OK…thx…but I do not understand why all these type websites OP lists are pinged to DNS IP ?
Also, why so many times/frequency ?
It seems to me (like the example you use with the web browser pre-fetch) that Avast would look in the router table and only test the DNS addresses of IPs visited or some “basic” well known sites…while all the porn and suspect sites ?..seems like you would be testing “good” sites for bad IPs ?
Also…and I am by FAR no expert on this…why would you mess with the router ?
Why wouldn’t Avast do this at the “PC” & Browser level ?
IMHO I don’t want Avast mucking about on my network…I want you resident on the PC snooping/blocking/etc. items that are from/to the PC…not upstream. In fact, I’d rather see Avast expand your coverage to exploit attacks…ala new MBAM Exploit. https://www.malwarebytes.org/antiexploit/
Just my opinion but Avast needs to improve on the A/V side at the client level…these other “Tools” and Network efforts appear to be diluting you…the more of this you do the less I like Avast.
Those sites from the list are known and popular sites. Sure, not for everybody, but in the global point of view, that’s how it is.
Why do it? Well, the more layers of protection you have, the better protected you are. No antivirus product detects everything… so as I wrote before - yes, the Web Shield should/could detect the fake content if you were redirected to a malicious page. But detecting even the presence of the redirection itself is better than just detecting the subsequently downloaded content (also because you know the problem is on your machine/network, while in the other case you may think the remote web page got compromised).
Plus, there may not even be any malicious content to report… in some cases the attackers may just be eavesdropping on your communication and getting your personal data - without serving any malicious content to detect. So it’s better to report the vulnerability on the network than to wait for some “visible” problems to manifest.
OK…I get the intent (valid/good reason) but I will politely disagree with the amount/frequency and “way” this is being done.
If Avast wants to protect the user from this you need to restrict yourself to the sites being visited at the “time” of request.
Again, not an expert but this seems like it can be done in the Web Shield (not just fake content but the re-direct)…intruding on how the router works only causes more layers of things to go wrong (example: how does this work if thru OpenDNS I am blocking these type sites ?, also if this causes network issues it is VERY difficult to trace/ID). Also, I completely disagree that just because these sites are OK everywhere else that it is OK for them to show up on my connections in any form. For me I am a FREE user mostly and the one PC I am not on FREE I am now downgrading to FREE…“this” protection/layer you offer is not worth this intrusion…sorry. I can easily lock down my router without the need for this.
Also, I only point this out because if the bulk of Avast users were educated that this type traffic/operation is going on you’d get a lot of rejection and bad press. I hope you re-think “how” this layer is done.
It cannot be done for visited domains only because it’s simply not enough data to judge by (plus, it’s not possible to check every DNS request for every insignificant domain - if that’s what you mean - Geo DNS would interfere with that) - so it would be basically the same as removing that functionality altogether.
Feel free to disable the Home Network Security tool if you don’t like it (but I certainly disagree with your conclusions, sorry).
That’s OK…my gut feel tells me if other users find out “how” Avast is implementing you are going to get a fairly negative response. I think the only reason you are not now is that typical users are blind to what is being done.
I can hardly think about something less intrusive and benign than resolving a DNS query. As I said before, I understand the inconvenience if you gather logs of DNS queries and then get confused, but beside this I don’t see any actual reason why this operation (doing a DNS query) be something we should avoid.
From what you said it seems that you have issues with Avast doing any network related probes - not that you would find DNS queries the problem themselves. In this case I would really suggest you to disable Home Network Security completely.
Anyway, thanks for the feedback, we’ll try to find out some improvements to the functionality so that these questionable domains are queried only if really required.
Personally I would think that may well make it look even more suspicious as the user’s firewall or sniffer logs would still be logging this activity - yet looking in the avast log would essentially just show the encrypted data. So the user would still be wondering what the hell avast is doing.
Hi Bob, the OP reported that he used OpenDNS to create a log of all DNS activity. You can also capture packets on the network and create a log file from the capture. From the packet log, you can however also tell that the domains are not accessed - which means no connection and traffic between your PC and the suspicious site(s).
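The check described in the post above, written out as an added example that is not part of the original thread: it correlates DNS answers with outbound connections to separate names that were only resolved from names that were actually contacted. The capture format, field names, domains and addresses are all constructed for illustration.

```python
import csv
import io

# Constructed capture summary (not real traffic). "dns" rows are A-record
# answers seen on the wire; "tcp" rows are outbound SYNs from the PC.
CAPTURE = """\
time,kind,name,addr,port
10.01,dns,probe-one.example,192.0.2.10,
10.02,dns,probe-two.example,192.0.2.20,
10.03,dns,news.example,198.51.100.5,
10.20,tcp,,198.51.100.5,443
11.00,dns,probe-one.example,192.0.2.10,
11.05,tcp,,203.0.113.9,443
"""

def classify(capture_text):
    """Return {name: {"lookups": n, "accessed": bool}} for every resolved name."""
    answers = {}      # name -> {ip: time of first answer carrying that ip}
    lookups = {}      # name -> number of DNS answers seen
    connections = []  # (time, destination ip) for each outbound SYN
    for row in csv.DictReader(io.StringIO(capture_text)):
        t = float(row["time"])
        if row["kind"] == "dns":
            lookups[row["name"]] = lookups.get(row["name"], 0) + 1
            answers.setdefault(row["name"], {}).setdefault(row["addr"], t)
        elif row["kind"] == "tcp":
            connections.append((t, row["addr"]))
    report = {}
    for name, ips in answers.items():
        # "Accessed" = a connection to one of the answered IPs at or after the answer.
        # Shared hosting/CDN addresses can make this over-report access.
        accessed = any(ip in ips and t >= ips[ip] for t, ip in connections)
        report[name] = {"lookups": lookups[name], "accessed": accessed}
    return report

def resolved_only(capture_text):
    """Names that were looked up but never connected to."""
    return sorted(n for n, r in classify(capture_text).items() if not r["accessed"])

if __name__ == "__main__":
    for name, r in classify(CAPTURE).items():
        print(f"{name:20} lookups={r['lookups']} accessed={r['accessed']}")
    print("resolved only:", resolved_only(CAPTURE))
```

A DNS-only log such as the OpenDNS statistics contains just the lookup rows, which is why it cannot distinguish the two cases on its own.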
As you stated, there are a lot of people who use OpenDNS…great solution. One of the very nice features is to see the statistics of what is being accessed & frequency. I use OpenDNS for variety of things…manage websites my kids can visit on a “global” level within the home, log/see what is going on, and also even look at the stats…one very good way to see that you have a lot of Adware to go resolve.
I no longer have as they say “any dog in the hunt” since I’ve disabled the Avast Home Network function but as an Avast fan I hope to see Avast look into how this works/looks at the ISP level. Avast has 200million users…OpenDNS is HUGE as well.
The issue as outlined by the OP is that while Avast is not contacting the sites it is seen in the OpenDNS logs.
It would also be a good experiment…which I did not try…to put some of these sites on the OpenDNS blacklist of your OpenDNS account and see what happens during an Avast query of the IP thru this layer.
Anyway, I’d suggest Avast do some testing with OpenDNS…seems it would be beneficial.
The OP isn’t the only one using OpenDNS. I was one of the very first forum members to recommend the use of that service a very long time ago.
I am just uncomfortable with that list even if it clearly states that those sites were not accessed.
FYI: OpenDNS will not log anything if the DNS servers on your computer or router are compromised / hijacked, while Avast will know about it and alert you.
@thekochs
After the last explanations I think I understand this function, and if nothing of these searches are going outside to the Internet - I cannot see anything harmful for me. To say “check only inside my computer” ignores the attacks to the routers we all need to use.
The only real problem left is - this function (and others too) should be explained to new customers of the program. It’s not very funny when I have to search around for information when I change to such a sensitive and always working tool as a malware scanner.
An easy-to-understand example: in another thread I asked lately for the directory of the virus quarantine store. I want to know these files when I get a malware alert and want to check for false positive on jotti or virustotal. Never got an answer.
Another example are some very short and rough answers in some threads - instead of RTFM or “use search” or “click the question mark” the helper could give a link to an explanation.
stibi
P.S. how can I search for threads where I wrote? This is also a miracle for me …
I agree it should be somewhere in helps or knowledge base - but you’d still need to know you should be looking there (and I’m not sure you would here). Plus, this kind of stuff changes dynamically, e.g. to deal with new threats - so what we are talking about here may be true today, but the behavior may be different tomorrow (and I don’t mean in the future version of the program, I mean tomorrow).
The quarantine (Chest) is in the “chest” subfolder of the Avast data folder (C:\ProgramData\AVAST Software\Avast).
However, the files are renamed and their content is scrambled, so I don’t know if it’s of much use for you.
Seriously, if you publicized “how” this is working I’m sure you are going to get a ton of people OK with it, a ton that are not. I fall in the latter category so I have chosen to disable this Avast feature and work the security myself.
You can’t upload from the virus chest - so you have to Extract (not Restore) from the chest to a location outside of the chest. The reason not to Restore is that this sends a copy back to the original location, if it was truly infected it could well be active (if a registry entry or other means of running it were present).
You can’t do this with the file securely in the chest, you need to Open the chest and right click on the file and select ‘Extract’ it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.
Now you can Extract it (a copy) to that location and upload it to virustotal, etc.