Firewall rule for Avira Update Servers

Hallo,
How can I create a special firewall rule:
There is one machine (Win7 ) blocked by firewall to red WAN.
Is it possible to create a firewall rule / firewall group to allow this machine the access right only to Avira-Update-Servers ? There are no static IP adresses for this servers ! I found this on Avira support pages:
" …
Which exceptions must be stored in the firewall/proxy for updating?

If a firewall or proxy is active in the network and there are problems updating Avira Antivirus Pro or Avira Antivirus Server, as well as the Avira Mirror, certain exceptions should be set.

Please set the following exceptions:

** prod.update-bridge.avira.net with Port 443**
** .avira.com*
** .avira-update.com*
** .cloudfront.net*
** api.mixpanel.com**

The update servers are accessible via port 80.

Note
IP addresses cannot be added for the update due to the CDN used having different, changing IP addresses.
…"

Thank you for every advice !

Hi,

first, welcome to the IPFire community (and thanks for posting this again in English :wink: ).

Assuming this AV scanner is able to work with and through a HTTP proxy - which may or may not be true -, you could set up a user group for this client, whitelist those desired FQDNs, and deny access to the rest. Please refer to the web proxy documentation for further information on how to do this.

For security reasons, IPFire does not support DNS-based firewall rules; if the proxy solution does not work, I am currently out of ideas.

Thanks, and best regards,
Peter Müller

P.S.: Just for the records: Support for Windows 7 has been discontinued. Please consider upgrading to a new version either way. :slight_smile:

Hallo,
thank you for the advice. In a silent hour I will try to understand this and build a rule

PS: I Know, that Win7 is out of Support. But on this machine is installed some good and expensive Software the users need still some years and an upgrade is not possible.

Thanks, and greetings,

Does Avira provide also IP addresses for the update servers?

Hi,

Does Avira provide also IP addresses for the update servers?

as @rowihei mentioned initially, no. If they would to so, creating firewall rules would not be an issue… :slight_smile:

Thanks, and best regards,
Peter Müller

Ok… Why don’t compile some… iplists from hostnames? Then group them?

A lot of services are available for “extracting” highest number of addresses from hostnames.

Otherwise… consider other antivirus softwares. I am quite an… “endorser” of ESET, which by the way provide a detailed list of hostnames and ip addresses used for update, statistics and license status for a quite long product list. It’s updated (at time of posting, updated 4 days before) time to time.

I know, AVIRA provide better single client quotes than ESET, but… if budget is an issue, maybe an updated software will cost a lot more than a different kind of AV. Eset is only one of the available names on the market, get some documentation and info might be a gamechanger for choosing which alternative test before give the run.

Side note: backup often, backup now, create a disaster recovery procedure and test it, because hard drives can retire from job without 4 weeks notice.

Hi,

sorry for replying late.

Ok… Why don’t compile some… iplists from hostnames? Then group them?

This is dangerous because those IP addresses can change at any time and an attacker (or the domain owner himself) could inject arbitrary IP addresses into your firewall ruleset.

A lot of services are available for “extracting” highest number of addresses from hostnames.

This is unfortunately true, but I strongly recommend against this. Even if the domain in question is DNSSEC-signed, this does not protect against malicious DNS replies coming from the (hacked?) domain owner.

Thanks, and best regards,
Peter Müller

I can understand that the project says “better no connection than unsafe connection”. But this may be not the way that the users are intending “firewalling”.
Also, you’re blinding believing that you can fool at all not only the DNS, but also the update management (and signing) of the antivirus system.
Most AV producers allow HTTP and FTP (without s) for allowing proxies to cache and reduce bandwidth for distributed systems (without a in-lan update server…)

Thanks for all the tips …
I found another way, not comfortable but good enough:

  • Created a script on windowsPC
  • download fusebundle.zip from AVIRA-Server with wget
  • unpack with 7zip
  • scan PC with scancl.exe from AVIRA
  • mail to admin with scan report (blat.exe)
  • IPFire Updateaccelarator edit with AVIRA-Sources for fusebundle.zip

If someone is interested, write me please - but I think it’s too special