Online Armor, Avira WebGuard and port 44080

Discussion in 'other firewalls' started by A Tester, Jun 2, 2009.

Thread Status:
Not open for further replies.
  1. A Tester

    A Tester Registered Member

    Since many people here are using OA and Antivir Premium at the same time, I thought I would be informative and mention that the default settings of OA leave port 44080 (WebGuard uses it) totally open (for example grc.com reports its status as open). To get stealth status you have to restrict port 44080 (and 44110 if using MailGuard). I tested the functionality of WebGuard at one known site (if a threat at all) and it worked normally, reporting a threat and then denying access.

    All other firewalls that I have tried filter it by default (PC Tools, Comodo, Sygate, Windows XP Firewall and Outpost).

    Is it a vulnerability? It has been there since I started using OA Free (version 2).
  2. alex_s

    alex_s Registered Member

    This is by design rather than a vulnerability. By default OA allows access to the open ports except for the restricted ports list, which is hardcoded in the free version but can be edited in the full version. The idea is to allow your custom public services to work after the OA install. It may be worth, though, adding Avira ports to the predefined restricted ports. I'm not sure. I think it is better to contact Tall Emu and talk with them about the issue.

    BTW, if you untick the "Show only connected endpoints" and "Resolve addresses" checkboxes on the Firewall status screen, what local address do Avira's listening ports show? If it shows a 127.0.0.X address it can't accept connections from any other network interface except loopback, so even being open it can do no harm. If it has a 0.0.0.0 internal address it is open to any interface and can be connected to from anywhere. In the second case this is rather Avira's vulnerability; in the first case you have nothing to worry about.
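The check alex_s describes (look at the local address of each listening socket, and treat 127.0.0.x as harmless and 0.0.0.0 or "*" as reachable from every interface) can be automated. The following is an added example written for this thread, not code from Online Armor, Avira or any poster. It parses `netstat -an` style output (a constructed sample is embedded; 44080 and 44110 are the WebGuard/MailGuard ports named in the thread, every other address and port is made up), classifies each listener as loopback-only, all-interfaces (`0.0.0.0`, `*`, `[::]`) or bound to one specific address, and also binds throwaway sockets to show that a wildcard bind is what the OS reports as 0.0.0.0. The function names `classify_bind_address`, `audit_listeners`, `exposed_listeners` and `bind_and_classify` are my own.

```python
import ipaddress
import re
import socket

# Constructed sample of `netstat -an` output in the Windows layout.
# 44080 and 44110 are the WebGuard/MailGuard ports named in the thread;
# every other address and port here is made up for the example.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:44080          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:44110        0.0.0.0:0              LISTENING
  TCP    [::]:44080             [::]:0                 LISTENING
  TCP    [::1]:5555             [::]:0                 LISTENING
  TCP    *:8080                 *:*                    LISTENING
  TCP    192.168.1.20:49152     93.184.216.34:443      ESTABLISHED
"""

# Matches "addr:port" as netstat prints it: "*", "[v6addr]" or dotted IPv4, then a numeric port.
ENDPOINT_RE = re.compile(r"^(\*|\[[0-9A-Fa-f:.]+\]|\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def classify_bind_address(addr: str) -> str:
    """Classify the local address of a listening socket.

    'loopback'       -> 127.0.0.0/8 or ::1, reachable only from the same host
    'all-interfaces' -> '*', 0.0.0.0 or [::], reachable through every interface
    'specific'       -> bound to one interface address
    """
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    return "specific"


def audit_listeners(netstat_text: str):
    """Return (proto, addr, port, exposure) for every LISTENING/LISTEN line.

    Works on Windows ("LISTENING") and Linux ("LISTEN") netstat output: the first
    token that looks like an endpoint is the local address in both layouts.
    """
    findings = []
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[-1].upper() not in ("LISTENING", "LISTEN"):
            continue
        match = next((m for m in map(ENDPOINT_RE.match, tokens) if m), None)
        if match is None:
            continue
        addr, port = match.group(1), int(match.group(2))
        findings.append((tokens[0], addr, port, classify_bind_address(addr)))
    return findings


def exposed_listeners(netstat_text: str):
    """Only the listeners a remote host could reach, i.e. anything not loopback-bound."""
    return [f for f in audit_listeners(netstat_text) if f[3] != "loopback"]


def bind_and_classify(bind_host: str):
    """Bind a throwaway TCP listener to bind_host on an ephemeral port and report
    what the OS says the local endpoint is. Binding to '0.0.0.0' (or '') yields the
    wildcard address, which is exactly what netstat shows as 0.0.0.0 or '*'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((bind_host, 0))
        sock.listen(1)
        addr, port = sock.getsockname()
        return addr, port, classify_bind_address(addr)
    finally:
        sock.close()


if __name__ == "__main__":
    for proto, addr, port, exposure in audit_listeners(SAMPLE_NETSTAT):
        flag = "" if exposure == "loopback" else "  <-- reachable from other hosts"
        print(f"{proto} {addr}:{port:<6} {exposure}{flag}")
    for host in ("127.0.0.1", "0.0.0.0"):
        print("bind to", host, "->", bind_and_classify(host))
```

Feed it the real `netstat -an` output of the machine in question and only the "all-interfaces" and "specific" entries need a firewall rule or a restricted-ports entry; a loopback-bound service does not, whatever an external port scan says.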
  3. A Tester

    A Tester Registered Member

    Thanks for answering. Finally I got some information about it. Yes, I contacted Tall Emu, but they refused to talk about it.

    It shows *:44080. So any address, the same as 0.0.0.0?
  4. dave88

    dave88 Registered Member

    This does not sound like Tall Emu?
  5. hayc59

    hayc59 Updates Team

    Not True For Sure!!
  6. A Tester

    A Tester Registered Member

    What isn't?

    I asked MikeNash directly and all he responded was.

    And then he refused to respond. On the forum a month ago there was no answer to it.
  7. hayc59

    hayc59 Updates Team

    sounds to me he answered you
  8. alex_s

    alex_s Registered Member

    hm, this sounds very strange, actually
    Yep, "*" is the same as 0.0.0.0 and this does mean the port is open to any interface. If I used Avira I'd contact Avira, because I think this is a potential vulnerability. Take a look at FF, for example: it uses loopback for IPC, but it uses a 127.0.0.1:XXXX endpoint for the purpose, which is correct and safe.

    Whether a firewall should block all the ports by default or not is a big question. If a trusted program (and Avira is definitely a trusted program) opens some port to the universe, most likely it needs it to be open and an intelligent firewall should not block it silently, IMHO. Still, this is one of the questions where an absolutely correct answer is just impossible :)
    Last edited: Jun 2, 2009
  9. MikeNash

    MikeNash Security Expert

    The way Online Armor is designed is very, very simple.

    Trusted programs may access the internet.

    If a port is opened, a firewall doesn't stealth it (i.e. prevent access to it) because you want the port to be open!

    Maybe I missed something in your question.

    As far as PM's go, now is probably a good time to say: If you want support for OA, the place is in our forums. This way, everyone can see it - and respond to it.

    If you (not you specifically) send me a PM on a support issue, I might respond to it - or I might not, depending on my workload. Yesterday, for example, I spent much of the day in meetings and then working on another project till midnight. I probably did not check my PMs at all.



    Mike
  10. A Tester

    A Tester Registered Member

    Well well well...

    Who responded now. :D

    MikeNash, why do you say this now? Many days have gone by and the case is solved.
  11. hayc59

    hayc59 Updates Team

    wow, you get another answer from Mike and you don't like that answer
    strange.....*puppy*
  12. Peter2150

    Peter2150 Global Moderator

    Probably because you were posting about them not responding yesterday.
  13. A Tester

    A Tester Registered Member

    If it matters... :rolleyes:

    The first time I posted to him, if I remember correctly, was 26th May. Then the next day(?) I asked him for a reply and then I got that. After that he didn't respond to my message(s) where I asked for more information. At least then he had the chance to say the same thing he is saying here now.
  14. alex_s

    alex_s Registered Member

    I think it should be taken into account that a CEO (any CEO, not only Mike) has a lot of things to do other than support. BTW, have you tried official support? Also it should be taken into account that Free version support may be somewhat limited and depends much on how company resources are mapped at the moment.
  15. A Tester

    A Tester Registered Member

    Thanks for your interest!

    Yes, I understand it and I mentioned that same thing to him, but at the same time he is answering others' questions day after day. It is then an excuse and a clear sign of refusing to talk to me.

    I think this is more a general concern about my and other people's security than a support issue, and I wanted them to do something about it. So this meant to me that he doesn't care about their customers' security.

    For example, if he refuses to talk, he could have sent the following to me and it would have been OK.

    Yes, but I don't want to bother them anymore. They did a good job, but you are the only one who gave information about it. Thanks once again.

    I'll comment a little on Nash's post.

    Maybe you missed it. I can tell what this is all about.

    I think that port 44080 should not be open when you are using a firewall. To me it means what PcFlank.com states:
    "Open" - Means that this port is ready to establish (or has already established) a connection with a remote address. It also means that your computer is vulnerable to attacks and could have been already hacked or infected by a trojan/backdoor;"

    When at the same time it can be this without losing functionality:
    "Stealthed" (by a firewall) - Means that your computer is invisible to others on the Internet and protected by a firewall or other similar software;"

    And grc.com states this:
    "If our tests have shown one or more of your ports to be OPEN!, then Internet packets requesting a connection with your machine are being accepted and connections are being created. If this is NOT what you intend, if you are not deliberately operating Internet servers and offering services to the public, then you should work to determine the source of the open port(s) and take measures to close them...

    ...a high percentage of open ports are "exploitable" by malicious Internet hackers. This means that sooner or later some clever "exploit" could be crafted to take advantage of your open ports to gain an advantage without your knowledge or permission...

    ...If your system did NOT show up as Stealth, but you would like it to, you will need to use one of the many free or inexpensive personal firewalls that are now widely available... "
    Last edited: Jun 3, 2009
  16. hayc59

    hayc59 Updates Team

    As far as I can tell Mike answered your question
    so move on and get a life....Mike and Co. go out of their way
    to please folks, just some can't or won't ever be happy!
    that is all
  17. A Tester

    A Tester Registered Member

    Actually he hasn't answered my original question to this day. The original question was: Is it a vulnerability? Is it a security risk? Alex_s answered my question, MikeNash didn't.

    But yes, he answered this question:

    Interested: will you do anything about it or not? Obviously the answer is no.

    It is not about pleasing, it is about making a firewall that won't leak.

    Did you get it? :rolleyes: :thumb:
  18. hayc59

    hayc59 Updates Team

    Oh I get you for sure!!
  19. MikeNash

    MikeNash Security Expert

    As I mentioned, I don't often do private support by PM at all. This way, by it being in public on a forum, more than one user gets the benefit of the answer. It is pretty clearly stated on our site, in our forums, even on the contact form, and in the product that the best and only way to get support is through the forums.

    Nevertheless, let's take a look at the issue.

    Some background first.

    The way Online Armor is designed, it allows trusted programs to access the internet. It's designed to do this in as simple a way as possible for users, particularly in advanced mode, so they do not have to make decisions about what trusted programs really need at a technical level. After all - they are trusted programs, right?

    The example I use is my mum. I tell her Yahoo IM is safe. Her firewall then says "Can Yahoo IM access the net?" - and, it's a question she is comfortable with. "Mike told me it is safe, so I will allow it."

    Consider the alternative... "Yahoo wants to use DNS API?" "Yahoo wants to access the internet"... "Yahoo wants to connect to <IP> on <port>" possibly several times.... "Yahoo wants to send UDP"... it goes on and on.

    She is no more secure for having answered all of those questions (in fact, less secure is more likely - she would uninstall, or just get conditioned to click yes).

    Doing this requires a tradeoff. It requires that when you trust a program, you trust it. Online Armor will then give it the resources it requests, including internet access.

    Let's define access: In terms of Online Armor, it means that it can make outbound connections (e.g. Firefox connecting to a website) or it can receive, if it listens, inbound connections. Some firewalls would refer to this as "Acting as a Server". This appears to be the case with your proxy.

    So - you run your trusted program. It requests a port to be opened. Windows opens the port. Online Armor correctly allows access to this port.

    The result is simple. We have an open port, and this port is allowed because the program requested it. The program has been given permission (implicitly, or explicitly, depending on what settings you have available) to access the internet. So, all is fine.

    Then, you run a test which checks for open ports. And it finds one. This is not unexpected.

    So, the meat of your issue seems to be "But I don't want this port to be open!"

    There are several ways we can handle this. The first way is of course, not to allow Antivir internet access.

    The second way is to use Online Armor's restricted port list to mark this port as an internal only port.

    The last way would be to use endpoint restrictions to limit the IP Addresses which are allowed to connect to this service.

    What is more of an issue is why Antivir is not using a socket bound to the loopback interface.

    It would be interesting to see whether processes running on another machine are able to successfully connect to that port and what happens if you can. (Online Armor would not prevent this unless you tell it to, so its presence would be irrelevant for the test.)

    Antivir should really use the loopback interface. This is not a bug in Online Armor. It is possibly a bug or vulnerability in Antivir, depending on what happens when third party software or computers attempt to use the open port.

    As for will we do anything about this - I can say probably not.

    You've allowed a trusted program to access the net. The access has been given. Part of this access is to allow this program to act as a server. It's been allowed. OA provides mechanisms for advanced users to adjust this behaviour if they don't like it.

    We could add yet-another-checkbox or yet-another popup... but I don't think it's appropriate.


    Mike
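Mike's suggested test (see whether another machine can actually connect to the port) and the PcFlank/grc definitions quoted earlier ("open" versus "stealthed") come down to what a TCP connect attempt gets back. The following is an added example written for this thread, not code from Tall Emu, Avira or any poster: `probe_tcp` classifies an endpoint as open (handshake completed), closed (connection refused, nothing listening) or filtered (no reply before the timeout, which is the "stealth" result a firewall produces), and `demo_local_probe` demonstrates it against a constructed loopback listener so the whole thing runs offline. Both names are my own; the `<your-host-lan-ip>` placeholder in the comment is exactly that.

```python
import errno
import socket


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP endpoint from the connecting side.

    'open'        -> the handshake completed: something is listening and nothing blocked us
    'closed'      -> the host answered with RST (connection refused): nothing is listening
    'filtered'    -> no answer within the timeout: a firewall is dropping the SYN,
                     which is what the quoted GRC/PcFlank text calls 'stealth'
    'unreachable' -> the network stack could not route to the host at all
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def demo_local_probe():
    """Constructed demonstration that runs offline: a listener bound to the loopback
    interface is 'open' when probed from the same host, and 'closed' as soon as the
    program stops listening, with no firewall involved in either result."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print("loopback listener while open / after close:", demo_local_probe())
    # Real check, run from a second machine you control on the same LAN: replace the
    # placeholder with your own host's LAN address and the port you restricted.
    # A restricted-ports rule that works turns 'open' into 'filtered'.
    # print(probe_tcp("<your-host-lan-ip>", 44080))
```

The useful comparison is the one Mike describes: probe your own host's LAN address from a second machine before and after adding the port to the restricted list. A loopback-bound service will already report "closed" from the other machine without any firewall rule, which is why the bind address matters more than the scan result.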
  20. A Tester

    A Tester Registered Member

    Thanks Mike! I appreciate your post and your effort to make it!

    You finally did what I wanted. The right thing to do. Thanks. :) :thumb:
  21. zerotox

    zerotox Registered Member

    Hello,

    I'm keeping an eye on this thread as it is very interesting. I myself am thinking of using the combo of OA with Avira Premium. But from what I understand, it appears that it is not completely safe because of the open port Avira's WebGuard is using.
    Is this the case with the other firewalls too, for ex. Outpost, or are they filtering the port?
    I like both OA and AVIRA very much and have used them without any major issues. But I would appreciate your advice concerning the issue discussed here. Is it safe to use this combo?


    Regards
  22. MikeNash

    MikeNash Security Expert

    Yes - but turn on loopback monitoring to lock down Avira :)
  23. zerotox

    zerotox Registered Member

    Thank you very much for answering, Mike!

    I always do that. I was just worried about the possible vulnerability in Avira you mentioned in your post above - "It is possibly a bug or vulnerability in antivir, depending on what happens when third party software or computers attempt to use the open port." I thought Avira's interaction with the loopback interface was the same as NOD32's.
    Is it a likely scenario for malicious code to try to exploit this vulnerability with the open port used by Avira? I myself am a relatively safe surfer but it's not just me using my laptop.
  24. MikeNash

    MikeNash Security Expert

    Sorry, I do not know the answer to that question, as I haven't tested Avira. It is a possible, theoretical problem depending on implementation.
  25. zerotox

    zerotox Registered Member

    Thank you very much, Mike. I appreciate your honest reply.

    Good luck with your excellent work