Firewall Application Rules

Avast Firewall is another major component of Antivirus protection offered alongside Core Shields, and it is available for Windows workstations. Our Firewall monitors all network traffic between devices and the outside world to help protect you from unauthorized communication and intrusions.

Firewall's application rules are specifically meant to control how Firewall behaves toward applications or processes when they connect to the internet or to another network. These rules are created each time an application or process makes a connection attempt for the first time. Advanced users can set connection permissions for each individual app to determine how strictly Firewall monitors any incoming or outgoing communication.

We recommend you only modify these rules if absolutely necessary. In most cases, Firewall formulates optimal rules without any user input.

Configuring Application Rules

To access Firewall application rules:

1. Open the Policies page
2. Click the desired policy to open its Detail drawer
3. Select the Settings tab, then Firewall
4. Expand the Firewall Settings section
5. Select the Firewall rules tab, then Application rules

Although you can allow local configuration of all Firewall rules by selecting the Let user set their own rules option at the top of this section, we recommend choosing the Override all the local (user) rules option, ensuring these rules are controlled by your console for maximum security across your network.

Each policy contains default application rules to allow common applications to communicate properly. You can delete or modify these rules in order to change how the listed application communicates, or add new rules to the existing list.

You can also set the default action Firewall will take for new applications with no defined rules:

• Auto-decide (Smart Mode on the endpoint): Either allows or blocks connections depending on their trustworthiness.
• All connections ( Allow on the endpoint) : Allows all connections.
• No connections ( Block on the endpoint) : Blocks all connections.
• Ask user ( Ask on the endpoint) : Prompts the user to manually allow or block connections as they occur.

Adding Application Rules

To add a new application rule:

1. Click the + Add application rule button at the bottom of the list
2. Enter the application's name and path (you can use System Path Variables)
3. Select the desired rule (No connections, Internet in only, Internet out only, All connections, or Custom)
   1. For detailed instructions on how to configure custom rules, refer to the Customizing Application Rules section below.

   

   The new rule will then be added to the list. You can edit/delete it if needed by clicking the pencil/trash bin icon in the Actions column. When modifying custom application rules, the options to add, edit, delete, or disable the packet rules will also be available.

   

   System Path Variables

   Clicking Show system path variables in the Add Application Rule dialog will show all accepted system variables, and the tooltips will provide more information:

   Use this if you need to specify an executable file located in a folder where shared program files for 32-bit applications are stored.

   Example: %CommonProgramFiles(x86)%\app.exe → C:\Program Files (x86)\Common Files\app.exe

   Use this if you need to specify an executable file located in a folder where program files for 32-bit applications are stored.

   Example: %ProgramFiles(x86)%\app.exe → C:\Program Files (x86)\app.exe

   Use this if you need to specify an executable file located in a folder where shared program files are stored.

   Example: %CommonProgramFiles%\app.exe → C:\Program Files\Common Files\app.exe

   Use this if you need to specify an executable file located in a folder where program files are stored.

   Example: %ProgramFiles%\app.exe → C:\Program Files\app.exe

   Use this if you need to specify an executable file located in a core folder of the operating system.

   Example: %WINDIR%\SysNative\app.exe → C:\Windows\System32\app.exe

   Use this if you need to specify an executable file located inside an operating system folder.

   Example: %WINDIR%\app.exe → C:\Windows\app.exe

   Use this if you need to specify an executable file located anywhere else on the system drive.

   Example: %SYSTEMDRIVE%\folder_name\app.exe → C:\folder_name\app.exe

   Clicking any listed variable will automatically add it to the Application Path field.

   

   Customizing Application Rules

   To customize an existing rule or create a new custom rule:

   1. Do one of the following:
      • To make a new custom rule, click the + Add application rule button at the bottom of the list
      • To customize an existing rule, click the pencil icon in its Actions column
   2. Enter the app's name and path (if creating a new rule)
   3. Select Custom from the drop-down menu in the Allow column

   

   1. Do one of the following:
      • If you are creating a new packet rule, click the + Add packet rule button
      • If you are modifying an existing packet rule, click the pencil icon in its Actions column
   2. Fill out/modify the following:
      • Rule name
      • Action: Indicates whether Firewall will Allow or Block the connection
      • Protocol: Indicates the network protocol the rule applies to. One protocol may be selected, or All if the rule applies to all protocols.
        • If you select Internet Control Message Protocol (ICMP/ICMPv6), you will also need to specify the ICMP type, which indicates the control message (represented by a code number) to which the rule applies. The rule may apply to a single code number, or multiple codes (separated by commas). The code numbers of control messages are listed in the technical specifications of the ICMP (RFC 792).
      • Direction: Indicates whether the rule applies to incoming connections (In), outgoing connections (Out), or to connections in both directions (Both).
      • IP Address: Indicates the source or destination IP address the rule applies to. The rule may apply to a single IP address, multiple IP addresses (separated by commas), or an IP address range (starting with the lowest IP address and separated with a dash). If the field is blank, the rule applies to all IP addresses.
      • Local Port: Indicates a network port number on the local IP address of your PC's network interface. The rule may apply for a single port number, multiple ports (separated by commas), or a port range (starting with the lowest port number and separated with a dash). If the field is blank, the rule applies to all local ports.
      • Remote Port: Indicates a network port number on the remote IP address of the external server or device. The rule may apply for a single port number, multiple ports (separated by commas), or a port range (starting with the lowest port number and separated with a dash). If the field is blank, the rule applies to all remote ports.
        • An application may need to communicate with a specific remote port in order to function. For example, your internet browser usually needs port 443, as this is the default port used for HTTPS (secure HTTP). To verify the remote port that is required by a particular application, contact the application vendor or refer to the application's support pages.
      • Profile: Indicates whether the rule applies to Private, Public, or All networks
   3. To finish, click Add packet rule if you are creating a new rule, or the save icon in the Actions column if you are modifying an existing rule

   

   Other Articles In This Section: