Avast WEBforum

Avast Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Bob13 on September 10, 2015, 12:06:57 AM

Title: su2.ff.avast.com
Post by: Bob13 on September 10, 2015, 12:06:57 AM
My malwarebytes keeps telling me that there is malware with the domain of su2.ff.avast.com, IP Address 92.242.140.21 Port 50183 Outbound  in Avstsvc.exe

I am not sure what this is and why this is happening.  How can I fix it.

I run Malwarebytes and my Avast and neither of them find any issues.

Regards,
Title: Re: su2.ff.avast.com
Post by: SamsTheMane on September 10, 2015, 12:29:53 AM
Same exact pop-ups here. First time this happened to me starting earlier today. It's still popping up.
Title: Re: su2.ff.avast.com
Post by: Donna4 on September 10, 2015, 12:56:09 AM
my malwarebytes has also detected it...it won't stop, popping up about every 2-3 minutes...ran a scan and cleaned computer and all is good, nothing found, so definitely has to be on avasts side of things since many others are also having the same issue...very very annoying
Title: Re: su2.ff.avast.com
Post by: DavidR on September 10, 2015, 01:18:11 AM
For me the first thing I disable in MBAM Pro was the malicious sites as it doesn't do as it says on the tin - it notifies you on much more than malicious sites or rather it has many categories other than malicious sites included in its database.

AS you can see these are sub-domains of avast.com.
Title: Re: su2.ff.avast.com
Post by: CyberTom on September 10, 2015, 02:19:41 AM
For me the first thing I disable in MBAM Pro was the malicious sites as it doesn't do as it says on the tin - it notifies you on much more than malicious sites or rather it has many categories other than malicious sites included in its database.

AS you can see these are sub-domains of avast.com.

Thank you and Yes, temporarily disabling the Mailicious Website Protection on MBAM pro does stop the pop-ups.   However, I don't feel comfortable surfing the web with it off though :).

Hopefully Avast can confirm this is not a real threat or MBAM will flag it.....

Title: Re: su2.ff.avast.com
Post by: SamsTheMane on September 10, 2015, 02:37:46 AM
I looked at my MBAM a few minutes ago and it was stuck on updating. So I've restarted MBAM to complete the update (v2015.09.09.07) and no pop-ups notifying that ip so far.  :)
Title: Re: su2.ff.avast.com
Post by: Bob13 on September 10, 2015, 04:03:55 AM
I did the update and I am still getting the popups...  This is crazy..
Title: Re: su2.ff.avast.com
Post by: SamsTheMane on September 10, 2015, 04:37:22 AM
I did the update and I am still getting the popups...  This is crazy..

Whoops. Sorry guys! Restarting MBAM disabled my protection the whole time... Go figure.
So I had to re-enable "Malware Protection" and "Malicious Website Protection", and did another update (v2015.09.10.01).

As of so far right now, there have been no pop-ups while the following protection settings are turned on. Will say if it happens again.

There are 2 threads about it on their site: https://forums.malwarebytes.org/index.php?/topic/172524-marking-su2ffavastcom-as-malicious/

I'm using Windows 7 btw.

