Since recently upgrading to Avast 2015 (Free), my software firewall has been catching some unauthorized communication on my system at system boot. These single events only happen when booting or rebooting my system.
Good old Kerio never misses a beat
Remote 123 is for time, but …
Normally a response would be to local port 123.
This is an attempt at an incoming connection, which makes no sense to me. Normally Kerio sees computer outbound to a time server.
Time update is normally done by svchost on XP, not avast service.
And avastsvc normally doesn’t touch time synch - since it’s not an http (port 80).
Unless 2015 avast hooks that one somehow.
Strange IMO. Deny, deny.
Kerio sees funny servers with remote 123 with a wrong application (not svchost). Maybe Avast service connected out to their port 123 in the first place, maybe some new feature in 2015 avast, which at this point I don’t have where Kerio is, so can’t confirm what you see.
They’re from a different address every time. I have denied all of them without setting a rule in Kerio; I just deny each one of them individually so my rule sets don’t get filled with random addresses. I find it very odd that none of them are persistent. Usually one would have to set a rule in Kerio to deny all incoming requests from each address, but that has not been the case; they stop requesting communication after a single denial. What bugs me is they are coming through Avast servers; that’s why they have been able to penetrate my router firewall. My router is not pingable nor is it visible to unsolicited traffic.
I find these attempts very disturbing. I have not contacted customer support yet.
You say they’re coming through avast servers. How do you know? I doubt it.
You mention something about the router. Avast doesn’t control the router.
You need to block all inbound in the router. Include UPnP and other such. Normally that would be a router default anyway and I gather yours is ok.
When I think about it looking at your screen shots, some random sites are attempting to send UDP packets to the typical ephemeral ports 1024+ on XP. It so happens that Avast grabs, usually, 1029 or 1030 or one other early port at boot time for its service (check TCPView, you’ll see it) and those sites want to put something there. So if you think that that’s “avast servers”, I don’t think so. Is Avast alerting about anything or not?
All along I’m assuming you run free avast AV and did not install any bloatware, just the three shields. Because if you did allow to install something in the middle column of custom installation, then all bets are off, I have no clue what any of them do other than cause trouble.
Sorry, I really have no idea. Just trying to help a Kerio user
There is a possibility, slight, that you have something nefarious that goes through avastsvc and gets these funny responses. Do you have your loopback rules set so that only what you allow can use Avast proxy ports?
I agree with cooby.
There is no evidence at all that the traffic is coming from an avast server.
Your screenshots show there is incoming traffic, but none shows even something close to a server from avast.
They only show that avast is scanning the incoming traffic.
Do you have any time synchronization software installed or a calendar application or something like that?
Brain fart on my part. I realize now the traffic is not coming through Avast servers. My knowledge of networking is limited to what I’ve picked up over the years on security related forums so forgive my ignorance. I just don’t understand these communication attempts from seemingly random addresses and why they have appeared only after upgrading to Avast 2015.