Kerio 2.1.5 and Avast 4.6

Can someone explain how to make Kerio 2.1.5 work with Avast 4.6's new Web Scanner proxy stuff? I installed both today. In Kerio's rules I have a loopback rule near the top. And for IE I have it set up with certain remote ports and so on.

I notice now that when I start any new browser, Kerio doesn't ask about it anymore. It asks for permission for Avast's web scanner instead, and then proceeds to allow any program to connect out on remote port 80 without asking for that individual program permission. In fact, I can disable IE's rule and still connect out using IE, without Kerio asking or anything.

I don't understand proxy stuff much at all. I don't want just any old program to be able to get out to remote 80. What do I need to do in my Kerio rules so that Kerio will ask about each program again and so I can configure the proper remote ports?

 

K-

This could turn out to be wild guess, but I have seen a loopback rule that was broken up so that there was no loopback when the traffic was to the proxy port.

I can tell you that I have noticed this sort of behavior when an AV is set up to scan outgoing mail. Once the AV has web access, anything that connected to port 25 would get out with Kerio 2.15.

 

I'm pretty confused about it.. but there must be some way to set it up right. Apparently Avast uses 127.0.0.1 and remote 12080 or some such thing. Maybe I need individual loopback rules for each program? I have no idea. I've always just used the single loopback rule at the top of my rules.

Hopefully there's somebody out there who uses Avast 4.6 and Kerio 2. Right now I've switched to AVG temporarily, but I'd rather use Avast if I can.

 

I think you would need individual rules for loopback as well and would need to remove the top rule...
If you use Kerio v4 [forget its content filter... that's the only thing they make you pay for]... you can set rules per interface in it and 127.0.0.1 counts as a separate one.
About Kerio v2, I don't really remember.
Maybe you'd like to head over to the NOD forum... they might just havea similar thread discussing IMON.

 

Diver - I did a little looking and found some example rule sets over at dslreports. I see what you're talking about now... splitting up the loopback rule and so on. It looks like extra work, but it's probably what I have to do to get things working with Avast. That plus some other config changes for IE and anything that uses port 80.

The web scanner idea in Avast is nice at first glance... scanning any web traffic (downloads, etc) for viruses, the idea being to catch it before you run the program or open it. But after I thought about it for a while, I realized that the same thing could be accomplished in AVG and AntiVir by setting them up to scan on file writes/closes instead of just file opens. So what seems like a nifty feature in Avast is just an unnecessary pain in the ass..

I think I'll skip Avast and just use AVG. Makes firewall life easier...

 

Generic Rule Set for Kerio (Proxy and no Proxy)
http://www.dslreports.com/forum/remark,6642367~root=kerio~mode=flat

 

Thanks Tommy... that's the one I saw just a while ago..

 

The Avast Web Scanner can be turned off if necessary, I was doing so with Sygate Free which has a problem with proxy of any sorts. However, on my system, it is scanning all the web pages requested through my browsers and as a matter of fact caught a .JS worm.

 

Interestingly enough, it works fine as far as I can tell with ZoneAlarm 5.5 Pro. ZA seems to handle it properly. Asks for permission for both Avast and all other programs and browsers as needed.

When I'm done messing with Kerio I will probably use Avast with ZA and maybe even settle down with those 2 for a while hopefully. What I worry about most is using IE. All kinds of crap can happen with IE and it's good to have a good AV running when using it.

 

Kerodo, Avast Web Scanner works fine with both Pro and Free, when used first, it asks for permisson for web scanner to act as server and thats it, works real nice.

For now, just turn of the web scanner feature in Avast and just keep the resident scanner on for read/write. That way you get the benefit of a truly good AV and get to keep Kerio.

 

It seems to me that Kerio and avast are working as they should?
Kerio isn't asking about your browser because your browser is n't doing the dirty work - In simple terms - your browser is asking avast to go grab the info - so kerio catches avast Also the webshield is not scanning everything that is port 80 - Avast is taking control of "Http" requests only.

