Security leak?

I’m not very techy so please bear with me, but it seems that since I installed Avast, my firewall (Kerio) no longer does its job! For example, if I specifically try to block a program like Ad-Aware in Kerio from going outbound, I can still update it and it doesn’t show up in Kerio’s logs! Is this to do with the Web Shield/Web Scanner acting as a proxy, and if so, what do I do to correct the situation, as a firewall that does not control outbound traffic isn’t very good.
I assume this matter must have been discussed before (I looked around but couldn’t see anything) so I would appreciate a link or an explanation if someone would be so kind.

Hi Sparan
I hope this helps… go here and read BZ’s (Kerio guru) explanation in message #12.
http://www.wilderssecurity.com/showthread.php?t=69544
He gives some detail on what to setup in Kerio.
Also, there is some clarification by VLK, in the same thread.
Cheers :slight_smile:

Does that mean that webshield scans outgoing http streams as well?

To start, you should update to v4.6.623. This version only filters (intercepts) traffic coming from specific applications.

Does this sort out the problem the webshield was having with Sygate?

–lee

Until Sygate resolve the ability to monitor localhost proxy traffic, this issue has been known about for a very long time but it has yet to be resolved. So I doubt that this 4.6.623 release will make a blind bit of difference to the Sygate security hole.

http://forums.sygate.com/vb/showthread.php?s=de402c841bcc0b077d6bc116bcba5f47&threadid=12947

Actually it does make a difference. With the exception of the programs on the approval list of avast, no WebShield scanning is now taking place and therefore Sygate sees everything as usual (outbound access to remote hosts).

That’s good, thankfully it hasn’t taken anywhere near as long as Sygate have taken to resolve the local proxy leak.

Is there any way to find out the programs on the approval list?

Currently, just the mainstream browsers are on the list (including IE, mozilla, firefox, MyIE2 and Maxthon).
Some more info is here: http://forum.avast.com/index.php?topic=11997.msg101370#msg101370

That is really good Vlk!
It really is not so bad when it remains just to trusted browsers and stuff that gets possible virus/trojan web traffic. Just what the web shield is for :slight_smile:

Does this mean that Sygate will work correctly now, e.g. asking for access instead of letting everything through WebShield? Bit confused ???

Yes stevejrc that’s what I’m saying.

;D cool have a budvar on me

This is not working if you have a local proxy…
Maybe, as usual, I’m doing something wrong… ::slight_smile:

David, do you know if any other firewall does this job?
I mean, neither Kerio nor Sygate seems to filter the outbound HTTP traffic if you’re using a local proxy filter…
Does ZA do this job? Will the applications ask for connection even using a local proxy (this one allowed to connect)?

Technical, the firewall should ask you for permission whenever the app connects to the WebShield proxy. That is, you would see an outgoing connection attempt to localhost:12080 and you can permit or deny that. It’s not as perfect as without the proxy but should provide you with a sufficient amount of control. Kerio and ZoneAlarm can be configured to display these warnings.
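
The behaviour described in the post above, as an added example that is not part of the original thread: a small model of a per-application firewall showing why a blocked program still gets out through the local proxy unless the loopback hop to localhost:12080 is filtered. The process names, the remote host and the `evaluate` helper are assumptions made up for the illustration.

```python
from dataclasses import dataclass

PROXY_ADDR = ("127.0.0.1", 12080)    # WebShield listener named in the post
PROXY_PROC = "webshield-proxy.exe"   # hypothetical process name for the proxy

@dataclass(frozen=True)
class Flow:
    app: str          # process that started the request
    remote: tuple     # (host, port) the request is ultimately for
    via_proxy: bool   # True if the request is redirected to the local proxy

def hops(flow):
    """Connections the firewall could observe for one request."""
    if flow.via_proxy:
        return [(flow.app, PROXY_ADDR), (PROXY_PROC, flow.remote)]
    return [(flow.app, flow.remote)]

def evaluate(flow, blocked_apps, filter_loopback):
    """Return (reaches_internet, firewall_log) under per-application rules."""
    log = []
    for process, dest in hops(flow):
        if dest[0].startswith("127.") and not filter_loopback:
            continue  # loopback hop never reaches the rule engine or the log
        verdict = "deny" if process in blocked_apps else "allow"
        log.append((process, dest, verdict))
        if verdict == "deny":
            return False, log
    return True, log

# Constructed sample: an updater the user has blocked, and a made-up remote host.
BLOCKED = {"ad-aware.exe"}
REMOTE = ("updates.example.com", 80)
proxied = Flow("ad-aware.exe", REMOTE, via_proxy=True)
direct = Flow("ad-aware.exe", REMOTE, via_proxy=False)

if __name__ == "__main__":
    cases = [("proxied, loopback unfiltered", proxied, False),
             ("proxied, loopback filtered", proxied, True),
             ("not proxied", direct, False)]
    for name, flow, filter_lo in cases:
        ok, log = evaluate(flow, BLOCKED, filter_lo)
        print(f"{name}: reaches internet={ok}")
        for entry in log:
            print("   ", entry)
```

In the first case the only logged connection belongs to the proxy process, which matches the original report that the blocked program never appears in the firewall log.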

I think Kerio does, didn’t Vlk recommend it as an option once to those having problems with ZA?

As far as I’m aware ZA does ask on the new programs connecting through the web shield local proxy, but that should/could be answered by the ZA users on the forum.

It works fine with Outpost Pro, though some don’t like it (and you have to pay for it) and I did have initial teething problems as it didn’t ask about web shield.

But surely the new changes to web shield not routeing all http traffic through the local proxy, only certain applications, mainly the mainstream browsers, then anything else will not go through the local proxy but regular outbound route and be queried by Sygate.

On the Sygate forum it is written that Kerio has the same trouble as Sygate…

It will be good to know…

That’s what I suppose… I used it in the past and as far as I know, it does not have this problem/bug with local proxies.

But, will you trust IE http traffic, for instance? ::slight_smile:
Or a malware that exploits the IE traffic and is ‘kindly’ tunnelled by WebShield ??? ::slight_smile: :frowning: >:(

Can you help me configuring Advanced rules for:

  1. Webshield: ports (local and remote), protocols, etc. to connect
  2. All other applications: the same for ask. Maybe this is called a loopback… I’m not used to firewall things :-[
    Thanks.

I am sorry to say Technical, but I have read that you also use other local proxy software besides WebShield. So there is no help for you with Sygate’s otherwise great firewall. Proxy software and Sygate don’t match. Outbound protection will be lost.

You will have to use another firewall! There is nothing else to say.

Only I want to remind you now that Avast’s webshield is working pretty well with SPF now. So maybe you stop talking about Sygate problems, when they are not so many with Avast’s web shield?

The other solution is to accept that your pc will let outbound connections to internet. That is not really so bad, so does XP SP2 firewall.

You will have to learn to live with your other proxies, or then change the firewall. ZA is the easiest, but it won’t offer the same as Sygate. And with ZA there is the performance issue that seems to be really bad.