Comodo Firewall and Avast 7

It’s not quite as simple as that, mouse. Although this problem manifests itself with CIS and Windows 7 firewall, it’s quite successfully dealt with by several other vendors’ firewalls.

The problem persists in Avast 7.0.1426

And if it wasn’t “avast”, but a bad guy who creates such a program?
I would not call a firewall “acting correctly” like that.

Then CIS would sandbox it.

[Edit @ Radaghast] Sorry, just remembered you did a bug report :)

Best wishes

Mouse

Could you say which firewalls handle this correctly? Then I will add this info to the bug report.

I suppose that if Avast is a strict proxy then it should still look to CIS as if the internet is being accessed, so CIS should still intercept the program accessing via Webshield. Or maybe CIS intercepts at too deep a level and is (in this case unfortunately) NOT fooled by the proxy deception.

Maybe the malfunction is deeper - Avast is stopping CIS working at some other level. Anyone tried unticking advanced protection mode in D+ settings and rebooting?

Best wishes

Mouse

To keep the example, we have to speak about a program that has been allowed to connect to the internet by the user, like avast.
A scenario could be, a regular program with a “hidden package”.

What I expect from a firewall is indeed, that every attempt to connect to the internet gets detected.
Like, “… tries to connect through a proxy”.
Or at least that a proxy is detected.

I’ve done a comparative test with avast 6 and 7.
With avast 6 and web shield enabled:

  1. Create firewall rule to block and log outgoing connections for a live updater that needs to access the web on port 80 (live update of pdfxcview)
  2. updater doesn’t go out to internet and there is a log entry
  3. change the block rule to an ask rule
  4. updater asks for access to port 12080 (that is avast webshield listening port)
    4.1 if answer is “block”, updater doesn’t go out and there is a “blocked” log entry
    4.2 if answer is “allow”, updater goes out and there is “allowed” log entry

Avast 7 with webshield enabled:

  1. Create firewall rule to block and log outgoing connections for the updater.
  2. updater GOES OUT to internet and there ISN’T a “blocked” log entry
  3. change the block rule to an ask rule
  4. updater DOESN’T ask for access, GOES out, and there ISN’T any log entry

Avast 7 with webshield disabled:

  1. Create firewall rule to block and log outgoing connections for the updater
  2. updater doesn’t go out to internet and there is “blocked” log entry
  3. change the block rule to an ask rule
  4. updater asks for access to port 80
    4.1 if answer is “block”, updater doesn’t go out and there is a “blocked” log entry
    4.2 if answer is “allow”, updater goes out and there is an “allowed” log entry

To me the release 7 of avast has introduced some incompatibility with comodo firewall BUT this is also a hole in the security because some malware could use the same techniques to bypass the firewall.

I think Comodo and Avast should talk to each other to understand what the problem is and solve it.

I forgot to mention security level of firewall was on “custom policy” and security level of D+ was “Safe mode”. Windows 7 X64

I didn’t test every product out there, just a representative sample. The results are on page two of this thread - Re: Comodo Firewall and Avast 7

...Maybe the malfunction is deeper - Avast is stopping CIS working at some other level. Anyone tried unticking advanced protection mode in D+ settings and rebooting?

Don’t forget, it’s not just CIS, it’s Windows 7 firewall too, and that makes me wonder about the relationship between the firewall in CIS and the built-in firewall in Windows 7…

As far as D+ is concerned, it makes no difference if it’s on or off, or how the configuration is changed. This is pure firewall.

OK added link to your v useful post.

Will also add as known issue with fix (xref to your post) tomorrow.

Best wishes

Mike

Hi All,

Please note the Avast team member response on the Avast forum post regarding this - Avast 7 and Comodo Firewall

Done

Is he saying they found a security hole and are using it with their antivirus to fix the issue?

If so, maybe they should’ve notified microsoft…

@ Radaghast and Mouse 1

FYI Private firewall was reported to have the same problem in the Avast! forum

Three comments by Lukor, Avast! dev:

Hope it helps for the bug report.

This is a serious bug, comodo doesn’t block my apps from connecting to the internet.
Avast 7 acts like a proxy; I’ve done a scan with sysinternals tcpview and it sees the connections of the various apps redirected to the loopback zone.
Maybe Avast intercepts the connections before comodo, so comodo sees only avast connecting to the internet.
This can be used by a lot of malware and viruses and has to be fixed soon or a lot of people will migrate to better firewalls.
As of now, I can’t suggest comodo as a good firewall to all my friends. Don’t misunderstand, I’ve always used Comodo and I hope this bug will be fixed soon and not ignored, because this problem was discovered several weeks ago.
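The TCPView observation above can be turned into a repeatable check. The following is an added example, not part of any post in this thread: it reads connection rows in the layout of Windows `netstat -ano` output and lists the processes whose traffic ends at a loopback proxy listener, which is the traffic a per-application firewall rule would no longer attribute to them. It assumes the proxy listens on loopback port 12080 (the port seen in the avast 6 test earlier in the thread); all process names, PIDs and addresses are constructed.

```python
import re

# Constructed sample in the layout of Windows `netstat -ano` output (not captured data).
SAMPLE_NETSTAT = """\
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1500
  TCP    127.0.0.1:49201        127.0.0.1:12080        ESTABLISHED     2204
  TCP    127.0.0.1:12080        127.0.0.1:49201        ESTABLISHED     1500
  TCP    192.0.2.10:49202       198.51.100.7:80        ESTABLISHED     1500
  TCP    192.0.2.10:49310       198.51.100.9:443       ESTABLISHED     3120
"""
# Constructed PID-to-image map, as `tasklist` would supply it (names are hypothetical).
SAMPLE_PIDS = {1500: "webshield-proxy.exe", 2204: "updater.exe", 3120: "mail.exe"}

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def parse(text):
    """Return (local_addr, local_port, remote_addr, remote_port, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            rows.append((la, int(lp), ra, int(rp), state, int(pid)))
    return rows


def find_proxied(text, pid_names, proxy_port=12080):
    """Return (proxy process names, {client process: [local endpoints]})."""
    rows = parse(text)
    # The proxy is whichever process listens on the loopback proxy port.
    listeners = {pid for la, lp, _, _, st, pid in rows
                 if st == "LISTENING" and la.startswith("127.") and lp == proxy_port}
    hidden = {}
    for la, lp, ra, rp, st, pid in rows:
        # A client whose connection ends at the loopback listener never shows
        # an outbound socket of its own; the proxy makes the real connection.
        if (st == "ESTABLISHED" and ra.startswith("127.")
                and rp == proxy_port and pid not in listeners):
            hidden.setdefault(pid_names.get(pid, f"pid {pid}"), []).append(f"{la}:{lp}")
    proxies = sorted(pid_names.get(p, f"pid {p}") for p in listeners)
    return proxies, hidden


if __name__ == "__main__":
    proxies, hidden = find_proxied(SAMPLE_NETSTAT, SAMPLE_PIDS)
    print("proxy listener(s):", proxies)
    for name, endpoints in hidden.items():
        print(f"{name} reaches the network only via loopback: {endpoints}")
```

Any process reported here should be compared against the firewall's block rules: a blocked application that still appears in the list is being carried out by the proxy process.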

It’s not just Comodo. As mentioned above, Windows 7 firewall and Private Firewall also exhibit the same behaviour. It may also be the case that other, as yet untested firewalls, behave the same way.

Avast 7 acts like a proxy; I've done a scan with sysinternals tcpview and it sees the connections of the various apps redirected to the loopback zone. Maybe Avast intercepts the connections before comodo, so comodo sees only avast connecting to the internet.

Avast made a change in version 7 and it’s this change that’s causing the problem. From reading the thread over at Avast, they changed to using the Windows Filtering Platform. What we don’t know, is why that change is having this effect.

This can be used by a lot of malware and viruses and has to be fixed soon or a lot of people will migrate to better firewalls.

Indeed it can, it’s a very serious issue that needs to be addressed as quickly as possible. I’ve already created a bug report with Comodo, but with other firewalls exhibiting the same behaviour, I’m not totally convinced the responsibility rests solely with Comodo.

As of now, I can't suggest comodo as a good firewall to all my friends. Don't misunderstand, I've always used Comodo and I hope this bug will be fixed soon and not ignored, because this problem was discovered several weeks ago.

There again, you could always disable the Avast Web-Shield or change the ‘Expert Settings’ to “Scan traffic from well-known browser processes only”. However, if you do decide to change, you must make sure that whichever firewall you recommend is also not susceptible.

I don’t believe it’s a “security hole” as such, it’s more about the change of driver in Avast 7. From what lukor said, Avast have moved from using the TDI to using WFP and he believes that if Comodo is still using the TDI - from what I can see, it does - then this may be the reason we’re seeing this. The problem with that hypothesis is, this also affects the Windows 7 firewall, - and others - and the Windows 7 firewall is surely using the Windows Filtering Platform.

Bitdefender Internet Security 2012 is also susceptible to this ‘leak’. I wonder how many more…

And as Microsoft is fond of saying… the issue lies with Avast’s software. They need to correct it.

Is it a leak or is this due to these programs trusting Avast in some way and it is thus allowed to ‘bypass’ all these programs?

It’s the same as CIS, Windows 7 Firewall and Private firewall (I haven’t personally tested PF), so far. They’re simply unable to block connections being made through the Avast transparent HTTP proxy. Call it a leak, call it a failure on behalf of the firewall to block certain connections or call it a problem with the new Avast driver…