Dozens of 12080 Ports Opened.

Hello, I am a long time user of Avast! Home. I love it, it works really well. I was recently getting very bad connection issues. I opened up cmd and ran a netstat, I found that I had DOZENS of 12080 ports looping back to localhost. This had me a bit concerned since I had no idea what it was, but since I knew it was staying inside, and not sending or receiving information from the outside I was not overly anxious. I ran a

netstat /a /n /o >c:\netstat.txt

to get a log file of what it looks like.

I used a bold font for the 12080 connections.

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 980
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:1190 127.0.0.1:1191 ESTABLISHED 2824
TCP 127.0.0.1:1191 127.0.0.1:1190 ESTABLISHED 2824
TCP 127.0.0.1:1192 127.0.0.1:1193 ESTABLISHED 2824
TCP 127.0.0.1:1193 127.0.0.1:1192 ESTABLISHED 2824
TCP 127.0.0.1:1196 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1198 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1598 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1669 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1691 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1693 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1695 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1697 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1701 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1703 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1705 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1707 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1708 127.0.0.1:12080 ESTABLISHED 2824
TCP 127.0.0.1:1711 127.0.0.1:12080 TIME_WAIT 0

TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING 1888
TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING 2120
TCP 127.0.0.1:12080 127.0.0.1:1196 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1198 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1598 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1623 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1625 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1627 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1629 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1631 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1633 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1635 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1637 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1639 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1641 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1643 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1645 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1647 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1649 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1651 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1653 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1655 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1657 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1659 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1661 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1663 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1665 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1669 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1673 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1675 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1677 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1679 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1681 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1683 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1685 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1687 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1689 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1691 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1693 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1695 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1697 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1699 TIME_WAIT 0
TCP 127.0.0.1:12080 127.0.0.1:1701 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1703 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1705 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1707 ESTABLISHED 2120
TCP 127.0.0.1:12080 127.0.0.1:1708 ESTABLISHED 2120

TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING 1888
TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING 1888
TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING 1888
TCP 192.168.1.100:139 0.0.0.0:0 LISTENING 4
TCP 192.168.1.100:1668 209.85.159.99:80 TIME_WAIT 0
TCP 192.168.1.100:1714 65.214.43.37:80 TIME_WAIT 0
TCP 192.168.1.100:1728 65.54.239.20:1863 TIME_WAIT 0
TCP 192.168.1.100:1729 207.46.111.66:1863 ESTABLISHED 556
TCP 192.168.1.100:1730 65.55.239.188:80 ESTABLISHED 556
TCP 192.168.1.100:1731 216.207.68.80:80 ESTABLISHED 556
TCP 192.168.1.100:1732 65.32.34.146:80 ESTABLISHED 556
TCP 192.168.1.100:1734 65.32.34.131:80 ESTABLISHED 556
TCP 192.168.1.100:13099 192.168.1.1:2869 CLOSING 556
TCP 192.168.1.100:19306 192.168.1.1:2869 CLOSING 556
UDP 0.0.0.0:445 : 4
UDP 0.0.0.0:500 : 768
UDP 0.0.0.0:1025 : 1156
UDP 0.0.0.0:1058 : 556
UDP 0.0.0.0:1121 : 1156
UDP 0.0.0.0:1122 : 1156
UDP 0.0.0.0:1294 : 1156
UDP 0.0.0.0:4500 : 768
UDP 127.0.0.1:123 : 1076
UDP 127.0.0.1:1112 : 556
UDP 127.0.0.1:1727 : 1076
UDP 127.0.0.1:1900 : 1232
UDP 192.168.1.100:123 : 1076
UDP 192.168.1.100:137 : 4
UDP 192.168.1.100:138 : 4
UDP 192.168.1.100:1726 : 1076
UDP 192.168.1.100:1900 : 1232
UDP 192.168.1.100:14960 : 556
UDP 192.168.1.100:41340 : 556

At first I thought I had a virus, because I recently cleaned up a virus which had symptoms quite similar to this, on another computer. But after running hijackthis, and doing a bit of research I am confident that I do not have a virus. And the 12080 port is part of Avast!'s engine. Not sure if its for updates or whatever else, this information was not made clear on your support section.

