Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Beta - Avast => Topic started by: Jakub Dubovic on June 24, 2020, 06:27:03 PM

Title: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on June 24, 2020, 06:27:03 PM
Remote Desktop Protocol (RDP) is the most dominant cyber security attack vector, being used in 63.5% of disclosed targeted ransomware campaigns in Q1 of 2019.[1] (https://www.coveware.com/blog/2019/4/15/ransom-amounts-rise-90-in-q1-as-ryuk-ransomware-increases) The average downtime related to a ransomware attack is 7.3 days and its average cost is $64,645.[1] (https://www.coveware.com/blog/2019/4/15/ransom-amounts-rise-90-in-q1-as-ryuk-ransomware-increases) Besides spreading malware, RDP attacks are used by skilled hackers to infiltrate corporate environments. RDP is the ultimate infection vector that evades all security layers in most antivirus software and compromises the system directly. During the recent COVID-19 pandemic, the frequency of RDP-based attacks has drastically increased as a result of a large number of employees working from home.[2] (https://healthitsecurity.com/news/covid-19-remote-work-causes-spike-in-brute-force-rdp-cyberattacks)[3] (https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820)

The most common ways of gaining access to a computer via RDP are the following:


We are proud to introduce our solution to the Remote Desktop vulnerabilities - Remote Access Shield.
The shield offers the protection of your business or your personal data with the following features:

The Remote Access Shield is available in Avast Premium Security starting with version 20.5 and it will reach Avast Business edition soon.
If you have any questions or suggestions for this new feature, please let us know! We would appreciate it if all of our beta testers tried the Remote Access Shield out and gave us feedback!


[1] https://www.coveware.com/blog/2019/4/15/ransom-amounts-rise-90-in-q1-as-ryuk-ransomware-increases
[2] https://healthitsecurity.com/news/covid-19-remote-work-causes-spike-in-brute-force-rdp-cyberattacks
[3] https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820
[4] https://www.microsoft.com/security/blog/2019/12/18/data-science-for-cybersecurity-a-probabilistic-time-series-model-for-detecting-rdp-inbound-brute-force-attacks
[5] https://blog.avast.com/what-is-bluekeep
Title: Re: New feature announcement - Remote Access Shield
Post by: DavidR on June 24, 2020, 07:14:09 PM
How does this impact/benefit anyone with Windows 10 Home version, which doesn't have the Remote Desktop function?
Title: Re: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on June 25, 2020, 01:45:44 AM
How does this impact/benefit anyone with Windows 10 Home version, which doesn't have the Remote Desktop function?

If your system doesn't have Remote Desktop enabled (e.g., because it is running Windows 10 Home, or you have disabled it manually), the shield will have no effect at the moment. There might be new supported protocols/methods of access in the future.
Title: Re: New feature announcement - Remote Access Shield
Post by: Asyn on June 25, 2020, 07:43:54 AM
Hi Jakub, thanks for the details. :)
Title: Re: New feature announcement - Remote Access Shield
Post by: DavidR on June 25, 2020, 10:02:33 AM
How does this impact/benefit anyone with Windows 10 Home version, which doesn't have the Remote Desktop function?

If your system doesn't have Remote Desktop enabled (e.g., because it is running Windows 10 Home, or you have disabled it manually), the shield will have no effect at the moment. There might be new supported protocols/methods of access in the future.

Thanks for the clarification.
Title: Re: New feature announcement - Remote Access Shield
Post by: Asyn on June 25, 2020, 12:24:35 PM
Hi, could you please provide a FAQ article..!? Cheers
Title: Re: New feature announcement - Remote Access Shield
Post by: lukor on June 25, 2020, 10:24:48 PM
Hi, could you please provide a FAQ article..!? Cheers

Hi Asyn, we don't have many frequently asked questions yet. Mostly only those that were asked here in this very thread. What else would you like to have in a FAQ article? Maybe as others start seeing the detections or start to interact with this new shield, we'll have more questions and answers. ;-) L.
Title: Re: New feature announcement - Remote Access Shield
Post by: Asyn on June 26, 2020, 07:03:42 AM
Let's put it this way, it would be nice to have a general article in the support section for reference when v20.5 gets released. Cheers
Title: Re: New feature announcement - Remote Access Shield
Post by: mikeyt on August 03, 2020, 08:24:44 AM
Hi,

This new Remote Access Shield feature seems to break the Remote Web Access in Small Business Essentials 2016. Users get a protocol error when trying to connect. Have made sure that the 'Allow Remote Desktop' setting in AVG is set to enabled but AVG still blocks their connections. Disabling the feature immediately allows the connection to be made again.

Any suggestions?

Thanks,

Mike
Title: Re: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on August 10, 2020, 11:25:30 AM
Hi,

This new Remote Access Shield feature seems to break the Remote Web Access in Small Business Essentials 2016. Users get a protocol error when trying to connect. Have made sure that the 'Allow Remote Desktop' setting in AVG is set to enabled but AVG still blocks their connections. Disabling the feature immediately allows the connection to be made again.

Any suggestions?

Thanks,

Mike

Hello Mike,

Thank you for reporting the issue.

Could you please help us with the investigation by providing some data?
Please enable debug logging (Menu > Settings > General > Troubleshooting > Enable debug logging).

Reproduce the issue (try to connect with the Remote Access Shield enabled).

Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

Thank you very much,
Jakub
Title: Re: New feature announcement - Remote Access Shield
Post by: kenhagin on October 12, 2020, 06:45:37 PM
Took me quite a while to figure it out, but "Enable Samba protection" on "Remote Access Shield" is an all-or-nothing deal.  When enabled, it shuts down my local network because I transfer lots of files frequently.  Seems to me an exclusion option for specific computers and/or the local subnet would be helpful.
Title: Re: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on October 15, 2020, 02:47:56 PM
Took me quite a while to figure it out, but "Enable Samba protection" on "Remote Access Shield" is an all-or-nothing deal.  When enabled, it shuts down my local network because I transfer lots of files frequently.  Seems to me an exclusion option for specific computers and/or the local subnet would be helpful.

Hello kenhagin,

Yes, that is correct at the moment. The reasoning behind not having an exclusion list is that one compromised computer on the network would be able to attack all the other devices. We expected many companies to internally exclude all SMB (or RDP) communication and trust us to keep the network safe, but even one person opening an e-mail attachment would pose a threat to the whole network.

How exactly does it shut the network down? Does Avast slow the file transfers down, or are there false positive detections when a SMB connection fails?

Thank you,
Jakub
Title: Re: New feature announcement - Remote Access Shield
Post by: computer guy on October 19, 2020, 03:08:11 PM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?
Title: Re: New feature announcement - Remote Access Shield
Post by: rocksteady on October 19, 2020, 03:33:09 PM
Re Bruteforce. Also see this:
https://forum.avast.com/index.php?topic=238916.0
Title: Re: New feature announcement - Remote Access Shield
Post by: computer guy on October 19, 2020, 03:42:43 PM
Re Bruteforce. Also see this:
https://forum.avast.com/index.php?topic=238916.0

That is the thread that got me to this one.  The screen shots of the alerts in that other thread are just like the ones that I am getting, however, the ones that I am getting are from a single device on my own network, not from outside.

There is nothing in that other thread or posts that tells me why one (and not the other two) of my NVIDIA SHIELD TV Media Streaming devices would be causing these alerts.
Title: Re: New feature announcement - Remote Access Shield
Post by: DavidR on October 19, 2020, 05:52:35 PM
Re Bruteforce. Also see this:
https://forum.avast.com/index.php?topic=238916.0

That is the thread that got me to this one.  The screen shots of the alerts in that other thread are just like the ones that I am getting, however, the ones that I am getting are from a single device on my own network, not from outside.

There is nothing in that other thread or posts that tells me why one (and not the other two) of my NVIDIA SHIELD TV Media Streaming devices would be causing these alerts.

I would suggest following the instructions in Reply #9 to
Quote from: Jakub Dubovic
Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

And read what was in Reply #10.

You don't say what Avast program you are using, just wonder if it has the Avast Firewall component?
If so, do you have the Firewall set to Private or Public network mode?

That said why it would only alert on one and not the others (but not knowing what they are) is strange.
Title: Re: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on October 20, 2020, 12:41:18 AM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.
Title: Re: New feature announcement - Remote Access Shield
Post by: computer guy on October 22, 2020, 09:58:56 PM

You don't say what Avast program you are using, just wonder if it has the Avast Firewall component?
If so, do you have the Firewall set to Private or Public network mode?

That said why it would only alert on one and not the others (but not knowing what they are) is strange.

My apologies, I am using Avast Premium Security.  I do not have any of Avast Firewall components installed.

Anyway, I have 3 nvidia shield tv media streaming devices.  They are all connected to my network with ethernet (not WiFi).  The only differences in their configurations may be that they have different apps installed on them (ie, they may all have netflix, but only 2 may have hulu, etc.).  Otherwise, all other settings are basically the same.  So I found it very odd that one of them would be doing a "bruteforce" attack over SMB protocol.

And as strangely as the alerts started, they also just stopped.  There have not been any more alerts since yesterday morning.

I opened a support case with both AVAST and NVIDIA.  I have not heard anything back from AVAST yet.  I need to respond to NVIDIA after 24 - 48 hours to let them know if I am still getting the alerts.

Also, I did restart the SHIELD TV device that was generating the alerts.  If I had to guess, these were maybe false positive alerts.
Title: Re: New feature announcement - Remote Access Shield
Post by: computer guy on October 22, 2020, 10:06:23 PM

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.

Thank you for the information.  Yes, I found that the SMB scanning can be turned off and I actually did turn it off for a while.  I had to turn it back on again while on support chat with NVIDIA.  So far, there are no settings enabled on the SHIELD TV device for network file sharing or connections to PC folders.

What I also found to be odd is that I have a few other PCs with AVAST Premium Security and there have been no connections blocked from the SHIELD TV device on any of the other PCs.  Why would the SHIELD TV device only target one PC on the network if it is just "polling" or attempting to connect to a PC on my network?

And, I also have 2 other SHIELD TV devices which are configured on the network in the same way.  They just may have different streaming apps installed.  Why would we not see blocked connections from those other two devices?

In any case, the alerts have stopped since yesterday morning.
Title: Re: New feature announcement - Remote Access Shield
Post by: computer guy on October 23, 2020, 04:12:30 PM
It seems that the alerts started up again last night, 10/22/2020 at around 9:19 pm.  I started using the nvidia shield tv device around 7:00 pm and I was using the Plex app to view some TV shows that were recorded on my Windows 10 PC, the one that is getting the alerts.

However, at around 10:30 pm, I turned everything off, though I guess the shield tv device only goes to sleep.  The alerts are still coming in at a regular constant rate.  I can't say that it is every minute or every 5 minutes, but it is constantly blocking the incoming SMB traffic.
Title: Re: New feature announcement - Remote Access Shield
Post by: computer guy on October 23, 2020, 05:17:54 PM
So I have been grasping at straws here.  I just did a complete uninstall and reinstall of Avast Premium Security. 

So far, for the last 30 minutes there have been no more connection blocked alerts for any incoming SMB traffic from the SHIELD TV device.

About 20 minutes after I made this post, the alerts started again.
Title: Re: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on October 26, 2020, 04:46:04 AM
So I have been grasping at straws here.  I just did a complete uninstall and reinstall of Avast Premium Security. 

So far, for the last 30 minutes there have been no more connection blocked alerts for any incoming SMB traffic from the SHIELD TV device.

About 20 minutes after I made this post, the alerts started again.

The reinstall won't change anything - those are actual connection attempts being detected.

If the other devices don't share this behavior, it might be infected with malware that is attempting the brute force attacks. Have you downloaded any apps manually from an unauthorized store?
It might be prudent to scan the device with antivirus software or reinstall it completely.

Also, if you have any software for capturing network traffic like Wireshark, you could take a look at incoming connections to your computer's port 445. The SMB client's username is sent in plaintext. Example attached.
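
Added example (not part of the original post and not Avast's code): when the SMB client authenticates with NTLM, the username mentioned above travels unencrypted in the NTLMSSP AUTHENTICATE message of the session setup, and this sketch extracts it from raw TCP payload bytes exported from a capture of port 445. The sample message and the names in it are constructed; `build_sample` is a hypothetical helper used only to make the block runnable offline.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
AUTHENTICATE = 3                 # NTLMSSP message type 3
NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when this flag is set


def _field(msg, pos):
    """Read one (Len, MaxLen, Offset) descriptor and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the captured bytes")
    return msg[offset:offset + length]


def parse_authenticate(payload):
    """Return domain/user/workstation from the first AUTHENTICATE message, or None."""
    start = payload.find(NTLMSSP_SIG)
    while start != -1:
        msg = payload[start:]   # descriptor offsets are relative to the signature
        if len(msg) >= 64 and struct.unpack_from("<I", msg, 8)[0] == AUTHENTICATE:
            flags = struct.unpack_from("<I", msg, 60)[0]
            # OEM code page is unknown from the capture alone; cp437 is an assumption.
            enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
            try:
                return {
                    "domain": _field(msg, 28).decode(enc, errors="replace"),
                    "user": _field(msg, 36).decode(enc, errors="replace"),
                    "workstation": _field(msg, 44).decode(enc, errors="replace"),
                }
            except ValueError:
                pass            # truncated capture: keep looking
        start = payload.find(NTLMSSP_SIG, start + 1)
    return None


def build_sample(domain, user, workstation):
    """Constructed AUTHENTICATE message with all-zero responses (demo input only)."""
    parts = [
        b"\x00" * 24,                      # LM response (dummy)
        b"\x00" * 24,                      # NT response (dummy)
        domain.encode("utf-16-le"),
        user.encode("utf-16-le"),
        workstation.encode("utf-16-le"),
        b"",                               # encrypted session key (absent)
    ]
    descriptors, body, offset = b"", b"", 88   # 88 = fixed header incl. Version + MIC
    for part in parts:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        body += part
        offset += len(part)
    header = NTLMSSP_SIG + struct.pack("<I", AUTHENTICATE) + descriptors
    header += struct.pack("<I", NEGOTIATE_UNICODE) + b"\x00" * 8 + b"\x00" * 16
    return header + body


if __name__ == "__main__":
    # Constructed stand-in for bytes copied out of an SMB2 SESSION_SETUP request.
    captured = b"\xfeSMB" + b"\x00" * 60 + build_sample("WORKGROUP", "mediauser", "SHIELD-TV")
    print(parse_authenticate(captured))
```

Sessions authenticated with Kerberos do not carry this message, so a `None` result does not mean nothing tried to connect.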
Title: Re: New feature announcement - Remote Access Shield
Post by: sheridan.todd on November 03, 2020, 06:25:54 PM
I am getting the same BruteForce error from within my own network that Jakub is.  In my case it appears to be a drive-mapping problem.  I have Avast Internet Security on both machines.  The attacking machine has drives mapped to the blocking machine.  I can see each time it tries to connect the mapped drive, the brute force error comes up on the other machine.  Eventually it errors-out and stops trying to connect the mapped drive, at which point, the BruteForce errors stop.  But then I can't access those drives, which are essential for my work (as software needs those drives to access project files).

I received 5000 SMB:BruteForce errors from the other machine.  I have other machines on the network also mapped to those drives in the same fashion, but don't receive errors from those.  The attacking machine differs in that it is a Windows 7 machine rather than Windows 10 like all the others.  As soon as I unmapped the network drive mapping the attacks immediately stopped.  So in my case, it is clearly related to the drive mapping.
Title: Re: New feature announcement - Remote Access Shield
Post by: TsPCs on November 11, 2020, 09:40:33 PM
This feature is junk and blocks connections to file sharing on a network, so if you use file sharing on your network you need to turn it off. There is no easy way to tell it to allow network computers to connect to file and print sharing. Turned it off and the office can connect to the shared drive again.

Avast should make a lite version that just has antivirus. They keep adding stuff that is not practical for the work environment.
Title: Re: New feature announcement - Remote Access Shield
Post by: DavidR on November 11, 2020, 09:53:51 PM
This feature is junk and blocks connections to file sharing on a network, so if you use file sharing on your network you need to turn it off. There is no easy way to tell it to allow network computers to connect to file and print sharing. Turned it off and the office can connect to the shared drive again.

Avast should make a lite version that just has antivirus. They keep adding stuff that is not practical for the work environment.

There is nothing to stop you customising your installation: choose either a Recommended, Minimal, Custom or Full installation and simply choose the components that you want/need.

Minimalist installation
Title: Re: New feature announcement - Remote Access Shield
Post by: TsPCs on November 12, 2020, 02:01:33 AM
My honest opinion: the software should be able to know the difference between internal network connections and stuff coming in through the internet.

It seems like it would be pretty easy to tie this in with the firewall feature of public or private network switch, and when switched to private network it should allow access to file and print sharing.

Then it should also have an easy-to-use screen that resolves all the IP addresses on the network and the Windows names of each one, and be able to simply click allow or deny which computers you want to talk to yours, then do it through the MAC address and not the IP address, so if DHCP changes the IP address the network can still work 😁 😉. My ideas should have me working for you guys lol
Title: Re: New feature announcement - Remote Access Shield
Post by: DavidR on November 12, 2020, 02:21:32 AM
My honest opinion: the software should be able to know the difference between internal network connections and stuff coming in through the internet.

It seems like it would be pretty easy to tie this in with the firewall feature of public or private network switch, and when switched to private network it should allow access to file and print sharing.

Then it should also have an easy-to-use screen that resolves all the IP addresses on the network and the Windows names of each one, and be able to simply click allow or deny which computers you want to talk to yours, then do it through the MAC address and not the IP address, so if DHCP changes the IP address the network can still work 😁 😉. <snip>

Have you even got Avast?

There is no Firewall in the Avast Free program, that is in the Avast Premium product.

If, as you said, you think "Avast should make a lite version that just has antivirus", why then would you get/want the Avast Premium product with even more modules?

You have a choice: do a custom minimal installation, that is your choice.
Title: Re: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on November 12, 2020, 02:28:20 PM
My honest opinion: the software should be able to know the difference between internal network connections and stuff coming in through the internet.

It seems like it would be pretty easy to tie this in with the firewall feature of public or private network switch, and when switched to private network it should allow access to file and print sharing.

Then it should also have an easy-to-use screen that resolves all the IP addresses on the network and the Windows names of each one, and be able to simply click allow or deny which computers you want to talk to yours, then do it through the MAC address and not the IP address, so if DHCP changes the IP address the network can still work 😁 😉. My ideas should have me working for you guys lol

Hello TsPCs,

It is common for malware to infect one device, and then to use it to gain access to the rest of the network. That's the reason why it's essential for us to scan internal connections.

Edit: see https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/
"Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block (SMB) to propagate through an organization’s network."

The same can easily happen when a device with outdated OS/SW gets infected and then connects to your network, or if a person inside the network downloads an infected e-mail attachment, etc.



I am getting the same BruteForce error from within my own network that Jakub is.  In my case it appears to be a drive-mapping problem.  I have Avast Internet Security on both machines.  The attacking machine has drives mapped to the blocking machine.  I can see each time it tries to connect the mapped drive, the brute force error comes up on the other machine.  Eventually it errors-out and stops trying to connect the mapped drive, at which point, the BruteForce errors stop.  But then I can't access those drives, which are essential for my work (as software needs those drives to access project files).

I received 5000 SMB:BruteForce errors from the other machine.  I have other machines on the network also mapped to those drives in the same fashion, but don't receive errors from those.  The attacking machine differs in that it is a Windows 7 machine rather than Windows 10 like all the others.  As soon as I unmapped the network drive mapping the attacks immediately stopped.  So in my case, it is clearly related to the drive mapping.



Hello sheridan.todd,

Thank you for reporting the issue. Are the credentials used by the Win7 "attacking" device configured correctly? The detection should only happen in case of multiple consecutive unsuccessful connections.

I will look into what differences there could be between using the different versions of Windows and what could be causing the false detection.
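
Added example (not Avast's code): a sketch of the rule as it is described in this thread, namely multiple consecutive unsuccessful SMB connections from one source over a period of time, run over constructed events to show why a mapped drive retrying a bad credential trips it while ordinary typos and slow periodic probes do not. The threshold, window, addresses and account names are assumptions; the thread does not state the values the shield uses.

```python
from collections import defaultdict, deque

THRESHOLD = 5   # assumed: consecutive failures needed to flag a source
WINDOW = 60     # assumed: seconds within which those failures must fall


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """events: iterable of (unix_time, source_ip, username, ok).

    Returns {source_ip: {"first_alert": t, "blocked": n, "users": set}} for every
    source that reached `threshold` consecutive failures inside `window` seconds.
    """
    streak = defaultdict(deque)   # source -> (time, user) of its current failure run
    report = {}
    for ts, src, user, ok in sorted(events):
        if ok:
            streak[src].clear()   # a successful logon ends the run of failures
            continue
        run = streak[src]
        run.append((ts, user))
        while ts - run[0][0] > window:
            run.popleft()         # forget failures older than the window
        if len(run) >= threshold:
            entry = report.setdefault(
                src, {"first_alert": ts, "blocked": 0, "users": set()})
            entry["blocked"] += 1
            entry["users"].update(u for _, u in run)
    return report


def sample_events():
    """Constructed events for three hosts on one LAN (not taken from any real log)."""
    events = []
    # Host with a mapped drive and a stale saved password: retries every 10 s.
    events += [(t, "192.168.1.50", "cad-user", False) for t in range(0, 80, 10)]
    # Workstation whose user mistypes a password twice, then gets it right.
    events += [(5, "192.168.1.60", "alice", False), (15, "192.168.1.60", "alice", False),
               (25, "192.168.1.60", "alice", True), (35, "192.168.1.60", "alice", False),
               (45, "192.168.1.60", "alice", False), (55, "192.168.1.60", "alice", True)]
    # Appliance that probes a share once every 30 minutes and always fails.
    events += [(t, "192.168.1.70", "guest", False) for t in range(0, 6 * 1800, 1800)]
    return events


if __name__ == "__main__":
    for src, info in detect_bruteforce(sample_events()).items():
        # One account retried at a steady rate is consistent with a stale saved
        # credential; it does not rule out password guessing against that account.
        print(src, info["first_alert"], info["blocked"], sorted(info["users"]))
```

The `users` set is a triage aid rather than a verdict: a source cycling through many account names warrants a closer look than one repeating a single name.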
Title: Re: New feature announcement - Remote Access Shield
Post by: alex387 on November 15, 2020, 10:12:48 PM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.


I guess this explains why I am getting tons of SMB:BruteForce attack alerts from Avast stating that one of my Onkyo receivers (NR-636) is trying to access my desktop via RDP. It is quite annoying as it is very frequent so I will turn it off. Any way to prevent this? Turning off annoying alerts defeats the purpose of the protection but right now it is constantly crying "wolf wolf" if you get my reference. When the real attack comes... I'll likely end up ignoring it.
Title: Re: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on November 17, 2020, 08:58:47 PM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.


I guess this explains why I am getting tons of SMB:BruteForce attack alerts from Avast stating that one of my Onkyo receivers (NR-636) is trying to access my desktop via RDP. It is quite annoying as it is very frequent so I will turn it off. Any way to prevent this? Turning off annoying alerts defeats the purpose of the protection but right now it is constantly crying "wolf wolf" if you get my reference. When the real attack comes... I'll likely end up ignoring it.

I completely understand. We are working on a GUI feature that lets you hide detections from a specified address, as this is a common issue.
Title: Re: New feature announcement - Remote Access Shield
Post by: bob3160 on November 17, 2020, 11:56:49 PM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.


I guess this explains why I am getting tons of SMB:BruteForce attack alerts from Avast stating that one of my Onkyo receivers (NR-636) is trying to access my desktop via RDP. It is quite annoying as it is very frequent so I will turn it off. Any way to prevent this? Turning off annoying alerts defeats the purpose of the protection but right now it is constantly crying "wolf wolf" if you get my reference. When the real attack comes... I'll likely end up ignoring it.

I completely understand. We are working on a GUI feature that lets you hide detections from a specified address, as this is a common issue.
How will the average user know if the attack is genuine or a false positive? Simply adding an ability to bypass the attack might not be the best solution.
Title: Re: New feature announcement - Remote Access Shield
Post by: greg262 on November 18, 2020, 05:19:10 PM
I am having the same issue but the URL is not a local 192.168.1.*** address but something completely different.

I am using Avast Premium Security and the details are:

Threat Name - SMB: BruteForce
URL - smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process - System
Detected By - Remote Access Shield
Status - Connection Blocked

Any way to stop this, getting it several times a day.
Title: Re: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on November 23, 2020, 12:44:49 PM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.


I guess this explains why I am getting tons of SMB:BruteForce attack alerts from Avast stating that one of my Onkyo receivers (NR-636) is trying to access my desktop via RDP. It is quite annoying as it is very frequent so I will turn it off. Any way to prevent this? Turning off annoying alerts defeats the purpose of the protection but right now it is constantly crying "wolf wolf" if you get my reference. When the real attack comes... I'll likely end up ignoring it.

I completely understand. We are working on a GUI feature that lets you hide detections from a specified address, as this is a common issue.
How will the average user know if the attack is genuine or a false positive? Simply adding an ability to bypass the attack might not be the best solution.

We are working on a FAQ with instructions on how to tell false positives from attacks.

Also this:
Quote
We are working on a GUI feature that lets you hide detections from a specified address, as this is a common issue.
doesn't mean that anything will be bypassed, just hidden.
Title: Re: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on November 23, 2020, 12:49:58 PM
I am having the same issue but the URL is not a local 192.168.1.*** address but something completely different.

I am using Avast Premium Security and the details are:

Threat Name - SMB: BruteForce
URL - smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process - System
Detected By - Remote Access Shield
Status - Connection Blocked

Any way to stop this, getting it several times a day.

Hello greg262,

please refer to the FAQ: https://support.avast.com/en-us/article/Antivirus-Remote-Access-Shield-FAQ

The section "Why am I receiving threat detection alerts?" should cover this.
Title: Re: New feature announcement - Remote Access Shield
Post by: peelpel94 on December 07, 2020, 08:59:41 PM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The IP is a PC in my local network and never before was blocked like this. I tried to unblock by ticking the "Block all connections except the following" and added the IP address above, fe80::5801:7d88:xxxx:xxxx. But it still blocks it, the only way I can unblock is by un-ticking "Enable Samba protection". But that makes it unsafe obviously. Besides, the IP will change so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense, why did it just start doing this and how can I fix without losing protection to my PC?
Title: Re: New feature announcement - Remote Access Shield
Post by: peelpel94 on December 08, 2020, 11:39:11 PM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The IP is a PC in my local network and never before was blocked like this. I tried to unblock by ticking the "Block all connections except the following" and added the IP address above, fe80::5801:7d88:xxxx:xxxx. But it still blocks it, the only way I can unblock is by un-ticking "Enable Samba protection". But that makes it unsafe obviously. Besides, the IP will change so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense, why did it just start doing this and how can I fix without losing protection to my PC?

I can report that the exception list works for me when using an IPv4 address (192.1.168.133), but doesn't work with IPv6 addresses like the one above (fe80::5801:7d88:xxxx:xxxx). Any way this can be fixed? Right now the only way I'm able to connect from one PC to another is by disabling Samba Protection, which defeats the purpose of its existence.
Title: Re: New feature announcement - Remote Access Shield
Post by: peelpel94 on December 11, 2020, 12:23:01 AM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The IP is a PC in my local network and never before was blocked like this. I tried to unblock by ticking the "Block all connections except the following" and added the IP address above, fe80::5801:7d88:xxxx:xxxx. But it still blocks it, the only way I can unblock is by un-ticking "Enable Samba protection". But that makes it unsafe obviously. Besides, the IP will change so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense, why did it just start doing this and how can I fix without losing protection to my PC?

I can report that the exception list works for me when using an IPv4 address (192.1.168.133), but doesn't work with IPv6 addresses like the one above (fe80::5801:7d88:xxxx:xxxx). Any way this can be fixed? Right now the only way I'm able to connect from one PC to another is by disabling Samba Protection, which defeats the purpose of its existence.

So where is Avast hiding? why no answers? Are you working on a solution or what is the status????

Hey Jakub maybe you have some answers to the above whitelist question at least, if nothing else. No?
Title: Re: New feature announcement - Remote Access Shield
Post by: peelpel94 on December 11, 2020, 12:24:43 AM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The IP is a PC in my local network and never before was blocked like this. I tried to unblock by ticking the "Block all connections except the following" and added the IP address above, fe80::5801:7d88:xxxx:xxxx. But it still blocks it, the only way I can unblock is by un-ticking "Enable Samba protection". But that makes it unsafe obviously. Besides, the IP will change so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense, why did it just start doing this and how can I fix without losing protection to my PC?

I can report that the exception list works for me when using an IPv4 address (192.1.168.133), but doesn't work with IPv6 addresses like the one above (fe80::5801:7d88:xxxx:xxxx). Any way this can be fixed? Right now the only way I'm able to connect from one PC to another is by disabling Samba Protection, which defeats the purpose of its existence.

So where is Avast hiding? why no answers? Are you working on a solution or what is the status????

Hey Jakub maybe you have some answers to the above whitelist question at least, if nothing else. No?

This is the question I am referring to:

Besides all of the above, and as I described in detail in my initial post, why exactly is it that I am able to use "block all connections" and use the exception list to allow/whitelist IPv4 addresses but it will not work on IPv6 addresses, how about Avast providing an answer to that if nothing else, hi there Jakub, maybe you have something to say about this specific issue, as I said, I 100% identified the address being blocked as another PC in my local network,  I need real answers with real solution, as it is, Avast has become unusable garbage software, sorry to say.
Title: Re: New feature announcement - Remote Access Shield
Post by: Jakub Dubovic on December 14, 2020, 12:38:28 AM
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The IP is a PC in my local network and never before was blocked like this. I tried to unblock by ticking the "Block all connections except the following" and added the IP address above, fe80::5801:7d88:xxxx:xxxx. But it still blocks it, the only way I can unblock is by un-ticking "Enable Samba protection". But that makes it unsafe obviously. Besides, the IP will change so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense, why did it just start doing this and how can I fix without losing protection to my PC?

I can report that the exception list works for me when using an IPv4 address (192.1.168.133), but doesn't work with IPv6 addresses like the one above (fe80::5801:7d88:xxxx:xxxx). Any way this can be fixed? Right now the only way I'm able to connect from one PC to another is by disabling Samba Protection, which defeats the purpose of its existence.

So where is Avast hiding? why no answers? Are you working on a solution or what is the status????

Hey Jakub maybe you have some answers to the above whitelist question at least, if nothing else. No?

This is the question I am referring to:

Besides all of the above, and as I described in detail in my initial post, why exactly is it that I am able to use "block all connections" and use the exception list to allow/whitelist IPv4 addresses but it will not work on IPv6 addresses, how about Avast providing an answer to that if nothing else, hi there Jakub, maybe you have something to say about this specific issue, as I said, I 100% identified the address being blocked as another PC in my local network,  I need real answers with real solution, as it is, Avast has become unusable garbage software, sorry to say.

https://forum.avast.com/index.php?topic=243267.0
Title: Re: New feature announcement - Remote Access Shield
Post by: Chris1239 on February 14, 2021, 01:14:55 AM
This feature is junk and blocks connections to file sharing on a network, so if you use file sharing on your network you need to turn it off. There is no easy way to tell it to allow network computers to connect to file and print sharing. Turned it off and the office can connect to the shared drive again.

Avast should make a lite version that just has antivirus. They keep adding stuff that is not practical for the work environment.

ACTUALLY what this is doing is telling you that a computer is attempting to access a resource TOO FREQUENTLY.

This is an integral part of ANY firewall service. MAN I hate people like you. Can't figure something out and go mental on it.  What you NEED to be doing is figuring out why your devices on your network are hitting your main drive so often while you're not viewing your illegal downloads.  That's the real question.

Right now I'm on Rogers and since I need to have a number of ports available for real computer things vs stealing videos and stuff, I'm getting Brute Force attacked by someone on the Rogers network which should have ZERO ability to get inside both a hardware and software firewall.  The BruteForce attempt is flagged but I sure as hell don't know why it's getting through my router/firewall so that Avast sees and reacts to it.
Title: Re: New feature announcement - Remote Access Shield
Post by: David2700 on March 06, 2021, 01:08:47 PM
Hello

I am getting the alert constantly from the Avast Omni Hub IP address.  Is this something the Omni Hub might be doing?
Title: Re: New feature announcement - Remote Access Shield
Post by: Polk on March 07, 2021, 11:04:13 AM
Avast Premier Security is installed. There is strange blocking in the "Remote Access" module.
Please explain why Avast blocks an incoming network connection to a shared folder. I can see that my IP is being blocked in the "Remote Access" module. I added the connecting computer's IP address to the whitelist, and even its IPv6 address. The most interesting part is that it blocks by IP but allows by IPv6. How is that possible? Is Avast this problematic, or am I doing something wrong? On top of that, Explorer slows down when I access the shared folder, although the "Remote Access" monitor shows no mention of a block.
So I had to uncheck "Enable Samba protection" in the "Remote Access" module.

I have studied the FAQ (https://support.avast.com/article/Antivirus-Remote-Access-Shield-FAQ) thoroughly and made all of these changes in the Avast settings.
The whitelist contains all the IP addresses on my network, as well as all the IPv6 addresses. I also duplicated the IPs as a range: 192.168.0.20-192.168.0.24.
But the connection is still blocked by IP address and then allowed over IPv6. Why does this happen?
Title: Re: New feature announcement - Remote Access Shield
Post by: OutbackMatt on May 09, 2021, 03:29:49 AM
Unlike many in this thread I quite like this new feature

My issue is that it is being listed as an 'ignored issue', effectively inactivating that shield.
I'm not doing that, and I want to see the list of threats, specifically date, time and IP addresses

I seem to get a flood of RDP attempts when I send a file from a particular software vendor to the Avast Threat Labs. I'm trying to see what triggers this thread, and if I go looking for RDP attempts at times not related to me sending a file to the Threat Labs, it looks like the shield has been inactivated - certainly not of my doing.

Why is this shield being turned off automatically on my machine?
Title: Re: New feature announcement - Remote Access Shield
Post by: Koczeka on May 25, 2021, 01:28:27 PM
Hi!

My kid's computer is trying to access my PC and I get this SMB BruteForce alarm.
How to add an exception (would be best to add for my internal IP range of 192.168.1.x)?

thx
Title: Re: New feature announcement - Remote Access Shield
Post by: Asyn on May 25, 2021, 02:57:11 PM
-> https://support.avast.com/article/Antivirus-Remote-Access-Shield-FAQ
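
As an added illustration of the exception-list questions raised in this thread (not part of any post, and not Avast's code or matching logic): the Python below reads alerts in the two layouts posted above, labels each source address as link-local, local-network or internet, and checks it against an exception list of single addresses, CIDR blocks or first-last ranges. The sample alerts, the 203.0.113.45 source and all function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the two alert layouts posted in this thread, plus one
# made-up alert from a documentation-range (non-local) address.
SAMPLE_ALERTS = """\
Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Status: Connection blocked

Threat Name - SMB: BruteForce
URL - smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Status - Connection Blocked

Threat name: SMB:BruteForce
URL: smb://203.0.113.45/BruteForce
Status: Connection blocked
"""

URL_RE = re.compile(r"^URL[ \t]*[:-][ \t]*smb://(.+)/BruteForce[ \t]*$", re.I | re.M)
LINK_LOCAL = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "fe80::/10")]
LOCAL = [ipaddress.ip_network(n) for n in
         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def alert_sources(text):
    """Return the source address of every alert as an ipaddress object."""
    sources = []
    for host in URL_RE.findall(text):
        host = host.strip("[]").split("%", 1)[0]  # drop brackets and IPv6 zone id
        sources.append(ipaddress.ip_address(host))
    return sources

def scope(addr):
    """Coarse origin of the source: the first question when triaging an alert."""
    if any(addr in net for net in LINK_LOCAL):
        return "link-local"
    if any(addr in net for net in LOCAL):
        return "local network"
    return "internet"

def parse_exception(entry):
    """Accept one address, a CIDR block, or a 'first-last' range."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def is_excepted(addr, entries):
    """True if addr falls inside any entry; IPv4 entries never match IPv6 sources."""
    return any(addr in net for e in entries for net in parse_exception(e))

def triage(text, entries):
    """(address, scope, excepted) for each alert in the text."""
    return [(str(a), scope(a), is_excepted(a, entries)) for a in alert_sources(text)]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, ["192.168.1.0/24"]):
        print(row)
```

With only `192.168.1.0/24` excepted, the IPv4 source matches but the `fe80::` source on the same LAN does not; a device that connects over both address families needs an entry for each.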