New feature announcement - Remote Access Shield

Remote Desktop Protocol (RDP) is the most dominant cyber security attack vector, being used in 63.5% of disclosed targeted ransomware campaigns in Q1 of 2019.[1] The average downtime related to a ransomware attack is 7.3 days and its average cost is $64,645.[1] Besides spreading malware, RDP attacks are used by skilled hackers to infiltrate corporate environments. RDP is the ultimate infection vector that evades all security layers in most antivirus software and compromises the system directly. During the recent COVID-19 pandemic, the frequency of RDP-based attacks has drastically increased as a result of a large number of employees working from home.[2][3]

The most common ways of gaining access to a computer via RDP are the following:

  • Brute-force attack - the attackers attempt to sign in to an account by using trial-and-error methods. These can include repeatedly trying to log in with commonly used or stolen credentials, leading to many failed sign-ins occurring over very short time frequencies, typically minutes or even seconds.[4]

  • Unpatched OS - the operating system is vulnerable to known Remote Desktop exploits. An example is BlueKeep[5], which allows the attacker to run malicious code in the kernel memory of the server, taking control of the entire system.

We are proud to introduce our solution to the Remote Desktop vulnerabilities - Remote Access Shield.
The shield offers the protection of your business or your personal data with the following features:

  • Choose who can remotely access the protected computer using Remote Desktop, blocking all other connection attempts.
  • Automatically block any brute-force attacks trying to crack the protected computer’s credentials.
  • Automatically block connections attempting to use Remote Desktop exploits like BlueKeep to take control of the protected computer.
  • Automatically block Remote Desktop connections from high-risk IP addresses.
  • Get notifications about Remote Desktop connection attempts blocked by Avast.

The Remote Access Shield is available in Avast Premium Security starting with version 20.5 and it will reach Avast Business edition soon.
If you have any questions or suggestions for this new feature, please let us know! We would appreciate all of our beta testers to try the Remote Access Shield out and give us feedback!

[1] https://www.coveware.com/blog/2019/4/15/ransom-amounts-rise-90-in-q1-as-ryuk-ransomware-increases
[2] https://healthitsecurity.com/news/covid-19-remote-work-causes-spike-in-brute-force-rdp-cyberattacks
[3] https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820
[4] https://www.microsoft.com/security/blog/2019/12/18/data-science-for-cybersecurity-a-probabilistic-time-series-model-for-detecting-rdp-inbound-brute-force-attacks
[5] https://blog.avast.com/what-is-bluekeep

How does this impact/benefit anyone with Windows 10 Home version, which doesn’t have the Remote Desktop function?

If your system doesn’t have Remote Desktop enabled (e.g., because it is running Windows 10 Home, or you have disabled it manually), the shield will have no effect at the moment. There might be new supported protocols/methods of access in the future.

Hi Jakub, thanks for the details. :slight_smile:

Thanks for the clarification.

Hi, could you please provide a FAQ article…!? Cheers

Hi Asyn, we don’t have many frequently asked questions yet. Mostly only those that were asked here in this very thread. What else would you like to have in FAQ article? Maybe as others start seeing the detections or will start to interact with this new shield, we’ll have more questions and answers. :wink: L.

Let’s put it this way, it would be nice to have a general article in the support section for reference when v20.5 gets released. Cheers

Hi,

This new Remote Access Shield feature seems to break the Remote Web Access in Small Business Essentials 2016. Users get a protocol error when trying to connect. Have made sure that the ‘Allow Remote Desktop’ setting in AVG is set to enabled but AVG still blocks their connections. Disabling the feature immediately allows the connection to be made again.

Any suggestions?

Thanks,

Mike

Hello Mike,

Thank you for reporting the issue.

Could you please help us with the investigation by providing some data?
Please enable debug logging (Menu > Settings > General > Troubleshooting > Enable debug logging).

Reproduce the issue (try to connect with the Remote Access Shield enabled).

Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

Thank you very much,
Jakub

Took me quite a while to figure it out, but “Enable Samba protection” on “Remote Access Shield” is an all-or-nothing deal. When enabled, it shuts down my local network because I transfer lots of files frequently. Seems to me an exclusion option for specific computers and/or the local subnet would be helpful.

Hello kenhagin,

Yes, that is correct at the moment. The reasoning behind not having an exclusion list is that one compromised computer on the network would be able to attack all the other devices. We expected many companies to internally exclude all SMB (or RDP) communication and trust us to keep the network safe, but even one person opening an e-mail attachment would pose a threat to the whole network.

How exactly does it shut the network down? Does Avast slow the file transfers down, or are there false positive detections when a SMB connection fails?

Thank you,
Jakub

I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alerts started yesterday. The alert is as follows…

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked. The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason…

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification? Has someone hacked my NVIDIA SHIELD TV device?

Re Bruteforce. Also see this:
https://forum.avast.com/index.php?topic=238916.0

That is the thread that got me to this one. The screen shots of the alerts in that other thread are just like the ones that I am getting, however, the ones that I am getting are from a single device on my own network, not from outside.

There is nothing in that other thread or posts that tells me why one (and not the other two) of my NVIDIA SHIELD TV Media Streaming device would be causing these alerts.

I would suggest following the instructions in Reply #9 to

Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

And read what was in Reply #10.

You don’t say what Avast program you are using, just wonder if it has the Avast Firewall component ?
If so do you have the Firewall set to Private or Public network mode ?

That said why it would only alert on one and not the others (but not knowing what they are) is strange.

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer’s security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.
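The announcement describes brute-force detection as many failed sign-ins within a short time, and Jakub's reply above explains that the same rule applied to failed SMB connections is what flags the SHIELD TV. The sliding-window detector below is an added illustration of that logic (not Avast's code); the failed-attempt records, IP addresses and thresholds are constructed, and it shows how a local device failing once a minute is clean under a 60-second window but crosses a 10-minute window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed inbound connection attempts, shaped like the
# alerts quoted in this thread: (source IP, protocol, timestamp). Hypothetical.
FAILED_ATTEMPTS = [
    # external host: 20 RDP failures two seconds apart (classic brute force)
    *[("203.0.113.5", "RDP", datetime(2020, 10, 22, 21, 19, s))
      for s in range(0, 40, 2)],
    # local media device: one SMB failure per minute, like the SHIELD TV case
    *[("192.168.1.207", "SMB", datetime(2020, 10, 22, 21, 19) + timedelta(minutes=m))
      for m in range(15)],
    # a user who mistyped a password once
    ("192.168.1.50", "RDP", datetime(2020, 10, 22, 21, 30)),
]


def detect_bruteforce(attempts, threshold, window_seconds):
    """Return {(ip, protocol): failures} for each source whose failed attempts
    reach `threshold` inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for ip, proto, ts in attempts:
        by_source[(ip, proto)].append(ts)
    flagged = {}
    for key, stamps in by_source.items():
        stamps.sort()
        recent = deque()          # timestamps inside the current window
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:   # drop attempts that aged out
                recent.popleft()
            if len(recent) >= threshold:
                flagged[key] = len(recent)   # report at first crossing
                break
    return flagged


if __name__ == "__main__":
    # A tight window catches only the external attacker; a wide window
    # also flags the chatty local device, which is the false-positive case.
    for seconds in (60, 600):
        print(seconds, detect_bruteforce(FAILED_ATTEMPTS, 10, seconds))
```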

My apologies, I am using Avast Premium Security. I do not have any of Avast Firewall components installed.

Anyway, I have 3 nvidia shield tv media streaming devices. They are all connected to my network with ethernet (not WiFi). The only differences in their configurations may be that they have different apps installed on them (ie, they may all have netflix, but only 2 may have hulu, etc.). Otherwise, all other settings are basically the same. So I found it very odd that one of them would be doing a “bruteforce” attack over SMB protocol.

And as strangely as the alerts started, they also just stopped. There has not been any more alerts since yesterday morning.

I opened support case with both AVAST and NVIDIA. I have not heard anything back from AVAST yet. I need to respond to NVIDIA after 24 - 48 hours to let them know if I am still getting the alerts.

Also, I did restart the SHIELD TV device that was generating the alerts. If I had to guess, these were maybe false positive alerts.

Thank you for the information. Yes, I found that the SMB scanning can be turned off and I actually did turn it off for a while. I had to turn it back on again while on support chat with NVIDIA. So far, there are no settings enabled on the SHIELD TV device for network file sharing or connections to PC folders.

What I also found to be odd is that I have a few other PCs with AVAST Premium Security and there have been no connections blocked from the SHIELD TV device on any of the other PCs. Why would the SHIELD TV device only target one PC on the network if it is just “polling” or attempting to connect to a PC on my network?

And, I also have 2 other SHIELD TV devices which are configured on the network in the same way. They just may have different streaming apps installed. Why would we not see blocked connections from those other two devices?

In any case, the alerts have stopped since yesterday morning.

It seems that the alerts started up again last night, 10/22/2020 at around 9:19 pm. I started using the nvidia shield tv device around 7:00 pm and I was using the Plex app to view some TV shows that were recorded on my Windows 10 PC, the one that is getting the alerts.

However, at around 10:30 pm, I turned everything off, though I guess the shield tv device only goes to sleep. The alerts are still coming in at a regular constant rate. I can’t say that it is every minute or every 5 minutes, but it is constantly blocking the incoming SMB traffic.