The number of opened ports seemed to come down drastically to only about 3 or 4 open. I am curious, is the number of ports avast is opened really necessary? Constantly sending information back to myself seemed to kill my net speed. It is quite possible that my connection issues are completely unrelated to this, and it just happened to be a coincidence that my connection was failing at the same time. Whatever the case may be, I thought this information might be beneficial.

Let me know if there is any information I can provide.

Were you browsing before this log? If so, it’s pretty normal. It seems to be Avast! Web Shield (ashWebSv.exe)'s loopbacks. Web Shield is a local proxy, which watches for HTTP connections while sitting at port 12080. It looks for virus/malware between your web browser and web pages, trying to prevent them from getting into your computer.

From [b][u][color=blue]Avast! Support Center

What is Web Shield and how does it work?

Solution

Starting from the version 4.6. avast! comes with a new on-access scanning provider - Web Shield.
It is able to monitor and filter all HTTP traffic coming from the Web sites on the Internet. It’s implemented as a HTTP proxy running on your PC.
Connections from your Web browser are redirected to the Web Shield module. Web Shield in turn connects to the requested web server and while downloading the content it scans it for viruses and Trojans. Only the clean data is delivered to the browser, every malware is stopped before it gets saved on your PC.

You can also see something listening at ports 12025, 12110, 12119, 12143 (You can see the associations…12xxx). It’s Avast! Internet Mail provider (ashMaiSv.exe). It’s another local proxy for email applications and its job is, of course, checking in-coming/out-going email messages or strictly speaking, virus and malware attached to them. The reason why you don’t see any activity i.e. their being in all listening status in the log most likely means you or “something else” were not using email applications.

Please consider them as gate-keepers for your computer. They are checking the common routes where malware get through to your computers.

No I wasn’t browsing, I was just playing a game. And before I got the log, I did an ipconfig /release and /renew to flush all of my connections. That log was taken on a completely fresh connection.

But I’m glad there is a little bit of explanation as to what they are for exactly. I still don’t understand why so many had to be opened, at first glance it was intimidating.

Hmmm… Problem is that I cannot see what processes were running. If you are still worried, how about using app such as [u][b][color=blue]CurrPorts? It’s small and handy.

It’s pretty normal for loopbacks.

That seems like a very cool app. I will definitely use it.

If the game uses http connections, that will be the same, i.e., WebShield will be scanning the connections at 12080.

Dozens of loopbacks when surfing one website should be normal?
I have just opened ‘avast.com’ in chrome when suddenly 136 Loopback conns appeared. I see no sense in that proxy. How can I get rid of it without loosing basic safety?

Well ok, the proxy might be a nice feature, BUT it’s disturbing the net connectivity since it is overloading the network-stack with its virtual connections. Windows cannot handle such amount of tcp-conns.

Thanks
Matze

Well, you post in a pretty old topic…but that aside, the Web Shield’s function is relatively the same still, so I guess it is ok.

It can’t? News to me and the vast majority of Avast! users who have no problems with it. But if it disturbs you, this is purely the Web Shield at play, so…disable it. You still have “basic safety”, the File System Shield will still scan anything that lands on your HDD, in addition to Network Shield and other Avast! components. You will be giving up scanning http traffic in your browser.

When there are 100+ loopback connections, the browser does everything with a high latency.
(i.e. I klick a link and it takes 3 minutes till there is a reaction; Or even worse: If it takes too much time before a website sends response, Windows Network Center reports disconnection from the internet.)
But when the loopbacks are gone everything runs fast.
So I assume, that windows has a problem with too many parallel connections.

By the way, your suggestion is working. I disabled the Web Shield and got no buggin anymore.

Thannks

There is most certainly something else in the mix, as if this truly was the case then these forums would be on fire about it.

My links open almost instantly and using the same netstat command you gave there is nothing close to what you are recording whilst just on-line for this topic (XP Pro SP3).

