Hello,
I’ve identified a networking issue which thus far appears Avast related. For starters, I’m running a fully up to date XP Pro desktop equipped with Firefox 3.6.8, latest Noscript/AdblockPlus/etc, Avast 5.0.594 (100828-0), and Comodo Firewall 4.1.150349.920. Any malware infection is highly unlikely. I’m not sure when this issue first cropped up, but it has been a while.
I’ve at times seen unusually heavy network activity lights a short time after closing my last browser instance (when there should be virtually no network traffic). Investigating, I’ve seen what I believe are abnormal terminations of the connection between AvastSvc.exe and some (not all) target webservers. For example, www.digg.com loads .js, .ico, .png, .css, and perhaps other types from the likes of cdn1.diggstatic.com, which forward resolves to 98.142.106.40. That IP address reverse resolves to lb140.nyny.cotendo.net, and it is this latter hostname you will see in the following logs. A simple, reproducible (for me at least) test case where I simply load http://lb140.nyny.cotendo.net…
When Avast WebShield is running:
2010-08-28 14:14:50.328672 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
2010-08-28 14:14:50.348124 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
2010-08-28 14:14:50.348353 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
2010-08-28 14:14:50.348912 [my ipaddress] lb140.nyny.cotendo.net HTTP GET / HTTP/1.1
2010-08-28 14:14:50.368373 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [ACK] Seq=1 Ack=377 Win=6432 Len=0
2010-08-28 14:14:50.385265 lb140.nyny.cotendo.net [my ipaddress] HTTP HTTP/1.1 403 forbidden (text/html)
2010-08-28 14:14:50.450851 [my ipaddress] lb140.nyny.cotendo.net HTTP GET /favicon.ico HTTP/1.1
2010-08-28 14:14:50.485166 lb140.nyny.cotendo.net [my ipaddress] HTTP HTTP/1.1 404 not found (text/html)
2010-08-28 14:14:50.617714 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [ACK] Seq=734 Ack=1184 Win=64352 Len=0
2010-08-28 14:14:53.449087 [my ipaddress] lb140.nyny.cotendo.net HTTP GET /favicon.ico HTTP/1.1
2010-08-28 14:14:53.487361 lb140.nyny.cotendo.net [my ipaddress] HTTP HTTP/1.1 404 not found (text/html)
2010-08-28 14:14:53.680120 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [ACK] Seq=1121 Ack=1779 Win=65535 Len=0
2010-08-28 14:15:13.530165 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [FIN, ACK] Seq=1779 Ack=1121 Win=8576 Len=0
2010-08-28 14:15:13.530218 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [ACK] Seq=1121 Ack=1780 Win=65535 Len=0
** Note: time gap **
2010-08-28 14:16:48.927284 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:16:48.947329 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
2010-08-28 14:16:50.488877 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:16:50.509768 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
2010-08-28 14:16:53.660650 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:16:53.682473 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
2010-08-28 14:17:00.113569 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:17:00.134217 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
2010-08-28 14:17:12.910029 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:17:12.929682 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
2010-08-28 14:17:38.502955 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:17:38.521268 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
Then again after Avast WebShield is stopped:
2010-08-28 14:25:37.721448 [my ipaddress] lb140.nyny.cotendo.net TCP cognex-insight > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
2010-08-28 14:25:37.741270 lb140.nyny.cotendo.net [my ipaddress] TCP http > cognex-insight [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
2010-08-28 14:25:37.741542 [my ipaddress] lb140.nyny.cotendo.net TCP cognex-insight > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
2010-08-28 14:25:37.742376 [my ipaddress] lb140.nyny.cotendo.net HTTP GET / HTTP/1.1
2010-08-28 14:25:37.760486 lb140.nyny.cotendo.net [my ipaddress] TCP http > cognex-insight [ACK] Seq=1 Ack=377 Win=6432 Len=0
2010-08-28 14:25:37.881849 lb140.nyny.cotendo.net [my ipaddress] HTTP HTTP/1.1 403 forbidden (text/html)
2010-08-28 14:25:38.190579 [my ipaddress] lb140.nyny.cotendo.net TCP cognex-insight > http [ACK] Seq=377 Ack=589 Win=64947 Len=0
2010-08-28 14:25:57.901817 lb140.nyny.cotendo.net [my ipaddress] TCP http > cognex-insight [FIN, ACK] Seq=589 Ack=377 Win=6432 Len=0
2010-08-28 14:25:57.901871 [my ipaddress] lb140.nyny.cotendo.net TCP cognex-insight > http [ACK] Seq=377 Ack=590 Win=64947 Len=0
** Note: no time gap **
2010-08-28 14:26:03.924709 [my ipaddress] lb140.nyny.cotendo.net TCP cognex-insight > http [FIN, ACK] Seq=377 Ack=590 Win=64947 Len=0
2010-08-28 14:26:03.944991 lb140.nyny.cotendo.net [my ipaddress] TCP http > cognex-insight [ACK] Seq=590 Ack=378 Win=6432 Len=0
I’m rusty when it comes to TCP/IP and Windows networking, but based on the above and observing the TCP/IP connections of Firefox and AvastSvc.exe with Sysinternals Process Explorer, my initial guess is that under some circumstances AvastSvc.exe might not be promptly recognizing and responding to the webserver closing its end.
I’m sharing this in the hopes that others can reproduce it and thus Avast folk can easily investigate further. Confirmation and comments appreciated. Thanks!
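A way to put numbers on what the two captures show, as an added example that is not part of the original post or anything from Avast: a small Python script that parses capture lines in the layout above, takes whoever sent the bare SYN as the client, and measures the gap between the server's FIN and the client's first FIN, counting how many times the client re-sent its FIN and how many RSTs the server answered with. The sample input is trimmed from the two captures in the post (HTTP request/response lines dropped); the 60-second "stale" cut-off and the CLIENT placeholder for the masked local address are assumptions of the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Packet:
    ts: datetime
    src: str
    dst: str
    proto: str
    info: str
    flags: frozenset


# TCP flag list as Wireshark prints it, e.g. "[FIN, ACK]" or "[RST]"
FLAGS_RE = re.compile(r"\[([A-Z]+(?:, [A-Z]+)*)\]")


def parse_capture(text):
    """Parse '<date> <time> <src> <dst> <proto> <info>' lines (the layout of the
    captures above) into Packets; lines without a timestamp ('** Note ... **') are skipped."""
    packets = []
    for raw in text.splitlines():
        # The post masks the local address as "[my ipaddress]"; make it a single token
        line = re.sub(r"\[my ip\w*\]", "CLIENT", raw.strip())
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue
        date, clock, src, dst, proto, info = parts
        try:
            ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        except ValueError:
            continue
        m = FLAGS_RE.search(info)
        flags = frozenset(f.strip() for f in m.group(1).split(",")) if m else frozenset()
        packets.append(Packet(ts, src, dst, proto, info, flags))
    return packets


def analyze_close(packets, stale_after_s=60.0):
    """Describe the teardown: the client is whoever sent the bare SYN. Reports the gap
    from the server's FIN to the client's first FIN, the number of client FINs and the
    number of RSTs. stale_after_s is an assumed cut-off, not a value from the post."""
    syn = next((p for p in packets if p.flags == {"SYN"}), None)
    if syn is None:
        raise ValueError("no SYN in capture; cannot tell client from server")
    client = syn.src
    server_fins = [p for p in packets if p.src != client and "FIN" in p.flags]
    client_fins = [p for p in packets if p.src == client and "FIN" in p.flags]
    rsts = [p for p in packets if "RST" in p.flags]
    gap = None
    if server_fins and client_fins:
        gap = (client_fins[0].ts - server_fins[0].ts).total_seconds()
    stale = (gap is not None and gap > stale_after_s) or bool(rsts)
    return {
        "client": client,
        "half_close_gap_s": gap,
        "client_fin_count": len(client_fins),
        "rst_count": len(rsts),
        "verdict": "stale half-close" if stale else "clean close",
    }


# Trimmed from the two captures in the post (HTTP request/response lines dropped)
WITH_WEBSHIELD = """\
2010-08-28 14:14:50.328672 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
2010-08-28 14:15:13.530165 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [FIN, ACK] Seq=1779 Ack=1121 Win=8576 Len=0
2010-08-28 14:15:13.530218 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [ACK] Seq=1121 Ack=1780 Win=65535 Len=0
** Note: time gap **
2010-08-28 14:16:48.927284 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:16:48.947329 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
2010-08-28 14:16:50.488877 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:16:50.509768 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
2010-08-28 14:16:53.660650 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:16:53.682473 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
2010-08-28 14:17:00.113569 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:17:00.134217 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
2010-08-28 14:17:12.910029 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:17:12.929682 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
2010-08-28 14:17:38.502955 [my ipaddress] lb140.nyny.cotendo.net TCP syscomlan > http [FIN, ACK] Seq=1121 Ack=1780 Win=65535 Len=0
2010-08-28 14:17:38.521268 lb140.nyny.cotendo.net [my ipaddress] TCP http > syscomlan [RST] Seq=1780 Win=0 Len=0
"""

WITHOUT_WEBSHIELD = """\
2010-08-28 14:25:37.721448 [my ipaddress] lb140.nyny.cotendo.net TCP cognex-insight > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
2010-08-28 14:25:57.901817 lb140.nyny.cotendo.net [my ipaddress] TCP http > cognex-insight [FIN, ACK] Seq=589 Ack=377 Win=6432 Len=0
2010-08-28 14:25:57.901871 [my ipaddress] lb140.nyny.cotendo.net TCP cognex-insight > http [ACK] Seq=377 Ack=590 Win=64947 Len=0
2010-08-28 14:26:03.924709 [my ipaddress] lb140.nyny.cotendo.net TCP cognex-insight > http [FIN, ACK] Seq=377 Ack=590 Win=64947 Len=0
2010-08-28 14:26:03.944991 lb140.nyny.cotendo.net [my ipaddress] TCP http > cognex-insight [ACK] Seq=590 Ack=378 Win=6432 Len=0
"""

if __name__ == "__main__":
    for name, cap in (("WebShield on", WITH_WEBSHIELD), ("WebShield off", WITHOUT_WEBSHIELD)):
        print(name, analyze_close(parse_capture(cap)))
```

Against the two captures above it reports roughly a 95.4 s gap and six client FINs each answered by an RST with WebShield running, versus a 6.0 s gap and a single, acknowledged FIN without it. An RST in reply to a FIN means the server no longer holds any state for that connection, so by the time the local side finally sent its FIN the peer had already discarded the socket; the local end had been sitting in CLOSE_WAIT for the whole gap after acknowledging the server's FIN.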