Important: Strange UDP Connection from Avastsvc Service to suspicious domain

Is this connection from Avastsvc to that suspicious domain usual?

(Snapshots from Windows Resource Monitor & Avast)

https://i.ibb.co/stL1QNb/avastsvc.jpg


https://i.ibb.co/gV7T4nY/2019-11-25-19-21-36-Clipboard.png

You don’t say what Avast version and build number you are using?

I don’t see any attached snapshot, so we can’t see what this suspicious domain is. EDIT: now I see it, it didn’t appear when I first viewed your post.

Don’t forget that the Avast Service is used by the various shields, so it is possible the web shield could have been scanning a site or links from it.

Avast Premium Security
Program version: 19.8.2393 (build 19.8.4793.544)

OK, aside from your using Avast Premium Security and my using Avast Free, we are on the same version and build number. AvastSvc.exe is the main scanning engine; this would be used by the Shields and very likely by the Web Shield.

Given this is a URL: when you are browsing, the web shield scans content and also checks links from that page to prevent redirects to malicious or blacklisted sites. I suspect it was related to the web shield, but I have no way of positively confirming this.

Hello,

Thank you for reporting the issue. Could you please generate a process dump of AvastSvc.exe so that we can investigate it further?

You can follow the instructions here: https://support.avast.com/en-in/article/56/

Thank you!

Edit: specified which process dump to generate


https://i.ibb.co/tJ349WV/2019-11-26-15-31-43-Generating-a-user-mode-process-dump-in-Windows-Official-Avast-Support.png

I think the process is running in kernel mode http://cloanto.com/kb/14-139

Hello MohamedRaheem, if you are able to reproduce, could you please also attach output of command: “netstat -ano” (from CMD line), together with the PID of AvastSvc process?


https://i.ibb.co/YXR3NqL/2019-11-26-17-16-02-Administrator-Command-Prompt.png

Thank you. Have you please seen that strange connection in resource monitor at the same moment (as the netstat command was run)?

In that case, could you please try running the following from cmd as administrator to generate the dump file? Replace SVC_PID with the real AvastSvc PID (5272 in the last screenshot).
It will create, run and delete a task that uses Avast dump system.

@schtasks.exe /CREATE /SC ONIDLE /I 999 /RU "NT AUTHORITY\SYSTEM" /TN "SvcDumper" /TR "\"c:\Program Files\AVAST Software\Avast\avdump.exe\" --pid SVC_PID --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file c:\service.dmp"

@schtasks.exe /RUN /TN "SvcDumper"

@timeout 10

At this point, please check that the scheduled task has really run. If the file “c:\service.dmp” was not generated, run Windows Task Scheduler, look up the created “SvcDumper” task, right-click it and select Run (shown in the attached screenshot).
The last command deletes the task.

@schtasks.exe /DELETE /TN "SvcDumper" /F

The dump file has been uploaded to the FTP server with the name service.zip

Hello,

Thank you for the dump, we’ve started to investigate it. There is one more thing that would help - would you please run:

ipconfig /displaydns > c:\dns.txt

And upload the DNS dump to the FTP server?

Thanks, Jakub, for your follow-up.
The file has been uploaded to the FTP server with the name dns_MohamedRaheem.txt

Hello Mohamed,

The IP address of the milena12.niklanovic.example.com PTR record in the DNS dump belongs to a legitimate Avast server.

It’s strange that the PTR record is this and not *.ff.avast.com, but it will most likely be fixed when your DNS cache (and maybe the cache of your ISP’s recursive name server) is flushed.
Thank you for being vigilant and reporting the issue!
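The three artefacts requested in this thread (the AvastSvc PID from the process list, the `netstat -ano` rows for that PID, and the `ipconfig /displaydns` cache) are exactly what a defender correlates when a process talks to an unexpected name. The script below is an added example, not Avast's code and not part of the original thread: it parses the text output of those three commands, ties each remote IP of the chosen process to the names the DNS cache holds for it (forward A/AAAA owners and the reverse PTR target, the record that looked odd here), and flags names outside an expected zone. All sample outputs are constructed, `sample-node.ff.avast.com` is a made-up host under the zone the Avast reply mentions, and the `avast.com` suffix is the defender's own expectation, passed in as a parameter. It goes slightly beyond the thread by also accepting IPv6 foreign addresses and AAAA/CNAME cache entries.

```python
"""Added triage helper (not Avast's code): parse the text output of the three
Windows commands used in this thread (tasklist, netstat -ano, ipconfig
/displaydns) and report which cached DNS names belong to each remote IP of a
process, flagging names outside an expected zone. Samples are constructed."""
import csv
import io
import re

SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"AvastSvc.exe","5272","Services","0","123,456 K"
'''
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     203.0.113.7:443        ESTABLISHED     5272
  TCP    192.168.1.10:49801     198.51.100.23:443      ESTABLISHED     5272
  UDP    0.0.0.0:62114          *:*                                    5272
"""
SAMPLE_DNS = """
    sample-node.ff.avast.com
    ----------------------------------------
    Record Type . . . . . : 1
    A (Host) Record . . . : 198.51.100.23

    7.113.0.203.in-addr.arpa
    ----------------------------------------
    Record Type . . . . . : 12
    PTR Record  . . . . . : milena12.niklanovic.example.com
"""
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def pid_for_image(tasklist_csv, image_name):
    """PID of image_name from `tasklist /FO CSV` output, or None if not running."""
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() == image_name.lower():
            return int(row["PID"])
    return None

def endpoints_for_pid(netstat_text, pid):
    """(proto, remote_ip, remote_port) per `netstat -ano` row owned by pid.
    UDP sockets show no peer in netstat (*:*), so they yield (proto, None, None);
    the UDP peer in this thread was only visible in Resource Monitor."""
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m or int(m.group(5)) != pid:
            continue
        proto, foreign = m.group(1), m.group(3)
        if foreign == "*:*":
            found.append((proto, None, None))
        else:
            ip, _, port = foreign.rpartition(":")      # also splits "[v6addr]:port"
            found.append((proto, ip.strip("[]"), port))
    return found

def parse_displaydns(text):
    """{query_name: [(record_type, data), ...]} from `ipconfig /displaydns` output."""
    cache, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # blank line ends the current entry
            name = None
        elif set(line) == {"-"}:           # separator under the query name
            pass
        elif " : " not in line:            # first bare line of an entry is the query name
            if name is None:
                name = line.lower().rstrip(".")
                cache.setdefault(name, [])
        else:
            key, _, value = line.partition(" : ")
            key = key.replace(".", "").strip().lower()   # "A (Host) Record . . ." -> "a (host) record"
            if name and key in ("a (host) record", "aaaa record", "cname record", "ptr record"):
                cache[name].append((key.split()[0].upper(), value.strip().lower().rstrip(".")))
    return {k: v for k, v in cache.items() if v}   # drop entries without usable records

def names_for_ip(cache, ip):
    """Names the cache ties to ip: owners of forward A/AAAA records plus the reverse PTR target."""
    names = {q for q, recs in cache.items() for t, d in recs if t in ("A", "AAAA") and d == ip}
    if ":" not in ip:                      # IPv4 only: build the in-addr.arpa query name
        rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
        names |= {d for t, d in cache.get(rev, []) if t == "PTR"}
    return names

def triage(tasklist_csv, netstat_text, dns_text, image_name, expected_suffixes):
    """One dict per endpoint with status ok / verify / unresolved / unknown."""
    pid = pid_for_image(tasklist_csv, image_name)
    cache = parse_displaydns(dns_text)
    report = []
    for proto, ip, port in (endpoints_for_pid(netstat_text, pid) if pid is not None else []):
        names = names_for_ip(cache, ip) if ip else set()
        if ip is None:
            status = "unknown"             # no peer in netstat; check Resource Monitor
        elif not names:
            status = "unresolved"          # nothing cached; resolve/whois it by hand
        elif any(n == s or n.endswith("." + s) for n in names for s in expected_suffixes):
            status = "ok"
        else:
            status = "verify"              # name outside the expected zone, like the PTR in this thread
        report.append({"proto": proto, "remote": f"{ip}:{port}" if ip else None,
                       "names": names, "status": status})
    return report

if __name__ == "__main__":
    for entry in triage(SAMPLE_TASKLIST, SAMPLE_NETSTAT, SAMPLE_DNS, "AvastSvc.exe", ["avast.com"]):
        print(entry)
```

On the constructed data the 203.0.113.7 endpoint comes back as "verify" because its only cached name is the out-of-zone PTR target, which is the situation the thread ends on: a "verify" result means confirming IP ownership with the vendor (as Avast did here) and re-checking after the local and ISP resolver caches are flushed, not that the connection is malicious.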