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 672
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING 4064
TCP 127.0.0.1:1048 127.0.0.1:1049 ESTABLISHED 2460
TCP 127.0.0.1:1049 127.0.0.1:1048 ESTABLISHED 2460
TCP 127.0.0.1:1056 127.0.0.1:1057 ESTABLISHED 2460
TCP 127.0.0.1:1057 127.0.0.1:1056 ESTABLISHED 2460
TCP 127.0.0.1:1062 127.0.0.1:1063 ESTABLISHED 3372
TCP 127.0.0.1:1063 127.0.0.1:1062 ESTABLISHED 3372
TCP 127.0.0.1:1066 127.0.0.1:1067 ESTABLISHED 3372
TCP 127.0.0.1:1067 127.0.0.1:1066 ESTABLISHED 3372
TCP 127.0.0.1:1698 127.0.0.1:12080 ESTABLISHED 3372
TCP 127.0.0.1:1699 127.0.0.1:12080 ESTABLISHED 3372
TCP 127.0.0.1:1701 127.0.0.1:12080 ESTABLISHED 3372
TCP 127.0.0.1:1708 127.0.0.1:12080 ESTABLISHED 3372
TCP 127.0.0.1:1715 127.0.0.1:12080 ESTABLISHED 3372
TCP 127.0.0.1:1717 127.0.0.1:12080 ESTABLISHED 3372
TCP 127.0.0.1:5152 0.0.0.0:0 LISTENING 2860
TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING 852
TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING 852
TCP 127.0.0.1:12080 127.0.0.1:1698 ESTABLISHED 852
TCP 127.0.0.1:12080 127.0.0.1:1699 ESTABLISHED 852
TCP 127.0.0.1:12080 127.0.0.1:1701 ESTABLISHED 852
TCP 127.0.0.1:12080 127.0.0.1:1708 ESTABLISHED 852
TCP 127.0.0.1:12080 127.0.0.1:1715 ESTABLISHED 852
TCP 127.0.0.1:12080 127.0.0.1:1717 ESTABLISHED 852
TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING 852
TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING 852
TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING 852
TCP 127.0.0.1:12465 0.0.0.0:0 LISTENING 852
TCP 127.0.0.1:12563 0.0.0.0:0 LISTENING 852
TCP 127.0.0.1:12993 0.0.0.0:0 LISTENING 852
TCP 127.0.0.1:12995 0.0.0.0:0 LISTENING 852
TCP 192.168.1.72:139 0.0.0.0:0 LISTENING 4
TCP 192.168.1.72:1512 209.62.2.75:443 CLOSE_WAIT 496
TCP 192.168.1.72:1513 209.62.2.75:443 CLOSE_WAIT 496
TCP 192.168.1.72:1514 207.218.232.82:443 CLOSE_WAIT 496
TCP 192.168.1.72:1515 207.218.232.82:443 CLOSE_WAIT 496
TCP 192.168.1.72:1516 207.218.232.82:443 CLOSE_WAIT 496
TCP 192.168.1.72:1517 207.218.232.82:443 CLOSE_WAIT 496
TCP 192.168.1.72:1631 96.8.83.129:80 CLOSE_WAIT 1636
TCP 192.168.1.72:1702 77.238.187.43:80 CLOSE_WAIT 852
TCP 192.168.1.72:1703 77.238.187.43:80 CLOSE_WAIT 852
TCP 192.168.1.72:1705 77.238.187.43:80 CLOSE_WAIT 852
TCP 192.168.1.72:1709 69.60.7.199:80 ESTABLISHED 852
TCP 192.168.1.72:1716 209.85.146.132:80 ESTABLISHED 852
TCP 192.168.1.72:1718 209.85.146.118:80 ESTABLISHED 852
TCP [::]:135 [::]:0 LISTENING 180
TCP [::]:2869 [::]:0 LISTENING 672
UDP 0.0.0.0:445 : 4
UDP 0.0.0.0:500 : 1776
UDP 0.0.0.0:4500 : 1776
UDP 127.0.0.1:123 : 348
UDP 127.0.0.1:1037 : 348
UDP 127.0.0.1:1900 : 672
UDP 192.168.1.72:123 : 348
UDP 192.168.1.72:137 : 4
UDP 192.168.1.72:138 : 4
UDP 192.168.1.72:1900 : 672

Have you changed any of the avast settings, avastUI, Settings, Troubleshooting, Redirect settings, added anything to the redirect ports or unchecked the Ignore local communication ?