EDIT: lol And the pop-up is happening again. Ugh! Hope this gets fixed.
Title: Re: su2.ff.avast.com
Post by: m2carlson36 on September 10, 2015, 04:59:17 AM
Getting the same thing.  Has been happening all day - including MBAM pop up every 2-3 minutes.  Have run scans, nothing found.  Rebooted computer, etc.  Still happening.   IP address look up says it's unallocated.barefruit.co.uk   Class B:  92.242.0.0 - 92.242.255.255. 
Title: Re: su2.ff.avast.com
Post by: CraigB on September 10, 2015, 08:46:01 AM
See here https://forum.avast.com/index.php?topic=176230.0
Title: Re: su2.ff.avast.com
Post by: Bob13 on September 10, 2015, 05:27:31 PM
This is a freaking mess... Why can't someone put a fix out there. 
Title: Re: su2.ff.avast.com
Post by: Michael634 on September 10, 2015, 06:02:28 PM
In 24-hours I will find a new protection software and DELETE avast.
Title: Re: su2.ff.avast.com
Post by: lou14 on September 10, 2015, 06:07:55 PM
It would seem that Avast needs to update its client-side software and/or server configuration to resolve this issue.  It's affecting a number of people (myself included) and it doesn't seem to be attributable to Malwarebytes.  Of course, if Avast disagrees that's fine, but I would ask that Avast take up the issue with Malwarebytes and come to an agreeable solution.  Each company telling all these people to contact the other company's support staff is a waste of everyone's time.  Thanks!
Title: Re: su2.ff.avast.com
Post by: Bob13 on September 10, 2015, 06:10:20 PM
Quote from another User...
Quote
it is an avast-issue.. the avast program is trying to make connections to "su2.ff.avast.com" but "su2.ff.avast.com" does NOT resolve to an IP address and therefore the connection is redirected to the "92.242.140.21" IP address which is being flagged by the MBAM program..

 

y'all need to take up this issue with avast.. tell avast that the avast program is trying to make connections to "su2.ff.avast.com" but "su2.ff.avast.com" does not resolve to an IP address and, so, the connection is redirected to the "92.242.140.21" IP address which is flagged by the MBAM program..

Avast please fix this otherwise you will be losing a lot of users...
Title: Re: su2.ff.avast.com
Post by: CyberTom on September 10, 2015, 06:13:21 PM
This seems to be a DNS hijack as reported on Malewarebytes.

https://forum.avast.com/index.php?topic=176230.0

https://forums.malwarebytes.org/index.php?/topic/172524-marking-su2ffavastcom-as-malicious/


Many have changed their DNS which fixed the problem without disabling Malwarebytes.

Here is a link to change your DNS.
https://developers.google.com/speed/public-dns/docs/using?hl=en
Title: Re: su2.ff.avast.com
Post by: Bob13 on September 10, 2015, 06:43:08 PM
I have decided to remove Avast and go to Webroot... 
Title: Re: su2.ff.avast.com
Post by: bob3160 on September 10, 2015, 08:44:13 PM
I have decided to remove Avast and go to Webroot...
Good luck.... The problem is Malwarebytes not Avast .
I have the Pro version but use it only on demand. Malwarebytes starting with v2, has become a system hog and doesn't always work well
with other security programs.
Title: Re: su2.ff.avast.com
Post by: CraigB on September 10, 2015, 08:56:57 PM
I have decided to remove Avast and go to Webroot...
Good luck.... The problem is Malwarebytes not Avast .
I have the Pro version but use it only on demand. Malwarebytes starting with v2, has become a system hog and doesn't always work well
with other security programs.
Not necessarily true Bob, as far as Malwarebytes are concerned the detection is positive and appears to be a DNS hijacking as the IP in question is not related to Avast.

Malwarebytes being a system hog isn't part of this topic but as you raised it then I'll answer it, Malwarebytes plays well with all AV's I've tested it with ( and that is many ) as long as exclusions are put in place as suggested on the Malwarebytes forum or simply by excluding the complete program file from each other.
Malwarebytes does use more memory than previous versions though I haven't noticed any slow downs plus RAM is there to be used, the CPU use with MBAM is quite low as that would normally be the major cause of system sluggishness which I don't see either.
Title: Re: su2.ff.avast.com
Post by: SamsTheMane on September 10, 2015, 09:41:45 PM
Yeah... My Malwarebytes just crashed an hour ago. Perhaps the log was overloaded because of this popup. I have my notification settings turned off atm.
Title: Re: su2.ff.avast.com
Post by: Bob13 on September 10, 2015, 10:24:02 PM
I removed Avast and installed WebRoot and I no longer get the malware alerts.. So it was Avast...
Title: Re: su2.ff.avast.com
Post by: iroc9555 on September 10, 2015, 10:24:44 PM
No problems or alerts by MBAM here. I ran Premium 2.1.8.1057 with malware and malicious website protection enabled
Title: Re: su2.ff.avast.com
Post by: Alikhan on September 10, 2015, 10:26:44 PM
No problems or alerts by MBAM here. I ran Premium 2.1.8.1057 with both shields up.

