Hello, today I noticed that my avast (newest version + newest iAVS) created two strange connections to the internet over HTTP to the IP addresses “64.18.25.38” and “87.248.218.163”. Can you please tell me why these connections happened? Why did ashserv create them? It never did before… Am I probably hard infected, or is my avast infected? Or is this somehow normal? I hope you can give me helpful answers.
avast doesn’t create/initiate internet connections and should only be connecting to the update servers (after a connection exists) to check for updates. Neither of the IPs belongs to the avast.com download servers.
So something else is connecting to the internet and most likely going through the web shield local host proxy.
What is your firewall?
Was this what detected the connections? If not, what was (and if so, what was the process connecting)?
As mentioned above, ashserv.exe (a service process of avast) created these two connections. I am still wondering what they should be about, hoping for some good answer. I blocked the avast processes now in my software firewall and filtered the IPs on the hardware side of the network. But let’s still hope it isn’t a hard infection like I am thinking at the moment… Maybe some DevPro (;D) could give some answer.
Sorry missed the mention of ashserv.
As I said there would be absolutely no requirement for an avast process to connect to anything but an avast.com IP and neither of those are.
You didn’t say what your firewall is?
Whilst I never see any connections for ashServ.exe in my firewall, it is the main scanning element for all the providers, so I don’t know if something like the web shield scanning a download, etc. could activate ashServ.exe.
There have been some other reports of connection by ashServ.exe in the forums but I think they were with comodo firewall and I think this was explained. But, I can’t understand even if it did connect that it would connect to a non avast.com IP, so there is more to this than meets the eye.
Perhaps you will be lucky and one of the DevPros will notice this topic so I don’t have to trouble you further.
My firewall “Outpost 4.0” did tell me about the two connections. After that I also tried to check the digital signature of the ashserv.exe in Windows, and it says that the exe is certified and not modified, or something like that. Hmmm, I still hope that these connections don’t mean some harmful infection…
Please spend me an answer <— don’t know if this is spelled ok, but ya^^
Although, ashServ.exe sends ping packets to find out if the Internet connection is alive. You can turn this off by checking the “My computer is permanently connected to the Internet” box in the avast Program Settings > Update (Connections) page.
But the IP addresses aren’t from avast???
OrgName: Baltimore Technologies
OrgID: BALTIM-8
Address: 77 A Street
City: Needham
StateProv: MA
PostalCode: 02494
Country: US
NetRange: 64.18.16.0 - 64.18.31.255
CIDR: 64.18.16.0/20
NetName: CYBERTRUSTCIDR
NetHandle: NET-64-18-16-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS3.US.BETRUSTED.NET
NameServer: NS4.US.BETRUSTED.NET
Comment:
RegDate: 2001-07-11
Updated: 2005-10-24
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 87.0.0.0 - 87.255.255.255
CIDR: 87.0.0.0/8
NetName: 87-RIPE
NetHandle: NET-87-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2004-04-06
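As an added example (not from the thread or from avast), here is a small Python triage helper that takes whois records like the two quoted above, turns each NetRange into CIDR blocks, and reports which allocation each observed destination IP falls in. The sample input is constructed from the fields quoted in the thread; note that the second record is the whole 87.0.0.0/8 delegated to RIPE NCC, so a match there only tells you which registry (the ReferralServer) to query next, not who actually uses the address.

```python
import ipaddress
import re

# Constructed sample input: the two ARIN whois records quoted in the thread,
# trimmed to the fields this check needs (not a live whois query).
WHOIS_RECORDS = """
OrgName: Baltimore Technologies
NetRange: 64.18.16.0 - 64.18.31.255
CIDR: 64.18.16.0/20
NetName: CYBERTRUSTCIDR

OrgName: RIPE Network Coordination Centre
NetRange: 87.0.0.0 - 87.255.255.255
CIDR: 87.0.0.0/8
NetName: 87-RIPE
"""

def parse_whois(text):
    """Split blank-line-separated whois records into dicts holding the
    OrgName, NetName and the CIDR blocks that cover the NetRange."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            fields.setdefault(key.strip(), value.strip())  # keep first Comment/etc.
        start, _, end = fields["NetRange"].partition("-")
        nets = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())))
        records.append({"org": fields.get("OrgName", ""),
                        "netname": fields.get("NetName", ""), "nets": nets})
    return records

def attribute(ip, records):
    """Return (OrgName, NetName) of the most specific record covering ip,
    or None when no quoted allocation contains it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in records:
        for net in rec["nets"]:
            if addr in net and (best is None or net.prefixlen > best[2]):
                best = (rec["org"], rec["netname"], net.prefixlen)
    return best[:2] if best else None

if __name__ == "__main__":
    recs = parse_whois(WHOIS_RECORDS)
    for ip in ("64.18.25.38", "87.248.218.163"):  # the two IPs from the first post
        print(ip, "->", attribute(ip, recs))
```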
Yes, I also somehow already thought that it might be such a check, because that option was not checked here. But still, it is strange why it would connect to these two non-avast IPs… And why it only does that once… I tried sniffing for about an hour to try to get the packets it sends, but it never made a connection again… strange…
And another thing that I have now noticed: I surfed to one of the IPs and it shows an index file with many *.crl files on it. At the bottom it says “Apache/2.0.46 (Red Hat) Server at crlpublish Port 80”… Could that be a certificate server or something like that? And also I would like to point out another thing that I have noticed since yesterday… Is it normal that avast creates virus scan exclusions itself? I noticed that there are some folders (like C:\WINDOWS\CSC) in the exclusion list without me adding them… that’s also pretty strange, I think.
The following lines are in the exclusion list but were not made by me:
C:\WINDOWS\TEMP\*.TMP
*\_AVAST4_\UNP*.TMP
C:\WINDOWS\WINSXS\*.MANIFEST
C:\WINDOWS\WINSXS\*.CAT
C:\WINDOWS\WINSXS\*.POLICY
C:\WINDOWS\CSC\*.TMP
C:\WINDOWS\CSC\?0??????
*\EDB.CHK
Why are there these lines? Why and who added them?
They are there by default. These files/folders are safe to be on the Exclusion lists.