Avast WEBforum

Consumer Products => Avast Cleanup => Topic started by: yavuzacar on January 14, 2019, 12:41:33 PM

Title: CLEANUP Security Issue - Corporate FW warns about Port Scan
Post by: yavuzacar on January 14, 2019, 12:41:33 PM

Hello,

When Avast Cleanup Premium has been installed in our laptops, our Fortinet Firewall creates the following Port Scan alerts :

2019-01-11 14:17:46
Source.Position EQUAL in
EventMap.Type EQUAL Session
Source.IP BEHAVIOR Port Scanner Hosts

...

Destination
•   Country : Reserved
•   Interface : unknown-0
•   Port : 138
•   IP : 192.168.1.255
•   NatISP : noop
•   Location : Unknown
•   Position : in
Session
•   ID : 5551432
Application
•   Name : netbios forward
•   Category : unscanned
Service
•   Name : udp/138
Protocol
•   ID : 17
•   Name : UDP

...

I don't know whether it is a feature of Cleanup tool. It may do this scan for finding all the servers in LAN (by scanning NETBIOS service port 138 for all of LAN). I am just trying to understand whether it is a standard behavior of the tool or some malicious code has been injected into the tool (thus scanning Windows LAN MANAGER/NETBIOS server services). We had uninstalled all installations of this product due to this suspicious behavior. After uninstalling, alerts have been disappeared.

I couldn't find another related topic in my search. If you think it should be posted to some other entry, please forward it or inform me. Thanks for your cooperation and kind support in this issue.

Regards,

Yavuz Acar

Title: Re: CLEANUP Security Issue - Corporate FW warns about Port Scan
Post by: catlin_mc on January 15, 2019, 04:33:14 AM

I would be interested in learning about this too, cos' I'd like to know if this is normal behavior or if I'm somehow infected with something.
Thank you