Odd datagram to time server at start-up - what is going on?

Hi,

I am running Avast free antivirus, 2015.10.0.2208 on WinXP SP3. I “Load Avast services only after loading other system services”. Webshield is active. I use a third-party software firewall which loads before all other third-party services. Windows is set to synchronise with an Internet time server (pool.ntp.org).

I noticed that avastsvc.exe was sending UDP to port 123 (various endpoint IP addresses) at system start-up. Fearing malware somehow making use of avastsvc, I did some more digging. The packet of data that avastsvc sends (typically from port 1032, 1033 or 1035) appears to be garbage (no valid data) - here is an example:

User Datagram Protocol, Src Port: mxxrlogin (1035), Dst Port: ntp (123)
Network Time Protocol (NTP Version 1, reserved)
Flags: 0x08
00.. .... = Leap Indicator: no warning (0)
..00 1... = Version number: NTP Version 1 (1)
.... .000 = Mode: reserved (0)
Peer Clock Stratum: unspecified or invalid (0)
Peer Polling Interval: invalid (0)
Peer Clock Precision: 1.000000 sec
Root Delay: 0.0000 sec
Root Dispersion: 0.0000 sec
Reference ID: NULL
Reference Timestamp: Jan 1, 1970 00:00:00.000000000 UTC
Origin Timestamp: Jan 1, 1970 00:00:00.000000000 UTC
Receive Timestamp: Jan 1, 1970 00:00:00.000000000 UTC
Transmit Timestamp: Jan 1, 1970 00:00:00.000000000 UTC

  • the endpoint (which is an NTP server) responds with:

User Datagram Protocol, Src Port: ntp (123), Dst Port: mxxrlogin (1035)
Network Time Protocol (NTP Version 1, server)
Flags: 0x0c
00.. .... = Leap Indicator: no warning (0)
..00 1... = Version number: NTP Version 1 (1)
.... .100 = Mode: server (4)
Peer Clock Stratum: secondary reference (2)
Peer Polling Interval: invalid (3)
Peer Clock Precision: 0.000000 sec
Root Delay: 0.0011 sec
Root Dispersion: 0.0251 sec
Reference ID: 145.238.203.14
Reference Timestamp: Feb 13, 2015 14:03:44.446554000 UTC
Origin Timestamp: Jan 1, 1970 00:00:00.000000000 UTC
Receive Timestamp: Feb 13, 2015 14:08:52.199725000 UTC
Transmit Timestamp: Feb 13, 2015 14:08:52.199738000 UTC

  • I have monitored this start-up behaviour several times and as far as I can tell the remote address contacted varies but is always an NTP server.

If I manually re-synchronise Windows time with pool.ntp.org the following sequence (typically) occurs:

Source Destination Protocol Length Info
10.0.0.3 10.0.0.2 DNS 72 Standard query 0x4fd5 A pool.ntp.org
10.0.0.2 10.0.0.3 DNS 136 Standard query response 0x4fd5 A (IP addresses - see below)
10.0.0.3 143.210.16.201 NTP 90 NTP Version 3, symmetric active
10.0.0.3 178.62.24.228 NTP 90 NTP Version 3, symmetric active
10.0.0.3 129.250.35.251 NTP 90 NTP Version 3, symmetric active
10.0.0.3 178.79.177.120 NTP 90 NTP Version 3, symmetric active
178.62.24.228 10.0.0.3 NTP 90 NTP Version 3, symmetric passive
143.210.16.201 10.0.0.3 NTP 90 NTP Version 3, symmetric passive
178.79.177.120 10.0.0.3 NTP 90 NTP Version 3, symmetric passive
129.250.35.251 10.0.0.3 NTP 90 NTP Version 3, symmetric passive

  • Avast (webshield) does not appear to get involved. I have also tried setting svchost.exe as an excluded application in the webshield and even disabling the webshield altogether. I have also tried disabling Windows internet time synchronisation. The odd UDP from avastsvc.exe still occurs at start-up. I can create a firewall rule to allow or deny this seemingly odd avastsvc behaviour, but I would be happier if I knew WHY it was happening in the first place. I see other communications taking place between the Avast application and servers at start-up, but it all seems normal (checking for updates etc.). I know that “a little knowledge can be a dangerous thing”, but I am still curious to know what is going on here.

Can anyone help?

I see a few have viewed this subject but no replies. So I’ll advance my theory / answer my own question.

The Avast program is sending a simple “null data” packet to a Time server (0x08 followed by a string of 0x00’s) - in effect a sort of “Ping” that apparently causes the server to respond with the current time: in other words a simple check for UTC by the program so that the program “knows” the time, independent of local (Windows / PC hardware) time. This may be used to make decisions such as sending usage information or checking for updates, I do not know. This is my best guess. From my observations the program only ever sends a single datagram to the remote IP address (port 123) and the server appears to be one selected (at random?) from a pool. This activity occurs first, before the Avastsvc contacts any other servers.
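To check the “null data” theory above against the actual NTP header layout rather than the Wireshark summary, here is an added example decoder (written for this thread; it is not Avast’s code and not part of the original post). It dissects a raw 48-byte NTP datagram into the fields Wireshark shows, and flags the minimal 0x08-plus-zeros request. The two sample datagrams are constructed to reproduce the dissected values in the captures above; the server’s precision byte (-20) is an assumption, since the capture only shows the rounded value 0.000000 sec.

```python
# Added example: decode raw 48-byte NTP datagrams such as the ones captured
# in the thread, so a "garbage" packet can be checked against the NTP header
# layout instead of guessed at. Not Avast's code.
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)   # NTP timestamps count from 1900
HEADER_FMT = "!BBbbiI4s" + "I" * 8   # flags, stratum, poll, precision, root delay,
                                     # root dispersion, reference id, 4 x (sec, frac)
MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
         3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}


def to_ntp(dt):
    """Return an (seconds, fraction) NTP timestamp for a UTC datetime."""
    delta = dt - NTP_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    fraction = int(delta.microseconds * (2 ** 32) / 1_000_000)
    return seconds, fraction


def from_ntp(seconds, fraction):
    """Convert an NTP timestamp back to a datetime; None for the all-zero value
    (which the captures above render as Jan 1, 1970 00:00:00)."""
    if seconds == 0 and fraction == 0:
        return None
    micros = round(fraction * 1_000_000 / (2 ** 32))
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def reference_id_text(stratum, raw):
    """Stratum 0/1 carry a 4-character ASCII code; stratum >= 2 carries the
    IPv4 address of the upstream server (145.238.203.14 in the capture)."""
    if raw == b"\x00\x00\x00\x00":
        return "NULL"
    if stratum <= 1:
        return raw.decode("ascii", errors="replace").rstrip("\x00")
    return ".".join(str(b) for b in raw)


def parse_ntp(packet):
    """Dissect the 48-byte NTP header into the fields Wireshark shows."""
    if len(packet) < 48:
        raise ValueError("NTP header needs 48 bytes, got %d" % len(packet))
    fields = struct.unpack(HEADER_FMT, packet[:48])
    flags, stratum, poll, precision, root_delay, root_disp, ref_id = fields[:7]
    ts = fields[7:]
    mode = flags & 0x07
    return {
        "leap": flags >> 6,                      # top two bits
        "version": (flags >> 3) & 0x07,          # next three bits
        "mode": mode,                            # low three bits
        "mode_name": MODES[mode],
        "stratum": stratum,
        "poll": poll,
        "precision_sec": 2.0 ** precision,       # signed log2 seconds
        "root_delay_sec": root_delay / 65536.0,  # 16.16 fixed point
        "root_dispersion_sec": root_disp / 65536.0,
        "reference_id": reference_id_text(stratum, ref_id),
        "reference_time": from_ntp(ts[0], ts[1]),
        "origin_time": from_ntp(ts[2], ts[3]),
        "receive_time": from_ntp(ts[4], ts[5]),
        "transmit_time": from_ntp(ts[6], ts[7]),
    }


def is_null_probe(packet):
    """True for the minimal request seen from avastsvc.exe: one flags byte
    (0x08 = NTPv1, mode 0) followed by 47 zero bytes."""
    return len(packet) == 48 and packet[0] == 0x08 and not any(packet[1:])


# Constructed sample datagrams reproducing the dissected values in the thread.
CLIENT_PROBE = bytes([0x08]) + bytes(47)


def build_server_reply():
    # precision byte -20 (~1 us) is an assumption; the capture only shows 0.000000 sec
    ref_s, ref_f = to_ntp(datetime(2015, 2, 13, 14, 3, 44, 446554, tzinfo=timezone.utc))
    rx_s, rx_f = to_ntp(datetime(2015, 2, 13, 14, 8, 52, 199725, tzinfo=timezone.utc))
    tx_s, tx_f = to_ntp(datetime(2015, 2, 13, 14, 8, 52, 199738, tzinfo=timezone.utc))
    return struct.pack(HEADER_FMT, 0x0c, 2, 3, -20, 72, 1645,   # 72/65536 ~ 0.0011 s, 1645/65536 ~ 0.0251 s
                       bytes([145, 238, 203, 14]),
                       ref_s, ref_f, 0, 0, rx_s, rx_f, tx_s, tx_f)


SERVER_REPLY = build_server_reply()

if __name__ == "__main__":
    for name, pkt in (("client", CLIENT_PROBE), ("server", SERVER_REPLY)):
        print(name, "null probe:", is_null_probe(pkt))
        for key, value in parse_ntp(pkt).items():
            print("  %-20s %s" % (key, value))
```

Run it and the client datagram decodes exactly as in the first capture (NTPv1, mode 0, stratum 0, precision 1 s, all timestamps zero), which is why the bytes look like garbage: every field except the version bits is zero. The reply decodes as stratum 2, mode 4, with only the receive and transmit timestamps filled in, so a server does answer such a probe with the current time even though the origin timestamp is never echoed back. Feeding `parse_ntp` the payload of any captured UDP/123 datagram gives the same breakdown.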

Since your query is not a general one but rather one for a specialist, it is not surprising no-one has replied so far.
I’ve asked avast to have a look at this thread and expect someone to respond to you soon.

Thank you - that’s much appreciated :slight_smile:

It is just a small thing to do. :wink:

I have the opposite problem. It appears that avast is blocking my time servers. If I disable the shields I can synchronize with my time servers. It may have happened when I had the trial version that included the firewall but I chose to keep the Windows built-in one instead, and/or when I downgraded to the free version. Should I uninstall the version I have and reinstall the free version, or should I configure the Windows firewall?

First, reviving a thread from 2015 isn’t helpful. :wink:
Second, provide details, else we could only guess.

Make your posts in your own NEW thread, not this old, unrelated one. Thanks