Comodo Firewall and Avast 7

[Guest]

[languy99]

I would guess that it's either this or Avast has stumbled on a new way of bypassing many of the firewalls out there. Either way it's definitely worth it for Comodo to look into, at least to make sure that malware couldn't do this.

My best guess would be that it wouldn't happen if Avast weren't trusted, but I'm not sure. I'd like to hear from Comodo about this.

I'm in talk with the devs so we will get to the bottom of it.

[tbmaster]

It's staggering how many people still cling to the ridiculous notion that the firewall in Windows 7/Server 2008 is "simple" when it's anything but! It's also frustrating to see people pointing fingers at Comodo, when we know the problem is much wider than that.

The bottom line here, supposedly, Avast made a change to a single driver in Avast 7, that change appears to have rendered several firewalls, including CIS, vulnerable. 

Well I Know that you can manually set advanced rules even in the windows firewall.
With "simple" I mean that it lacks a lot of features of more advanced firewalls.
However with windows firewall is not only Avast the problem, there are other apps that can bypass it.

[Radaghast]

Well I Know that you can manually set advanced rules even in the windows firewall.
With "simple" I mean that it lacks a lot of features of more advanced firewalls.
However with windows firewall is not only Avast the problem, there are other apps that can bypass it.

I have this feeling you're equating the firewall found in Windows 7/Server 2008 with the firewall from earlier versions of Windows. It's not the same, in any way, shape or form. It's like comparing apples with oranges. There are numerous 'advanced' features found in this firewall that can't be found in any other third-party product. You also forgot the other products affected by this new 'driver' Avast has added.

[jovanlibra]

Hi,

Can anyone recommend me free firewalls that do not have this "hole" when the avast! 7 Web Shield is running?

I use avast! Internet Security, and its built-in firewall functions properly of course... but my cousin uses Windows 7 Firewall so she is affected by this.

Thanks

[kail]

Can anyone recommend me free firewalls that do not have this "hole" when the avast! 7 Web Shield is running?

I use avast! Internet Security, and its built-in firewall functions properly of course... but my cousin uses Windows 7 Firewall so she is affected by this. ..

Hi jovanlibra, welcome to the forums.

It is probably best to ask this question on the Avast forums rather than here.

[reason]

Hi guys.I've read your posts and found that someone believe that if Avast can bypass Comodo FW,so a malware or another program can do.That's not correct .Why?
The question is why the programs that Avast enforces their traffics to pass from Avast Filter can access the internet?
Look at this diagram:

Webbrowser => Avast Filter => CFW => Internet

When u install Avast ,Web browsers and other programs that connect to internet through port 80(for example) ,first connect to Loopback(127.0.0.1) and Avast takes their traffics and sends it outside your computer.In this case Avast works like a Proxy.If you trust this Proxy other programs can connect through this Proxy.You can check this by other Proxy softwares like CProxy.The problem is Comodo FW does not monitor Loopback.Other firewall that I've used before: Agnitum Outpost Pro can monitor Loopback but it's not enabled by default and you have to edit Machine.ini file manually and enable Loopback monitoring.But what I can't understand is Why previous versions of Avast have not this problem?
I think if CFW monitors Loopback traffic it can monitor traffic of any proxy software and Avast too.(I mean traffic between proxy and program)

[jovanlibra]

Hi jovanlibra, welcome to the forums.

It is probably best to ask this question on the Avast forums rather than here.

Thanks for replying. 
It seems like there is more information here about this issue than over at the avast forums, but ok, I will do that.

[Radaghast]

Hi guys.I've read your posts and found that someone believe that if Avast can bypass Comodo FW,so a malware or another program can do.That's not correct .Why?
The question is why the programs that Avast enforces their traffics to pass from Avast Filter can access the internet?
Look at this diagram:

Webbrowser => Avast Filter => CFW => Internet

When u install Avast ,Web browsers and other programs that connect to internet through port 80(for example) ,first connect to Loopback(127.0.0.1) and Avast takes their traffics and sends it outside your computer.In this case Avast works like a Proxy.If you trust this Proxy other programs can connect through this Proxy.You can check this by other Proxy softwares like CProxy.The problem is Comodo FW does not monitor Loopback.Other firewall that I've used before: Agnitum Outpost Pro can monitor Loopback but it's not enabled by default and you have to edit Machine.ini file manually and enable Loopback monitoring.But what I can't understand is Why previous versions of Avast have not this problem?

Avast implements a transparent HTTP proxy, which intercepts and redirects all outbound HTTP connections on port 80. The problem with Avast 7, is that, with the firewalls mentioned in this thread, it's impossible to block any connection using this proxy. If the 'Expert settings' for the Web-Shield are changed to "Scan traffic from well-known browser processes only" then only browser connections remain 'unblockable'

I think if CFW monitors Loopback traffic it can monitor traffic of any proxy software and Avast too.(I mean traffic between proxy and program)

It does monitor loopback traffic by default - Firewall Behaviour Settings/Alert Settings/Enable alerts for loopback requests.

[clockwork]

Hi guys.I've read your posts and found that someone believe that if Avast can bypass Comodo FW,so a malware or another program can do.That's not correct .Why?

