2015.10.0.2208
I provide internet access via Wi-Fi to 2 satellite links for those in my remote community. I use a Peplink Balance 20 dual-WAN router as the gateway. This router has decent logging of all internet traffic. I usually keep a window open on my computer showing traffic to the 2 satellite links graphically, individually and combined.
Today I came in from working outside and noticed one of the satellite links had been running for some time at 3mb down and about 2k up. I was curious to see who was using the bandwidth and switched to a screen that showed me current traffic by user. Surprisingly it was my computer.
I have virtually no auto-updates configured on my machine except for Avast and Malwarebytes; everything else is set to notify me before updating. There were no downloads scheduled.
I was somewhat concerned and opened the Avast firewall network connections view to see what program was generating the traffic. I have the interface set to detailed view with "resolve names" and "show full path" both active.
There wasn't much going on within the firewall. My email program, Firefox, StorageCraft backup (no cloud backup set up), Avast, and one svchost thread (doing DNS lookups) were the only web traffic showing. There is no total traffic stat shown by the Avast firewall interface (sure would be a nice addition), but I did a rough count and it was nowhere near 3mb down, not even a tenth of that.
At this point I made a mistake which made it impossible to say for sure that the traffic was bypassing Avast. I wanted to stop the stream and should have used the Avast Network Lock. If the traffic had continued, then for sure it was bypassing the Avast firewall. I thought maybe the router stats were in error and killed the NIC in my computer instead to see if the traffic stopped at the router. It did.
I went back through the router stats, which continuously record traffic by user. The finest resolution is by hour. My computer had downloaded 179mb and uploaded 4.97mb in the previous hour.
Both Malwarebytes and Avast do regular full scans of my system, including for rootkits, and real-time protection is enabled in both. My system runs well with no malware problems. I use an isolated VMware virtual machine to access any risky websites.
I've set it up so I can quickly log such traffic if it occurs again, but unfortunately I wasn't prepared to do this today because the secondary firewall I was using, which allowed for this, conflicted with Avast and had been uninstalled. I haven't yet found an alternative firewall able to do this. Suggestions?
I have 3 NICs in the computer: an Intel PRO/1000, a Realtek PCIe, and a Kasen USB Wi-Fi adapter for checking the Wi-Fi access points. I normally run with just the Intel PRO/1000 active. Does the Avast firewall automatically check all NICs? I couldn't find anywhere to specify the NICs to monitor, which my old firewall required me to stipulate. I believe Avast was installed before I installed the Intel PRO/1000. The firewall does appear to collect traffic normally on this NIC. I check it pretty regularly to see how much traffic programs are generating and who is calling home. Everything I expected to see has been there up until this happened.
How else can I track down what happened?
Thanks for any suggestions.
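One way to be ready the next time a burst like this shows up, as an added example that is not part of the original post or any Avast feature: poll the adapter's byte counters from PowerShell and, when the receive rate crosses a threshold, log every open TCP/UDP endpoint together with its owning process and executable path, so the burst can be matched against the router's per-hour stats. It assumes Windows 8 / Server 2012 or later (the NetTCPIP and NetAdapter modules), an elevated session, and an adapter name of `Ethernet`; check `Get-NetAdapter` for the real name.

```powershell
# Added example, not from the original post. Assumes Windows 8+ cmdlets and an
# elevated session. Logs adapter throughput every few seconds; on a burst it
# snapshots who currently holds sockets (attribution only, not per-process bytes).
param(
    [string]$Adapter = 'Ethernet',            # assumed name; see Get-NetAdapter
    [int]$ThresholdBytesPerSec = 256KB,       # 3 Mbit/s is roughly 375 KB/s
    [int]$IntervalSec = 5,
    [string]$LogPath = "$env:USERPROFILE\net-watch.log"
)

function Get-EndpointSnapshot {
    # Join live endpoints to their owning process so a burst can be attributed.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    $tcp = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'TCP'}}, LocalPort, RemoteAddress, RemotePort, OwningProcess
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'UDP'}}, LocalPort,
            @{n='RemoteAddress';e={'*'}}, @{n='RemotePort';e={'*'}}, OwningProcess
    foreach ($e in @($tcp) + @($udp)) {
        $p = $procs[[int]$e.OwningProcess]
        [pscustomobject]@{
            Proto   = $e.Proto
            Local   = $e.LocalPort
            Remote  = "$($e.RemoteAddress):$($e.RemotePort)"
            Pid     = $e.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '<unknown>' }
            Path    = if ($p) { $p.Path } else { '' }   # empty for system/protected processes
        }
    }
}

$prev = Get-NetAdapterStatistics -Name $Adapter
while ($true) {
    Start-Sleep -Seconds $IntervalSec
    $cur = Get-NetAdapterStatistics -Name $Adapter
    $rxRate = ($cur.ReceivedBytes - $prev.ReceivedBytes) / $IntervalSec
    $txRate = ($cur.SentBytes - $prev.SentBytes) / $IntervalSec
    $prev = $cur
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content $LogPath ("{0} rx={1:N0} B/s tx={2:N0} B/s" -f $stamp, $rxRate, $txRate)
    if ($rxRate -ge $ThresholdBytesPerSec) {
        # Burst detected: record which processes hold sockets right now.
        Get-EndpointSnapshot | Sort-Object Process | Format-Table -AutoSize |
            Out-String -Width 200 | Add-Content $LogPath
    }
}
```

Windows does not expose per-process byte counts through these cmdlets, so the snapshot tells you which processes held sockets during the burst, not how much each moved; if the adapter counters climb while the snapshot shows nothing that could account for it, that is the signal that something below the user-mode firewall (a driver, or traffic on a NIC you are not watching) deserves a closer look, for example with Resource Monitor's network tab or a capture on the router side.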