I would post your question on Avasts forum - they are well versed in kerio

 

Its simple... Avast's Mail, and Web scanning services have become software proxies which invisisibly redirect traff8ic. Also just like my default replacement says, if you have a software proxy, you must not use a standard loopback rule, and exclude the port its listening on from any loopback range allowed, so if any program needs to use the proxy, you must give it permission first.

This is advanced basics of rule based firewalls, and there is no need to turn off the web scanner, you only do that if you have no idea how to user Kerio correctly....

You have lost any creditability you had with me, which was very little, come on, how freakin long have I had my default replacement out?

"Loopback:
The standard loopback allows all traffic with the localhost loopback, and if you use a software proxy you will want to configure the port ranges to exclude any ports used for software proxies, which you will have to make allow rules per program so you don't have the proxy be a hole in your firewall. You can also make separate rules for programs that require loopback access, and not use any general loopback rules.

Here is a link to help with software proxy configurations.
[Kerio] Generic Rule Set for Kerio (Proxy and no Proxy)"

So, I know you knew about my default replacement, I guess you just didn't read the instructions...

 

BZ,

Thank you very much, was actually waiting for your response as I am using your rules exclusively.

 

This is simply not true. The thing is, a HUGE number of today's malware takes advantage of various exploits in web browsers (most notably, IE). The same applies to nuisance like dialers, spyware etc.

In such a case, howevers, scanning of network streams (http streams in case of Web Scanners - i.e. avast's WebShield or Nod's IMON) is the only way to prevent the infection. The filesystem based scanner will simply act too late...

BTW, avast can be also set up to scan on-close, of course (it's actually on by default).


Cheers
Vlk

 

Hi vlk,

Nice to see you here, always see you at the Avast forum, speaking of the web scanner, Avast today stopped a .js worm on track while I was surfing, goes to show how good an idea web scanning really is.

 

If IE gives you worries, get Firefox. I use it for everything now, except windows update. The only place it seems to rarely work right is with some of the multimedia stuff on Yahoo. They support earlier versions of Netscape, but not FF.

The web proxy scanning feature in Avast illustrates something I have been saying for a while elsewhere. On demand scanning percentages do not tell the whole story.

It totally amazes me that I guessed right on the loopback rule exclusion. Firewall hacking is good for you.

Implementing the BlitzenZeus rule set was my firewall 101 course. I had used the old versions of Tiny (pre Kerio) before, but never with the slightest idea of what I was doing. From using those rules with Kerio 2.15, I was able to build on the knowledge and learn more with Jetico, CHX-1 and a few others. The expert rules in ZA are kind of obscure in their own way. Without the prior experience on other rule based firewalls I could not have done anything with them.

 

Same here Diver.... BlitzenZeus rule set ...made me learn lods of issues. I still love it...& the explanation were pretty much to the point. Thx to him for his precious time..not only made the rules but also explained why it is implemented that way. Graziee BlitzenZeus

 

Rule based firewalls are highly complex in the configurations they allow, its not like you can just read a few FAQs, and know what your doing. The weakest point in rule based firewalls has always been the user, most are not willing to spend the time to learn how to do things correctly as they are part of the crowd that requires user-friendy interfaces that do things for them, and honestly back in the days I was learning all I really had was a few examples, along with tcp/ip whitepages which gave the gory technicial details of the protocols themselves, much of it was trial and error.

The two easiest ways you can debug your ruleset it make sure all your blocking rules are logging, and disable certain allow rules or temporarily set your allow rules to logging in cases when you can't tell why something is being allowed that your not being prompted for. The only exceptions to things like this are exploits in programs you already have allowed, which you need to fix the program, or even replace it with another while blocking the original with the exploit. Also some firewalls have implicit rules, like the old tiny required you to have a loopback rule in earlier versions, otherwise if you disabled/deleted it you were unable to even access the admin, so they added a implicit rule to allow the firewall to access the localhost loopback outside of your rules due to many users preventing the firewall from connecting to its own engine.

Also the order of the rules is the most important thing in your ruleset, the first rule to effect the packet, will be the last, and its quite easy to allow traffic you want to block, or block traffic that you want to allow if your not careful. In some newer firewalls there are multiple groups of rules, and certain groups take effect before other groups of rules, so that just adds to the complexity of the configuration itself.

