If tools like “surf shield” or the web protection of antivirus programs such as AVG and AVAST! are activated, the internet access of the browser is redirected to these tools. Therefore the COMODO log shows only 127.0.0.1 accesses of the browser. That’s fine. But the accesses of these tools are not logged if they are allowed.
Example: AVAST!'s tool is ashWebSv.exe. If the internet access of this program is blocked (and logging activated), the log shows this block. If the same rule is simply changed from block to allow, no log entry for the program is found any more.
I have had the same experience with AVG already.
The result: the log is filled with 127.0.0.1 entries of the browser, but none of the IPs reached is logged.
Does anybody know the reason why? And do you have an idea whether I can change that behavior, or is that an issue with CFP/CIS?
To do so, look up the rule under Firewall → Advanced → Network Security Policy → Application → select it → Edit → choose Use a Custom Policy → try reusing rules using “copy from” → make sure the outgoing rule(s) have logging enabled.
Hi EricJH,
thank you for your answer.
No, unfortunately it doesn’t work. Please see the attachments.
The log option in the rules is set, but the accesses of the applications (both web and e-mail scanner) are not logged if access is allowed.
If the rule says “block and log”, then the access of the application will be logged.
For which application are you setting the logging? For the browser or the webshield? You show you set logging for the web browser policy. What policy is the webshield set to?
I am currently not using an AV with webshield (using full-blown CIS), so I cannot check on my end right now. I am not sure whether to call this a bug or a feature.
Dropped a question to the mods to stop by and give their best shot at this.
It could be that there isn’t an application to track, but a web browser plug-in that is doing the work. If that is the case, then CIS rules for the web browser itself would apply.
It may take monitoring the network traffic to find out. Maybe netstat or TCPView, or in the worst case Wireshark, to determine the outbound IP address that is being queried, so as to set up a CIS rule to log the traffic.
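As an added example (not code from the thread or from COMODO), here is the netstat approach from the post above in script form: it parses `netstat -ano` output, finds which process owns the loopback port the browser connects to, and lists that process's real outbound endpoints, which are the addresses you would then write a logging rule for. The netstat text, the PIDs (2268 for the browser, 1544 for the web shield), the proxy port 12080 and the remote addresses are all constructed assumptions for this example.

```python
import re

# Constructed sample of `netstat -ano` output (Windows). PID 2268 stands for
# the browser, PID 1544 for the local web-shield proxy; the PIDs, the proxy
# port 12080 and the remote addresses are assumptions made for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1020
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1544
  TCP    127.0.0.1:12080        127.0.0.1:1063         ESTABLISHED     1544
  TCP    127.0.0.1:1063         127.0.0.1:12080        ESTABLISHED     2268
  TCP    192.168.1.5:1064       93.184.216.34:80       ESTABLISHED     1544
  TCP    192.168.1.5:1065       93.184.216.34:443      ESTABLISHED     1544
  TCP    192.168.1.5:1066       192.168.1.1:139        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# UDP lines carry no State column, so the state group is optional.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# A socket bound to 0.0.0.0 is reachable on 127.0.0.1 as well.
LOOPBACK = ("127.0.0.1", "0.0.0.0")


def split_endpoint(endpoint):
    """'127.0.0.1:12080' -> ('127.0.0.1', 12080); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -ano text into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def loopback_listeners(rows):
    """Map listening TCP port -> owning PID for sockets reachable on 127.0.0.1."""
    return {r["lport"]: r["pid"] for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING"
            and r["lhost"] in LOOPBACK}


def resolve_proxied(rows, browser_pid):
    """Follow the browser's loopback connections to the local proxy that owns
    the listening port, then return that proxy's non-loopback ESTABLISHED
    connections as sorted (proxy_pid, remote_host, remote_port) tuples."""
    listeners = loopback_listeners(rows)
    proxy_pids = {listeners[r["fport"]] for r in rows
                  if r["pid"] == browser_pid and r["proto"] == "TCP"
                  and r["fhost"] == "127.0.0.1" and r["fport"] in listeners}
    outbound = {(r["pid"], r["fhost"], r["fport"]) for r in rows
                if r["pid"] in proxy_pids and r["proto"] == "TCP"
                and r["state"] == "ESTABLISHED"
                and r["fhost"] not in LOOPBACK}
    return sorted(outbound)


if __name__ == "__main__":
    # On a live machine, replace SAMPLE_NETSTAT with the output of `netstat -ano`
    # and browser_pid with the browser's PID from Task Manager.
    for pid, host, port in resolve_proxied(parse_netstat(SAMPLE_NETSTAT), 2268):
        print("proxy PID %d talks to %s:%d" % (pid, host, port))
```

The output is the list of remote addresses that only ever appear under the web shield's PID, never under the browser's, which is why a browser-only logging rule shows nothing but 127.0.0.1.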
Logging does work; you just need to set up a TCP rule with logging. That does the trick (for me).
An IP permit is allowed earlier in the inspection process, and at that stage the layer 4 information (TCP port number) is not available and therefore cannot be logged either.
This works the same on Cisco access lists: if you set a Permit IP, you won’t see port numbers logged.
If you set Permit tcp any any eq 80, it will log nicely.
What the Cisco logs and CIS does not is a.b.c.d (0) e.f.g.h (0): that’s source IP, port always zero, destination IP, port always zero. So I guess it would be nice if CIS at least logged the packets with “unknown” ports like a Cisco ACL does.
Edit:
And permitting the packet at IP level is all about performance, of course: if you can allow the packet based on info in layer 3, why would you even inspect layer 4?
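A small first-match ACL evaluator, added here as an example (it is neither Cisco's implementation nor anything posted in the thread), to show the ordering point made above: an IP-level permit that sits before a port-specific rule matches first and, having no layer 4 data, logs both ports as 0; moving the TCP rule ahead of it logs the real ports. The packets and addresses are constructed for this example, and the log line format is only an approximation of the a.b.c.d (0) e.f.g.h (0) shape described in the post.

```python
import re

# Constructed sample packets for this example (documentation address ranges,
# not addresses from the thread): (proto, src, sport, dst, dport).
PACKETS = [
    ("tcp", "192.0.2.10", 1064, "198.51.100.20", 80),
    ("tcp", "192.0.2.10", 1065, "198.51.100.20", 443),
    ("udp", "192.0.2.10", 1066, "198.51.100.53", 53),
]

# Subset of IOS-style syntax handled here: "<permit|deny> <ip|tcp|udp> <src> <dst> [eq <port>] [log]"
RULE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?(\s+log)?$")


def parse_acl(lines):
    """Turn ACL lines into rule dicts, preserving their order (order is the point)."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACL syntax: %r" % line)
        action, proto, src, dst, port, log = m.groups()
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst,
                      "dport": int(port) if port else None, "log": bool(log)})
    return rules


def _host_match(pattern, addr):
    return pattern == "any" or pattern == addr


def rule_matches(rule, packet):
    proto, src, _sport, dst, dport = packet
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    return _host_match(rule["src"], src) and _host_match(rule["dst"], dst)


def evaluate(rules, packet):
    """First-match evaluation. Returns (action, log_line_or_None).

    A rule written at IP level has not looked at layer 4, so its log entry
    shows both ports as 0; a tcp/udp rule logs the real ports. Nothing
    matching means the implicit, unlogged deny."""
    proto, src, sport, dst, dport = packet
    for rule in rules:
        if not rule_matches(rule, packet):
            continue
        if not rule["log"]:
            return rule["action"], None
        if rule["proto"] == "ip":
            sport_shown, dport_shown = 0, 0
        else:
            sport_shown, dport_shown = sport, dport
        line = "%s %s %s(%d) -> %s(%d)" % (
            rule["action"], proto, src, sport_shown, dst, dport_shown)
        return rule["action"], line
    return "deny", None


def run(acl_lines, packets=PACKETS):
    rules = parse_acl(acl_lines)
    return [evaluate(rules, p) for p in packets]


# The IP-level permit comes first, so the port-specific logging rule after it
# never fires and every entry shows port 0.
ACL_IP_FIRST = ["permit ip any any log", "permit tcp any any eq 80 log"]
# With the TCP rule first, the HTTP connection is logged with its real ports;
# everything else falls through to the unlogged IP permit.
ACL_TCP_FIRST = ["permit tcp any any eq 80 log", "permit ip any any"]

if __name__ == "__main__":
    for name, acl in (("ip first", ACL_IP_FIRST), ("tcp first", ACL_TCP_FIRST)):
        print(name)
        for action, line in run(acl):
            print("  ", action, line)
```

The same first-match logic is why a generic "allow IP out" rule placed above a "TCP port 80, log" rule in any rule set silently swallows the entries you expected to see; order the specific logging rule first.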
Hi Ronny,
but not for me. The “Allow and Log Outgoing HTTP Requests” IS a TCP rule with logging.
I found this workaround: I created another web browser policy with exactly the same rules as the CFP default for web browsers, that is, WITHOUT logging. So I have two identical web browser policies, one WITH and one WITHOUT logging.
Now, I assigned the policy WITH logging to the web shield and the one WITHOUT logging to the browser, and the internet access of the web shield is logged! As soon as the loopback access of the browser (to the web shield) is logged, the web shield access to the internet is not logged any more.
So the firewall obviously has a problem with logging internet traffic that is redirected via a web shield.
The same thing happens with the e-mail traffic. I stopped logging the e-mail traffic for the e-mail client, and the mail scanner access to the internet is shown in the log. As soon as the traffic of the client is logged, the mail scanner disappears from the log.
I think this is a workaround, not a solution. The firewall should log all traffic for which there is a logging rule.
There is an application to track. Please see my earlier attachments (the blocked application) and my most recent replies.
The web shield of avast! is ashWebSv.exe, the e-mail scanner ashMaiSv.exe
I am using CFP version 3.8.65951.477 (no AV), Windows XP SP3 and avast! antivirus.