AntiVir Free Question

Discussion in 'other anti-virus software' started by Pikachu762, Feb 17, 2005.

Thread Status:
Not open for further replies.
  1. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi,

    I have AntiVir and Port Explorer running at the same time when I'm online.

    Within PE, it shows AntiVir maintaining the following connections:

    avguard.exe Local Add 0.0.0.0 Port 18350 to Rem Add 0.0.0.0 Port 0
    avguard.exe Local Add 127.0.0.1 Port 18350 to Rem Add 127.0.0.1 Port 1025

    avgnt.exe Local Add 127.0.0.1 Port 1025 to Rem Add 127.0.0.1 Port 18350
    avgnt.exe Local Add 0.0.0.0 Port 1025 to Rem Add 127.0.0.1 Port 0

    I am guessing this has to do with the resident guard part of AntiVir, which is creating a loopback path for incoming and outgoing traffic?

    Could someone explain what this is for, if not a loop for checking traffic? Details are nice, I like tech stuff. Lay it on me, provide links, I love it all. :)
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Actually AntiVir uses 127.0.0.1 (loopback) connection to communicate with its modules. AntiVir uses local TCP/IP protocol to communicate with its modules/processes. That's normal :)
     
  3. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    OK, thank you for the information :)

    Would it be possible for someone to hijack the 127.0.0.1 loop and send traffic out to the Internet at large? I ask because I have used Sygate firewall in the past (I have Outpost right now) and I have read that Sygate can be bypassed through use of the 127.0.0.1 loopback traffic. If AntiVir is a trusted app, then the potential exists for someone to take advantage of Sygate's loopback traffic flaw and use AntiVir to send data back and forth?

    I use Process Guard too, so this wouldn't really be an issue for me anyway...I have AntiVir on the protection list, preventing the process spaces of its modules from being modified, terminated, or even read. I don't think anyone would be able to hijack the process on my system if PG is running.

    I am curious. Computer networking, security, programming...it's all fascinating stuff to me. I studied electrical engineering, but I still have a lot to learn about programming and hardware. I only had two semesters worth of programming, and one of those was Fortran 90 :) Ugh. The other was an assembler class, but that isn't relevant to high level stuff, like TCP/IP, Windows API stuff, etc. I'm slowly learning C++ on my own. Wish I had more time, outside of work, family, and friends. :)
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    No, localhost is only local. Any communication looped through localhost to the outer "world" would be detected by firewall.

    In AntiVir case:
    127.0.0.1 -> 127.0.0.1
    (nothing detected because it's just a local traffic that never "contacts" outer "world")

    Localhost routing:
    127.0.0.1 -> 60.55.66.15
    (this one is detected because traffic switches from local IP to IP other than localhost).

    I believe there is no method to bypass this at the moment.
     
  5. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Thank you for the information, RejZoR. :)
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    My anti-spam program is Spamihilator. It functions as a proxy between my email client and the server. That is, my email client accesses mail via 127.0.0.1, which causes Spamihilator to grab the request. Spamihilator then downloads the mail from the server, filters it, & passes the non-spam messages on to my email client.

    If I ran AntiVir-PE as my real-time monitor, would the fact that it uses 127.0.0.1 cause a conflict with Spamihilator?
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    No, because it's using different port. So you can use same IP (loopback in this case) for as long as you use different port.
    AntiVir is using local ports 0, 1025 and 18350.
    Mail services use ports 25 and 110. So no conflicts :)
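    As an added example (not code from the thread, from AntiVir or from Port Explorer), here is a small parser that reads Port Explorer lines in the format quoted in the first post, labels each socket as bound-only, loopback-to-loopback or reaching an outside address (the distinction RejZoR draws), and checks the local ports against another loopback proxy's ports, as in the Spamihilator question. The line layout regex and the category names are my assumptions.

```python
import re
from ipaddress import ip_address

# Constructed input: the Port Explorer lines quoted in the first post,
# retyped here as sample data for the parser.
PE_LINES = """\
avguard.exe Local Add 0.0.0.0 Port 18350 to Rem Add 0.0.0.0 Port 0
avguard.exe Local Add 127.0.0.1 Port 18350 to Rem Add 127.0.0.1 Port 1025
avgnt.exe Local Add 127.0.0.1 Port 1025 to Rem Add 127.0.0.1 Port 18350
avgnt.exe Local Add 0.0.0.0 Port 1025 to Rem Add 127.0.0.1 Port 0
"""

# Assumed layout of one Port Explorer line, derived from the quoted output.
LINE_RE = re.compile(
    r"^(?P<proc>\S+) Local Add (?P<lip>\S+) Port (?P<lport>\d+) "
    r"to Rem Add (?P<rip>\S+) Port (?P<rport>\d+)$"
)

def parse(text):
    """Turn Port Explorer lines into dicts; skip blank lines, reject anything else."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        d = m.groupdict()
        d["lport"], d["rport"] = int(d["lport"]), int(d["rport"])
        rows.append(d)
    return rows

def classify(row):
    """'bound' = socket with no peer yet (remote port 0), 'loopback' = both
    ends in 127.0.0.0/8, 'external' = traffic that leaves the host."""
    if row["rport"] == 0:
        return "bound"
    if ip_address(row["lip"]).is_loopback and ip_address(row["rip"]).is_loopback:
        return "loopback"
    return "external"

def port_conflicts(rows, reserved):
    """Local ports that collide with ports another loopback service needs
    (e.g. a mail proxy listening on 25 and 110)."""
    return sorted({r["lport"] for r in rows} & set(reserved))

if __name__ == "__main__":
    for r in parse(PE_LINES):
        print(f"{r['proc']:12} {r['lip']}:{r['lport']} -> {r['rip']}:{r['rport']}  {classify(r)}")
```

Only rows classified as "external" are the ones a personal firewall has to judge; the quoted AntiVir sockets all come out as bound or loopback.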
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Dots goot newz. 10Q :)
     