Vulnerability Detected -alert from Network Shield-

Avast Free Antivirus / Premium Security
1

I’ve been having this pop up alert for the last two days from the Network Shield but when I look at the logs there is nothing there.
What does it mean?
The next time it happens I’ll try to post a screen shot.

Martin.-

2

Network shield usually block’s access to malicious site’s, have you checked ( program data/alwil software/avast5/log/nshield ) should be something there if its blocked it.

3

Yes, I was doing that.
They are DCOM and LSASS exploit attacks to ports 135 and 445 but they come from my router (???)
How can this be?

Martin.-

4

port 445 is typically used by window’s file sharing and some p 2 p program’s. Have you run a full scan with malwarebytes to see if any nasties have crept there way in to your system.

5

Will do. Although I’m pretty sure the pc is clean.
Besides even though I rarely use BitTorrent I have it set on a high port and block all the rest -which includes 445-.
My PC is on a home lan but at the time of the alerts no other PC was turned on.
Really weird.

Martin.-

6

Did the Scan, found 0 threats. Now What?
Everything is working fine despite the alerts but since they quote my router’s IP I’m getting worried.

Martin.-

7

It sounds like your router forwards incoming traffic to your PC on local ports 445/135 (see NAT info, that’s why you see router’s IP in the pop-up). Your computer may be vulnerable (I don’t say it is!!) that’s why avast scans all incoming traffic on 445/135 local ports. If you don’t have those ports opened or they’re blocked in your firewall… it’s good for you, but avast doesn’t know that.

Probably some other PCs send DCOM/LSASS exploits on your IP address and because your router doesn’t block them, avast is able to scan those packets. Just turn firewall on in your router’s settings - or block DCOM service in its settings.

8

My router blocks all incoming IP traffic and the DMZ is enabled so all traffic that is not routed by me via Virtual Servers or port triggering is redirected there.
There is no rule to forward any traffic on those ports to my PC’s IP which by the way, is not on the DHCP list, it is a fixed IP outside that range.
There should be NO traffic coming to those ports from the Router’s IP to my PC.
Any other ideas?

Martin.-

9

Could you use Wireshark (http://www.wireshark.org/download.html) to make sure?

10

Did a capture with wireshark but the log is huge. I started BitTorrent to make all the stress possible.
I’ll try to upload the file somewhere and let you know so you can download it if you want to give me a hand.
Will analyze it later.

Martin.-