Being very interested in logging as a problem resolution tool, I ran an experiment with the new allow logging fix in .309. All I did was add an “allow and log TCP & UDP out” as a global rule. I got some logging, but not something that would help understanding particularly.

  1. 32 bit Intel
  2. System: Vista Ultimate
  3. Avast!, including ashwebsv.exe, and ashmaisv.exe + stunnel proxy encryption
  4. Attached log is for the following scenario:
    a. Go to a website
    b. Refresh that website
    c. Go to a new website
    d. Go to Comodo website
    e. Use Popman to check on mail
    f. Use Thunderbird to download mail

For the web accesses, only the localhost access of Opera to ashwebsv.exe is logged; there is no indication that ashwebsv.exe ever executed and got to the internet (it did); just that Opera got to 12080, the input proxy port.

For Popman, only the localhost access of Popman to ashmaisv.exe proxy port is logged; there is no indication that ashmaisv.exe ever executed and got to stunnel port 12110, or that stunnel ever executed and got the mail server. It did successfully check the mail for 3 accounts.

For Thunderbird, same results as Popman, with the initial setup localhost also shown. It did successfully check an email account with no mail in it.

Note that the DNS requests seemed to log for the browser; didn’t for the mail programs, but may have already been cached.

From the results, I don’t understand how selective logging works or whether there is anything that would help provide a more accurate log of what is happening with the firewall. I think this is a bug, and I should be able to get at least one log from every program that successfully accesses internally or externally. I suggest someone else try a similar experiment with some of the applications.

  1. Custom Policy/Paranoid/High alert level

Also discovered there is apparently no way to log incoming DNS anymore, although I recall it once worked.
  4. Add rule “allow and log/in&out/UDP/any/any/any/any”
Only the outbound UDP requests to the DNS server are logged; the response is not, although the DNS lookup is successful. There appears to be no way to log the SPI related traffic.
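A way to make the coverage gap in an experiment like the one above mechanical rather than eyeballed: list the hops each scenario should produce (client to local proxy over loopback, proxy to the next hop, stunnel to the mail server) and check the exported log for at least one allowed event per hop, plus outbound DNS queries that have no logged reply. This is an added example, not code from the original post and not Comodo's or Avast's software. The one-line-per-connection log format it parses is constructed for the example and is not Comodo's real log format (adapt `LINE_RE` to the real export); the process name `stunnel.exe` and every port number other than 12080 and 12110, which the post names, are assumed placeholders.

```python
"""Check whether every hop of a proxied connection chain shows up in a firewall log.

Added example; not code from the original post and not Comodo's or Avast's software.
The log line format is constructed for this example (one connection per line) and is
NOT Comodo's real log format: adapt LINE_RE to the real log export. The process name
stunnel.exe and all port numbers except 12080 and 12110 are assumed placeholders.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed format: ACTION process PROTO src_ip:src_port -> dst_ip:dst_port
LINE_RE = re.compile(
    r"^(?P<action>ALLOW|BLOCK)\s+(?P<proc>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dip>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Event:
    action: str
    process: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def scope(self) -> str:
        """'local' for loopback destinations (client -> local proxy), else 'remote'."""
        return "local" if ipaddress.ip_address(self.dst_ip).is_loopback else "remote"


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; rejects lines it does not understand."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised log line {line!r}")
        events.append(Event(m["action"], m["proc"].lower(), m["proto"],
                            m["sip"], int(m["sport"]), m["dip"], int(m["dport"])))
    return events


# Expected hops per scenario in the post, as (process name, destination scope):
# client -> local proxy over loopback, then the proxy's own onward connection.
CHAINS = {
    "web": [("opera.exe", "local"), ("ashwebsv.exe", "remote")],
    "popman": [("popman.exe", "local"), ("ashmaisv.exe", "local"), ("stunnel.exe", "remote")],
    "thunderbird": [("thunderbird.exe", "local"), ("ashmaisv.exe", "local"), ("stunnel.exe", "remote")],
}


def missing_hops(events: list[Event], chains=CHAINS) -> dict[str, list[tuple[str, str]]]:
    """Return, per chain, the expected hops for which no ALLOW event was logged."""
    seen = {(e.process, e.scope) for e in events if e.action == "ALLOW"}
    return {name: [hop for hop in hops if hop not in seen] for name, hops in chains.items()}


def unanswered_dns(events: list[Event]) -> set[tuple[str, str]]:
    """(process, resolver ip) pairs with an outbound UDP/53 query but no logged reply."""
    queries = {(e.process, e.dst_ip) for e in events if e.proto == "UDP" and e.dst_port == 53}
    replies = {(e.process, e.src_ip) for e in events if e.proto == "UDP" and e.src_port == 53}
    return queries - replies


# Constructed log reproducing what the post reports: only the loopback hop from each
# client to its local proxy is logged, and the DNS query is logged without its reply.
SAMPLE_LOG = """\
ALLOW opera.exe UDP 192.168.1.10:53211 -> 192.168.1.1:53
ALLOW opera.exe TCP 127.0.0.1:52301 -> 127.0.0.1:12080
ALLOW popman.exe TCP 127.0.0.1:52302 -> 127.0.0.1:12210
ALLOW thunderbird.exe TCP 127.0.0.1:52303 -> 127.0.0.1:12210
"""

# Constructed log of what a complete trace would look like if every hop were logged.
COMPLETE_LOG = SAMPLE_LOG + """\
ALLOW opera.exe UDP 192.168.1.1:53 -> 192.168.1.10:53211
ALLOW ashwebsv.exe TCP 192.168.1.10:52304 -> 203.0.113.10:80
ALLOW ashmaisv.exe TCP 127.0.0.1:52305 -> 127.0.0.1:12110
ALLOW stunnel.exe TCP 192.168.1.10:52306 -> 203.0.113.20:995
"""

if __name__ == "__main__":
    for name, log in (("as observed", SAMPLE_LOG), ("complete", COMPLETE_LOG)):
        ev = parse_log(log)
        print(f"{name}: missing hops {missing_hops(ev)}; unanswered DNS {unanswered_dns(ev)}")
```

Run against the constructed "as observed" log, the report names exactly the gaps the post describes: `ashwebsv.exe` never appears with a remote destination, neither `ashmaisv.exe` nor `stunnel.exe` appears at all, and Opera's DNS query has no logged reply. Against the "complete" log every chain is empty. On a real export, a chain that stays non-empty after a scenario that visibly worked is the evidence to attach to the bug report.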

