Hello, I am a long time user of Avast! Home. I love it, it works really well. I was recently getting very bad connection issues. I opened up cmd and ran a netstat, I found that I had DOZENS of 12080 ports looping back to localhost. This had me a bit concerned since I had no idea what it was, but since I knew it was staying inside, and not sending or receiving information from the outside I was not overly anxious. I ran a
At first I thought I had a virus, because I recently cleaned up a virus which had symptoms quite similar to this, on another computer. But after running HijackThis, and doing a bit of research, I am confident that I do not have a virus. And the 12080 port is part of Avast!'s engine. Not sure if it's for updates or whatever else; this information was not made clear on your support section.
The number of opened ports seemed to come down drastically to only about 3 or 4 open. I am curious, is the number of ports avast has opened really necessary? Constantly sending information back to myself seemed to kill my net speed. It is quite possible that my connection issues are completely unrelated to this, and it just happened to be a coincidence that my connection was failing at the same time. Whatever the case may be, I thought this information might be beneficial.
Let me know if there is any information I can provide.
Were you browsing before this log? If so, it’s pretty normal. It seems to be Avast! Web Shield (ashWebSv.exe)'s loopbacks. Web Shield is a local proxy, which watches for HTTP connections while sitting at port 12080. It looks for virus/malware between your web browser and web pages, trying to prevent them from getting into your computer.
Starting from the version 4.6. avast! comes with a new on-access scanning provider - Web Shield.
It is able to monitor and filter all HTTP traffic coming from the Web sites on the Internet. It’s implemented as a HTTP proxy running on your PC.
Connections from your Web browser are redirected to the Web Shield module. Web Shield in turn connects to the requested web server and while downloading the content it scans it for viruses and Trojans. Only the clean data is delivered to the browser, every malware is stopped before it gets saved on your PC.
You can also see something listening at ports 12025, 12110, 12119, 12143 (You can see the associations…12xxx). It’s Avast! Internet Mail provider (ashMaiSv.exe). It’s another local proxy for email applications and its job is, of course, checking in-coming/out-going email messages or strictly speaking, virus and malware attached to them. The reason why you don’t see any activity i.e. their being in all listening status in the log most likely means you or “something else” were not using email applications.
Please consider them as gate-keepers for your computer. They are checking the common routes where malware get through to your computers.
No I wasn’t browsing, I was just playing a game. And before I got the log, I did an ipconfig /release and /renew to flush all of my connections. That log was taken on a completely fresh connection.
But I’m glad there is a little bit of explanation as to what they are for exactly. I still don’t understand why so many had to be opened, at first glance it was intimidating.
Hmmm… Problem is that I cannot see what processes were running. If you are still worried, how about using an app such as CurrPorts? It’s small and handy.
Dozens of loopbacks when surfing one website should be normal?
I have just opened ‘avast.com’ in chrome when suddenly 136 Loopback conns appeared. I see no sense in that proxy. How can I get rid of it without losing basic safety?
Well ok, the proxy might be a nice feature, BUT it’s disturbing the net connectivity since it is overloading the network-stack with its virtual connections. Windows cannot handle such amount of tcp-conns.
Well, you post in a pretty old topic…but that aside, the Web Shield’s function is relatively the same still, so I guess it is ok.
It can’t? News to me and the vast majority of Avast! users who have no problems with it. But if it disturbs you, this is purely the Web Shield at play, so…disable it. You still have “basic safety”, the File System Shield will still scan anything that lands on your HDD, in addition to Network Shield and other Avast! components. You will be giving up scanning http traffic in your browser.
When there are 100+ loopback connections, the browser does everything with a high latency.
(i.e. I click a link and it takes 3 minutes till there is a reaction; or even worse: if it takes too much time before a website sends a response, Windows Network Center reports disconnection from the internet.)
But when the loopbacks are gone everything runs fast.
So I assume, that windows has a problem with too many parallel connections.
By the way, your suggestion is working. I disabled the Web Shield and got no buggin anymore.
There is most certainly something else in the mix, as if this truly was the case then these forums would be on fire about it.
My links open almost instantly and using the same netstat command you gave there is nothing close to what you are recording whilst just on-line for this topic (XP Pro SP3).
Have you changed any of the avast settings, avastUI, Settings, Troubleshooting, Redirect settings, added anything to the redirect ports or unchecked the Ignore local communication?
EDIT: re-ran the netstat command as it didn’t overwrite an existing file, so the last stats were incorrect.
I personally don’t understand either of your connections.
I use IE8.
My IE8 browser will send TCP with source port in the 49154 - 65535 range to localhost port 12080. Avastsvc.exe then opens up a bunch of localhost ports in the 12000 - 12999 range. Avastsvc.exe then sends the http output from those localhost ports to TCP ports in the 48152 - 65535 range.
Forgot to mention that I use WIN 7 x64. That might explain the higher values in port numbering. TCP/IP is different in 7 than XP. However the workings of using a localhost proxy remain the same. One port on the localhost is designated to receive output from the browser. The proxy then takes over and eventually routes the http traffic to the Internet.
BTW - proxies are very bad if you do VPN connections since the firewall is bypassed entirely. I also suspect the same might hold true for IPv6 tunnels?
Hi, you are speaking about hundreds but you only have 13 connections established from our localhost webshield proxy. I don’t see that to be such a problem. The truth is that having webshield enabled doubles the number of connections used during browsing – but I wouldn’t see a localhost connection to be something so pricey here. If you ponder about all the other things webshield does, like scanning the file, which involves opening and saving a temporary file on disc, possibly unpacking it, running the heuristics on it, running polymorphic algorithms etc. - then I would really think that this is negligible.
Windows is able to handle tens of thousands of connections, however if your working habits include having frequently opened those thousands of connections in the web browsers (rare but possible) you might indeed consider disabling WebShield completely. For normal computer usage other factors would be more important than the number of lines visible in the netstat output.
I just noticed this today, after getting fed up with my system being irrationally slow online, while my fiancee’s system next to mine (connected to the same router) had none of the lag.
Looking at the port traffic, I saw hundreds of “unknown” connections, all from port 12080, and the destination ports were a constant escalation. HUNDREDS of these connections. It looks exactly like a portscan in its activity and progression.
Look, I don’t care if this thing is only referencing the internal loopback address; the system still has to tend to the constant stream of new ports being opened by Avast as it runs through this routine that apparently somebody thought would be acceptable behavior, and it most certainly has an adverse effect on the system’s ability to process the web traffic I’m actually wanting it to do.
Total active ports on system with Avast running (and most frivolous add-ons like Web Shield and Mail Shield turned off): 586
Total active ports on system with Microsoft Security Essentials running instead (stock installation, no settings modified): 145
Folks, that is a whopping 441 ports that Avast was keeping in the list. Now to be fair, 302 of those were in Time Wait state (waiting to timeout and close), but that means that Avast is still actively keeping 139 ports open/listening/established at a time, opening new ones with incrementally increasing destination ports. That is simply not acceptable for a program that is supposed to be a behind-the-scenes utility. I want my anti-virus scanner to be almost a thing forgotten until it’s needed. If I wanted a system of protection that intentionally lagged my system, I would’ve installed McAfee’s or Symantec’s products.
As it is, since this behavior seems to have been defended for years on these forums as legitimate and as-intended, I have no choice but to switch away from a long-time friend that seems to be following in the “big guys’” footsteps with the feature creep, social networking and internal advertising.
Sorry, but the mere fact that you have some open ports/connections doesn’t slow down your system - even if you say it “most certainly” does (so if a slowdown happens, it’s not because of this).
You have revived a thread more than two years old - so it has most likely little relevance for anything current.
On Windows 7 or higher, avast! v9 uses a different mechanism (than the local proxy). Since you don’t say what operating system you have, it’s not clear what applies in your case.
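
The following is an added example, not part of the original thread or Avast's own code: a small Python script that triages `netstat -ano` output the way the posts above do by eye, counting unique loopback connections through port 12080 by state and separating them from external connections. The sample lines, addresses and PIDs are constructed, and the function names are hypothetical.

```python
from collections import Counter

PROXY_PORT = 12080            # Web Shield's local proxy port, as stated in the thread
LOOPBACK = ("127.", "[::1]")  # IPv4 and IPv6 loopback prefixes as netstat prints them

# Constructed sample in the column layout of Windows `netstat -ano` (not a real capture).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1480
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1512
  TCP    127.0.0.1:12080        127.0.0.1:49210        ESTABLISHED     1480
  TCP    127.0.0.1:49210        127.0.0.1:12080        ESTABLISHED     3320
  TCP    127.0.0.1:12080        127.0.0.1:49211        TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:49212        TIME_WAIT       0
  TCP    192.168.1.20:49215     203.0.113.10:80        ESTABLISHED     1480
  TCP    192.168.1.20:49216     203.0.113.10:80        ESTABLISHED     1480
  UDP    0.0.0.0:500            *:*                                    620
"""

def parse_netstat(text):
    """Return (local, remote, state, pid) for every TCP line; header and UDP are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            rows.append((f[1], f[2], f[3], int(f[4])))
    return rows

def port(endpoint):
    # rpartition keeps bracketed IPv6 addresses such as [::1]:12080 intact
    return int(endpoint.rpartition(":")[2])

def summarize(rows, proxy_port=PROXY_PORT):
    """Count unique loopback connections through the proxy port by state, plus external ones."""
    seen, by_state, external = set(), Counter(), 0
    for local, remote, state, _pid in rows:
        if state == "LISTENING":
            continue  # a listener is not a connection
        if local.startswith(LOOPBACK) and remote.startswith(LOOPBACK):
            key = frozenset((local, remote))
            # netstat lists both ends of a loopback connection; count the pair once,
            # under the state of whichever end appears first
            if proxy_port in (port(local), port(remote)) and key not in seen:
                seen.add(key)
                by_state[state] += 1
        else:
            external += 1
    return {"proxy_loopback": dict(by_state), "external": external}

if __name__ == "__main__":
    print(summarize(parse_netstat(SAMPLE)))
```

To use it on a real machine, save the output of `netstat -ano` to a file and pass the file's contents to `parse_netstat` in place of `SAMPLE`.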