After years of answering many of the same questions one on one, and helping people one on one who just didn't want to spend the time to help themselves instead of needing their hand held their entire way, just to use something else easier after all that time I wasted on them, if not just using it while not fully understanding what their rules currently do, I have had to become that guy who won't actively help someone unless they are friends/family who haven't abused my services, or are really trying to understand, however just need a little help. Sometimes you just have to let them fail on their own, it will seperate the weak from the strong, and the ones who are not willing to spend the time/too busy to learn will just use something easier like an application based firewall like ZA anyway when they get too frustrated.

 

BZ, yes, you're right, it is fairly simple. I just had absolutely no experience with proxy software, so I never had the need to learn about that aspect of things. My question was simply a matter of asking before I looked around for the answer, so that's my fault, although I don't see any harm in asking. If you've seen the question before and are tired of answering, then just say nothing. No need to insult anyone. Sometimes I have a tendency to talk first and look later. I found the answer in your rules as well as others.

Anyway, thanks to everyone for all the replies. Another minor mystery solved...

 

K-

I don't think BZ is being insulting, just venting a bit about how things are in life.

BZ-

If you are reading this, how do you address the possibility of a trojan terminating persfw.exe? Do you think it is worth installing process guard, is the whole issue not serious enough to bother with, or is there some other way to prevent the process from terminating?

 

Ok, no harm done...

 

During the interlude this afternoon while I had Kerio 2.15 set up, I redid my loopback rules to exclude the mail scan proxy ports, and voila, the strange behavior of the KAV mail proxy ports caused went away. It is still necessary to block inbound trafic on port 20 to those two ports as KAV 5.0.227 uses active FTP to update, and AuditMyPC uses port 20 to deliver its scans. However, blocking inbound taffic from all ports is no longer required. Also, Kerio 2.15 now asks for any mail app trying to use ports 110 or 25 and requires a rule to contact the proxy ports.

 

Process Guard is a useful tool, and if you don't leave update checking enabled the only other implicit rule to contact out tcp 80 becomes disabled. Considering how old it is, there is no reason to have update checking on anyway.

Believe it, or not, Kerio actually monitors its own MD5, you can even see it in your own MD5 tab with dns resolution enabled, but having Process Guard can be a useful layer in your security. The only real downfall of Kerio 2x is os exploits, and since its obviously not a sandbox, if someone is running from an admin account it is possible for Kerio to be altered, however Kerio should show signs of being altered.

You can also enable a setting in the registry for a setting they never put in the GUI, but for a very good reason. It blocks all traffic until its engine is loaded, I have seen rpc take forever to load since dhcp couldn't get a lease, and also you can't disable(not shutdown) the engine while its running, otherwise you will not be able to access the administration again without a involved manual process.

Common sense is my anti-malware device, however I do run a resident av as a fall back, and I'm currently playing with the anti-spyware MS bought from Giant to see if it causes any problems on my machine since another machine I installed it on is getting random bsods after I installed the beta 1 version. I also use a non-admin account for normal use, I can always use runas, or quickly login to my admin account if I really need to, if you use a non-admin account on ntfs you really limit what malware can do to your computer also.

 

Thanks, BZ

The Non-admin account is something I have been considering lately. Also in the cue is to try Process Guard along with Kerio 2.15 and see how that performes compared to some other possibilities. I pretty much have the rule thing knocked on Kerio 2.15 thanks to the path that you laid out for us all.

I have said this before, your rule set is what makes Kerio 2.15 useful for many of us, both for itself, and as a tool to learn about firewall rules in general. I hae seen some rather cool links to articles about the various flags and so forth. More to learn about.

The brain is definitely a valuable security tool. It is the only thing that protects us against social engineering: phishing etc.

-Diver

 

I redid everything here as well and now things work fine. Didn't take as long as I expected either. I like to keep my configs updated and saved from time to time. This is actually the first time I had to figure out proxy stuff. Never needed to before. I'm afraid BZ was right in this case.. I didn't read..