There Is a Problem Running an Antivirus Program

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Typically, this problem occurs when an antivirus program tries to automatically download a file--such as a virus definition file, a signature file, or a program update--either from the Internet or from a server on your corporate network. When this happens, you might see a Windows Security Alert dialog box (notification) informing you that the application is trying to use a port that is blocked, or the application might stop responding or behave unpredictably.

Cause

If the download is initiated by a central server and "pushed" down to your computer, the download traffic is unsolicited incoming traffic, and Windows Firewall blocks it. Many antivirus programs use the file transfer protocol (FTP) to transmit program updates, virus signatures, and virus definitions to a computer. In active-mode FTP the server opens the data connection back to the client, so the transfer arrives as unsolicited inbound traffic; because Windows Firewall blocks all unsolicited inbound traffic by default, the program cannot complete the download. Although many antivirus programs have been updated to use the Windows Firewall application programming interface (API) to open the ports they need, not all programs do this. If a program does not automatically open the proper ports to allow an unsolicited download, the program might fail when Windows Firewall is enabled.

Solution

To solve this problem, contact the program vendor or read the program documentation to see if you can configure the antivirus program so files cannot be "pushed" down to your computer. In some cases, you can configure an antivirus program so it "pulls" files down at specified intervals or when you manually initiate an update or download.

If this is not acceptable behavior in your organization, contact the program vendor or read the program documentation to see if the antivirus program uses FTP to download program updates, virus signature files, or virus definition files. If the program uses FTP, make sure that the Application Layer Gateway (ALG) Service is started. Windows Firewall uses the ALG Service to process active FTP traffic: the service watches the FTP control channel and opens the negotiated data port only for the duration of the transfer, so no permanent exception is needed.

To start the Application Layer Gateway Service

  1. Open the Services snap-in.

  2. Double-click Application Layer Gateway Service.

  3. On the General tab, if Service status is not Started, click Start.
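The same check done from the command line, as an added example that is not part of the original article: it queries the service by its short name ALG, starts it if it is stopped, and sets it to start automatically so the fix survives a reboot. Run it from a cmd.exe prompt as a member of the local Administrators group.

```batch
@echo off
rem Added example (not from the original article): check whether the
rem Application Layer Gateway Service (service name ALG) is running, start
rem it if it is not, and make it start automatically at boot.

sc query ALG | find "RUNNING" >nul
if %ERRORLEVEL% EQU 0 (
    echo ALG service is already running.
) else (
    echo ALG service is not running; starting it...
    sc start ALG
    if errorlevel 1 (
        echo Failed to start ALG. Check the System event log for the reason.
        exit /b 1
    )
)

rem Set the startup type to Automatic. The space after "start=" is required
rem by sc.exe; without it the command is rejected.
sc config ALG start= auto

rem Confirm that Windows Firewall is actually enabled; the ALG workaround
rem only matters when it is.
netsh firewall show state
```

If sc start fails, the usual cause on a hardened server is that the service has been disabled by policy; sc config start= auto then has to be run before sc start.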

If the ALG Service is running and you still cannot get your antivirus program to work with Windows Firewall, try adding the antivirus program to the exceptions list.

To add a program to the Windows Firewall exceptions list

  1. Open Windows Firewall, and then click the Exceptions tab.

  2. Click Add Program, and then follow the directions that appear on your screen.

If this does not work, you need to determine which port(s) the antivirus program uses, and then add the port(s) to the exceptions list.

To determine the ports used by a program

  1. Start the program that you want to evaluate.

  2. At the command line, type tasklist, and then press ENTER.

  3. Look up the process ID (PID) that is associated with the program you are evaluating. If the program relies on more than one .exe file, be sure to look up the PID for each .exe file that the program is using.

  4. At the command line, type netstat -a -o -n, and then press ENTER.

  5. Find the lines whose PID column (the last column) matches the program’s PID, and note the local port on each line whose state is LISTENING. Only listening ports need an inbound exception; ESTABLISHED connections that the program opened itself are outbound traffic, which Windows Firewall already allows.
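Steps 1 through 5 above, as an added script (not from the original article) that walks every instance of the updater process and prints the sockets it owns. The image name avupdate.exe is an assumption standing in for your product's executable; repeat the run for each .exe the product uses.

```batch
@echo off
setlocal
rem Added example (not from the original article): map an antivirus updater
rem process to the ports it has open, following the tasklist / netstat steps.
rem "avupdate.exe" is an assumed image name; substitute your product's .exe.

set IMAGE=avupdate.exe

rem tasklist /fi filters on image name, /fo csv gives one quoted field per
rem column, /nh drops the header. Piping through findstr discards the
rem "INFO: No tasks are running..." line when nothing matches, so the loop
rem body only runs for real processes. Field 2 is the PID; %%~p strips the
rem surrounding quotes.
for /f "tokens=2 delims=," %%p in ('tasklist /fi "imagename eq %IMAGE%" /fo csv /nh ^| findstr /i /c:"%IMAGE%"') do (
    echo === %IMAGE% PID %%~p ===
    rem netstat -a -n -o lists every socket with its owning PID in the last
    rem column; keep only lines that end with this PID.
    netstat -a -n -o | findstr /r /c:" %%~p$"
    echo.
    echo Listening sockets only (these are the candidates for a port exception):
    netstat -a -n -o | findstr /r /c:" %%~p$" | findstr /c:"LISTENING"
)
endlocal
```

Run the script while an update is in progress, since an active-mode FTP client only listens on its data port for the few seconds between sending the PORT command and the server connecting back. On Windows Server 2003 SP1 and later, netstat -b prints the owning executable next to each socket, which lets you skip the tasklist lookup at the cost of a slower, more privileged scan.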

After you identify the port that the antivirus program uses, try adding the port to the exceptions list.

To add a port to the exceptions list

  1. Open Windows Firewall, and then click the Exceptions tab.

  2. Click Add Port.

  3. In Name, type a friendly name for the port exception.

  4. In Port number, type the port number used by the program.

  5. Click either TCP or UDP to specify the type of port that corresponds to your port number.

  6. Repeat steps 2 through 5 if your program uses multiple ports and the ports are not enabled in the exceptions list.

Important

Adding a port to the exceptions list can reduce the security of your computer because the port will be open any time the computer is running, whether or not the antivirus program is using it. You should add ports to the exceptions list only when it is not possible to add a program to the exceptions list. If you must add a port, click Change scope in the Add a Port dialog box and limit the exception to your local subnet or to the address of the update server rather than to any computer.
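The exceptions from both GUI procedures above (adding a program to the exceptions list, and adding a port to the exceptions list), entered with netsh so they can be scripted, audited, and reverted. This is an added example, not part of the original article. It assumes the updater is installed at C:\Program Files\AVVendor\avupdate.exe, that the port it listens on is TCP 4672, and that the corporate update server is 192.0.2.10; replace all three with the values found in the steps above. Run as a member of the local Administrators group.

```batch
@echo off
rem Added example (not from the original article). All paths, ports and
rem addresses below are assumptions standing in for your own values.

set AVPROG="C:\Program Files\AVVendor\avupdate.exe"
set UPDATESERVER=192.0.2.10

rem Preferred: a program exception. Windows Firewall then accepts inbound
rem traffic only on ports this executable is actually listening on, and only
rem while it is running. scope=CUSTOM restricts the sources to the update
rem server; use scope=ALL only if updates really come from the Internet.
netsh firewall add allowedprogram program=%AVPROG% name="AV updater" mode=ENABLE scope=CUSTOM addresses=%UPDATESERVER%

rem Fallback, only if the program exception is not enough: a port exception.
rem It stays open whenever the computer is up, so scope it to the update
rem server instead of opening it to every host.
netsh firewall add portopening protocol=TCP port=4672 name="AV updater data" mode=ENABLE scope=CUSTOM addresses=%UPDATESERVER%

rem Review what is now open.
netsh firewall show allowedprogram
netsh firewall show portopening

rem Once the vendor ships an updater that uses the Windows Firewall API, or
rem you switch it to pull-mode updates, remove the port exception again:
rem   netsh firewall delete portopening protocol=TCP port=4672
```

The addresses parameter also accepts LocalSubnet and CIDR ranges (for example LocalSubnet,10.0.0.0/8) if the update server's address changes or several servers push definitions. Keep the port exception's name distinctive so it is easy to find and delete during a later review of netsh firewall show config.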