Hm, you could change the name from avast to something else (best, to a user "trusted" name). Then you would see, that any same program can do it

Your argument is like you could assume that its allways clear when you have a malware in front of you. But it just needs to load a "mediaplayer" from a trusted page where this mediaplayer is changed by intruders. You load it, allow it, and from then on, a lot of things can use the internet without your consent.
http://s.gullipics.com/image/l/r/k/hq2x3b-julooi-s51w/img.jpeg

More dangerous than an existing bypass would be a false feeling of security! As long as the user has to press buttons, and malware detection is not permanent 100%, he needs to be able to expect the behaviour of the firewall, or he can not make the choices.

Its somehow amazing how people try to argument a watchable situation away.
While you can not convince malware or programs by argumentations

Btw,

if Avast can bypass Comodo FW,so a malware or another program can do.

"Your" undetected keylogger could use the internet now allready. As long as he doesnt send a detected virus through the shield

[MartiusD]

My best guess would be that it wouldn't happen if Avast weren't trusted, but I'm not sure. I'd like to hear from Comodo about this.

Can trusted programs be configured in the Win7 firewall? If not, then Avast being a trusted program must be irrelevant to this problem.

[Radaghast]

Here's a 'kludge' that should prevent unauthorised applications from being able to use the Avast proxy. Add an rule below your existing Application rules that blocks everything else:

Application Name - All Applications (found under Select File Groups when creating a rule)
Action - Block and Log
Protocol - IP
Direction - Out
Source Address - Any
Destination Address - Any
IP Details - Any

You just have to ensure any process that needs network access, has a rule above this. Not ideal, but it does work.

[mouse1]

Just wondered, is there any way of just blocking the proxy port?

Just wondering how analogous this is to svchost.

• svchost is trusted by D+
• CIS as varied its svchost f/w rule over time. Sometimes its blocked at other's trusted. Not sure what gives at present - my rules are tailored to block it
• files can use it (via API call?) to access the internet, though use is not automatic
• firewall is prevented from knowing the id oof the initialting file

Any thoughts?

Best wishes

Mouse

[Radaghast]

Just wondered, is there any way of just blocking the proxy port?

I've tried various combinations of block rules, from specific address/port blocks, to block everything type rules. The only rule that works is the one I posted above. That in itself is curious. I assume it works because it blocks all internal and external communication, whereas, a block rule assigned to a process only blocks external communication, but that's only a guess.

Just wondering how analogous this is to svchost.

• svchost is trusted by D+

I'm really not convinced this has anything to do with D+. Of course, one could remove Avast as trusted and then manipulate the services, but at the end of the day, AvastSvc.exe (awsRdr2.sys) needs access to winsock and if you prevent that, you've effectively killed Avast. Also, as mentioned several times, this is not a problem that's exclusive to CIS.

• CIS as varied its svchost f/w rule over time. Sometimes its blocked at other's trusted. Not sure what gives at present - my rules are tailored to block it

Svchost needs to be allowed to make some connections, without them, you're connectivity is going to be non-existent.
 

• files can use it (via API call?) to access the internet, though use is not automatic

Unless you've got some malware, the only processes, with the exception of those that use BITS for updates, that use svchost for making connections are OS services, hence it's name.

• firewall is prevented from knowing the id oof the initialting file

I'm not sure I know what you mean by this?

[mouse1]

I've tried various combinations of block rules, from specific address/port blocks, to block everything type rules. The only rule that works is the one I posted above. That in itself is curious. I assume it works because it blocks all internal and external communication, whereas, a block rule assigned to a process only blocks external communication, but that's only a guess.

Thanks for trying out these things we all appreciate it!

I'm really not convinced this has anything to do with D+. Of course, one could remove Avast as trusted and then manipulate the services, but at the end of the day, AvastSvc.exe (awsRdr2.sys) needs access to winsock and if you prevent that, you've effectively killed Avast. Also, as mentioned several times, this is not a problem that's exclusive to CIS.

Agreed in general though trusted status cobfers f/w pivs

Svchost needs to be allowed to make some connections, without them, you're connectivity is going to be non-existent.
 
Unless you've got some malware, the only processes, with the exception of those that use BITS for updates, that use svchost for making connections are OS services, hence it's name.

I'm not sure I know what you mean by this?

I think malware has used svchost in the past to access the internet, that's why its a potential security issue. I think - but do not know for sure - that any process constructed as a service can use svchost facilities, but there may be restrictions on use for internet access. Use for internet access is I suppose is what we are worried about re Avast. Hence the possible parallel. Use of svchost to access the internet means the program accessing the internet is unknown to CIS - in some way then similar to Avast.

I suppose I'm just pondering the threat scenarios here...... Would be good to lay them out maybe. For example with Av7 webshield operating what happens if a sandboxed process tries to access the internet (assuming alert suppression settings NOT in use)? The alert supression settings make things very complicated

Re svchost, yes, thanks for advce but I realise some things may not function, I'm blocking and logging & checking the log. But all OK so far except one update process which I don't want to run anyway.

If no alert then that's very serious....

Best wishes

Mike

[Radaghast]

Agreed in general though trusted status cobfers f/w pivs

Indeed it does, and here again is another curiosity. If one switches the firewall to Custom Policy mode with alerts on very high, then whatever 'trust' may have been conferred by D+, should be removed. That is, or should be, the point of Custom Policy mode.

That aside, I did delete the TVL and trusted database, along with all the other files in the database directory. After allowing the least number of D+ rules to keep Avast working, the firewall is still bypassed. 
 

[Tags:]