Same.

I'm using Avast along with MBAM Premium and MBAE (free) and also have not had any problems/alerts regarding any IP blocks.

I've even checked the Malwarebytes logs, nothing at all.
Title: Re: su2.ff.avast.com
Post by: Bob13 on September 10, 2015, 10:31:33 PM
Looks like some are getting hit and others are not..  oh well...   Too bad Avast lost me for a customer...
Title: Re: su2.ff.avast.com
Post by: Alikhan on September 10, 2015, 10:44:06 PM
Looks like some are getting hit and others are not..  oh well...   Too bad Avast lost me for a customer...

I'm think this issue is related to streaming updates on a particular CDN.

Different parts of the world be on different CDNs and I think there is 1 CDN which is affected (it does have ff.avast.com) at the end but it's possible that this particular IP is not being by avast! anymore too.

I could also be completely wrong with my assumption.
Title: Re: su2.ff.avast.com
Post by: lou14 on September 10, 2015, 11:15:59 PM
Some information that may be useful ... I have used my laptop in two locations in the last 24 hours, and the alerts appeared only in one of those two locations.  (In both cases I am connecting through a Wifi connection.)  Where I am now, they are not happening at all.  Tonight I will be returning to the original location where I saw this problem, and I'll see whether the alerts come back again.

Hopefully this might be a clue as to the root cause and/or fix?
Title: Re: su2.ff.avast.com
Post by: bob3160 on September 10, 2015, 11:20:40 PM
Looks like some are getting hit and others are not..  oh well...   Too bad Avast lost me for a customer...
Maybe you need to read the replies ??? You removed Avast even though this has nothing to do with Avast.
Your computer, your choice. Certainly not mine. :)
Title: Re: su2.ff.avast.com
Post by: Pondus on September 10, 2015, 11:29:48 PM
https://forums.malwarebytes.org/index.php?/topic/172548-infected-by-su2ffavastcom-ip-9224214021-dns-hijacking/?p=988597

Title: Re: su2.ff.avast.com
Post by: SamsTheMane on September 11, 2015, 05:55:24 AM
Looks like some are getting hit and others are not..
Mhmn-yeah, you're not alone. It's been about 2 days that I'm getting hit by this like crazy. I had to delete my overloaded logs.

This fixed it: https://forums.malwarebytes.org/index.php?/topic/172652-read-me-seeing-9224214021-blocks-read-me-please/
Title: Re: su2.ff.avast.com
Post by: JBG on September 11, 2015, 01:05:30 PM
Hi All,
there's a legacy piece of code trying to reach obsolete domain su2.ff.avast.com. It wasn't doing any harm up until recently as every DNS server should be reporting that domain as non-existent.

Note this response from Google DNS servers:
Code: [Select]
nslookup su2.ff.avast.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

** server can't find su2.ff.avast.com: NXDOMAIN

What seems to be happening is this. Some ISPs are possibly using this service www.barefruit.co.uk for returning custom (advertising?) content to many network related errors, like non-existent domains. And MBAM seems to start having issues with this content or a set of IP ranges, reporting it as a malware content.

We'll disable queries to this domain into the next available release which should resolve the problem with this particular non-existent domain. But the other part of the problem lies elsewhere, ISP serving custom content on invalid requests (DNS, HTTP) and MBAM reporting it as malware.

Regards.
Title: Re: su2.ff.avast.com
Post by: lou14 on September 11, 2015, 01:17:09 PM
^This explanation makes a lot of sense.  Regarding my earlier post above, I can now confirm that the error message only happens in one location (a residence where I believe the ISP is Verizon), and not in another (a hospital setting in which the network is presumably set up by a professional IT staff).
Title: Re: su2.ff.avast.com
Post by: CyberTom on September 18, 2015, 12:59:53 AM
Hi All,
there's a legacy piece of code trying to reach obsolete domain su2.ff.avast.com. It wasn't doing any harm up until recently as every DNS server should be reporting that domain as non-existent.

