firewall doesn't log internet access of "safe surf" tools of e.g. AVG and AVAST!

Hi,

If tools such as the “surf shield” or web protection of antivirus programs like AVG and AVAST! are activated, the internet access of the browser will be redirected to these tools. Therefore the COMODO log shows only 127.0.0.1 accesses of the browser. That’s fine. But the accesses of these tools are not logged if they are allowed.

Example: AVAST!'s tool is ashWebSv.exe. If the internet access of this program is blocked (and the log activated), the log shows this blockage. If the same rule is simply changed from block to allow, no log entry of the program is found any more.
I had the same experience with AVG already.
The result: The log is filled with 127.0.0.1 entries of the browser, but none of the reached IPs is logged.

Does anybody know the reason why? And do you have an idea whether I can change that behavior or is that an issue of CFP/CIS?

Kind regards

You can manually edit the rules for outgoing.

To do so look up the rule under Firewall → Advanced → Network Security Policy → Application → select it → Edit → choose Use a Custom Policy → try reusing rules using “copy from” → make sure the outgoing rule(s) have logged enabled.

Does that do the trick for you?

Hi EricJH,
thank you for your answer.
No, unfortunately it doesn’t work. Please see the attachments.
The log option in the rules is set, but the accesses of the applications (both web- and e-mail-scanner) are not logged if access is allowed.
If the rule says “block and log”, then the access of the application will be logged.

[attachment deleted by admin]

For what application are you setting the loggings? For the browser or the webshield? You show you set the loggings for the web browser policy. What policy is the webshield set to?

The webshield has the web browser settings, like the browser itself, which I think makes sense, because it is a “tunnel” for the web browser.

What happens when you set the webshield to trusted application and let it log everything it does? Does the same thing happen?

Unfortunately yes.

Do you have “Enable alerts for loopback” enabled? The setting can be found under Firewall → Advanced → Firewall Behaviour Settings → Alert settings.

Yes, see screenshot.

[attachment deleted by admin]

I am currently not using an AV with webshield (using full blown CIS) so I cannot check on my end right now. I am not sure whether to call this a bug or a feature.

Dropped a question to the mods to stop by and give their best shot at this.

It could be that there isn’t an application to track, but a web browser plug-in that is doing the work. If that is the case, then CIS rules for the web browser itself would apply.

It may take monitoring the network traffic to find out. Maybe netstat or TCPView, or at worst case, Wireshark to determine the outbound IP address that is being queried, so as to set up a CIS rule to log the traffic.

I can have a go in a VM,
Which versions of CIS and Windows?

I used to use AVG but I don’t remember the traffic behavior for the shield ATM.
I went to full on CIS a while back.

Later

I use a local proxy and if I’d like to have it logging packets I have to set up a full TCP rule, not an IP rule.

Allow From ANY to ANY src port ANY dst port 80 [log]

That works for me.

Good point, Grue! AVG’s web filtering piggybacked off the browser. It would be TCP port 80 and/or 443 traffic.

Ewen :slight_smile:

Logging does work, you just need to set up a TCP rule with logging,
that does the trick (for me).

An IP permit is allowed earlier in the inspection process and at that stage the layer 4 information TCP port number is not available and therefore can also not be logged.

This works the same on Cisco access-lists: if you set a Permit IP you won’t see port numbers logged.
If you set a Permit tcp any any eq 80 it will log nicely.

What Cisco logs and CIS does not is a.b.c.d (0) e.f.g.h (0): that’s source IP, port always zero, destination IP, port always zero. So I guess it would be nice if CIS at least logged the packets with “unknown” ports like a Cisco ACL does.

Edit:
And permitting the packet on IP level is all about performance of course, if you can allow the packet based on info in layer 3 why would you even inspect layer 4 ? :wink:
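Ronny’s layer-3 versus layer-4 point, as an added model of first-match rule evaluation that is not code from Comodo, Cisco or anyone in the thread; the rule and packet shapes, the example addresses and the two policies are assumptions:

```python
# Added model (not Comodo's or Cisco's code) of first-match rule evaluation.
# Assumption: an "ip"-level rule is decided from layer-3 fields only, so its log line
# carries no ports (Cisco ACL style: shown as 0); a "tcp" rule sees and logs real ports.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", ...
    sport: int
    dport: int

@dataclass
class Rule:
    action: str           # "allow" or "block"
    proto: str            # "ip" (any protocol, layer 3 only) or "tcp"/"udp"
    dport: Optional[int]  # None means ANY
    log: bool

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto == "ip":
        return True  # layer-3 match: port fields are never consulted
    return rule.proto == pkt.proto and rule.dport in (None, pkt.dport)

def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> str:
    """First matching rule decides; a logging rule appends one line. Implicit block."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.log:
            sport, dport = (0, 0) if rule.proto == "ip" else (pkt.sport, pkt.dport)
            log.append(f"{rule.action} {rule.proto} {pkt.src}({sport}) -> {pkt.dst}({dport})")
        return rule.action
    return "block"

# Constructed policies: a logged "IP permit" versus Ronny's TCP port 80 rule with [log].
IP_ALLOW_LOGGED = [Rule("allow", "ip", None, True)]
TCP80_LOGGED_THEN_IP = [Rule("allow", "tcp", 80, True), Rule("allow", "ip", None, False)]

def run_policy(rules: List[Rule], pkt: Packet) -> List[str]:
    log: List[str] = []
    evaluate(rules, pkt, log)
    return log

if __name__ == "__main__":
    http = Packet("10.0.0.5", "198.51.100.7", "tcp", 49152, 80)  # constructed addresses
    print(run_policy(IP_ALLOW_LOGGED, http))       # ports appear as 0
    print(run_policy(TCP80_LOGGED_THEN_IP, http))  # real ports logged
```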

Hi Ronny,
but not for me. The “Allow and Log Outgoing HTTP Requests” IS a TCP rule with logging.

I found this workaround: I created another web browser policy with exactly the same rules as the CFP default for web browsers, this means WITHOUT logging. So I have two identical web browser policies, one WITH and one WITHOUT logging.
Now, I assigned the policy WITH logging to the web shield and the one WITHOUT logging to the browser - and the internet access of the web shield is logged! As soon as the loopback access of the browser (to the web shield) is logged, the web shield access to the internet is not logged any more.
So the firewall obviously has a problem with logging internet traffic which is redirected via a web shield.

The same thing happens with the e-mail traffic. I stopped logging the e-mail traffic for the e-mail client, and the mail scanner access to the internet is shown in the log. As soon as the traffic of the client is logged, the mail scanner disappears from the log.

I think this is a workaround, not a solution. The firewall should log all traffic for which there is a logging rule.

Hi grue155,

there is an application to track. Please see my earlier attachments (the blocked application) and my most recent replies.
The web shield of avast! is ashWebSv.exe, the e-mail scanner ashMaiSv.exe

Hi Bad Frogger,

I am using CFP version 3.8.65951.477 (no AV), Windows XP SP3 and avast! antivirus. The web shield of avast! is ashWebSv.exe, the e-mail scanner ashMaiSv.exe

I think this has something to do with the point where the firewall driver intercepts the traffic:

  1. between the browser → over the loopback → Not on the AV Scanner
  2. Not on the browser/loopback → only on the AV Scanner

Seems like it’s already seen that “session” and does not want to record it to the logs twice.