Avast 2016: Setting up firewall application rules

Configuring the firewall application rules in Avast Antivirus 2016

Avast Premier 2016 and Avast Internet Security 2016 include a firewall. You can set application rules to determine the network and Internet communication for specific software applications. The firewall uses these rules whenever an application tries to connect to the Internet or another network. These instructions explain how to create, adjust and configure the Avast firewall application rules for the most common applications.

How to create new application rules in Avast Antivirus 2016

Default rules are created automatically for software applications from known and trusted sources the first time you start the application when Avast Premier 2016 or Avast Internet Security 2016 is installed.

  1. Right-click the icon in your system tray and select Open Avast user interface, or double-click the Avast icon on your desktop.
  2. Go to Tools → Firewall and click Application rules at the bottom of the screen.
  3. The Application rules window lists software applications, sorted into groups according to developer or publisher. Click a group name to view access restrictions and rules for that group.

If the application is already listed, go to the next section to learn how to adjust application rules for it.

If the application is not listed, you can create a new application rule manually as follows:

  1. Choose an existing group, or create a new one by clicking New Group at the bottom of the window. (You can rename it to identify the software application.)
  2. Click New application rule at the bottom of the window, and select the executable file of the software application you want to add. Click Open.

The selected software application is then listed in the group you specified. (If the application uses a group of executable files, repeat steps 4 and 5 to add others.)

How to adjust application rules in Avast Antivirus 2016

The firewall creates default rules to manage communication between your computer and the Internet or another network. You can adjust the rules for each application. Click any group on the Application Rules screen to view details.

The set of orange bars represents access levels. Listed from highest to lowest:

  • All connections - This is the least secure setting, as all incoming and outgoing communication will be allowed.
  • Friends in and Internet out - Outgoing connections to the Internet are allowed, plus both inward and outbound communications defined as Friends in/out.
  • Internet out - No incoming connections are allowed, but outgoing communication is allowed to the Internet (including Friends out).
  • Friends in/out - Incoming and outgoing communication is allowed only with networks defined as Friends.
  • Friends out - This is a highly secure setting. No incoming connections are allowed and outgoing communication is allowed only with networks defined as Friends.

When moving the mouse over the orange bars, a blocker icon appears at the left side:

  • Block all connections. This is the most secure setting, as no incoming or outgoing communication is allowed.

Friends are low-risk networks which are defined in Firewall Settings. To manage these networks go to Tools → Firewall, click Settings at the bottom of the screen, and go to the Friends tab. You can edit the list of networks that you trust, and click OK to save.

Advanced application rules settings in Avast Antivirus 2016

The firewall in Avast Premier 2016 and Avast Internet Security 2016 provides full user control over the ports accessed by software applications communicating with other networks and/or the Internet. Depending on the selected access level, you can define incoming and/or outgoing ports which will be accessible for the relevant software application and also how to deal with all requested connections which are not specified as allowed.

On the Application Rules screen click an application rule to unfold its preferences. Click Specify Ports, and in the drop down menu you can define the port numbers for outgoing connections (if outgoing connections are allowed).

You can also select what to do with other connections which are not specified according to the rule, for example if an incoming connection from the Internet is detected but the access level is set only to Internet out, or if a software application tries to establish an outgoing connection on a different port number than is defined.

  • Auto-decide
    Connections above the specified level are allowed if they come from a trusted application, however any suspicious connections are automatically blocked. This is based partly on a large whitelist database of safe applications maintained by Avast.
  • Block
    Connections above the specified level are never allowed.
  • Ask
    Avast asks you what to do when a connection above the specified level is requested.

If some applications report an issue connecting with a network or the Internet, check if the problem is related to Avast firewall by temporarily stopping it - go to Settings → Tools and click the on/off switch next to Firewall. If the problem continues, it is most likely due to another firewall, NAT, router, etc.

Application rules - examples

The examples below illustrate how to configure the application rules in Avast Antivirus 2016 for the most common network protocols.

HTTP

Avast Antivirus 2016 includes a Web Shield real-time scanning module that monitors the most common web browsers (Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Apple Safari) and filters their HTTP and HTTPS traffic coming from Internet websites. Connections from these web browsers are redirected to the Web Shield on port 12080 to be scanned for malware while downloading the web content.

In order to restrict access to allow standard HTTP only, the application rule for the web browser you use should be set according to the Web Shield protection status:

  1. With the Web Shield enabled (recommended):
    • At least Friends out access level (because the Web Shield is running on localhost defined with IP address 127.0.0.1 in Friends);
    • Outbound port number 12080;
    • Block all other connections.
  2. With the Web Shield disabled (not recommended):
    • At least Internet out access level;
    • Outbound port number 80;
    • Block all other connections.

HTTPS

Websites secured with SSL encryption are accessible over HTTPS using port 443, in most cases. In order to restrict access to allow standard HTTPS only, the application rule for your web browser should be set as follows:

  • At least Internet out access level;
  • Outbound port number 443;
  • Block all other connections.

SMTP and POP3 or IMAP

Avast Antivirus 2016 includes a Mail Shield real-time scanning module that intercepts and scans all incoming and outgoing e-mails for malware, for e-mail accounts accessed via mail client software.

                             SMTP   POP3   IMAP   SMTP over SSL  POP3 over SSL  IMAP over SSL
Default standard             25     110    143    465            995            993
Mail Shield enabled (proxy)  12025  12110  12143  12465          12995          12993

If, for example, the e-mail account is configured to use SMTP and POP3, both over SSL, the application rule for your mail client depends on the Mail Shield protection status:

  1. If Mail Shield is enabled (recommended):
    • At least Friends out access level (because the Mail Shield is running on localhost defined with IP address 127.0.0.1 in Friends);
    • Outbound port numbers 12465 and 12995;
    • Block all other connections.
  2. If you have disabled the Mail Shield (not recommended):
    • At least Internet out access level;
    • Outbound port numbers 465 and 995;
    • Block all other connections.

FTP

Two connection modes are available for data exchange over FTP (availability depends on the FTP server configuration):

  1. Active FTP mode (FTP server opens the data transfer connection)
    The FTP client software establishes a control connection to an FTP server at port 21, and initiates the data transfer request with the PORT command, which specifies the FTP client's listening port. Afterwards the FTP server will create a data transfer connection back from its own port 20 to the FTP client's listening port.

    In order to restrict access to standard FTP in active mode only, the application rule for your FTP client should be set as follows:
    • Allow All connections access level;
    • Outbound port number 21 and inbound (FTP client's listening) port requested by FTP client via the PORT command - this port varies depending on the FTP server configuration and should be provided by the FTP server administrator;
    • Block all other connections.
  2. Passive FTP mode (FTP client opens the data transfer connection)
    The FTP client software establishes a control connection to an FTP server at port 21, and initiates the data transfer request with the PASV command. Afterwards the FTP server will open the listening port and send back its number to the FTP client, so the FTP client can itself create the data transfer connection to this port.

    In order to restrict access to standard FTP in passive mode only, the application rule for your FTP client should be set as follows:
    • At least Internet Out access level;
    • Outbound port 21 and also the outbound (FTP server's listening) port range, which is 1024-5000 by default but may vary depending on the FTP server configuration and should be provided by the FTP server administrator. It should also be estimated from the Message log of your FTP client or the Firewall Logs of Avast Antivirus 2016;
    • Block all other connections.
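
The data port an FTP rule needs can be read out of the FTP client's message log, since the PORT command and the 227 reply both encode it as six decimal fields (port = p1 × 256 + p2). The following is an added example, not code from Avast or from the original article; the log line format, the function names and the sample log are assumptions, and it goes slightly beyond the text by also reading 229 (EPSV) replies.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT (client -> server) and the 227 reply
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"\bPORT\s+" + _SIX)
_PASV_REPLY = re.compile(r"\b227\b.*?\(?" + _SIX)
_EPSV_REPLY = re.compile(r"\b229\b.*?\((.)\1\1(\d{1,5})\1\)")


def _port(groups):
    """Decode the six fields; the data port is p1 * 256 + p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (groups,))
    return nums[4] * 256 + nums[5]


def data_ports(log_lines):
    """Collect data ports seen in an FTP client log.

    inbound  = client listening ports announced with PORT (active mode)
    outbound = server listening ports from 227/229 replies (passive mode)
    """
    found = {"inbound": set(), "outbound": set()}
    for line in log_lines:
        if (m := _PORT_CMD.search(line)):
            found["inbound"].add(_port(m.groups()))
        elif (m := _PASV_REPLY.search(line)):
            found["outbound"].add(_port(m.groups()))
        elif (m := _EPSV_REPLY.search(line)):
            found["outbound"].add(int(m.group(2)))
    return found


def observed_range(ports):
    """Smallest contiguous range covering the observed ports, or None."""
    return (min(ports), max(ports)) if ports else None


# Constructed sample log (hypothetical client format, documentation addresses).
SAMPLE_LOG = [
    "Command:  PASV",
    "Response: 227 Entering Passive Mode (192,0,2,10,4,210)",
    "Response: 227 Entering Passive Mode (192,0,2,10,15,160)",
    "Response: 229 Entering Extended Passive Mode (|||6446|)",
    "Command:  PORT 192,168,1,20,195,80",
    "Response: 200 PORT command successful",
]

if __name__ == "__main__":
    seen = data_ports(SAMPLE_LOG)
    print(seen, observed_range(seen["outbound"]))
```

The observed range is only an estimate from the sessions in the log; the range configured on the FTP server remains the authoritative value for the rule.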

  • Avast Premier 2016
  • Avast Internet Security 2016
  • Microsoft Windows 10 Home / Pro / Enterprise / Education
  • Microsoft Windows 8.1 / Pro / Enterprise
  • Microsoft Windows 8 / Pro / Enterprise
  • Microsoft Windows 7 Home Basic / Home Premium / Professional / Enterprise / Ultimate
  • Microsoft Windows Vista Home Basic / Home Premium / Business / Enterprise / Ultimate
  • Microsoft Windows XP Home / Professional / Media Center Edition
