Avast sites inbound UDP & ICMP requests

Dear all,

We have a PC with Avast Home 4.7 installed. It works very well. Thank-you.
Our other PCs use E-Scan.

I was looking at our logs today and noticed these entries on our PIX:

106014: Deny inbound icmp src outside:75.126.53.163 dst inside:84.nnn.nnn.nnn (type 0, code 0)
106014: Deny inbound icmp src outside:75.126.38.77 dst inside:84.nnn.nnn.nnn (type 0, code 0)
106014: Deny inbound icmp src outside:75.126.38.78 dst inside:84.nnn.nnn.nnn (type 0, code 0)
106014: Deny inbound icmp src outside:75.126.38.75 dst inside:84.nnn.nnn.nnn (type 0, code 0)
106007: Deny inbound UDP from 62.42.230.24/53 to 84.nnn.nnn.nnn/1310 due to DNS Response
106007: Deny inbound UDP from 62.42.230.24/53 to 84.nnn.nnn.nnn/1310 due to DNS Response
106007: Deny inbound UDP from 62.42.63.52/53 to 84.nnn.nnn.nnn/1310 due to DNS Response
106014: Deny inbound icmp src outside:75.126.53.164 dst inside:84.nnn.nnn.nnn (type 0, code 0)
106014: Deny inbound icmp src outside:75.126.53.165 dst inside:84.nnn.nnn.nnn (type 0, code 0)
106014: Deny inbound icmp src outside:75.126.38.76 dst inside:84.nnn.nnn.nnn (type 0, code 0)

The IP addresses resolve back to :
Name: sl73.avast.com
Address: 75.126.53.162
Name: sl80.avast.com
Address: 75.126.38.76
…And so on.

What is going on? Why would Avast try and connect back to a PC that runs Avast, especially when almost all PCs have firewalls and block such communications.

Could someone make a comment about this?

Regards.

Generally, the update process need to check your files/virus database versions to allow updating.
But I’m not sure about the protocols used (icmp and UDP). I’m not a firewall or network communications expert.
Hope someone from Alwil could drop a word here…

I thought that the update process was pulled from the Avast server by the client. ^^
I would be unhappy to know that it was the reverse.

Check this please: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=25

Thank-you from the link.

How does the update service work?

* At first, avast! tries to detect if the computer is connected to the Internet - it sends a ‘packet’ (message) to one of our servers and waits for reply.
* If the ‘packet’ is received, avast! “knows” that the computer is connected and the update may begin.

This is fine because the connection is initiated from the actual PC and would therefore traverse the firewall, unless when you say ‘send a packet’ you really meant send a ping, then it will never work for our computers. See notes below.

* If there´s no reply to the ‘packet’ sent, avast! will try to ping (connect to) the server again every 40 seconds.
* If the ping is successful, avast! connects to our server and checks if there´s any new updates available.

Ping will never be successful since the firewall drops all incoming and outgoing ICMP bar unreachable.

* If there is, avast! will download and install them. If not, avast! will wait for 4 hours and then try to connect and check for updates again.
* In short: avast! detects the connection to the Internet every 40 seconds and looks for new updates every 4 hours.


However, this fails to explain the ICMP echo-reply because ICMP echo is blocked by the Cisco PIX in the first place. Now I understand the rest I won’t worry about it. I shall leave it alone because the client will update once every four hours anyway. Also, I see that I can disable this on the client.

Many thanks for your quick replies.

Mr.Qwerty.

To reduce the update time, change update settings. The minimum period is 240 minutes.
http://forum.avast.com/index.php?topic=1647.msg10264#msg10264