Topic: a few questions

Karl

  • Guest
a few questions
« on: April 08, 2003, 09:39:29 PM »
First of all: thank you for this great av software!

However, I would like to ask a few questions:

- How often does Avast look for updates when it detects an online connection? I notice that the update check starts within a few seconds after the internet connection is available. When will the next check occur?

- Are the incremental updates merged into the main 400.vps? (I cannot find any other database files in the data subdir...)

- Why does Avast open port 135 and 1025 as a listening connection?

Thanks in advance and keep up the good work!

Karl

  • Guest
Re:a few questions
« Reply #1 on: April 08, 2003, 10:32:31 PM »
Ok, further investigation shows that it is not directly avast but Microsoft's DCOM service (rpcss.exe) keeping these ports open. Disabling DCOM renders avast nonfunctional.

While I am not aware of any direct exploits of the remote procedure call services, I still think that it is not a good solution to build security software on. But I would like to hear other opinions.

Thanks again.

RaLX

  • Guest
Re:a few questions
« Reply #2 on: April 09, 2003, 05:51:40 AM »
We'll have to wait for a developer's answer, but if you're using a firewall, simply don't allow it server rights (incoming connections), and that's enough to avoid any possible exploit, I think.

Karl

  • Guest
Re:a few questions
« Reply #3 on: April 09, 2003, 04:28:01 PM »
RaLX, I agree with you that there are ways to close the ports, but the question is why those issues are brought up by a security program, which should be aware of such problems.

Vlk

  • Avast CEO
  • ALWIL Software
Re:a few questions
« Reply #4 on: April 09, 2003, 09:43:49 PM »
Karl,

- How often does Avast look for updates when it detects an online connection? I notice that the update check starts within a few seconds after the internet connection is available. When will the next check occur?

The next check will occur in 4 hours, by default. In other words, if you're permanently connected to the Internet, the updating period is set to 4 hours.

- Are the incremental updates merged into the main 400.vps? (I cannot find any other database files in the data subdir...)

Yes, you're right. 400.vps is the avast virus database (the one and only), and all virus database updates are therefore written to this file.

- Why does Avast open port 135 and 1025 as a listening connection?

First of all, I should clearly state that these ports are open for local connections only, i.e. only connections established on the very same machine (under which you have full control). This is an extremely important point - NO ports are open for foreign hosts.

As for RPC: it's the fact that avast! internally uses RPC to do its job (namely it uses it for communication between its components). But RPC is a fully documented and supported interface and we believe there is absolutely nothing wrong with avast! using it. The fact that the Windows RPC subsystem opens the RPC net port even if the communication is taking place only on the local machine is unfortunate, but there is really nothing we can do about it (except for stopping using it), but I am confident that the mere fact that the port is open doesn't really mean any security risk...

Quote
As for port 1025, I wasn't sure about this one, so tried google and got a lot of matches. Most of the discussion sounded like this:

Port 1025 is the first dynamic port that Windows opens when it needs a
connection. There is usually something that needs to create a connection
or listen for something, so most of the time Win2K Pro has something
active on port 1025.

The second connection uses 1026, the third 1027, etc. If only 1026 is
open, that just means that the first connection was closed.

So, I don't really know...

Hope this helps,
Vlk
« Last Edit: April 09, 2003, 09:46:01 PM by Vlk »
If at first you don't succeed, then skydiving's not for you.

Karl

  • Guest
Re:a few questions
« Reply #5 on: April 10, 2003, 11:47:52 AM »
Thank you for the answers. I agree with you that RPC is a fully documented interface and thus it is of course possible to use it :). After checking more info about RPC I would say that RPC behaviour is more an annoyance than a real security risk.
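
The question running through this thread, whether listening ports such as 135 and 1025 accept only local connections, can be checked from the bind address shown in `netstat -an` output. The following is an added example, not part of the original posts and not avast! code; the sample output is constructed (not captured from any system) and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      203.0.113.5:80         ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::1]:1026             [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

def split_endpoint(endpoint):
    """Split '0.0.0.0:135' or '[::1]:1026' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def classify(host):
    """Describe who can reach a socket bound to this local address."""
    addr = ipaddress.ip_address(host.split("%")[0])  # drop IPv6 zone id
    if addr.is_loopback:
        return "loopback-only"      # same machine only
    if addr.is_unspecified:
        return "all-interfaces"     # 0.0.0.0 or :: accepts on every interface
    return "single-interface"       # one specific network address

def tcp_listeners(text):
    """Map each listening TCP port to the set of bind scopes seen for it."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        # `netstat -ano` appends a PID column, so allow four or more fields.
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, port = split_endpoint(fields[1])
        result.setdefault(port, set()).add(classify(host))
    return result

def reachable_from_network(text):
    """Ports with at least one listener that is not bound to loopback."""
    return sorted(p for p, scopes in tcp_listeners(text).items()
                  if scopes != {"loopback-only"})

if __name__ == "__main__":
    for port, scopes in sorted(tcp_listeners(SAMPLE).items()):
        print(port, ", ".join(sorted(scopes)))
```

A port reported as `all-interfaces` or `single-interface` accepts connections at the socket level from other hosts unless a firewall filters them, which is the control described in Reply #2.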