Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Sulphate on December 31, 2014, 09:20:16 PM

Title: .
Post by: Sulphate on December 31, 2014, 09:20:16 PM
.
Title: Re: Avast accessing websites (DNS logs)
Post by: Pondus on December 31, 2014, 09:50:42 PM
What avast version do you have?  I think this is related to avast secure DNS. This was asked / and explained by someone from avast team in another post.

If I find it I will post a link....

Title: .
Post by: Sulphate on December 31, 2014, 10:09:47 PM
.
Title: Re: Avast accessing websites (DNS logs)
Post by: David1008 on January 01, 2015, 10:00:51 AM
Hello Sulphate

May the avast forum users have more information about the current issue that you are experiencing so we can clarify and fix the issue.


What OS do you use, x86 or x64?
If you use other antivirus did you use their official antivirus removal tool?
Are Windows Update and Drivers all updated?
Other Programs you are using?
Are the other Programs you are using updated to the latest version?
Title: Re: Avast accessing websites (DNS logs)
Post by: Sulphate on January 01, 2015, 10:56:32 AM
.
Title: .
Post by: Sulphate on January 04, 2015, 10:21:36 AM
.
Title: Re: Avast accessing websites (DNS logs)
Post by: RejZoR on January 04, 2015, 10:51:07 AM
Erm, why did you even bother asking here if you weren't interested in resolving the "issue" in the first place? We don't even know what you were on about with the DNS logs and avast! "accessing" webpages. I hope you do realize that avast! is verifying/scanning all accessed URLs and webpages for malware and phishing, ever thought it might be that?
Title: .
Post by: Sulphate on January 04, 2015, 11:27:49 AM
.
Title: Re: Avast accessing websites (DNS logs)
Post by: igor on January 04, 2015, 12:30:37 PM
Avast doesn't access those sites (should be easy to see via a firewall, shouldn't it?) - it only resolves those DNS records.
The operation is part of the Home Network Security feature - checks for DNS compromise / redirection to unrelated sites.
Title: Re: Avast accessing websites (DNS logs)
Post by: RejZoR on January 04, 2015, 01:34:27 PM
When I read your post, all it said was (let me quote it): "."

That was all it said, so don't yell at me for not understanding what a period is supposed to mean...

@igor
Maybe I don't quite understand it, but why does avast! have to resolve unrelated address through DNS if user doesn't actually try to access those specific webpages? I understand that if you visit one of the mentioned addresses, avast! checks if everything is fine, but why does it have to if you don't visit them?

I thought I understand the scanning/cloud part but apparently I'm missing knowledge on this one...
Title: Re: Avast accessing websites (DNS logs)
Post by: bob3160 on January 04, 2015, 02:46:54 PM
Maybe I'm missing something ??? If someone were to examine my computer,
would it look as though I accessed these sites daily?
Title: Re: Avast accessing websites (DNS logs)
Post by: igor on January 04, 2015, 06:29:06 PM
Maybe I'm missing something ??? If someone were to examine my computer,
would it look as though I accessed these sites daily?

Nope - your computer doesn't access the site, there's no communication with the site, no data are downloaded from there.
Just your DNS server is asked to convert the particular domain to the corresponding IP address - but that IP address is not contacted.

Maybe I don't quite understand it, but why does avast! have to resolve unrelated address through DNS if user doesn't actually try to access those specific webpages? I understand that if you visit one of the mentioned addresses, avast! checks if everything is fine, but why does it have to if you don't visit them?

This is not connected with the ordinary Web Shield scanning. The Home Network Security feature tries to find vulnerabilities on your local network (say a router with the ROM-0 vulnerability, a router with a weak default password - accessible from the Internet etc.). It also tries to detect other problems like compromised DNS (be it a router problem, hijacked hosts file or something else) - part of which is checking (= resolving) a number of popular domains and somehow evaluating the result; if HNS concludes that the DNS returns suspicious results, it will notify you about the problem. [Like it or not, but those are quite popular domains - but it's certainly not a complete list of what's checked.]
So this is not about the scanning of a particular network connection, this is about evaluating the general state of your DNS. Whether Web Shield would detect the malicious content after your DNS redirects you to a bad site... well, maybe/hopefully. This is just another, different protection layer.
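The check igor describes (resolve a set of popular domains, then judge the answers as a whole) can be sketched as follows. This is an added example, not Avast's code and not part of any post: the scoring rules, thresholds, domain names and addresses are all assumptions or constructed sample data, and the reference answers stand in for a resolver you trust.

```python
"""Resolver sanity check over a set of popular domains (added example).

The scoring rules are assumptions for illustration, not Avast's logic.
All domains and addresses are constructed sample data (IPv4 A records only).
"""
import ipaddress
from collections import defaultdict

# Ranges a public, popular domain should never resolve to.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def is_non_routable(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def prefix24(addr):
    # Compare at /24 granularity so two hosts of one server farm still match.
    return ipaddress.ip_network(addr + "/24", strict=False)


def evaluate(local, reference, converge_min=3, weak_ratio=0.5):
    """local / reference: dict of domain -> list of A records.

    Returns (verdict, findings); findings is a list of (domain, reason).
    """
    findings = []
    by_ip = defaultdict(set)

    # Strong signal 1: a public domain answered with a non-routable address.
    for domain, addrs in local.items():
        for addr in addrs:
            by_ip[addr].add(domain)
            if is_non_routable(addr):
                findings.append((domain, "non-routable answer " + addr))

    # Strong signal 2: several unrelated domains collapse onto one address,
    # which is what a resolver pointing traffic at a single proxy looks like.
    for addr, domains in by_ip.items():
        if len(domains) >= converge_min:
            for domain in sorted(domains):
                findings.append((domain, "shares " + addr + " with other domains"))

    strong = {domain for domain, _ in findings}

    # Weak signal: no /24 overlap with the reference answers. GeoDNS and CDNs
    # make this normal for a single domain, so it only counts in bulk.
    weak = set()
    for domain, addrs in local.items():
        ref = reference.get(domain)
        if not ref or domain in strong:
            continue
        ref_nets = {prefix24(r) for r in ref}
        if not any(prefix24(a) in ref_nets for a in addrs):
            weak.add(domain)
            findings.append((domain, "no overlap with reference (possible GeoDNS)"))

    bulk_mismatch = len(weak) / max(len(local), 1) >= weak_ratio
    verdict = "suspicious" if strong or bulk_mismatch else "ok"
    return verdict, findings


# Constructed sample data: answers from a trusted resolver ...
REFERENCE = {
    "video.example": ["198.51.100.10"],
    "mail.example": ["198.51.100.20", "198.51.100.21"],
    "bank.example": ["192.0.2.30"],
    "social.example": ["192.0.2.40"],
    "shop.example": ["203.0.113.50"],
}
# ... a healthy local resolver (one GeoDNS difference) ...
CLEAN = dict(REFERENCE, **{
    "video.example": ["203.0.113.110"],
    "mail.example": ["198.51.100.21"],
})
# ... and a tampered one: three domains redirected to one host, one to the LAN.
HIJACKED = dict(REFERENCE, **{
    "bank.example": ["203.0.113.66"],
    "mail.example": ["203.0.113.66"],
    "social.example": ["203.0.113.66"],
    "shop.example": ["192.168.1.1"],
})

if __name__ == "__main__":
    for name, answers in (("clean", CLEAN), ("hijacked", HIJACKED)):
        verdict, findings = evaluate(answers, REFERENCE)
        print(name, "->", verdict)
        for domain, reason in findings:
            print("   ", domain, ":", reason)
```

A single mismatch is tolerated on purpose; the verdict changes only on a strong signal or when at least half of the checked domains disagree with the reference.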
Title: .
Post by: Sulphate on January 04, 2015, 08:29:12 PM
.
Title: Re: Avast accessing websites (DNS logs)
Post by: thekochs on January 04, 2015, 08:36:08 PM
Nope - your computer doesn't access the site, there's no communication with the site, no data are downloaded from there.
Just your DNS server is asked to convert the particular domain to the corresponding IP address - but that IP address is not contacted.

So what you are saying is that Avast loads various "sites" (no comms, no data) to test the DNS IP address return ?
If so, why would it contain these type sites listed ? .....how does Avast choose sites to test IP ?

Anyway.....Wow, while I get the "intent" of this "layer" most definitely an activity I don't want happening in the background on my PCs....this is why I run OpenDNS.  IMHO seems to me Avast should work on extending items like ID-ing online exploits of your PC security holes (eg. Java, Adobe, etc.) and not trying to manage the network layer.....to me WAY out of the scope of an A/V.
Title: Re: Avast accessing websites (DNS logs)
Post by: lukor on January 04, 2015, 10:28:44 PM
Nope - your computer doesn't access the site, there's no communication with the site, no data are downloaded from there.
Just your DNS server is asked to convert the particular domain to the corresponding IP address - but that IP address is not contacted.

So what you are saying is that Avast loads various "sites" (no comms, no data) to test the DNS IP address return ?
If so, why would it contain these type sites listed ? .....how does Avast choose sites to test IP ?

Anyway.....Wow, while I get the "intent" of this "layer" most definitely an activity I don't want happening in the background on my PCs....this is why I run OpenDNS.  IMHO seems to me Avast should work on extending items like ID-ing online exploits of your PC security holes (eg. Java, Adobe, etc.) and not trying to manage the network layer.....to me WAY out of the scope of an A/V.

Hi,
avast does not load the sites, it merely connects to the router and asks it a few questions. It does not connect to the IP, does not check if the IP is accessible or not, nothing. Compare it to for example the prefetch feature of the modern browsers - where site might get downloaded only because it is shown in the search result list.

The sites used by avast happen to be from the alexa.com top 1000 sites list.

Can you please elaborate why you have troubles with avast doing these DNS requests? I can see now that it may not look pretty when the logs are viewed by some other person (say a network admin in a corporate environment), but why do you personally have issues with this?  Is the bandwidth consumed by the DNS lookup (once a day) the concern? We would probably like to improve this and add more configuration options (such as a way to keep HNS enabled but disable these periodic scans - currently you can only disable HNS as a whole in Settings / Tools / HNS), but to do this we would like to know your reasons.

thanks. lukas
Title: Re: Avast accessing websites (DNS logs)
Post by: thekochs on January 04, 2015, 11:14:37 PM
avast does not load the sites, it merely connects to the router and asks it a few questions. It does not connect to the IP, does not check if the IP is accessible or not, nothing. Compare it to for example the prefetch feature of the modern browsers - where site might get downloaded only because it is shown in the search result list.

Thx....but if Avast does not go "out" past the router then why does OpenDNS show the sites as OP outlined ?

Also, alexa.com is meant as an analytics tool.
On the surface this looks less like "security" and more about data collection, etc.
It is items like this that get people wondering if Avast collect and sell user data ?
At the very least Avast is using the access to generate a ton of analytics.....seems awful heavy handed.
The Avast EULA http://files.avast.com/files/legal/eula-avast-free.pdf states the information collected.......
The information collected by the Software is generally not correlated with any other personal information related to you that AVAST may be processing such as information given by you to AVAST or its distributors or agents during the process of ordering and downloading the Software. Unless you have permitted otherwise, the information collected by the Software is used anonymously in aggregation with similar information from other users of the Software for analytical purposes to identify new viruses and threats and for improvement and development of the Software and for statistical purposes.
Title: Re: Avast accessing websites (DNS logs)
Post by: stibi on January 04, 2015, 11:45:45 PM
I don't use DNS logs, but I also don't understand the reason to "connect to the router and ask it a few questions" for a mass of IP addresses. The result will not be very surprising. The addresses will be well known. Or do you search for any kind of forgery?
Title: Re: Avast accessing websites (DNS logs)
Post by: RejZoR on January 05, 2015, 08:35:09 AM
So, if I understand it correctly, avast! connects to router and checks if the address it asked for is also returned by the router. If it's not, this may be indication that something is redirecting your connections on your computer. Or have I failed understanding it? This is basically an internal connectivity check and doesn't actually go beyond your home network.
Title: Re: Avast accessing websites (DNS logs)
Post by: igor on January 05, 2015, 09:32:03 AM
avast does not load the sites, it merely connects to the router and asks it a few questions. It does not connect to the IP, does not check if the IP is accessible or not, nothing. Compare it to for example the prefetch feature of the modern browsers - where site might get downloaded only because it is shown in the search result list.

Thx....but if Avast does not go "out" past the router then why does OpenDNS show the sites as OP outlined ?

I don't think Lukor meant to say that the DNS queries don't go past the router... the router doesn't have a table of all domains on the Internet, it propagates the queries further - to the DNS servers.

Also, alexa.com is meant as an analytics tool.
On the surface this looks less like "security" and more about data collection, etc.
It is items like this that get people wondering if Avast collect and sell user data ?
At the very least Avast is using the access to generate a ton of analytics.....seems awful heavy handed.

I think you got it wrong (vice versa, I would say)... alexa.com list is built on the results of analytics. To trigger the analytics, you would not only have to connect to the particular site (which doesn't happen there), but also to download its web page and download the links from that web page (one of those being the analytical link).
Selling DNS results? They would be basically the same for almost all the users - no interesting data here ;)


I don't use DNS logs, but I also don't understand the reason to "connect to the router and ask it a few questions" for a mass of IP addresses. The result will not be very surprising. The addresses will be well known. Or do you search for any kind of forgery?

Yes, exactly. The expected results are well known - and that would be the case for most users. However, if you have a compromised router that redirects some domains to fake/phishing pages, you get something unexpected and you may report a problem (of course, assuming that it's at least one of checked domains that gets redirected - that's why the top alexa.com domains were chosen - being popular, they are also likely to be used for an attack).


So, if I understand it correctly, avast! connects to router and checks if the address it asked for is also returned by the router. If it's not, this may be indication that something is redirecting your connections on your computer. Or have I failed understanding it? This is basically an internal connectivity check and doesn't actually go beyond your home network.

Lukor may correct me if I'm wrong, but I believe Avast simply makes a number of DNS queries. Sure, they go via your router (all your traffic does), the router could be the potential cause of problems (if any are found), but I wouldn't say it doesn't go beyond your home network - the queries would be propagated to DNS servers (usually supplied by your ISP, or OpenDNS if you manually configured that).
Title: Re: Avast accessing websites (DNS logs)
Post by: lukor on January 05, 2015, 09:33:23 AM
I don't use DNS logs, but I also don't understand the reason to "connect to the router and ask it a few questions" for a mass of IP addresses. The result will not be very surprising. The addresses will be well known. Or do you search for any kind of forgery?

We are doing this to detect so-called DNS hijacking, where a malicious attacker might change the settings inside your PC (and point you to an infected DNS server), or with the help of router vulnerabilities (such as ROM0) or misconfiguration (such as default passwords) change the DNS settings on your router.

http://www.gohacking.com/dns-hijacking/
http://www.whogothacked.com/2014/02/hackers-exploiting-router.html
http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/
Title: Re: Avast accessing websites (DNS logs)
Post by: thekochs on January 05, 2015, 02:10:37 PM
OK...thx.......but I do not understand why all these type websites OP lists are pinged to DNS IP ?
Also, why so many times/frequency ?

It seems to me (like the example you use with the web browser pre-fetch) that Avast would look in the router table and only test the DNS addresses of IPs visited or some "basic" well known sites......while all the porn and suspect sites ?......seems like you would be testing "good" sites for bad IPs ?

Also......and I am by FAR no expert on this......why would you mess with the router ?
Why wouldn't Avast do this at the "PC" & Browser level ?
IMHO I don't want Avast mucking about on my network....I want you resident on the PC snooping/blocking/etc. items that are from/to the PC.....not upstream.  In fact, I'd rather see Avast expand your coverage to exploit attacks....ala new MBAM Exploit.
https://www.malwarebytes.org/antiexploit/
Just my opinion but Avast needs to improve on the A/V side at the client level....these other "Tools" and Network efforts appear to be diluting you....the more of this you do the less I like Avast.

Thx.
Title: Re: Avast accessing websites (DNS logs)
Post by: igor on January 05, 2015, 03:11:02 PM
Those sites from the list are known and popular sites. Sure, not for everybody, but in the global point of view, that's how it is.

Why do it? Well, the more layers of protection you have, the better protected you are. No antivirus product detects everything... so as I wrote before - yes, the Web Shield should/could detect the fake content if you were redirected to a malicious page. But detecting even the presence of the redirection itself is better than just detecting the subsequently downloaded content (also because you know the problem is on your machine/network, while in the other case you may think the remote web page got compromised).
Plus, there may not even be any malicious content to report... in some cases the attackers may just be eavesdropping on your communication and getting your personal data - without serving any malicious content to detect. So it's better to report the vulnerability on the network than to wait for some "visible" problems to manifest.
Title: Re: Avast accessing websites (DNS logs)
Post by: thekochs on January 05, 2015, 03:41:52 PM
Those sites from the list are known and popular sites. Sure, not for everybody, but in the global point of view, that's how it is.

Why do it? Well, the more layers of protection you have, the better protected you are. No antivirus product detects everything... so as I wrote before - yes, the Web Shield should/could detect the fake content if you were redirected to a malicious page. But detecting even the presence of the redirection itself is better than just detecting the subsequently downloaded content (also because you know the problem is on your machine/network, while in the other case you may think the remote web page got compromised).
Plus, there may not even be any malicious content to report... in some cases the attackers may just be eavesdropping on your communication and getting your personal data - without serving any malicious content to detect. So it's better to report the vulnerability on the network than to wait for some "visible" problems to manifest.

OK....I get the intent (valid/good reason) but I will politely disagree with the amount/frequency and "way" this is being done.
If Avast wants to protect the user from this you need to restrict yourself to the sites being visited at the "time" of request.
Again, not an expert but this seems like it can be done in the Web Shield (not just fake content but the re-direct)....intruding on how the router works only causes more layers of things to go wrong (example: how does this work if thru OpenDNS I am blocking these type sites ?, also if this causes network issues it is VERY difficult to trace/ID).  Also, I completely disagree that just because these sites are OK everywhere else that it is OK for them to show up on my connections in any form.  For me I am a FREE user mostly and the one PC I am not on FREE I am now downgrading to FREE......."this" protection/layer you offer is not worth this intrusion.....sorry.  I can easily lock down my router without the need for this.

Also, I only point this out because if the bulk of Avast users were educated that this type traffic/operation is going on you'd get a lot of rejection and bad press.  I hope you re-think "how" this layer is done.
Title: Re: Avast accessing websites (DNS logs)
Post by: igor on January 05, 2015, 03:50:00 PM
It cannot be done for visited domains only because it's simply not enough data to judge by (plus, it's not possible to check every DNS request for every insignificant domain - if that's what you mean - Geo DNS would interfere with that) - so it would be basically the same as removing that functionality altogether.

Feel free to disable the Home Network Security tool if you don't like it (but I certainly disagree with your conclusions, sorry).
Title: Re: Avast accessing websites (DNS logs)
Post by: thekochs on January 05, 2015, 03:53:06 PM
Feel free to disable the Home Network Security tool if you don't like it (but I certainly disagree with your conclusions, sorry).

That's OK........my gut feel tells me if other users find out "how" Avast is implementing you are going to get a fairly negative response.  I think the only reason you are not now is that typical users are blind to what is being done.
Title: Re: Avast accessing websites (DNS logs)
Post by: lukor on January 05, 2015, 04:16:47 PM

That's OK........my gut feel tells me if other users find out "how" Avast is implementing you are going to get a fairly negative response.  I think the only reason you are not now is that typical users are blind to what is being done.

I can hardly think about something less intrusive and benign than resolving a DNS query. As I said before, I understand the inconvenience if you gather logs of DNS queries and then get confused, but beside this I don't see any actual reason why this operation (doing a DNS query) would be something we should avoid.

From what you said it seems that you have issues with Avast doing any network related probes - not that you would find DNS queries the problem themselves. In this case I would really suggest you to disable Home Network Security completely.

Anyway, thanks for the feedback, we'll try to find out some improvements to the functionality so that these questionable domains are queried only if really required.

Thanks, Lukas.
Title: Re: Avast accessing websites (DNS logs)
Post by: bob3160 on January 05, 2015, 04:30:54 PM

That's OK........my gut feel tells me if other users find out "how" Avast is implementing you are going to get a fairly negative response.  I think the only reason you are not now is that typical users are blind to what is being done.

I can hardly think about something less intrusive and benign than resolving a DNS query. As I said before, I understand the inconvenience if you gather logs of DNS queries and then get confused, but beside this I don't see any actual reason why this operation (doing a DNS query) would be something we should avoid.

From what you said it seems that you have issues with Avast doing any network related probes - not that you would find DNS queries the problem themselves. In this case I would really suggest you to disable Home Network Security completely.

Anyway, thanks for the feedback, we'll try to find out some improvements to the functionality so that these questionable domains are queried only if really required.

Thanks, Lukas.
Why can't the list (log) be encrypted. Avast gets what it needs and we or any one else looking at our computer don't have to put up with that list.
Title: Re: Avast accessing websites (DNS logs)
Post by: DavidR on January 05, 2015, 04:43:38 PM
<snip quote>
I can hardly think about something less intrusive and benign than resolving a DNS query. As I said before, I understand the inconvenience if you gather logs of DNS queries and then get confused, but beside this I don't see any actual reason why this operation (doing a DNS query) would be something we should avoid.

From what you said it seems that you have issues with Avast doing any network related probes - not that you would find DNS queries the problem themselves. In this case I would really suggest you to disable Home Network Security completely.

Anyway, thanks for the feedback, we'll try to find out some improvements to the functionality so that these questionable domains are queried only if really required.

Thanks, Lukas.
Why can't the list (log) be encrypted. Avast gets what it needs and we or any one else looking at our computer don't have to put up with that list.

Personally I would think that may well make it look even more suspicious as the user's firewall or sniffer logs would still be logging this activity - yet looking in the avast log would essentially just show the encrypted data. So the user would still be wondering what the hell avast is doing.
Title: Re: Avast accessing websites (DNS logs)
Post by: lukor on January 05, 2015, 04:45:30 PM
Why can't the list (log) be encrypted. Avast gets what it needs and we or any one else looking at our computer don't have to put up with that list.

Hi Bob, the OP reported that he used OpenDNS to create log of all DNS activity. You can also capture packets on the network and create a log file from the capture. From the packet log, you can however also tell that the domains are not accessed - which means no connection and traffic between your PC and the suspicious site(s).
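The distinction lukor draws between a DNS lookup and an actual visit can be checked by joining a DNS log against connection records. This is an added example, not part of the post and not an Avast or OpenDNS tool: the two log formats, the hosts, the addresses and the 5-minute attribution window are all constructed assumptions.

```python
"""Separate "resolved only" from "actually contacted" (added example).

Log formats, hosts and addresses are constructed sample data; the
5-minute attribution window is an assumption.
"""
from datetime import datetime, timedelta

# Constructed DNS log: date time client qname answers(comma separated)
DNS_LOG = """\
2015-01-04 09:00:01 192.168.1.20 news.example 198.51.100.10
2015-01-04 09:00:01 192.168.1.20 popular-site.example 203.0.113.77
2015-01-04 09:00:01 192.168.1.20 video.example 192.0.2.40,192.0.2.41
2015-01-04 09:05:30 192.168.1.31 popular-site.example 203.0.113.77
"""

# Constructed connection log: date time client destination port
FLOW_LOG = """\
2015-01-04 08:59:00 192.168.1.20 192.0.2.41 443
2015-01-04 09:00:03 192.168.1.20 198.51.100.10 443
2015-01-04 09:05:31 192.168.1.31 203.0.113.77 443
"""


def _ts(date, time):
    return datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")


def parse_dns(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, qname, answers = line.split()
        yield _ts(date, time), client, qname.lower().rstrip("."), answers.split(",")


def parse_flows(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, dst, port = line.split()
        yield _ts(date, time), client, dst, int(port)


def classify(dns_text, flow_text, window_s=300):
    """Map (client, qname) -> True if that client connected to one of the
    answered addresses within window_s seconds after the lookup."""
    flows = list(parse_flows(flow_text))
    window = timedelta(seconds=window_s)
    result = {}
    for asked, client, qname, answers in parse_dns(dns_text):
        contacted = any(
            flow_client == client            # same machine that asked
            and dst in answers               # one of the resolved addresses
            and asked <= when <= asked + window  # after the lookup, in window
            for when, flow_client, dst, _port in flows
        )
        key = (client, qname)
        result[key] = result.get(key, False) or contacted
    return result


def resolved_only(result, client):
    """Names the client looked up but never connected to."""
    return sorted(q for (c, q), hit in result.items() if c == client and not hit)


if __name__ == "__main__":
    verdicts = classify(DNS_LOG, FLOW_LOG)
    for (client, qname), hit in sorted(verdicts.items()):
        print(client, qname, "contacted" if hit else "resolved only")
```

In the sample, 192.168.1.20 looked up `popular-site.example` but only 192.168.1.31 ever connected to it, and the connection to `192.0.2.41` predates the lookup, so it is not attributed to it.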
Title: Re: Avast accessing websites (DNS logs)
Post by: thekochs on January 05, 2015, 05:08:22 PM
Why can't the list (log) be encrypted. Avast gets what it needs and we or any one else looking at our computer don't have to put up with that list.

Hi Bob, the OP reported that he used OpenDNS to create log of all DNS activity. You can also capture packets on the network and create a log file from the capture. From the packet log, you can however also tell that the domains are not accessed - which means no connection and traffic between your PC and the suspicious site(s).

As you stated, there are a lot of people who use OpenDNS.....great solution.  One of the very nice features is to see the statistics of what is being accessed & frequency.  I use OpenDNS for variety of things....manage websites my kids can visit on a "global" level within the home, log/see what is going on, and also even look at the stats.......one very good way to see that you have a lot of Adware to go resolve. 

I no longer have as they say "any dog in the hunt" since I've disabled the Avast Home Network function but as an Avast fan I hope to see Avast look into how this works/looks at the ISP level.  Avast has 200million users......OpenDNS is HUGE as well.
The issue as outlined by the OP is that while Avast is not contacting the sites it is seen in the OpenDNS logs.
It would also be a good experiment.....which I did not try.....to put some of these sites on the OpenDNS blacklist of your OpenDNS account and see what happens during an Avast query of the IP thru this layer.

Anyway, I'd suggest Avast do some testing with OpenDNS.....seems it would be beneficial.

Cheers.
Title: Re: Avast accessing websites (DNS logs)
Post by: bob3160 on January 05, 2015, 06:11:57 PM
Why can't the list (log) be encrypted. Avast gets what it needs and we or any one else looking at our computer don't have to put up with that list.

Hi Bob, the OP reported that he used OpenDNS to create log of all DNS activity. You can also capture packets on the network and create a log file from the capture. From the packet log, you can however also tell that the domains are not accessed - which means no connection and traffic between your PC and the suspicious site(s).
The OP isn't the only one using OpenDNS. I was one of the very first forum members to recommend the use of that service a very long time ago.
I am just uncomfortable with that list even if it clearly states that those sites were not accessed.
Title: Re: Avast accessing websites (DNS logs)
Post by: Avosec-UK on January 05, 2015, 06:14:06 PM
The issue as outlined by the OP is that while Avast is not contacting the sites it is seen in the OpenDNS logs.

FYI: OpenDNS will not log anything if the DNS servers on your computer or router are compromised / hijacked, while Avast will know about it and alert you.  ;)
Title: Re: Avast accessing websites (DNS logs)
Post by: stibi on January 05, 2015, 07:06:58 PM
@thekochs
After the last explanations I think I understand this function, and if nothing of these searches is going outside to the Internet - I cannot see anything harmful for me. To say "check only inside my computer" ignores the attacks to the routers we all need to use.

The only real problem left is - this function (and others too) should be explained to new customers of the program. It's not very funny when I have to search around for information when I change to such a sensitive and always working tool as a malware scanner.

An easy-to-understand example: in another thread I asked lately for the directory of the virus quarantine store.  I want to know these files when I get a malware alert and want to check for false positives on jotti or virustotal. Never got an answer.

Another example are some very short and rough answers in some threads - instead of RTFM or "use search" or "click the question mark" the helper could give a link to an explanation.

stibi


P.S. how can I search for threads where I wrote? This is also a miracle for me ...
Title: Re: Avast accessing websites (DNS logs)
Post by: bob3160 on January 05, 2015, 07:21:34 PM
P.S. how can I search for threads where I wrote? This is also a miracle for me ...
@ stibi,
Click on your username
(http://www.screencast-o-matic.com/screenshots/u/Lh/1420481831597-5217.png)
Next:
(http://www.screencast-o-matic.com/screenshots/u/Lh/1420481922236-78323.png)
That will show you all of your participation on this forum.
(http://www.screencast-o-matic.com/screenshots/u/Lh/1420482073732-63242.png)
Title: Re: Avast accessing websites (DNS logs)
Post by: igor on January 05, 2015, 08:02:47 PM
The only real problem left is - this function (and others too) should be explained to new customers of the program. It's not very funny when I have to search around for information when I change to such a sensitive and always working tool as a malware scanner.

I agree it should be somewhere in helps or knowledge base - but you'd still need to know you should be looking there (and I'm not sure you would here). Plus, this kind of stuff changes dynamically, e.g. to deal with new threats - so what we are talking about here may be true today, but the behavior may be different tomorrow (and I don't mean in the future version of the program, I mean tomorrow).


An easy-to-understand example: in another thread I asked lately for the directory of the virus quarantine store.  I want to know these files when I get a malware alert and want to check for false positives on jotti or virustotal. Never got an answer.

The quarantine (Chest) is in the "chest" subfolder of the Avast data folder (C:\ProgramData\AVAST Software\Avast).
However, the files are renamed and their content is scrambled, so I don't know if it's of much use for you.
Title: Re: Avast accessing websites (DNS logs)
Post by: bob3160 on January 05, 2015, 08:31:20 PM
There's also a very easy way to get to the virus chest and always have it handy. Just look at:
http://youtu.be/Ox8LU6GOlok
Title: Re: Avast accessing websites (DNS logs)
Post by: thekochs on January 05, 2015, 10:43:30 PM
The issue as outlined by the OP is that while Avast is not contacting the sites it is seen in the OpenDNS logs.

FYI: OpenDNS will not log anything if the DNS servers on your computer or router are compromised / hijacked, while Avast will know about it and alert you.  ;)

Why go thru all the efforts.....change your PW on router, disable remote access over WAN and check https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS Seems Avast could just get your IP address and check this link too.......obviously I'm over simplifying.

Seriously, if you publicized "how" this is working I'm sure you are going to get a ton of people OK with it, a ton that are not.  I fall in the latter category so I have chosen to disable this Avast feature and work the security myself.
Title: Re: Avast accessing websites (DNS logs)
Post by: stibi on January 06, 2015, 12:05:43 AM
@ stibi,
Click on your username ..

Thank you - it is easy if you know that, but hard to find for a newbie.
Title: Re: Avast accessing websites (DNS logs)
Post by: stibi on January 06, 2015, 12:10:10 AM
The quarantine (Chest) is in the "chest" subfolder of the Avast data folder (C:\ProgramData\AVAST Software\Avast).
However, the files are renamed and their content is scrambled, so I don't know if it's of much use for you.
Well, in the meantime I found that place myself. If these files there are not original: how can I test them at Jotti or virustotal?
Title: Re: Avast accessing websites (DNS logs)
Post by: DavidR on January 06, 2015, 12:39:15 AM
The quarantine (Chest) is in the "chest" subfolder of the Avast data folder (C:\ProgramData\AVAST Software\Avast).
However, the files are renamed and their content is scrambled, so I don't know if it's of much use for you.
Well, in the meantime I found that place myself. If these files there are not original: how can I test them at Jotti or virustotal?

You can't upload from the virus chest - so you have to Extract (not Restore) from the chest to a location outside of the chest. The reason not to Restore is that this sends a copy back to the original location; if it was truly infected it could well be active (if a registry entry or other means of running it were present).

You can't do this with the file securely in the chest, you need to Open the chest and right click on the file and select 'Extract' it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

Now you can Extract it (a copy) to that location and upload it to virustotal, etc.

EDIT added attached image.
Title: Re: Avast accessing websites (DNS logs)
Post by: stibi on January 06, 2015, 10:24:36 AM
Thx, David.

This is a good example for the problems I mentioned in #32 above  ;)

I am new to this important program which should be a kind of safety barrier for my PCs. And to feel safe I must understand the functions. The explanation you give here is an important information and should be available for customers in a kind of central help text for the basic information.

It may be not intentional by the programmers, but for me such missing or nicely hidden basic information looks like security by obscurity. Sorry...
Title: Re: Avast accessing websites (DNS logs)
Post by: DavidR on January 06, 2015, 03:27:23 PM
You're welcome.
Title: Re: Avast accessing websites (DNS logs)
Post by: ShannonT on April 13, 2015, 02:51:44 AM
Ugh... A couple of weeks trying to figure out what was going on in my household, doubting my teenage kids when they say it was not them, I finally tracked the porn DNS requests to avast. Then found this thread. Another unhappy customer. While I accept the arguments as to why it's being done, I would suggest the implementation could use some work. Blindly grabbing the top 1000 domains, and performing lookups against those seems poorly thought out.
Title: Re: Avast accessing websites (DNS logs)
Post by: lboehnke on April 13, 2015, 05:35:58 AM
I second ShannonT's comment.  I use OpenDNS, in part to block DNS lookups for porn sites.  This wasted a day of my time to track down the suspicious requests to Avast's Home Network Security feature.  Was surprised and disappointed when I finally found the source.  I'd suggest adding configuration that allows filtering the "types" of URLs in avast's DNS scan.  I'm looking for something that will not trigger my settings for blocked URLs in OpenDNS.  For now I will be disabling Home Network Security.
Title: Re: Avast accessing websites (DNS logs)
Post by: ShannonT on April 13, 2015, 06:57:14 AM
The more I think about it, the worse this seems to be.... Overreaction maybe, but, yeah, this just feels bad. Avast is effectively providing a file with the top 1000 websites (and therefore by definition most popular porn sites) and saving it onto customers' machines where it can be read. Mum & Dad trying to do the right thing may have installed Avast, and in doing so, have now handed their kids a list of the best of the best porn sites. Clear text in the vps (from memory that's where I saw it) file.

Another thought..... Worst case scenario.... What happens if one of those top 1000 sites is on the interpol block list for child abuse that certain ISPs have implemented..... Wonder if there would be a liability issue there? Yeah, I am used to thinking worst case scenario for customers. It's my job lols.