Mine does - are you viewing it in Notepad, as other text editors can mangle the actual alert format?
This format I believe has recently been changed as previously the URLs of blocked sites could cause a false positive on the report file. So when this change in format was made I don’t know if the previous entries were removed.
Thanks for the URL to test this with. On my desktop PC I browsed to the URL in your screencaps with Opera, and I got the warning popup from avast Network Shield. Same thing with my laptop, except I used Firefox.
Both computers are using the latest avast version in Windows XP SP3, plus the avast in my laptop (which has “clean” install of WinXPSP3), is in unmodified state (no settings changed, just registered) after install of 7.0.1456.
I tested opening the NetworkShield.txt with Windows Notepad, Notepad2 and with Notepad++ on both PCs; there are no blocked items at all!?
There are 0 blocked items listed in my desktop PC NetworkShield.txt which spans from “Wednesday, May 12, 2010” to today (~1200 lines of text). All I see is started & stopped datetime, and run-time info, nothing else.
EDIT: I stopped and restarted the Network Shield on my desktop PC, and then tried to load the malicious URL again, got the warning, but nothing in the log except new stop and start messages. It is not working.
I don’t know why it isn’t working on your systems, it did work on my XP Pro system as my images show.
Having said that I have just tested it again and it hasn’t logged the alert (XP system) and checking my win7 system no entries since 19/7/12, that netbook doesn’t get switched off that frequently, mostly on standby/hibernation. But stop/start network shield shows a start entry but a test after that doesn’t get recorded.
So there appears to be a problem in recording, certainly from some time after 2012/7/11.
What’s the policy around here? Are bug reports accepted through the forum? Will somebody from avast answer that the report is acknowledged? (Why was this message deleted earlier? Can’t I ask this?)
The blocked URLs are logged into log/nshield.log file, not into report/Network Shield.txt.
What’s the point of this report file… well, not much I guess; you can check out whether the Network Shield is/was really running. The existence of the report file is “caused” by an automatic report creation for every shield started/stopped. Why is the nshield.log file there… I believe the Network Shield used to write the log directly from kernel, without actually going into the user mode - so it couldn’t interfere with the usual report file.
What makes me worried though, is David’s first screenshot. That block shouldn’t be there…
David, can you please send me (e.g. on the FTP) the NetworkShield.txt file you showed, together with the nshield.log?
You don’t happen to remember what you did around that time the block (whose information is “present” in NetworkShield.txt) occurred… did you stop the Network Shield after it has blocked the site, or…?
Thanks.
OK, uploaded as file name DavidR_NetworkShied_Log_Report_files.7z.
I can’t recall exactly what I was doing around that time, the hits in my network shield log/report files are normally due to investigating sites reported in the viruses and worms forum. Though it is a rare occasion when I would disable the network shield when investigating, but it would depend on the circumstances.
The site in DavidR last screenshot was flagged here and recorded in nshield.
What baffles me a bit is the content of the log - Avast sometimes implicates Opera which is correct, sometimes TClockX which is a DDE type of thing for a nicer timestamp - seems wrong to me.
I attached two nshield logs - the first one is from long ago, the trojan was in an invisible iFrame script, the second one is from the run I just did.
In both instances, Opera had just one tab open.
In both instances, the old one and now, what nshield says matches what the alert says, it’s just flaky with the tclockx dragged in.
Are the numbers in parentheses the PID of what’s implicated? See the 2-opera screenie.
It isn’t the Process that is the issue but the Object, given the image you posted it is more likely that the site that TClockEX.exe is connecting with has been hacked. If you actually do a forum search (viruses and worms forum) for phpinclide-bin you will see many such network shield blocks on what are hacked sites redirecting to this phpinclide-bin url.
Well I have no idea what it does, my assumption is that it is a clock and must get its timings from somewhere. But that is the parent process trying to make a connection, which has subsequently been redirected to a site that the Network Shield considers malicious.
Well, then what might the (number) be? See my expanded log and new screen shots 3,4,5,6 and a composite log of all today.
It may be a coincidence but the numbers match the Opera PID (for 17:36 today I failed to grab a screenshot but it also matched Opera, it was 872).
When I try to connect to that flawed site, Opera is what’s doing it. There is no redirection. I typed in the URL from your earlier post.
TclockEx is not the parent of anything
Why is it that the only time ever that I’ve seen anything related to TclockEx and the internet is in these logs, where the first was a real trojan link, the second one is the address I picked up in this thread?
All I know is this:
TClockEx sets a windows hook right after login to Windows never to be heard of again (my old SSM logs showed it to be quiet long ago).
It silently communicates with ??? time service on windows to grab the time and just makes a nice display.
As far as I know it just gathers the time by DDE from the clock of Windows set by the Windows Time Service (W32Time) which is running and updates the clock when it feels like it.
Finally, TClockEx on my box cannot get out to the internet because it is not in the firewall rules allowing out through the avast proxy over 12080 port.
Nor is it allowed to go directly to port 80 or any other port out there.
If it tried to sneak out, I would see an alert or simply a log entry of a denied connection in the firewall. I’ve never seen any such for TClockEx.
Needless to say, Avast! blocks it. I’m happy. But what I see, I don’t understand.
Firstly I’m an avast user not an avast developer, so I can only comment on what I see from a user’s standpoint.
Well since you don’t use a signature to indicate what security software, OS etc. etc. on your system we have no reference point, e.g. we have to continually go back over your posts to try and find that information (a forum profile, signature helps us to help you).
What is the firewall that you are creating these rules with?
I can’t explain why avast is indicating TclockEx as I have never used it and I don’t know exactly how it achieves this getting the time; if it calls the Windows Time Service and that goes off and syncs the time, I would assume that avast would still see TclockEx as being the initiator process.
As for Opera, being a browser there is a possibility that in the course of browsing there is a link in a website to this phpinclude-bin, then the network shield would jump on that as and when a connection attempt to that was made. The PIDs change as can be seen between your images (different PID for Opera in both); since there is no time stamp on Process Explorer it is hard to say for certain. That will have to come from someone more knowledgeable of the internal workings of the network shield.
I certainly can’t say anything other than as an avast user on how the network shield is meant to work in identifying the parent process accessing the object, from my own experience and in the forums the parent process I have found to be correct.
Bottom line first: I’m pretty sure that the number in ( ) is PID, therefore nshield was not always reporting the application correctly. Remember my first log with a real trojan? Opera did show up there, so it’s not always TClockEx.
TClockEx is not calling Windows Time Service. Using DDE it collects time value from some SystemTime variable using its hook to a windows process, I suppose. If it did call the service, I’d see WindowsTime going out in the firewall log, since it’s one of few allowed connections I log.
Today, using Autoruns, I disabled TClockEx from startup and rebooted. Then I ran the same old link three times. In all cases Opera was identified in the log and it matches PID.
Note annotations in my screenies. I promise I won’t post any more of those unless somebody asks for more.
As I described, Process Explorer is behind the Opera window - I start PE before starting Opera, so the clock values apply.
The time stamp in these last screen shots is the crummy Windows display since TClockEx is not running. See the bottom right corner in these as well as yesterday’s shots. So to answer your question that there’s no timestamp on PE - well there is, always there, in the right corner.
I wish I didn’t hijack this thread, ouch. Could we split it out since it’s about nshield?
Thank you for your patience, and whom do you think we should ask to explain?