Avast using very excessive internet bandwidth & outbound connections ..

Hello there…

Been using Avast free antivirus for over 3-4 months now. All of a sudden, when my broadband usage and hence the bill started to shoot up, I became very conscious about the internet usage. (My connection is charged on the basis of the amount of data uploaded/downloaded.)

I am well aware that Avast automatically updates the virus definitions and program files as and when needed, and the update confirmation pop-up window shows up on my screen almost every single day. But all the updates are usually done within the first few minutes of my connection being established.

However, when browsing this noon I noticed something unusual. Though there wasn't any UL (upload) or DL (download) from my side, my broadband connection constantly kept pinging data, and the bandwidth meter that I had installed to monitor the amount of data exchanged started counting up the MBs at a rapid rate. Almost 40-50 MB of data was exchanged/downloaded within a couple of minutes.

My Comodo firewall application recorded more than 175 outbound connections, with Avast recording 99.9% of my bandwidth traffic. (Please refer to the screenshot here: http://img269.imageshack.us/img269/5790/avast1.jpg )

When I looked into the connections in detail from within the Comodo firewall application, I was shocked to see that the entire 50 MB+ of data was coming from the Avast application only. I then had to manually "terminate" the connections by right-clicking on them. I also changed the update settings for Avast to "Manual update".

Within moments of doing so and moving away from my PC, I was once again in for a surprise, as the bandwidth was being used again without any activity from my side. (Please refer to the screenshot here: http://img545.imageshack.us/img545/336/avast.jpg ) Several outbound connections from Avast, and the worst part is almost 140 MB+ of data being received!

I am really concerned. Could a regular update be the reason behind this? I don't think so, considering the fact that I update almost daily with no backlogs on the definitions. And the data in the screenshot did not stop growing after I took the screenshot! I had to manually terminate the connections again and shut down Avast.

The destination IPs also give me the creeps. Why are they so random?

208.117.241.288 - New Orleans, USA
194.221.68.21 - Berlin, Germany
212.77.100.95 - Poland
62.41.85.96 - Netherlands
195.59.171.20 - London, UK
195.27.182.37 - Frankfurt, Germany
173.194.37.104 - Brisbane, Australia
72.32.8.40 - Baltimore, US

Thanks for your time and help …!

Remember that the Avast! web shield acts as a proxy, and so the connections may not be initiated by Avast! but routed through it.
What part of Avast! was connecting? Was it the avast service?
Did you take note of the remote port these connections were pointing to?
What other programs did you have running at the time?
My cousin uses Comodo and he always sees most of the traffic as being from Avast!, but a check on the connections tells another story; usually it is a web browser or other program routing via the proxy.

Martin.-

Hi Martin,

Thanks for helping.

Well, if it was the Avast service, it is one of the shields acting as a proxy. And if you had Yahoo Messenger on, it was that program connecting, not Avast.
The traffic was either from the web shield or the Instant Messaging shield (if you check its options you'll see that it has a lot of clients it can monitor). You can either disable the shield or tell it to ignore the traffic from Yahoo Messenger, neither of which is recommended.
Whatever you do, you'll still have traffic to report. You see, if you disable the Avast shields, Yahoo Messenger will connect on its own and still generate the traffic.
As to why it was causing so much of it, I don't know, since I don't use the program.
It could also have done some HTTP check, since if I remember correctly it connects to other networks and services (it does tell you when you receive mail, doesn't it?).

I'm not too technical either, but the proxy on the shields works like this (to my understanding): when a program attempts a connection for which Avast has a shield in place, the connection will go through the proxy (usually on a local connection, 127.0.0.1, which is your localhost (PC) IP) and from there to its destination, and so you'll see Avast connecting and not that particular program.

Also, to my understanding, Comodo doesn't deal very well with proxies. I used to use PC Tools; it has a version 7 in beta which correctly detects Avast's proxy service and acts upon it. Very helpful.

Martin.-
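The mechanism Martin describes above (the browser or IM client connects to the shield's listener on 127.0.0.1, and the shield then makes the real outbound connection under its own process) can be checked from a plain connection table, which also answers the earlier question about remote ports. The following is an added example, not code from this thread, from Avast or from Comodo. It assumes a Windows-style `netstat -ano` listing and a PID-to-process-name map such as `tasklist` would provide; both are constructed inline here, and the proxy port 12080, the PIDs and the process names are assumptions for the demonstration. It matches loopback connections from other processes to the proxy's listening port (those processes are the true originators), counts the proxy's own external connections by remote port (the proxied traffic), and lists what bypasses the proxy entirely.

```python
"""Attribute outbound traffic seen behind a local AV shield proxy to the originating process.

Added example, not code from the thread or from Avast/Comodo. Assumes
``netstat -ano`` output and a PID->name map as ``tasklist`` would give;
both are constructed below. Port 12080 and the process names are assumed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what ``netstat -ano`` might print while a browser
# and an IM client run behind the shield proxy (PID 1184). Not real output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1184
  TCP    127.0.0.1:12080        127.0.0.1:49321        ESTABLISHED     1184
  TCP    127.0.0.1:49321        127.0.0.1:12080        ESTABLISHED     2312
  TCP    127.0.0.1:12080        127.0.0.1:49322        ESTABLISHED     1184
  TCP    127.0.0.1:49322        127.0.0.1:12080        ESTABLISHED     2312
  TCP    192.168.1.5:49330      173.194.37.104:80      ESTABLISHED     1184
  TCP    192.168.1.5:49331      72.32.8.40:80          ESTABLISHED     1184
  TCP    192.168.1.5:49335      194.221.68.21:443      ESTABLISHED     2312
  TCP    192.168.1.5:49340      212.77.100.95:5050     ESTABLISHED     3400
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  UDP    0.0.0.0:5355           *:*                                    1200
"""

# Constructed PID map (assumed names; in practice take it from ``tasklist``).
SAMPLE_PIDS = {1184: "AvastSvc.exe", 2312: "firefox.exe",
               3400: "YahooMessenger.exe", 812: "svchost.exe", 1200: "svchost.exe"}


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


def _split_endpoint(ep):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', 0). rpartition keeps IPv6 intact."""
    host, _, port = ep.rpartition(":")
    return host, int(port) if port.isdigit() else 0


def parse_netstat(text):
    """Parse ``netstat -ano`` output into Conn records, skipping header lines."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) == 5 else ""   # UDP rows have no state column
        pid = int(fields[-1])
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, pid))
    return conns


def _is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def _is_external(ip):
    return ip not in ("0.0.0.0", "*", "[::]") and not _is_loopback(ip)


def attribute_connections(conns, pid_names, proxy_name="AvastSvc.exe"):
    """Split connections into: processes talking to the proxy over loopback
    (the real originators), the proxy's own external connections keyed by
    remote port (proxied traffic), and connections that bypass the proxy."""
    proxy_pids = {pid for pid, name in pid_names.items() if name == proxy_name}
    proxy_ports = {c.local_port for c in conns
                   if c.pid in proxy_pids and c.state == "LISTENING" and _is_loopback(c.local_ip)}
    clients, proxied, direct = Counter(), Counter(), Counter()
    for c in conns:
        name = pid_names.get(c.pid, f"pid{c.pid}")
        if c.state == "LISTENING":
            continue
        if c.pid in proxy_pids:
            if _is_external(c.remote_ip):
                proxied[c.remote_port] += 1
        elif _is_loopback(c.remote_ip) and c.remote_port in proxy_ports:
            clients[name] += 1           # this process is the true origin of proxied traffic
        elif _is_external(c.remote_ip):
            direct[f"{name}:{c.remote_port}"] += 1
    return {"proxy_ports": sorted(proxy_ports), "proxy_clients": dict(clients),
            "proxied_by_remote_port": dict(proxied), "direct_external": dict(direct)}


if __name__ == "__main__":
    result = attribute_connections(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PIDS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample this reports one proxy listener (12080), `firefox.exe` as the only loopback client of that listener, both of the proxy's external connections on remote port 80, and `firefox.exe:443` plus `YahooMessenger.exe:5050` as direct connections that never touched the proxy. A firewall that attributes by owning process will show the two port-80 connections as "Avast", which is exactly the picture the thread describes; the loopback pairs are what reveal who really asked for them. Byte counts per connection are not in `netstat` output, so to put sizes against originators you would need the firewall's own per-connection log, as suggested later in the thread.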

Pretty much all the data you are seeing as downloaded by avast! was in fact downloaded by you and just passed through avast!. There is some traffic generated by avast! but that’s only for virus definition updates and CommunityIQ service. But this one only uploads stats if you encounter anything malicious.

@RejZoR and @MasterTB

As I said earlier, no other services apart from the messenger were running. Is it possible for Yahoo Messenger to receive so much (150 MB) of data? "Receive" is where I'm confused, as the data is shown under "bytes in". It would be very helpful if someone could let me know what this could possibly be. Updates are set to manual, though.

Anyway, will monitor this once again with no other applications running in the background…

Windows Updates? Guessing here.
But yes, it could be that Yahoo downloaded as much as that. As said before, take a look at Comodo firewall's logs; that should tell you a lot. If you don't know where to look, zip them and post them, or PM me and I could take a look to see if there is something else.
BTW, is this an isolated incident, or has it repeated since?

Martin.-

Windows Update... mm... I have always had it disabled.

The logs. Yes, I was getting there. I wanted to know if there was a way to check the original source of the traffic that is actually routed through Avast. Considering that these Comodo logs could help us find that, my question would be how I get to these logs, as I don't know what I'm supposed to zip and send over to you.

And this might not be an isolated incident. My broadband bill for the month of August also went well beyond my 'actual' usage (meaning the time when I myself was sitting in front of the computer downloading/browsing).
Oh, if you meant has it re-occurred since yesterday: no, it hasn't. (I have turned off automatic updates in Avast.)

Also… may I add…
You said that all my network traffic from various applications like my browser is actually routed through Avast for malware scanning, etc. Due to this, Comodo shows that traffic as though it were from Avast.

I'm still confused with this because all the other applications that I use also have individual network traffic entries of their own within Comodo's 'Active connections' window. Why would that be?

Well, not all traffic will be routed. The proxy usually routes HTTP traffic and mail traffic, so yes, you'll see other apps directly connecting to the WWW in Comodo. There is nothing to worry about there, as that info will be checked by the resident scanner.

I can't be more technical on this because, sincerely, I'm not a techie. :)

Martin.-

Guess you missed my previous post ;) The logs?

Sorry, working... :)

If I remember correctly, when you see active connections in the firewall there is a "more..." button (I speak Spanish natively and that is a rough translation); clicking that button should show you the detailed logs and give you the option to save them (export them).

On the other hand, I forgot to ask if you're using Defense+, since that is a good source. This is why: Defense+ will alert you when a program tries to use another to connect, so checking (on the D+ tab) the settings for the programs could show some more info. Like I said, I haven't used Comodo in a while, so I'm a little rusty.

Martin.-

Edit: you can find the Comodo Firewall Help here: https://forums.comodo.com/firewall-help-cis-b135.0/
and here is the user manual, just in case: http://www.personalfirewall.comodo.com/Comodo_Internet_Security_2011_User_Guide.pdf
I'll always ask: did you read the manual? :) :) :)