Notes on the AVG Firewall.  Feb 2010.

 

This Document

This document is an attempt by me to improve the rather lamentable manual that AVG produce about their firewall.

Technically the Firewall seems an excellent affair, though I'm no expert judge as I have only seen and handled three or four in any depth.

This document was forced on me when a customer using an AVG business solution ran into trouble, I diagnosed the problem as being the firewall by the simple expediency of turning it off and seeing if the problem went away; it did. So I turned to the AVG manual, and was sorely disappointed.  There is little technical content, hardly any explanations, and only the words are English: the grammar and syntax are Czech I guess.

So this is an extract of the AVG pdf for version 9.  I can't be bothered to copy over all AVG's images but recommend these notes are read in conjunction with the AVG manual.

 

Overview

The AVG Firewall works using “Profiles”.  It contains five pre-set profiles of: allow everything, allow nothing, direct to the Internet, small office, and windows domain.  However you can manually add as many profiles as you care to configure.  Each profile effectively contains two lists:

1.  A list of all the network adaptors and network address ranges that the PC can currently see, and whether this profile considers them safe or unsafe to use.  

2.  A list of all the applications and services inside the PC, and how this profile should individually allow them to behave. 

A computer can find itself in a number of different network “environments”. For example: connected directly to the Internet, connected to a Home LAN, connected to an Office LAN, connected to a Public Wireless hot-spot, etc.  Each of these environments can be assigned an appropriate Firewall Profile.

The firewall can automatically switch between profiles based on network changes it detects.

 

Limitations and Restrictions.

The automatic profile switching is a very powerful facility.  After some testing it appears to work by detecting the MAC address of the local router, although as there are tick boxes for "use AVG heuristics" and "use Microsoft Heuristics" it obviously uses other methods as well. 

 

The AVG Manual

The rest of this document refers to the section numbering in the AVG manual.  

 

10. Firewall Settings

The Firewall configuration dialogues open from a separate place in the AVG control panel.  So you won't find the firewall settings where the rest of the anti-virus and anti-everything-else settings are.

 

10.1. General

The only buttons on this page are Import and Export, which allow you to copy all the settings in your firewall into a file. You can then either save the file as a backup of your firewall settings or copy the file to another machine and there Import the settings. What this section does not say, and I have yet to find out, is how this all works if you are using the AVG control centre.  From the Control Center you can ship a firewall config to a number of PCs, but I have yet to discover exactly how this works.

 

10.2. Security

This section is fairly obvious. One permission set is for overall changes and the other is restricted to the pop-up dialogues that occur when you haven't set a defined rule.  What is not clear is how much damage an untrained user could do in a confirmation dialogue. Need to check this – are they restricted to pre-set choices?

 

10.3. Areas and Adapters Profiles

This is probably the most important area as the settings on this page allow the firewall to switch automatically between profiles depending on the network connectors and IP ranges it is picking up.  However, despite its importance there are almost no controls in this page.

 

· Disable area detection and automatic profile switch – Ticking this box will stop the firewall from automatically switching between profiles as it detects changes in the networks it is connected to. This does not stop you switching between profiles; it's just that you have to do it manually. Of course if your PC is physically static and is only ever going to need a single profile, then define that profile, tick this box, and set the profile manually.  What happens if you do have a static PC, and only need one profile, but leave this box un-ticked?   I am fairly certain the firewall will continue watching for network changes, so if one day you boot your PC while the local router is disconnected the firewall will see this as a new network connection and produce pop-ups asking for details.

 

Note also that detection seems to be “change” triggered.  The active profile appears to switch only when the firewall detects a change in its network adaptors; it does not continuously monitor its status.  So if something or somebody switches the profile to an inappropriate setting it will remain there until the firewall next detects a change in its network connections.  I guess the firewall assumes that manual profile changes are made by someone who knows what they are doing.  Maybe there should be a “prevent manual profile changes” button???

 

· List of adapters, areas and assigned profiles – Here is where the fun begins: The firewall seems to list every adaptor, real or virtual, it thinks it has.  The list cannot be altered manually.  I am not sure how or when the Firewall produces this list, I suspect it only lists the adaptors it finds in the Windows “Network Connections” panel, because if I load VPN software “on the fly” so that it does not show up in the Windows panel, the firewall does not pick it up.  Double-clicking on an adaptor allows you to select a profile for it, which the firewall switches to when it detects the adaptor going active. Most adaptors are left in the "unassigned" setting as profile switching seems to be mainly based on Areas.

 

Areas are a list of specific networks that the PC has connected to in the past. It produces this list automatically, possibly using a set of AVG or Microsoft heuristics to analyse the network.  So when an adaptor becomes active the Firewall analyses the connection to see if it has been connected to this Area in the past.  If it has been, it switches to the profile used last time. If it thinks the Area is new it produces a series of pop-ups to ask the user what name to apply to the new Area, and whether it is a direct Internet connection or a small local network or a domain. It doesn't appear to matter which adaptor the PC uses to connect to an Area, so using either an Ethernet cable or a wireless connection to the same network should cause the Firewall to select the same Area in both cases.

 

Double-clicking an Area, like the Adapters, brings up an "area properties" box that allows you to select which profile should be used when the area is detected. 

 

There is an "Add Area" button that brings up another Area Properties box, this time allowing a new area to be named and asking for a MAC address, an IP address, and offering a profile selection.  It appears from testing that this is looking specifically for the MAC address of the default router of the connected network.  Any other MAC address from the LAN will not cause the Area to be selected. The data in the IP address field appears to make no difference whatever; selection appears to be decided purely on the router MAC address. I put the router's IP address in this field for convenience, but once added, the MAC and IP addresses are not seen again, only the Area name ever shows up. Clicking "Edit" on an added Area only allows you to change the associated profile.

 

However, the "Add Area" button does allow a Network to be pre-defined in a Firewall with the correct profile long before the PC is actually connected to it. So the user does not see pop-ups asking what kind of network it is. It could be important to pre-define appropriate profiles for various networks.
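The area detection described above (profile chosen by the MAC address of the default router, with the IP field ignored, and a new-network prompt when the router is not recognised) can be modelled in a few lines. The following is an added illustration written for these notes, not AVG's own code: the ARP table text, the gateway address, the AREAS entries and the DEFAULT_PROFILE name are all constructed sample data, and the selection logic simply mirrors what the testing above observed. It also shows the two edge cases the notes mention: the router not being resolvable at all (booted with the cable unplugged) and a known router MAC seen behind a different IP address.

```python
"""Model of area detection keyed on the default router's MAC address.

Added example, not AVG's code. Assumptions: AREAS mirrors "Add Area" entries
(name, router MAC, IP, profile); matching is by MAC only, as observed in the
notes; SAMPLE_ARP is a constructed copy of Windows `arp -a` output.
"""
import re

# Constructed pre-defined Areas, as one would enter them with "Add Area".
AREAS = [
    {"name": "Office LAN", "router_mac": "00-11-22-33-44-55",
     "ip": "192.168.1.1", "profile": "Small office"},
    {"name": "Home LAN", "router_mac": "aa:bb:cc:dd:ee:01",
     "ip": "192.168.0.1", "profile": "Direct to the Internet"},
]

# Hypothetical choice: what to fall back to when no Area matches. A restrictive
# default is the safer choice, since an unrecognised network is an unknown one.
DEFAULT_PROFILE = "Allow nothing"

# Constructed sample of `arp -a` output (format only, addresses made up).
SAMPLE_ARP = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

MAC_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)


def normalize_mac(mac: str) -> str:
    """Canonical form so that 'aa:bb:..' and 'AA-BB-..' compare equal."""
    return mac.replace(":", "-").upper()


def parse_arp_table(text: str) -> dict:
    """Map IP address -> MAC address from `arp -a` style output."""
    return {m.group(1): normalize_mac(m.group(2)) for m in MAC_RE.finditer(text)}


def select_profile(gateway_ip: str, arp_table: dict,
                   areas=AREAS, default=DEFAULT_PROFILE):
    """Return (profile, area_name). area_name is None when no Area matched,
    which is the situation in which the real firewall pops up its
    'new network detected' dialogue."""
    mac = arp_table.get(gateway_ip)
    if mac is None:
        # Router not resolved (e.g. booted while the router was disconnected).
        return default, None
    for area in areas:
        if normalize_mac(area["router_mac"]) == mac:
            return area["profile"], area["name"]
    return default, None


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    print(select_profile("192.168.1.1", table))
    print(select_profile("192.168.1.1", {}))
```

Because the decision rests on the router MAC alone, the same network reached over Ethernet or wireless lands on the same Area, which matches the notes. A MAC address is not a secret, however, so it is a weak thing to hang an "allow everything" profile on; keeping the default profile restrictive, as the model above does, limits what an unrecognised network is trusted with.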

 

· Advanced settings – Has two tick boxes.

"Always use default profile and do not display new network detection dialog" -  I am not sure what this does and how it differs from "disable area detection and automatic profile switching" at the top of the page.  If the default profile is used whenever a new network is detected there seems little point in detecting the new network in the first place.  Maybe I'm missing something. 

 

 

10.4. Logs

One of the main things one needs to see in the log is the firewall switching between profiles: “Network XXX detected – switching to profile 123”, “Profile 456 – manually activated”, etc.   Unfortunately the log doesn't record switching events, so although it logs all traffic events as one would expect, as the profile in force at the time is unknown it is not possible to know if the packet events are supposed to happen or are an error.
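To show why the missing switch events matter, here is a small correlation script. It is an added example for these notes, not anything AVG ships: both log texts are constructed, the switch log is in the form the notes wish the firewall would write, and the traffic line format is made up. Each traffic event is labelled with the profile in force at its timestamp (the most recent switch at or before it), and events that precede any known switch are labelled "unknown", which is the state every event is in when no switch log exists at all.

```python
"""Label firewall traffic events with the profile in force at the time.

Added example, not AVG code. Assumptions: SWITCH_LOG is a hand-kept record of
profile changes in the wording the notes suggest; TRAFFIC_LOG lines are a
constructed format with a leading 'YYYY-MM-DD HH:MM:SS' timestamp.
"""
import bisect
import re
from datetime import datetime

# Constructed: profile switch events (the real AVG log does not record these).
SWITCH_LOG = """\
2010-02-03 08:00:00 Network Office LAN detected - switching to profile Small office
2010-02-03 12:30:00 Profile Allow everything - manually activated
"""

# Constructed traffic events; addresses are documentation/private ranges.
TRAFFIC_LOG = """\
2010-02-03 07:59:00 BLOCK UDP in 198.51.100.7:1900 -> 192.168.1.20:1900
2010-02-03 09:15:10 ALLOW TCP out 192.168.1.20:51000 -> 192.168.1.5:445
2010-02-03 13:05:42 ALLOW TCP out 192.168.1.20:51002 -> 203.0.113.9:445
"""

SWITCH_PATTERNS = [
    re.compile(r"switching to profile (?P<profile>.+)$"),
    re.compile(r"Profile (?P<profile>.+?) - manually activated$"),
]


def parse_timestamp(line: str) -> datetime:
    """Timestamps are the first 19 characters of every line in both logs."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def parse_switches(text: str) -> list:
    """Return a time-sorted list of (timestamp, profile_name)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        for pat in SWITCH_PATTERNS:
            m = pat.search(line)
            if m:
                events.append((parse_timestamp(line), m.group("profile").strip()))
                break
    events.sort()
    return events


def profile_in_force(events: list, ts: datetime) -> str:
    """Most recent switch at or before ts, or 'unknown' if there is none."""
    times = [t for t, _ in events]
    i = bisect.bisect_right(times, ts)
    return events[i - 1][1] if i else "unknown"


def annotate(switch_text: str, traffic_text: str) -> list:
    """Return [(profile, traffic_line), ...] for every traffic event."""
    events = parse_switches(switch_text)
    rows = []
    for line in traffic_text.splitlines():
        if not line.strip():
            continue
        rows.append((profile_in_force(events, parse_timestamp(line)), line))
    return rows


if __name__ == "__main__":
    for profile, line in annotate(SWITCH_LOG, TRAFFIC_LOG):
        print(f"[{profile:16}] {line}")
```

With the profile attached, an outbound port 445 connection to a public address is immediately recognisable as "allowed only because the PC had been switched to Allow everything", which is exactly the judgement the notes say cannot be made from the AVG log alone.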

 

 

10.5. Profiles

Clicking on the “Profiles” tab rather than a specific profile name gets you to the “Profiles' settings” [[Note correct use of apostrophe, so someone in AVG speaks good English!]]  where you can create or delete profiles, decide whether a profile should use the AVG trusted database, and finally activate a given profile. Apart, obviously, from the one in bold letters which is already the active profile.

There is no “add” button. You create a new profile by duplicating the existing profile that most nearly corresponds to what you want, renaming it, and then clicking on the new profile to change its settings away from the profile you duplicated.

 

Note that clicking on a profile and then clicking “activate profile” does not actually activate the profile even though the bold lettering switches to it. The profile is only activated when you hit the “Apply” button on the bottom of the page. The profile may not remain active -  see “Area detection” above.

 

Before moving on to the "Applications" or "System services", you need to understand "rules".  A rule lists a "protocol" (for instance UDP or TCP), a direction (in or out), local ports, remote ports, and remote addresses.  They allow an application or service to be very specifically controlled as to what it can send where.

 

10.5.1. Profile Information

This is where individual profiles are configured. This initial screen sets some basic parameters.  

 

10.5.2. Defined Networks

This is puzzling. Most of the items that appear on this page are put there automatically by the Firewall. Here is a screen shot of my test frame.

 

[Screenshot: the "Defined Networks" page of the test profile; image not reproduced here]

 

Most of the entries have been added by the Firewall and cannot be altered. I know this because if I reboot the PC without a network connected, and thus with no data from DHCP, all of the normal network addresses disappear.  So although the top 10 lines are there, only the top three of the "unsafe" group above, and the broadcast / multicast, have allocated addresses. All the 192.168.x.x stuff disappears!

Also there must be some weird priority stuff going on as the local IP address is declared safe at the top and unsafe at the bottom!

Also the system seems to be including the WINS and DNS target addresses in an unsafe list. Surely this is just for the WINS and DNS ports (understandable) and not all ports on that address.

 

Of the controls on the right:

Add network – I can use at any time. I added TEST LAN NAME for instance.

Edit network – only works on: the network I added, Fictive Local IP address, and the three items at the bottom of the list, all of which are adaptors.

Delete network – Only works on the Network I added.

Mark as Safe/Unsafe – Only works on the network I added and the three adaptors at the bottom.

 

This is as far as I have got with the analysis. More will follow; the rest is still original AVG text.

 

10.5.3. Applications

Most applications are controlled in what they can send through the firewall. They can send either: nothing, anything to a "safe" address, anything to any address, or cause a pop-up to ask the user. 

However, there is a fifth "advanced settings" option that allows rules to be set against applications thus controlling exactly what they can send where.
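The rule definition given earlier (protocol, direction, local ports, remote ports, remote addresses) and the four coarse application settings above combine naturally into one decision function. The following is an added example written for these notes, not AVG's engine: the Rule and Packet structures, the "safe" network range, the sample DNS rule and the evaluation order (explicit rules first, first match wins, then the coarse setting) are all assumptions chosen to illustrate the text. It also shows the distinction raised under "Defined Networks": a rule scoped to the DNS port on one address is much narrower than marking that whole address safe or unsafe.

```python
"""Model of per-application firewall rules on top of the four coarse settings.

Added example, not AVG code. Assumed representation: Rule fields mirror the
five rule attributes named in the notes plus an action; an application has a
coarse policy ("block", "safe", "all", "ask") and an optional rule list that is
consulted first. SAFE_NETWORKS and the sample rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed "safe" area, standing in for the profile's Defined Networks list.
SAFE_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Rule:
    protocol: str                    # "TCP" or "UDP"
    direction: str                   # "in" or "out"
    local_ports: Optional[Set[int]]  # None means any port
    remote_ports: Optional[Set[int]]
    remote_networks: Optional[List]  # list of ip_network objects, None = any
    action: str                      # "allow" or "block"


@dataclass
class Packet:
    protocol: str
    direction: str
    local_port: int
    remote_port: int
    remote_ip: str


# Constructed: a rule that lets a client talk DNS only to the local resolver.
DNS_RULES = [
    Rule("UDP", "out", None, {53},
         [ipaddress.ip_network("192.168.1.1/32")], "allow"),
]


def is_safe(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SAFE_NETWORKS)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every populated field of the rule must match the packet."""
    if rule.protocol != pkt.protocol or rule.direction != pkt.direction:
        return False
    if rule.local_ports is not None and pkt.local_port not in rule.local_ports:
        return False
    if rule.remote_ports is not None and pkt.remote_port not in rule.remote_ports:
        return False
    if rule.remote_networks is not None:
        addr = ipaddress.ip_address(pkt.remote_ip)
        if not any(addr in net for net in rule.remote_networks):
            return False
    return True


def decide(policy: str, rules: List[Rule], pkt: Packet) -> str:
    """Return "allow", "block" or "ask".

    Explicit rules ("advanced settings") are checked first and the first
    match wins; otherwise the application's coarse setting applies.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    if policy == "block":
        return "block"
    if policy == "all":
        return "allow"
    if policy == "safe":
        return "allow" if is_safe(pkt.remote_ip) else "block"
    return "ask"  # no defined rule: pop up and ask the user


if __name__ == "__main__":
    print(decide("ask", DNS_RULES, Packet("UDP", "out", 51001, 53, "192.168.1.1")))
    print(decide("ask", DNS_RULES, Packet("UDP", "out", 51001, 53, "203.0.113.53")))
```

The last two calls make the point: with only the coarse "ask" setting every DNS query would produce a pop-up, whereas the port-and-address rule lets the expected resolver traffic through silently and still prompts for DNS sent anywhere else, which is the kind of traffic a defender wants surfaced.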

 

 

10.5.4. System Services

Most of the profiles seem to contain the same 24 rules with different settings depending on the profile used, but the "small home or office network" profile seems to carry some 36 rules.

Although the rules seem fairly sensible the weird thing is that they all seem to carry the usual "allow for all" or "block" actions, yet when you edit one it only allows the selection and editing of rules.  So somewhere there is a set of pre-defined rules for certain actions.

 

Why you can set certain logging actions here in the System services of a specific profile rather than in the "Logs" area where you would expect is anybody's guess. Interestingly there is no "Logs" area in the AVG control centre, presumably because logs are kept on individual PCs and not in the control centre. So someone must have assumed that the "logs" area is for accessing the logs rather than configuring them!

 

Log unknown traffic