Koozali.org: home of the SME Server

Avast updates with Dansguardian

Offline brick

« on: August 31, 2009, 04:26:58 PM »
Hi all,
I'm running the Avast antivirus on my LAN with about 25 PCs running Windows.
The Gateway is a SME running in Server/Gateway mode with the Dansguardian contrib.
Access by IP is denied, since the users are smart enough to figure the address.
I added the allowed MIME types and the extensions that Avast updates use, but since the updates come from hosts such as:
Code:
1251728311.985    227 192.168.0.160 TCP_DENIED/403 0 GET http://67.228.112.199/iavs4x/prod-av_pro.vpu - DEFAULT_PARENT/127.0.0.1 application/octet-stream
the updates never come through.
Does anyone have a solution for that?
Thanks for any comments on this

Offline RedBeard

« Reply #1 on: August 31, 2009, 06:17:02 PM »
I simply white list the update site, i.e. and an exemption for the appropriate website.  I usually do this for MS's update site, the anti-virus' update site, java, adobe and others as they pop up.

See: http://wiki.contribs.org/Dansguardian/ConfigFiles#exceptionsitelist

exceptionsitelist

This contains a list of domain endings that if found in the requested URL, DansGuardian will not filter the page. Note that you should not put the http:// or the www. at the beginning of the entries.

exceptioniplist

This contains a list of client IPs who you want to bypass the filtering. For example, the network administrator's computer's IP.

exceptionurllist

URLs in here are for parts of sites that filtering should be switched off for.

Good Luck

Offline dadoudidon

« Reply #2 on: August 31, 2009, 11:05:02 PM »
and don't forget after modifications
Code:
service dansguardian restart

David

Offline brick

« Reply #3 on: September 03, 2009, 01:27:15 AM »
Thank you for the comments, I understand how to use, the problem is that I would need to provide every IP from avast in the IPexceptionlist, and they change quite often.
I tried bypassing by extension name and MIME type, but the IP block comes first.

Offline dadoudidon

« Reply #4 on: September 03, 2009, 09:52:39 AM »
Quote
...
Access by IP is denied, since the users are smart enough to figure the address.
Code:
1251728311.985    227 192.168.0.160 TCP_DENIED/403 0 GET http://67.228.112.199/iavs4x/prod-av_pro.vpu - DEFAULT_PARENT/127.0.0.1 application/octet-stream
the updates never come through.
...

Why don't you use the reverse lookup function?

Quote
Reverse Lookups for Banned Sites and URLs
If set to on, DansGuardian will look up the forward DNS for an IP URL address and search for both in the banned site and URL lists. This would prevent a user from simply entering the IP for a banned address. It will reduce searching speed somewhat so unless you have a local caching DNS server, leave it off and use the Blanket IP Block option in the bannedsitelist file instead.
David

Offline RedBeard

« Reply #5 on: September 03, 2009, 03:30:56 PM »
Quote
Thank you for the comments, I understand how to use, the problem is that I would need to provide every IP from avast in the IPexceptionlist, and they change quite often.
I tried bypassing by extension name and MIME type, but the IP block comes first.

You should be able to use the exceptionsitelist entering the url for avast updates ( avast.com/iavs4x ).  I would avoid using reverse lookup as suggested by dadoudidon unless absolutely necessary as it can slow down the filtering considerably.   

Offline dadoudidon

« Reply #6 on: September 03, 2009, 03:55:32 PM »
Thanks for the info, RedBeard, 'cause I do not use reverse lookup.

David

Offline brick

« Reply #7 on: September 04, 2009, 07:04:29 AM »
Quote
You should be able to use the exceptionsitelist entering the url for avast updates ( avast.com/iavs4x ).  I would avoid using reverse lookup as suggested by dadoudidon unless absolutely necessary as it can slow down the filtering considerably.

Maybe I oughta look for the reverse option, putting avast.com in my exception list was one of the first things I did.
Like I said, the updates come from different servers, their addresses are IP. Adding the files to the exception list does not help, since Dans is looking at the IP before it looks at the extension/MIME.

Offline janet

« Reply #8 on: September 04, 2009, 07:46:00 AM »
brick

What about exceptionfilesitelist?
It says IPs can be matched too.

# Exception file site list
# Use this list to define sites from which files can be downloaded,
# overriding a blanket download block (blockdownloads = on) or the
# banned MIME type and extension lists (blockdownloads = off).
#
# DOES NOT override content/virus scanning or site/URL bans.

# Don't bother with the www. or
# the http://
#
# These are specifically domains and are not URLs.
# For example 'foo.bar/porn/' is no good, you need
# to just have 'foo.bar'.
#
# You can also match IPs here too.


Offline RedBeard

« Reply #9 on: September 04, 2009, 03:25:34 PM »
 :shock:  I missed that one.  That looks like that should do the trick. 
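
Added example (not part of the thread, and not DansGuardian or Squid project code): since the update hosts are IP literals that change often, this sketch reads a Squid access.log in the native format quoted above and lists the IP-literal hosts whose requests under the update path were denied, so an administrator can review them as candidate exception entries. The function name `denied_ip_hosts` is hypothetical, and every sample line except the first (taken from the thread) is constructed.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format; the first line is the
# one quoted in the thread, the rest are made up (documentation IP ranges).
SAMPLE_LOG = """\
1251728311.985    227 192.168.0.160 TCP_DENIED/403 0 GET http://67.228.112.199/iavs4x/prod-av_pro.vpu - DEFAULT_PARENT/127.0.0.1 application/octet-stream
1251728312.410    198 192.168.0.161 TCP_DENIED/403 0 GET http://198.51.100.7/iavs4x/servers.def - DEFAULT_PARENT/127.0.0.1 application/octet-stream
1251728313.002    305 192.168.0.160 TCP_MISS/200 5120 GET http://www.avast.com/index.html - DEFAULT_PARENT/127.0.0.1 text/html
1251728314.118    150 192.168.0.170 TCP_DENIED/403 0 GET http://203.0.113.9/video/clip.flv - DEFAULT_PARENT/127.0.0.1 video/x-flv
1251728315.771    211 192.168.0.162 TCP_DENIED/403 0 GET http://67.228.112.199/iavs4x/setup.def - DEFAULT_PARENT/127.0.0.1 application/octet-stream
this line is truncated
"""


def denied_ip_hosts(log_text, path_prefix="/iavs4x/"):
    """Map each IP-literal host to the denied paths and clients seen for it."""
    hits = defaultdict(lambda: {"paths": set(), "clients": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, result, url = fields[2], fields[3], fields[6]
        if not result.startswith("TCP_DENIED/"):
            continue  # only requests the proxy chain refused
        try:
            parts = urlsplit(url)
            ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            continue  # host is a name (or unparsable), not an IP literal
        if not parts.path.startswith(path_prefix):
            continue  # denied, but not under the update path of interest
        hits[parts.hostname]["paths"].add(parts.path)
        hits[parts.hostname]["clients"].add(client)
    return dict(hits)


if __name__ == "__main__":
    # One line per candidate host, for manual review before editing any list.
    for host, seen in sorted(denied_ip_hosts(SAMPLE_LOG).items()):
        print(host, sorted(seen["paths"]), sorted(seen["clients"]))
```

The path filter keeps unrelated IP-literal requests (the constructed video download here) out of the review list, so the blanket IP block stays in force for everything else.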