
OutPost and Kaspersky 5.0 Question


PikeDude
May 7th, 2004, 09:52 PM
Hi All,

Since installing Kaspersky 5.0, whenever I click on update or with Kav updating itself every three hours, I always get an alert from Outpost that an attack was detected from xxx.xxx.xxx.xxx (the Kav servers) and then it blocks it for the time limit that is set in the attack detection plug-in.

The only way that it can update without an attack alert is if I leave the attack plug-in set on Normal instead of Maximum. I really would like to set it to Maximum and I've tried adding the servers to the kavsvc.exe in the application rules but I still get this alert.

Is there a rule that needs to be created in the global rules? or just better set up in the application rules for Kav? I have used Outpost for a while now and really like it and have learned how to create rules but sometimes they are a little beyond me so I need some help. Has anyone experienced this with either Outpost or any other firewall with Kav 5.0?

Thanks for any and all help.

meneer
May 8th, 2004, 01:37 AM
Are you running OP in block most mode?

You'll have to create an application rule. The rule assistant is the easiest way to do that.

PikeDude
May 8th, 2004, 02:27 AM
Hi meneer, at first I ran it in "Rules Wizard" and when the wizard detected Kav, its suggestion was to use the browser preset, so I chose it.

If I leave the attack plug-in in Normal mode then it works well whether I'm in "Rules Wizard" or in "Block Most" mode. It only happens when the attack plug-in is set to Maximum.

StephB
May 8th, 2004, 05:10 AM
Hello PikeDude !
My attack detection plugin is set to high and with the rules below, I can update KAV 5.0 every three hours without any problem:

Protocol:
TCP

Destination:
Out

distant host (sorry for the translation, i've got french version):
downloads0.kaspersky-labs.com,downloads1.kaspersky-labs.com,
downloads2.kaspersky-labs.com,downloads3.kaspersky-labs.com,
downloads4.kaspersky-labs.com

distant port:
HTTP, FTP

Policy:
available

Hope it can help ...

Paranoid2000
May 8th, 2004, 06:01 AM
PikeDude,

Check that your rule for Kaspersky Update does include FTP (File Transfer Protocol - mentioned in StephB's post) - if it does and you still get the problem then Activate Stateful Inspection for that rule (this will allow all network connections between your PC and the Kaspersky server while the initial connection is up).

FTP works by having multiple network connections - a "control" connection (FTP) down which commands are sent and one or more "data" connections (FTPDATA) which handle the file transfers. However with normal FTP, it is the server that opens the data connections so Outpost will see these as incoming connections. It should allow them if you have FTP specified but if it isn't, specifying SPI should solve the problem.

For more details on Outpost's Stateful Inspection feature, check the FAQ forums at the Outpostfirewall.com (www.outpostfirewall.com) forum (when it is back up - currently down for an upgrade :( ).
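The active-mode FTP behaviour Paranoid2000 describes above (client opens the control connection, server opens the data connection back to the client) is what a stateful-inspection engine has to track. The simulation below is an added example written for this page, not code from the thread, from Outpost or from Kaspersky: it models a firewall with a plain outbound HTTP/FTP application rule, with and without FTP-aware stateful inspection, and replays one download. The client and server addresses, the client port numbers and the PORT command are constructed for the example; the engine only opens a pinhole for a data connection that comes back to the client itself on an ephemeral port, which is the usual guard against FTP bounce abuse of the PORT command.

```python
import re
from dataclasses import dataclass, field

# Constructed addresses for the simulation (not from the thread).
CLIENT_IP = "192.168.1.10"
UPDATE_SERVER = "203.0.113.5"  # RFC 5737 documentation address standing in for an update mirror

# FTP PORT command (RFC 959): "PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def decode_port(line):
    """Parse a PORT command into (ip, port); return None if the line is not a valid PORT."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p_hi, p_lo = map(int, m.groups())
    if max(h1, h2, h3, h4, p_hi, p_lo) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo


@dataclass(frozen=True)
class Conn:
    remote_ip: str
    remote_port: int
    local_port: int
    inbound: bool  # True when the remote host opened the connection


@dataclass
class Firewall:
    allowed_servers: frozenset
    stateful: bool  # the "Stateful Inspection" switch discussed in the thread
    pinholes: set = field(default_factory=set)  # (remote_ip, local_port) of expected FTP-DATA connections

    def check(self, conn):
        """Decide one new TCP connection: returns ("allow"|"block", reason)."""
        if not conn.inbound:
            if conn.remote_ip in self.allowed_servers and conn.remote_port in (21, 80):
                return "allow", "application rule: outbound FTP/HTTP to update server"
            return "block", "no application rule matches"
        key = (conn.remote_ip, conn.local_port)
        if key in self.pinholes:
            self.pinholes.discard(key)  # one data connection per PORT command
            return "allow", "stateful: FTP-DATA connection announced by PORT"
        return "block", "unsolicited inbound connection (attack detection would flag this)"

    def observe_control(self, server_ip, line):
        """Inspect one client->server line on an allowed control connection."""
        if not self.stateful:
            return False  # a plain port rule never looks inside the control channel
        parsed = decode_port(line)
        if parsed is None:
            return False
        ip, port = parsed
        # Only pinhole data connections back to this client on an ephemeral port.
        if ip != CLIENT_IP or port < 1024:
            return False
        self.pinholes.add((server_ip, port))
        return True


def run_update_session(stateful):
    """Replay an active-mode FTP download; returns the decision for each connection."""
    fw = Firewall(allowed_servers=frozenset({UPDATE_SERVER}), stateful=stateful)
    decisions = []
    # 1. Client opens the control connection to port 21 (outbound, matches the app rule).
    decisions.append(fw.check(Conn(UPDATE_SERVER, 21, 3051, inbound=False)))
    # 2. Client announces where it listens for data: 19*256 + 137 = 5001.
    fw.observe_control(UPDATE_SERVER, "PORT 192,168,1,10,19,137")
    # 3. Server opens the data connection from port 20 to client port 5001 (inbound).
    decisions.append(fw.check(Conn(UPDATE_SERVER, 20, 5001, inbound=True)))
    return decisions


if __name__ == "__main__":
    for mode in (False, True):
        print(f"stateful={mode}:", run_update_session(mode))
```

With `stateful=False` the outbound control connection is allowed but the server's data connection to client port 5001 is blocked as unsolicited inbound traffic, which is exactly what an attack-detection plug-in in a strict mode would report; with `stateful=True` the PORT command creates a single-use pinhole and the same data connection is allowed.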

PikeDude
May 8th, 2004, 12:12 PM
Hi StephB and Paranoid2000,

Thanks for helping, I just read the post and will be creating those rules and do some updating and will be reporting back soon if all is well. :)

PikeDude
May 8th, 2004, 02:09 PM
Hi again, well I created the rule and applied it but I still would get the attack warning from Outpost once I put it in Maximum mode. I had tried all the various ways that were mentioned here, SPI turned on then off, specifying some local ports because they were always happening on ports 5001-5010, but I would still get the attacks.

Then I deleted the kavsvc.exe rule, recreated it as per StephB's and Paranoid2000's advice, put the attack plug-in in Maximum mode and Outpost in Block Most mode. I tried updating Kav and got the attack warning, but instead of changing anything this time, I simply rebooted the computer.

Once back up, I verified the settings in Outpost and everything was as I had left them (the Kav rule, attack plug-in in Maximum mode). I then clicked on the update for Kav and it went through without the attack warning from Outpost. I repeated this several times and always without a glitch. I verified the logs in Outpost and sure enough the connections were allowed through.

All Outpost needed was a reboot to apply the new setting; I don't know why, though, as all the other rules I created were applied by Outpost on the fly. It doesn't really matter as long as it works now, although I did learn that when changing a rule, if it doesn't seem to work when it should, the simplest thing to do is reboot and verify.

Thanks for all the help. I really appreciate it. :)

Socio
June 30th, 2004, 06:47 PM
With the help of MegaHertz on the official Outpost forum I was able to create an updater preset for KAV 5, so if anyone else has problems with KAV 5 updating you can add this to your Outpost's Preset.lst file:

[KAV Update]
VisibleState: 1
Exe:
KAV Updater, kavsvc.exe
DefaultState: 1
RuleName: KAV Updater HTTP,FTP connection
Protocol: TCP
RemotePort: HTTP,FTP
Direction: Outbound
RemoteHost: 212.5.80.19, 195.218.139.150, 81.176.69.89, 195.170.248.15, 81.176.69.86
AllowIt