Firewall blocking rs57.avast.com & sm27.avast.com

Hello,

Can someone help me understand what this means? My firewall keeps alerting me that it has blocked internet access to my computer from (TCP Port 1029) from sm27.avast.com (70.86.42.146) AND from (TCP Port 1030) from rs57.avast.com (67.15.14.12).

Although I have given my firewall permissions to allow Avast and it “seems” to be functioning properly, does this mean my firewall is blocking an important function of my Avast anti-virus that I’m unaware of in any way?

Further, looking up the above mentioned IP addresses, neither refer to Avast.com. “70.86.42.146” refers to “ThePlanet.com Internet Services, Inc.” as follows:
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14
NetName: NETBLK-THEPLANET-BLK-13
NetHandle: NET-70-84-0-0-1
Parent: NET-70-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2004-07-29
Updated: 2006-02-17

RTechHandle: PP46-ARIN
RTechName: Pathos, Peter
RTechPhone: +1-214-782-7800
RTechEmail: admins@theplanet.com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com

OrgNOCHandle: TECHN33-ARIN
OrgNOCName: Technical Support
OrgNOCPhone: +1-214-782-7800
OrgNOCEmail: admins@theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: admins@theplanet.com

AND

“67.15.14.12” refers to “Everyones Internet” as follows:
OrgName: Everyones Internet
OrgID: EVRY
Address: 390 Benmar
Address: Suite 200
City: Houston
StateProv: TX
PostalCode: 77060
Country: US

NetRange: 67.15.0.0 - 67.15.255.255
CIDR: 67.15.0.0/16
NetName: EVRY-BLK-15
NetHandle: NET-67-15-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment:
RegDate: 2004-02-06
Updated: 2005-12-16

RTechHandle: RW172-ARIN
RTechName: Williams, Randy
RTechPhone: +1-713-579-2850
RTechEmail: admin@ev1.net

OrgAbuseHandle: ABUSE477-ARIN
OrgAbuseName: ABUSE
OrgAbusePhone: +1-713-579-2850
OrgAbuseEmail: abuse@ev1.net

OrgNOCHandle: NOC1445-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-713-579-2850
OrgNOCEmail: noc@ev1.net

OrgTechHandle: RW172-ARIN
OrgTechName: Williams, Randy
OrgTechPhone: +1-713-579-2850
OrgTechEmail: admin@ev1.net

OrgTechHandle: VST3-ARIN
OrgTechName: Stinson, Valarie
OrgTechPhone: +1-713-579-2850
OrgTechEmail: admin2@ev1.net

These seem to be servers and/or internet providers? How do they relate to Avast.com and why are they wanting to access my computer since the last “program” update? I was not getting these alerts prior to the last “program” update. Am I blocking any important functions of my Avast anti-virus and if so, how do I remedy that? Help me understand.

Thanks much,
LTS

:) Hi LTS:

I had to do a "search" for your other posts to find you use Zone Alarm (no mention of "Pro" or "free"), which you could have easily mentioned in this post. Your problem seems to indicate you have some malware on your machine!? Since I saw in the other post you have Ad-Aware and Spybot, have you run their "Full scan(s)" & if yes, what has been the result(s)? You may have something easily detected and removed IF you had Ewido on your machine and run its "Complete System Scan"; their site is www.ewido.net/en and there is a "tutorial" at www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf.

Thank you for responding.

With the type of alerts mentioned, I didn’t think it was necessary to mention that my firewall was ZoneAlarm (I must say, that you sounded a bit “scolding” in the fact that I didn’t, which really wasn’t necessary). In any case, I “wrongly?” assumed most if not all firewalls give these types of alerts and my main concern was what does this mean and how does it relate to Avast?

To answer your question, I haven’t run Spybot or AdAware in the past few days, but have run both since updating the Avast “program” and since I began receiving these alerts after the update. Both have shown my computer to be free of malware. I will run them again, just to be sure. I also utilize Spybot’s resident scanner as well as SpywareBlaster and SpywareGuard (both up to date).

In light of this, can you explain further what makes you think it is due to malware? Is it because these IP addresses have nothing to do with Avast? How would this malware be doing this? Redirection of some sort? I’m trying to understand.

I know many are fans of Ewido and I’m sure it’s a great program, but I can’t afford to buy it and I’m hesitant to run the online or trial because when I’ve done that in the past…mucho stuff gets left behind on your computer and registry (ie Panda online scan, etc.). But thanks for the suggestion.

For others benefit, the link you provided (http://www.greyknight17.com/spy/Tutorials/ewidoQucikGuide.pdf) is incorrect. It should be QuickGuide.pdf at the end rather than QucikGuide.pdf.

I’m going to run Spybot and AdAware again now and see if there’s any current problem being reported. I’ll report back one way or the other.

Thanks again,
LTS

Edit:
I have again scanned with Spybot & AdAware…still nothing found. Any other suggestions as to why these IP’s (that at first glance seem to be related to avast.com) are trying to gain access to my computer since updating the Avast “program”? (v. 4.7.827). Thanks.


I know many are fans of Ewido and I'm sure it's a great program, but I can't afford to buy it and I'm hesitant to run the online or trial because when I've done that in the past...mucho stuff gets left behind on your computer and registry (ie Panda online scan, etc.). But thanks for the suggestion.
Ewido will run just fine even after the 14 day trial period. The trial period is for the Guard resident scanner. After the trial period, just disable Guard on the program user interface. Also, after the trial period, automatic updates stop.

Once you have done the above, you continue using Ewido free of charge but now you have no resident scanner and you must activate updates from the user interface. I run Ewido once a week and always download updates just before the scan. These updates are quick even on dial-up.


Note: Edited based on subsequent info.

Both servers you’ve mentioned are hosted by our hosting providers, that’s why you’re getting their WHOIS records. Basically, we do use all the servers named in the servers.def file and all of them should have the reverse pointer mentioning avast.com as a part of the hostname. You know, ‘avast genuine’ ;D
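The point in the reply above (WHOIS names the hosting provider, while the reverse pointer names the tenant) can be checked more strictly by confirming the PTR name with a forward lookup. This is an added example, not part of the original thread or Avast's code: the function names are illustrative, the two hostname/IP pairs are the ones quoted in the first post, and the 203.0.113.x entries are constructed.

```python
import socket

def ptr_names(ip):
    """Live reverse (PTR) lookup; [] when the address has no record."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def a_records(host):
    """Live forward (A) lookup; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def in_domain(host, domain):
    """Label-aware match: 'notavast.com' and 'avast.com.example.net'
    are not inside 'avast.com'."""
    host, domain = host.rstrip(".").lower(), domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def fcrdns(ip, domain, ptr=ptr_names, fwd=a_records):
    """Return the confirmed hostname, or None.

    A PTR record is set by whoever controls the IP block, so it only counts
    when the vendor's own zone maps that name back to the same address."""
    for name in ptr(ip):
        if in_domain(name, domain) and ip in fwd(name):
            return name
    return None

# Constructed resolver tables so the example runs offline (assumption: the
# first two pairs mirror what the firewall alert reported, not live DNS).
PTR = {"70.86.42.146": ["sm27.avast.com"],
       "67.15.14.12": ["rs57.avast.com"],
       "203.0.113.7": ["sm27.avast.com"],         # PTR claims the name, zone disagrees
       "203.0.113.8": ["avast.com.example.net"]}  # look-alike, wrong domain
A = {"sm27.avast.com": ["70.86.42.146"],
     "rs57.avast.com": ["67.15.14.12"],
     "avast.com.example.net": ["203.0.113.8"]}

def check(ip):
    return fcrdns(ip, "avast.com", lambda i: PTR.get(i, []), lambda h: A.get(h, []))

if __name__ == "__main__":
    for ip in PTR:
        print(ip, "->", check(ip) or "NOT confirmed")
```

Calling `fcrdns(ip, "avast.com")` without the last two arguments uses the live resolver instead of the constructed tables.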

CharleyO & kubecj…thank you both.

CharleyO:
Thanks for the further info about Ewido. I wasn’t aware. Maybe I’ll give it a whirl.

kubecj:
Thanks for explaining these are servers used by Avast, I feel a little better. But now this raises further questions for me. Why would my firewall block these IP’s when I have given Avast permissions (and never had this happen before the program update). What exactly is my firewall blocking? Anything important? When I started up today, Avast updated its virus database automatically as usual, so all seems well…I don’t understand. But also, just prior to the virus database update notification…my firewall blocked, this time…sm05.avast.com (IP: 70.86.43.210, ThePlanet.com Internet Services, Inc.). Basically, am I losing any type of anti-virus protection with these firewall blocks and if not, what do these blocks mean? What is Avast trying to do that ZoneAlarm is blocking?

Thanks again,
LTS

Heh, don’t know anything about ZA.

Avast’s updater just goes to the site thru standard HTTP port 80. It does nothing spectacular, so I don’t know why ZA is putting up such warnings. If you let avast.setup have full internet access, ZA should just shut up and let the traffic go. Maybe some ZA user may shed some light on this.

What is Avast trying to do that ZoneAlarm is blocking?
I haven't used ZA for some considerable time (3-4 years), but what reason is ZA giving for blocking it?

ZA on occasion gets very forgetful and even though a process/program is allowed access it gets blocked. I would suggest that if you have an entry for avast.setup, you delete it, then do a manual update. ZA should ask again; ensure you give permission, and if there is a "remember this" box, etc., tick it.

I use ZAF Ver. 5.5. I have 3 entries for AVAST: Update, Mail Scan, Web Scan. ALL are set to ALLOW. Do You have the Same?

They’re not the same. In the firewall settings, the following programs should be allowed to connect:

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (avast! Web Scanner)
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (avast! e-Mail Scanner Service)
C:\Program Files\Alwil Software\Avast4\Setup\avast.setup (avast! Update executable)

Don’t need rights to connect:
C:\Program Files\Alwil Software\Avast4\ashServ.exe (avast! antivirus service)
C:\Program Files\Alwil Software\Avast4\ashUpdSv.exe (avast! Update Service)

As I am Overdrawn at the Memory Bank I looked again at ZAF/Program Control. It shows Avast AV Update. I set it to ASK. I ran Man.Update for AVS & Program. I get a Pop-UP Alert saying Avast AV Update is trying to Access the Internet. If I CK Entry Detail in ZA Program Control for Avast AV Update I see Avast Setup. So it looks like We are both Right.