Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: GrzegorzW on March 28, 2021, 10:00:59 AM

Title: Avast connecting to Trojan infected web page
Post by: GrzegorzW on March 28, 2021, 10:00:59 AM
Is it possible that Avast is infected by a trojan?

I have Avast Premium together with Malwarebytes on a Windows 10 Pro 64-bit system (details below). Due to multiple BSODs caused by Avast trying to access Ndu.sys, I have switched it off for some time, and then I got a pop-up window from Malwarebytes saying that Avast has tried to connect to a web page infected by a trojan:

Domain: 2.pool.ntp.org
IP address: 188.165.17.91
Port: 123
Connection type: outgoing:
File: AvastSvc.exe

And Malwarebytes stopped the connection.

Details of the operating system and software:

Operating system: Windows 10 Pro 64-bit
Avast Premium (version 21.2.2455, compilation 21.2.6096.561, updated on my PC on 27th March 2021)
Malwarebytes Premium version 4.3.0.98, updated on 28th March 2021
The mutual exclusions were set both in Avast and Malwarebytes.
Ndu.sys was added to the Avast exception list, yet it did not stop the BSODs caused by Avast trying to work on that file.

Any comments from Avast regarding that?
I'm getting more and more disappointed with the product, which not only causes BSODs by some strange interaction with Ndu.sys, but also tries to get to infected web pages!

Title: Re: Avast connecting to Trojan infected web page
Post by: Pondus on March 28, 2021, 11:51:44 AM
Quote
but also tries to get to infected web pages!
Have you considered that it can be a false positive?


Title: Re: Avast connecting to Trojan infected web page
Post by: GrzegorzW on April 01, 2021, 08:14:03 PM
I have read about this server and even Avast confirms that there is a well-known trojan that is distributed from that server... Malwarebytes very rarely causes false positives.

Title: Re: Avast connecting to Trojan infected web page
Post by: bob3160 on April 01, 2021, 11:24:56 PM
Quote
I have read about this server and even Avast confirms that there is a well-known trojan that is distributed from that server... Malwarebytes very rarely causes false positives.

Where are you getting that information from?

Title: Re: Avast connecting to Trojan infected web page
Post by: DavidR on April 02, 2021, 01:13:06 AM
Quote
I have read about this server and even Avast confirms that there is a well-known trojan that is distributed from that server... Malwarebytes very rarely causes false positives.
Where are you getting that information from?

I would agree with Bob in that a screenshot of the MBAM Alert would allow for testing; outside of that, who is to say if it isn't an MBAM FP?

Quote
The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source
So there could well be a legitimate reason to connect to this NTP source.

I don't know why it would stop access to 2.pool.ntp.org as potentially malicious; there is nothing found on this check: https://www.virustotal.com/gui/url/ad1fab2d49ec9a2dce09ad9b1a182f82be824d79ef0f493d434fcc4066d352fc/detection

Also see https://www.ntppool.org/en/use.html

Port: 123 is also the correct port to use for connecting to the NTP server/s.

But your comment on Avast causing a BSOD on Ndu.sys, when this seems unrelated to the above point, I think the two are unrelated and there is a case that it could also be an issue with MBAM.
https://forums.malwarebytes.com/topic/261609-malwareytes-premium-breaking-ndusys/

Having two resident security products can cause conflicts; could this be a possibility in this instance? I don't know. Even when I did have an MBAM Pro lifetime license I didn't let it run as resident. But I ditched my lifetime license and MBAM when it went to version 3.

Title: Re: Avast connecting to Trojan infected web page
Post by: Pondus on April 02, 2021, 01:35:42 AM
Quote
I have read about this server and even Avast confirms that there is a well-known trojan that is distributed from that server... Malwarebytes very rarely causes false positives.

And by rarely you mean what?

If you mean never, then why do they have a FP reporting section in their forum? https://forums.malwarebytes.com/forum/122-false-positives/

Title: Re: Avast connecting to Trojan infected web page
Post by: Asyn on April 02, 2021, 08:44:44 AM
Quote
But your comment on Avast causing a BSOD on Ndu.sys, when this seems unrelated to the above point, I think the two are unrelated and there is a case that it could also be an issue with MBAM.
[...]
Having two resident security products can cause conflicts; could this be a possibility in this instance? I don't know. Even when I did have an MBAM Pro lifetime license I didn't let it run as resident. But I ditched my lifetime license and MBAM when it went to version 3.

Dave is right, more here: https://support.malwarebytes.com/hc/en-us/articles/360051090194-Issues-running-other-security-applications-and-Malwarebytes-for-Windows