Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Moonblood can you show me how you made the rule for avast service? Is that one rule for inbound and the rest outbound or all inbound?
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Outbound rules:

    Process name: AvastSvc.exe
    Protocol: TCP
    Remote Address: Any

    Process name: AvastUI.exe
    Protocol: TCP
    Remote Address: Any

    Process name: AVAST.SETUP
    Protocol: TCP
    Remote Port: 80
    Remote Address: Any

    Inbound rule:

    Process name: AvastSvc.exe
    Protocol: TCP
    Local Addresses: 127.0.0.0/8 and 0.0.0.0
     
  3. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    I have the outbound rules and the inbound Local ports set to any and it still won't update.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's odd, because I was able to. Do you have, by any chance, DNS Client disabled? If you do, then you are required to create one more extra rule for DNS, for each one of those processes.

    Otherwise, something else there is preventing avast! from updating.
     
  5. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Yes, each rule I make I make a DNS one for it also.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. You could try making use of TCPView (or similar) and with it opened (executed with Admin. rights), you could see what other process is being executed by the time you update avast! Pro. Perhaps, one other process is also initiated in the paid version o_O
     
  7. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Hi Poni,

    When the software is installed outside of the programs folder and you go to create a rule, instead of browsing, use full path, example:

    C:\users\tomi\appdata\local\google\chrome\application\chrome.exe

    Have a nice day....

    _____________________
     
  8. Poni

    Poni Registered Member

    Joined:
    Nov 15, 2010
    Posts:
    5
    Location:
    Salo, Finland
    Thanks sparviero, worked nicely.
     
  9. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay, I have done everything but stand on my head and still can't get this thing to update.

    The Avast.setup you gave me got my web shield working and thank you.

    You have two Avast service rules showing; is that one inbound and one outbound?

    I don't understand the Local Address: 127.0.0.0/8 and 0.0.0.0. I tried typing this in and WF said it wasn't correct form.

    Is the Avast UI.exe inbound and outbound? Sorry, I'm getting a little confused.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK.

    It goes like this:

    Processes Avast.setup, AvastSvc.exe and AvastUI.exe all have outbound rules.

    Then, process AvastSvc.exe also has an inbound rule for localhost (127.0.0.0/8, and 0.0.0.0).

    127.0.0.0/8 and 0.0.0.0 are added as separate addresses: You add 127.0.0.0/8 and confirm that. Then, add a new address with 0.0.0.0, and confirm it as well.

    Not "127.0.0.0/8 and 0.0.0.0".
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    To see if something from avast! is being blocked, execute cmd.exe with administrator rights and type the following:

    auditpol.exe /set /SubCategory:"Filtering Platform Connection" /success:disable /failure:enable (Press enter)

    net stop MPSSVC (Press enter)

    net start MPSSVC (Press enter)

    These two last commands will disable and re-enable Windows Firewall service. Better disconnect from Internet.

    Then, in Start Menu type eventvwr.msc and execute it with administrator rights. Go to Windows Logs (something like that) > Security

    Now, start avast! update process and refresh the logs by going to Action - Refresh in the tool bar. See if any of the blocked (if any) processes belong to avast! and what sort of connection it is trying to make.
     
  12. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    The FW will not accept the forward slash marks. You don't mention what ports for Avast service inbound.

    When I change my FW profile Outbound blocked to allow avast can update, so something is being blocked and I think it's cuz I don't have an inbound rule yet so I'm going to try what you said and see.
     
    Last edited: Nov 16, 2010
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's odd.

    See image attached. It's not for avast!, but I've added a rule like that for Windows Update.
     

  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I haven't restricted the port, when I tested in the virtual machine, but it's a matter of monitoring it (AvastSvc.exe) with TCPView and see when it tries to make connections and to what ports.

    Report back. :)
     
  15. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Ahh... let me try this. Is this for local ip or remote?

    EDIT

    I used local ip for the address and it didn't work.
     
    Last edited: Nov 16, 2010
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The inbound rule for AvastSvc.exe is remote IPs 127.0.0.0/8, and 0.0.0.0; Local IP: any.
     
  17. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay, I changed it like above and it didn't work. I discovered xxx.support.avast.com is blocked.

    EDIT:

    When I try to update avast it just says "cannot connect to servers".
     
    Last edited: Nov 16, 2010
  18. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    Alabama
    Anyone know if this is something that should be allowed?

    Code:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          11/16/2010 3:24:38 PM
    Event ID:      5157
    Task Category: Filtering Platform Connection
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      Seven-PC
    Description:
    The Windows Filtering Platform has blocked a connection.
    
    Application Information:
    	Process ID:		1484
    	Application Name:	\device\harddiskvolume2\windows\system32\svchost.exe
    
    Network Information:
    	Direction:		Inbound
    	Source Address:		224.0.0.252
    	Source Port:		5355
    	Destination Address:	192.168.1.101
    	Destination Port:		50166
    	Protocol:		17
    
    Filter Information:
    	Filter Run-Time ID:	80621
    	Layer Name:		Receive/Accept
    	Layer Run-Time ID:	44
     
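The Security-log check described earlier in the thread produces records like the one quoted in the post above. The following is an added example, not code from any poster: it parses event 5157 text pasted from Event Viewer, decodes the protocol number, marks LLMNR multicast traffic, and filters the blocked connections by executable name. The function names and the second sample record (path, addresses, ports) are assumptions made for illustration.

```python
import ipaddress
import re

PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*?):[ \t]*(\S.*)$", re.M)

# Constructed sample in Event Viewer's copied-text layout; the second record is made up.
SAMPLE = r"""
Event ID:      5157
    Application Name:    \device\harddiskvolume2\windows\system32\svchost.exe
    Direction:           Inbound
    Source Address:      224.0.0.252
    Source Port:         5355
    Destination Address: 192.168.1.101
    Destination Port:    50166
    Protocol:            17
Event ID:      5157
    Application Name:    \device\harddiskvolume2\program files\example\avastsvc.exe
    Direction:           Outbound
    Source Address:      192.168.1.101
    Source Port:         49200
    Destination Address: 192.0.2.10
    Destination Port:    80
    Protocol:            6
"""

def parse_5157(text):
    """Return one dict of 'Field: value' pairs per event 5157 in pasted text."""
    events = []
    for key, value in FIELD.findall(text):
        if key == "Event ID":          # each record starts at its Event ID line
            events.append({key: value.strip()})
        elif events:
            events[-1][key] = value.strip()
    return [ev for ev in events if ev["Event ID"] == "5157"]

def describe(ev):
    """Return (image, direction, protocol, remote endpoint, note) for one event."""
    side = "Source" if ev["Direction"].lower() == "inbound" else "Destination"
    addr = ipaddress.ip_address(ev[side + " Address"])
    port = int(ev[side + " Port"])
    proto = PROTOCOLS.get(int(ev["Protocol"]), ev["Protocol"])
    llmnr = proto == "UDP" and port == 5355 and addr.is_multicast
    note = "LLMNR multicast" if llmnr else "loopback" if addr.is_loopback else ""
    image = ev["Application Name"].rsplit("\\", 1)[-1].lower()
    return image, ev["Direction"], proto, f"{addr}:{port}", note

def blocked_for(text, name_part):
    """Blocked connections whose executable name contains name_part."""
    return [r for r in map(describe, parse_5157(text)) if name_part.lower() in r[0]]
```

Calling `blocked_for(pasted_text, "avast")` on text copied from the Security log lists only the blocked connections that belong to avast! executables, with the remote port and protocol a missing rule would need to cover.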
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I wonder if avast! Pro initiates one other process to initiate avast.setup, or vice-versa o_O

    Have you tried either monitoring with TCPView or/and with the commands I gave you for cmd line and Event Viewer?
     
  20. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Rilla927

    Avast rule

    for web shield:

    %ProgramFiles%\Alwil Software\AvastX\AvastSvc.exe port 80,443 & 8080 + all mail protocol ports (110-995-143-993-25-587-465)

    for updating:

    %ProgramFiles%\Alwil Software\AvastX\AvastUI.exe allow TCP out port 80

    for updating:

    %ProgramFiles%\Alwil Software\AvastX\Setup\avast.setup allow TCP out port 80

    Remote IP Any.

    Have a nice day....

    _____________________
     
    Last edited: Nov 16, 2010
  21. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Greg S

    224.0.0.252 is a multicast address limited to your local subnet, I think you do not need it.

    Disable Link-Local Multicast Name Resolution (LLMNR)

    via group policy:

    Group Policy = Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution. > Enabled

    by registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast = 0

    Then you do not need multicast IGMP connections (IGMP to 224.0.0.24)

    In the registry, navigate to the following registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    In the right pane, right-click and select New – DWORD (32-bit value) and set its name as IGMPLevel , set it to the following values: 0

    Or open cmd terminal as administrator and copy in:

    Multicast connections are gone. (restart PC is needed).

    If you decide to revert to the defaults, simply delete the key.

    Have a nice day....

    ____________________
     
    Last edited: Nov 16, 2010
  22. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    That's very possible.

    I have TCP View on my computer but I don't know what I'm looking at.

    I haven't done the commands yet, I had to go get some supper. I will try it.

    Oh crap, I won't have any FW protection if I do this cuz it disables it. I can give you windows FW log if you want it. I'm going to check event viewer also.
     
    Last edited: Nov 16, 2010
  23. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Believe it or not I do have these rules but thanks for trying to help.
     
    Last edited: Nov 16, 2010
  24. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    forgotten port 443

    EDIT:

    ______________
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Ultimately, if you still can't make it to work, you could try, if you have the chance, to install avast! Pro in a virtual machine with Windows Firewall Control app, or with some other firewall like Outpost and see what rules it creates for avast! Pro.

    With the rules I mentioned - based on the avast! free edition - you should be able to update just fine. Even the Network Shield blocked malicious websites in my testing.

    Except for the fact that some other process may be being blocked from connecting, I don't see what could be happening.
     