CIS Firewall fails to block outbound browser connections to non-https sites when the application has been explicitly blocked. The problem would seem to be related to the Avast 7 Web-Shield, which acts as a proxy for connections over TCP port 80. If the shield is enabled, any application that uses this combination of protocol and port can connect, even when no firewall rule exists, or the application has been explicitly blocked.
A. The bug/issue - Firewall fails to block certain connections with Avast 7 Web-Shield enabled.
- What you did
- What actually happened or you actually saw:
- Install a clean Windows 7 x86 system (not virtual)
- Install CIS - No AV
- Switch to Proactive Mode - disable sandbox
- Change firewall to Custom Policy Mode
- Change Alert Frequency to Very High
- Ensure ‘Create rules for safe applications’ is NOT checked
- Ensure ‘Do not show popup alerts’ is NOT checked
- Remove default firewall rules
- Reboot
- Allow rules to be created for svchost and System as required
- Install Avast 7
- Reboot
- Create Outgoing only rules for the Avast components
- Make sure the Web-Shield is functioning
- Open any browser and allow firewall rules to be created as required
- Make a connection to any non-https site
- Make sure the connection is being proxied through Avast Web-Shield
- Remove the firewall rule for the browser
- Open the browser and at the first alert select ‘Blocked application’
- When the browser has opened enter a URL to any non-https site
- The connection succeeds even though the application is blocked.
- Check the connection status and observe AvastSvc.exe making the connection.
- What you expected to happen or see:
With the application explicitly blocked, I would have expected the connection to fail.
- How you tried to fix it & what happened:
Tried various ways of blocking the connection, from a complete ‘block all In/Out’ scenario, to more explicit blocking of the actual connection, which is:
TCP - Out - From 0.0.0.0 - To 127.0.0.1 - Any - 12080
Also tried blocking everything to the loopback zone in both Application and Global rules.
- If it's a software compatibility problem have you tried the compatibility fixes (link in format)?:
Not sure there are any, Avast 7 is too new.
- Details & exact version of any software (except CIS) involved (with download link unless malware):
Windows 7, 32 bit, SP1
Avast 7.0.1407
- Whether you can make the problem happen again, and if so exact steps to make it happen:
It’s reproducible always.
- Any other information (eg your guess regarding the cause, with reasons):
This is not the only instance of the firewall failing to block certain connection types. The IPv6 problems have already been reported. However, I suspect this is a slightly different issue, more akin to TCP hole punching.
B. Files appended. (Please zip unless screenshots).
- Screenshots of the Defense plus Active Processes List (Required for all issues):
Done.
- Screenshots illustrating the bug:
- Screenshots of related CIS event logs:
See - Re: Comodo Firewall and Avast 7
- A CIS config report or file.
- Crash or freeze dump file:
- Screenshot of More~About page. Can be used instead of typed product and AV database version.
Done.
C. Your set-up
- CIS version, AV database version & configuration used:
CIS Premium 5.9.221665.2197, Proactive config
- a) Have you updated (without uninstall) from a previous version of CIS:
b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
Clean Install.
- a) Have you imported a config from a previous version of CIS:
b) if so, have U tried a standard config (without losing settings - if not please do)?:
Clean Install.
- Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.)
- Defense+, Sandbox, Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV =
- OS version, service pack, number of bits, UAC setting, & account type:
Windows 7 x86 SP1
UAC - Default - Notify me only when programs try to make changes to my computer
Account type - Both Standard user and Administrator
- Other security and utility software currently installed:
Avast 7.0.1407
- Other security software previously installed at any time since Windows was last installed:
None - Clean Install
- Virtual machine used (Please do NOT use Virtual box):
None.
Others are reporting similar findings:
Comodo Does not work with Avast 7!
[attachment deleted by admin]
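
An added example, not part of the original post: one way to carry out the "check the connection status" step from a saved `netstat -ano` capture, by correlating the blocked browser's loopback connection to port 12080 with the proxy process's own outbound connection on TCP port 80. The netstat sample, the PIDs, the addresses and the use of `firefox.exe` as the browser are constructed for illustration; only port 12080, port 80 and `AvastSvc.exe` come from the report.

```python
import re

PROXY_PORT = 12080  # loopback port from the rule quoted in the report
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample of `netstat -ano -p tcp` output; PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1484
  TCP    127.0.0.1:49201        127.0.0.1:12080        ESTABLISHED     3020
  TCP    127.0.0.1:12080        127.0.0.1:49201        ESTABLISHED     1484
  TCP    192.168.1.20:49202     203.0.113.10:80        ESTABLISHED     1484
"""
# Constructed PID-to-image map, as `tasklist` would list it; firefox.exe is an assumed browser.
SAMPLE_PROCS = {712: "svchost.exe", 1484: "AvastSvc.exe", 3020: "firefox.exe"}


def parse_netstat(text):
    """Turn the TCP rows of `netstat -ano` output into dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            laddr, lport, raddr, rport, state, pid = m.groups()
            rows.append({"laddr": laddr, "lport": int(lport), "raddr": raddr,
                         "rport": int(rport), "state": state, "pid": int(pid)})
    return rows


def find_proxied_traffic(rows, procs, blocked_app, proxy_port=PROXY_PORT):
    """Check whether a blocked application's HTTP traffic is leaving via the local proxy."""
    est = [r for r in rows if r["state"] == "ESTABLISHED"]
    proxy_pids = {r["pid"] for r in rows
                  if r["state"] == "LISTENING" and r["lport"] == proxy_port}
    blocked_pids = {p for p, name in procs.items() if name.lower() == blocked_app.lower()}
    # Leg 1: blocked application -> loopback proxy port.
    to_proxy = [r for r in est if r["pid"] in blocked_pids
                and r["rport"] == proxy_port and r["raddr"].startswith("127.")]
    # Leg 2: the proxy's own process -> remote TCP port 80.
    relayed = [r for r in est if r["pid"] in proxy_pids
               and r["rport"] == 80 and not r["raddr"].startswith("127.")]
    return {"proxy": sorted(procs.get(p, "unknown") for p in proxy_pids),
            "to_proxy": to_proxy, "relayed": relayed,
            "bypass": bool(to_proxy and relayed)}


if __name__ == "__main__":
    result = find_proxied_traffic(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCS, "firefox.exe")
    print(result["proxy"], "bypass observed:", result["bypass"])
```

Both legs must be present for the result to be flagged, so a capture taken while the firewall is correctly dropping the browser's loopback connection reports `bypass` as false.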