We believe our network IDS is false positive’ing on ICMP (pings) coming from the Avast SecureLine VPN client.
The packets we see are normally considered to be associated with the Alureon Trojan and wanted to establish if there was a way to distinguish between the two.
Can you please confirm functionality of your software?
1. Does your product send ICMP pings?
2. If so, what is the purpose?
3. If so, is it configurable? Can it be changed, enabled, disabled?
We have had to retire a signature that detected the Alureon Botnet and explain a false positive to the customer. This is already done. You are sending the same string of "E"s that the Bot did.
If you want to avoid this in the future, you would have to change the ping payload. My suggestion would be something like “AvastAvastAv…”.
Do you indeed send pings with EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE as the payload?
If so why? Was there a reason for the E’s or was this just a coincidence?
Yes, we send ICMP Echo Requests with a payload consisting of 32 'E's. The payload was chosen randomly.
The payload pattern is not restricted to a single company and anyone can use whatever he wants. Unfortunately, in this case it was chosen by the botnet, and the same can happen even in the case of the 'AvastAvast…' pattern you're suggesting.
As the pings are deterministic (the destination is one of our servers), I suggest extending the signature.
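As an added example (not code from the thread or from Avast), detection logic in the spirit of the extended signature suggested above: flag an ICMP Echo Request only when it carries the 32-byte 'E' payload *and* its destination is not one of the VPN servers. The VPN server range is not given on the page, so an RFC 5737 documentation prefix stands in for it, and the sample packets are constructed inline.

```python
import ipaddress
import struct

# Placeholder allow-list: the real VPN server range is not on the page, so a
# documentation prefix (RFC 5737) is assumed here.
VPN_SERVER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# The 32-byte pattern both the botnet and the VPN client are reported to send.
ALUREON_PAYLOAD = b"E" * 32


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Construct an IPv4 packet carrying an ICMP Echo Request (sample input only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip_hdr + icmp


def classify_icmp(packet: bytes) -> str:
    """Return 'benign-vpn', 'suspicious' or 'ignore' for one raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if packet[9] != 1:                    # protocol 1 = ICMP
        return "ignore"
    dst = ipaddress.ip_address(packet[16:20])
    icmp = packet[ihl:]
    icmp_type, _code, cksum = struct.unpack("!BBH", icmp[:4])
    # Only well-formed Echo Requests are of interest; drop corrupted ones.
    if icmp_type != 8 or icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) != cksum:
        return "ignore"
    if icmp[8:] != ALUREON_PAYLOAD:       # payload follows the 8-byte ICMP header
        return "ignore"
    # The payload alone is ambiguous; the destination is what separates the senders.
    if any(dst in net for net in VPN_SERVER_NETS):
        return "benign-vpn"
    return "suspicious"
```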