Note this response from Google DNS servers:
Code: [Select]
nslookup su2.ff.avast.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

** server can't find su2.ff.avast.com: NXDOMAIN

What seems to be happening is this. Some ISPs are possibly using this service www.barefruit.co.uk for returning custom (advertising?) content to many network related errors, like non-existent domains. And MBAM seems to start having issues with this content or a set of IP ranges, reporting it as a malware content.

We'll disable queries to this domain into the next available release which should resolve the problem with this particular non-existent domain. But the other part of the problem lies elsewhere, ISP serving custom content on invalid requests (DNS, HTTP) and MBAM reporting it as malware.

Regards.

The lastest version of Avast did not seem to fix this issue.   Once I switch back to Verizon dns the pop-ups re-occurred.

Title: Re: su2.ff.avast.com
Post by: DavidR on September 18, 2015, 01:10:20 AM
<snip quote>

The lastest version of Avast did not seem to fix this issue.   Once I switch back to Verizon dns the pop-ups re-occurred.

You don't say what version you have, as the latest version is now 10.4.2233 released, very recently.
https://forum.avast.com/index.php?topic=176600.0 (https://forum.avast.com/index.php?topic=176600.0)
Title: Re: su2.ff.avast.com
Post by: bangers on September 18, 2015, 03:16:17 AM
can confirm version 10.4.2233 did NOT fix the su2.ff.avast bug
Title: Re: su2.ff.avast.com
Post by: JBG on September 18, 2015, 04:06:28 PM
Sorry guys, when I was posting my message, the version you're mentioning was already in testing stage and was closed for changes. So the fix will be in the next version, which will probably be (unless any super urgency occurs) Avast 2016.

Regards.
Title: Re: su2.ff.avast.com
Post by: stibi on September 18, 2015, 04:15:25 PM
Good luck.... The problem is Malwarebytes not Avast .
I think the real problem ist that you shouldn't use 2 malware programs at the same time. One is enough. If somethink is really suspicious I send it to Virustotal or Jotti.
Title: Re: su2.ff.avast.com
Post by: bob3160 on September 18, 2015, 04:21:32 PM
Good luck.... The problem is Malwarebytes not Avast .
I think the real problem ist that you shouldn't use 2 malware programs at the same time. One is enough. If somethink is really suspicious I send it to Virustotal or Jotti.
The rule is not to use two resident Antivirus programs at a time. :) Avast and Malwarebytes work well together
Title: Re: su2.ff.avast.com
Post by: 1234ava on September 18, 2015, 04:52:46 PM
Good luck.... The problem is Malwarebytes not Avast .
I think the real problem ist that you shouldn't use 2 malware programs at the same time. One is enough. If somethink is really suspicious I send it to Virustotal or Jotti.

I use both Avast (with real time protection) and Malwarebytes free (only as a scanner) on the same machine, no problem.
Yes I use Virustotal and Jotti too, but they are for individual files, have file size limits, and I can't change any settings in their scanners.  Besides, what if you happen to be offline? :)
Title: Re: su2.ff.avast.com
Post by: CyberTom on September 19, 2015, 05:02:53 AM
Sorry guys, when I was posting my message, the version you're mentioning was already in testing stage and was closed for changes. So the fix will be in the next version, which will probably be (unless any super urgency occurs) Avast 2016.

Regards.

Thank you JBG for the update!
CyberTom
Title: Re: su2.ff.avast.com
Post by: stibi on October 07, 2015, 11:02:32 AM
I use both Avast (with real time protection) and Malwarebytes free (only as a scanner) on the same machine.
I use Avast (or another Tool) as real time protection and as a scanner. Think that's enough security; why use another program?
Title: Re: su2.ff.avast.com
Post by: bob3160 on October 07, 2015, 02:10:29 PM
I use both Avast (with real time protection) and Malwarebytes free (only as a scanner) on the same machine.
I use Avast (or another Tool) as real time protection and as a scanner. Think that's enough security; why use another program?
Because Malwarebytes is an excellent companion to any AV that includes Avast. :)