EDIT: re ran the netstat command as it didn’t over write an existing file, so the last stats were incorrect.

I personally don’t understand either of your connections.

I use IE8.

My IE8 browser will send TCP with source port in the 49154 - 65535 range to localhost port 12080. Avastsvc.exe then opens up a bunch of localhost ports in the 12000 - 12999 range. Avastsvc.exe then sends the http output from those localhost ports to TCP ports in the 48152 - 65535 range.

Forgot to mention that I use WIN 7 x64. That might explain the higher values in port numbering. TCP/IP is different in 7 than XP. However the workings of using a localhost proxy remain the same. One port on the localhost is designated to receive output from the browser. The proxy then takes over and eventually routes the http traffic to the Internet.

BTW - proxies are very bad if you do VPN connections since the firewall is bypassed entirely. I also suspect the same might hold true for IPv6 tunnels?

Hi, you are speaking about hundreds but you only have 13 connections established from our localhost webshield proxy. I don’t see that to be such a problem. The truth is that having webshield enabled doubles the number of connections used during browsing – but I wouldn’t see a localhost connection to be something so pricey here. If you ponder about all the other things webshield does, like scanning the file, which involves opening and saving temporary file on disc, possibly unpacking it, running the heuristics on it, running polymorphic algorithms etc. - then I would really thing that this is neglectable.

Windows is able to handle tens of thousand connections, however if your working habits include having frequently opened those thousands of connections in the web browsers (rare but possible) you might indeed consider disabling WebShield completely. For normal computer usage other factors would be more important that the number of lines visible in the netstat output.

I just noticed this today, after getting fed up with my system being irrationally slow online, while my fiancee’s system next to mine (connected to the same router) had none of the lag.

Looking at the port traffic, I saw hundreds of “unknown” connections, all from port 12080, and the destination ports were a constant escalation. HUNDREDS of these connections. It looks exactly like a portscan in its activity and progression.
Look, I don’t care if this thing is only referencing the internal loopback address; the system still has to tend to the constant stream of new ports being opened by Avast as it runs through this routine that apparently somebody thought would be acceptable behavior, and it most certainly has an adverse affect on the system’s ability to process the web traffic I’m actually wanting it to do.

Total active ports on system with Avast running (and most frivolous add-ons like Web Shield and Mail Shield turned off): 586
Total active ports on system with Microsoft Security Essentials running instead (stock installation, no settings modified): 145

Folks, that is a whopping 441 ports that Avast was keeping in the list. Now to be fair, 302 of those were in Time Wait state (waiting to timeout and close), but that means that Avast is still actively keeping 139 ports open/listening/established at a time, opening new ones with incrementally increasing destination ports. That is simply not acceptable for a program that is supposed to be a behind-the-scenes utility. I want my anti-virus scanner to be almost a thing forgotten until it’s needed. If I wanted a system of protection that intentionally lagged my system, I would’ve installed McAffee’s or Symantec’s products.

As it is, since this behavior seems to have been defended for years on these forums as legitimate and as-intended, I have no choice but to switch away from a long-time friend that seems to be following in the “big guys’” footsteps with the feature creep, social networking and internal advertising.

Sorry, but the mere fact that you have some open ports/connections doesn’t slow down your system - even if you say it “most certainly” does (so if a slowdown happens, it’s not because if this).

You have revived a thread more than two years old - so it has most likely little relevance for anything current.
On Windows 7 or higher, avast! v9 uses a different mechanism (than the local proxy). Since you don’t say what operating system you have, it’s not clear what applies in your case.