Avast Causing ARP DoS

We are a higher ed institution and have a large broadcast domain as part of our wireless network. I know, I know. It was a decision that was made. Broadcast and multicast are disabled. I don’t need to know the cons of a large broadcast domain.

The issue is that within the last few weeks, the wireless network has been overwhelmed with ARPs from a small number of machines. These are student laptops, not owned by the institution. Basically every time one of these clients connects to wireless, it starts sending an ARP to every other client on the network. This traffic has just slowed that network down to a crawl. We have been blocking the MACs of the offending clients and having them visit our help desk to get reconnected. The common thread we are seeing is that they all have Avast AV installed (mostly free version, if that matters). When we uninstall Avast, the ARP flood stops.

  1. Has anyone seen this behavior on your networks? How did you combat it?

  2. Anyone have a reason this just manifested recently? I’m sure these same students have been connecting since start of the semester (January). We have made no major network config changes recently. Did Avast push something new out?
    EDIT: I see there was a release on April 3rd. This is roughly the time when we started seeing this behavior.

I’m trying to find a way to stop this (other than rearchitecting the wireless network) that doesn’t involve laying hands on every single affected machine every time we get new students on campus. Any help at all is greatly appreciated. Thanks in advance.

I’m not with Avast Staff but the first thing that comes to mind is that the Smart Scan, and Network Scan might be running on those clients. That feature effectively scans the network for vulnerabilities on the network to tell the user if it is safe. I use Avast Premier but, I think all versions of Avast have it, not sure though.

Exactly how many clients are there on the network by average?

Thought that as well, but Avast site says those scans are supposed to be “on demand” only. They are definitely not starting the scans. We confirmed this behavior by having a network engineer install Avast on a fresh Windows 10 laptop and connect to wireless. The flooding started immediately.

To clarify, regardless of how many other clients are connected, it starts to send ARPs for every possible client address (I guess to see what other machines answer??). It’s a Class B subnet so every time someone connects, we start to get about 65k ARPs. We’ve been blocking them as quickly as we see them.

We do not use or provide Avast to students, so it’s a relatively small number that have it installed on their own machines, but it’s still enough to cause a considerable network slowdown and even some crashes. I’m guessing some bug was introduced in the latest release and most people don’t notice it because their subnets are small enough that ARPing all the addresses doesn’t really cause a slowdown. I’d be interested to have a few people fire up tcpdump (or wireshark) and see if they see the same behavior when a new client connects to the network.

I just tested this, with Avast Premier and it repeatedly sends an ARP request to the Main Router of my universities wireless router upon the service starting up and does not stop. With Avast off, no ARP requests.

Have you tried looking at logs for Avast at C:\ProgramData\AVAST Software\Avast\log

I have not personally, but I’ll have my help desk pull logs on the next one that comes in and send them to me. Should I be looking for anything in particular?

No, I’m not an expert on logs for Avast. But it may show something useful if you search through it. Plus you may have to submit your logs to Avast at some point.

On another note the amount of ARP requests sent by my testing machines were not anywhere near the amount you got. I am not certified in Networking as of right now, but depending on the Network hardware you are using there may be a way to limit ARP requests or something. I feel that this can be fixed with a configuration change in an enterprise router or something. Might be worth checking that equipment to see the usage and the ARP cache as well.

Yes now imagine this times the 100 or so machines we’ve have so far that are doing this.

So is there anyone on this forum that can get the attention of Avast to fix what is obviously a software bug? Support doesn’t want to talk to me because we aren’t business customers. This seems like it’d probably be an easy fix if the company acknowledges this behavior.

I’ve reported this topic to Avast, Hope that gets you some help.
Remember, they are located in Prague. :slight_smile:

Thanks for the help. I hope they can release a patch quickly to fix it.

Are there any news about this theme? We have the same problem

I’ve submitted a second request to Avast. :frowning:


We have changed the network scan intensity, so this behavior of devices newly connecting to the network should stop => fixed.


It seems the last version still contains this bug. (18.4.2338)

When will this problem be fix really?