Echo bug in Avast's Web Shield module?

I just had the weirdest issue. I’m using:

  • Avast! Free Antivirus version 6.0.1203
  • Virus definitions version 110718-1
  • Windows 7 Professional 64-bit
  • Firefox 3.6.18

I’m a sysadmin and was using Wireshark (a packet sniffer/decoder) to diagnose another application. But when I looked at the results, I noticed that I was seeing a flood of packets to and from a site I visit regularly, dreamwidth.org, all containing HTTP 400 Bad Request responses.

Further investigation revealed that my computer was echoing back the contents of these responses to dreamwidth.org, which then responded with another HTTP 400 Bad Request response. I verified this was a new response because the Date header would differ depending on the time.

Further investigation revealed AvastSvc.exe to be the cause of these packets, as shown in this image: http://neo.theblob.org/avast-weirdness.png . For some reason, Avast was taking part in an infinite loop between Dreamwidth and my computer. I have no idea why.

I managed to fix the problem by temporarily turning off the Web Shield component, which stopped the flood of packets. It seemed to break the infinite loop because turning it back on didn’t resume the flood.

I have no idea when the flood started or why it would have started, so I’m hoping that posting here might help me find some answers. It seems like a bug in Avast!, at least.

(If any people at Avast! would like the capture file I saved with these packets, let me know and I can supply it.)

Hi Sophira,

WebShield sends what it gets from the browser (or other application that gets redirected into it). It would be interesting to see if there were other connections (with localhost) and what the communication on those channels was at the same time. In any case, I would like to see the packet dumps if possible. Thanks a lot, please either send them to my email or upload them to ftp://ftp.avast.com/incoming.

Lukas.

Unfortunately, I didn’t look to see if there were any connections made to localhost; if this happens again I’ll make sure to do a “netstat -an”. I won’t be able to capture any loopback traffic though; WinPcap doesn’t support that :(

I uploaded it to /incoming as avast-dreamwidth-echo.pcap. None of the packets seem to contain too much private info; I’ve expired the session cookies that are in there. :)

By the way, I should point out that Firefox wasn’t seeing any of this. I have an extension for Firefox called Tamper Data which I use as a basic sniffer for Firefox if I don’t need to dig out Wireshark; it shows every connection made by Firefox. But Tamper Data wasn’t showing anything while I had it open (about 10 seconds before I closed it), which is why I’m fairly sure it’s Avast! that was the problem here.

Thanks a lot, I’ll look at the packet capture right now. Another thing that would be quite useful in case it happens anytime in the future is the process dump from the webshield process. It is shared with other core avast services so you would have to dump the avastsvc.exe. The easiest way is to right click on it in the task manager and select user dump. For that to be possible, please disable avast self defense - Settings → Troubleshooting → Enable avast! self-defense module.

lukas

Okay! I’ll bear that in mind for the next time this happens, if it happens again. I haven’t seen it since that time, though.
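The echo loop described in the first post can be checked for mechanically in a capture. The following is an added example, not code from any poster or from Avast: it flags outbound payloads that are byte-for-byte copies of the server's last HTTP response and counts distinct Date headers to confirm each response was fresh. The IP addresses, sample payloads and function name are constructed, and it assumes each tuple holds one reassembled HTTP message.

```python
import re
from collections import defaultdict

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")
DATE_HDR = re.compile(rb"^Date:[ \t]*(.+?)\r?$", re.I | re.M)

def find_echo_loops(packets, local_ip, min_echoes=3):
    """packets: (src_ip, dst_ip, tcp_payload) tuples in capture order.
    Returns {remote_ip: {"echoes", "status", "distinct_dates"}}."""
    last_inbound = {}  # remote_ip -> last payload received from it
    stats = defaultdict(lambda: {"echoes": 0, "status": set(), "dates": set()})
    for src, dst, payload in packets:
        if dst == local_ip:
            last_inbound[src] = payload
        elif src == local_ip:
            m = STATUS_LINE.match(payload)
            # A client never sends a status line; an exact copy of the
            # server's last response going back out is the echo.
            if m and last_inbound.get(dst) == payload:
                s = stats[dst]
                s["echoes"] += 1
                s["status"].add(int(m.group(1)))
                d = DATE_HDR.search(payload)
                if d:
                    s["dates"].add(d.group(1))
    return {ip: {"echoes": s["echoes"], "status": s["status"],
                 "distinct_dates": len(s["dates"])}
            for ip, s in stats.items() if s["echoes"] >= min_echoes}

# --- Constructed sample data (documentation IP ranges, not from the capture) ---
LOCAL, REMOTE = "192.0.2.10", "198.51.100.20"

def _resp(sec):
    return (b"HTTP/1.1 400 Bad Request\r\n"
            b"Date: Mon, 18 Jul 2011 20:00:%02d GMT\r\n"
            b"Content-Length: 0\r\n\r\n" % sec)

SAMPLE = [
    (LOCAL, REMOTE, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (REMOTE, LOCAL, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]
for sec in range(1, 5):  # four echo cycles, each answered with a new Date
    SAMPLE += [(REMOTE, LOCAL, _resp(sec)), (LOCAL, REMOTE, _resp(sec))]

if __name__ == "__main__":
    print(find_echo_loops(SAMPLE, LOCAL))
```

A `distinct_dates` value equal to `echoes` matches the observation that every echoed packet drew a newly generated 400 response rather than a retransmission.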