded! That was very useful!

One last clarification. In Avast Webshield customize settings, do I set ‘Redirected HTTP Port = 12080’ or do I leave ‘Redirected HTTP Port’ to blank? I have set FF proxy to 127.0.0.1 port 12080

Thanks again for all the advice!

Vik recommended leaving it blank for less confusion and it is certainly a reminder that there is no redirection occurring in webshield. Webshield routes the redirected port to 12080 anyway, so putting in 12080 is really a no-op.

Thanks, that works for me. :)

I’m sure you have tested these settings before, and I was wondering if you felt any noticeable drop in connection speed?

No; I can’t see the difference with all the other variations affecting the internet.

I set my webshield and IE to “ask”. Then created advanced rule for

IE- Allow outgoing TCP 443 (https).
Webshield - Allow outgoing TCP 80 (http)

Other ports can be added to another rule, i.e. FTP, chat room ports, if ever needed…

Just cuts down on possible trojans accessing other ports, webshield should stop any trojans using TCP 80 and I assume IE TCP 443 is secure.

Another interesting current discussion of the Sygate issues at http://www.dslreports.com/forum/remark,13003405~mode=flat~days=9999

Good link, some good general info and other links pointing out the sygate vulnerability. Lots of people living in bliss (as in ignorance is bliss, or what you don’t know doesn’t worry you).

As above, don’t think webshield can act as a server (accept inbound connections from the internet and send back data) but would still go to applications/advanced and remove its permission to do so in Sygate. :)

So, I changed from Sygate…
A well known bug/problem with local proxy servers… Yes, I did not know this and was living in ignorance :-[

I am currently using Kerio 4.1.2 free, and it seems pretty good. Informative display of all the connections, plus easy to read charts of permissions and selective logging, along with all the usual “ask” and no proxy problems. Seems to have a few stability problems though. Have had it crash a few times when the log is large and I tried to review it, plus occasionally it hasn’t started at boot time. Trying a fix of going to services/Kerio/properties/recovery selecting restart after 0 minutes. So far, seems to take care of it with just a little glitch and not having to look out for it. Plan appears to be that KPF 4.2 will only support Windows 2K and XP, so not for everyone.

Which unfortunately is the case for the majority of users (perhaps this is a factor in sygate’s lack of speed {years} in resolving this). Only those using a local proxy are even likely to notice and many of those won’t notice the hole in their security.