Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: DonZ63 on September 18, 2011, 05:20:20 PM

Title: Why Is AvastUI.exe Dialing Out To India?
Post by: DonZ63 on September 18, 2011, 05:20:20 PM
I have no problem with it connecting to Avast servers but some guy in India? I have also seen it connect to Roadrunner servers in the US?

See attached
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: DavidR on September 18, 2011, 05:37:14 PM
When was this happening?
I have checked my firewall logs and I don't see any connections like this one.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: DonZ63 on September 18, 2011, 05:43:21 PM
I think every time you go into the Avast GUI and enter the screen where you get the Avast upgrade ad, you get the dial-out. The India connection has been "piggy backed" on this dial-out for a while on my PC. What also bothers me is the connection stays in existence in a closed-wait state.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: DonZ63 on September 18, 2011, 06:14:56 PM
What is very interesting is the IP associated with the India guy, 74.55.80.203, is on the same servers Avast is using ...

American Registry for Internet Numbers NET74 (NET-74-0-0-0-0) 74.0.0.0 - 74.255.255.255
ThePlanet.com Internet Services, Inc. NETBLK-THEPLANET-BLK-14 (NET-74-52-0-0-1) 74.52.0.0 - 74.55.255.255


Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: DavidR on September 18, 2011, 06:23:30 PM
Well there are a number of avast servers shown as theplanet.net so I don't know if this is what is causing confusion when resolving the IP address.

EDIT: If I open the UI, Summary these are the TCPView listings, see image.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Lisandro on September 18, 2011, 08:55:08 PM
Servers are globally distributed for update :)
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: DavidR on September 18, 2011, 09:15:47 PM
Yes, but the avastUI doesn't handle updates, the Ad in the Summary and the iNews, etc. has to come from somewhere though.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Vlk on September 18, 2011, 09:30:38 PM
India guy?

74.55.80.203 is definitely our own server.
It is one of the servers that are behind the program.avast.com DNS name, and is physically located in Houston, TX.

Thanks
Vlk
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: DonZ63 on September 18, 2011, 10:29:18 PM
I tried a few things on my end and no matter what the second avastui.exe connection in TCPView shows w2k325j.hosttalks.net.

Now it gets really weird. Whois.net domain name lookup for w2k325j.hosttalks.net yields an IP address of 128.252.54.18?

Tracert of 128.252.54.18 yields a college endpoint - very suspect.

C:\Users\Don>tracert 128.252.54.18

Tracing route to ACCT-018131.nts.wustl.edu [128.252.54.18]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.254
  2    26 ms    25 ms    26 ms  adsl-98-91-36-1.chs.bellsouth.net [98.91.   - me -
  3    36 ms    36 ms    35 ms  72.157.38.17
  4    36 ms    35 ms    35 ms  72.157.38.53
  5    36 ms    36 ms    56 ms  12.81.68.48
  6    35 ms    35 ms    39 ms  12.81.68.24
  7    41 ms    35 ms    38 ms  ixc00jan-5-1-1.bellsouth.net [65.83.237.87]  - ???? -
  8    36 ms    35 ms    35 ms  12.81.98.30
  9    35 ms    35 ms    73 ms  12.81.104.73
 10    35 ms    35 ms    36 ms  12.81.100.4
 11    36 ms    35 ms    35 ms  12.81.104.56
 12    35 ms    35 ms    34 ms  12.81.56.61
 13   101 ms    69 ms    35 ms  65.83.238.190
 14    46 ms    45 ms    45 ms  cr2.rlgnc.ip.att.net [12.123.152.110]
 15    49 ms    47 ms    47 ms  cr1.wswdc.ip.att.net [12.122.3.170]
 16    44 ms    44 ms    44 ms  12.122.135.165
 17    46 ms    45 ms    45 ms  192.205.37.106
 18    50 ms    45 ms    46 ms  te0-4-0-1.mpd22.dca01.atlas.cogentco.com [15
.41.249]
 19    66 ms    64 ms    65 ms  te0-2-0-4.mpd22.ord01.atlas.cogentco.com [15
.40.242]
 20    66 ms    65 ms    65 ms  te0-1-0-0.ccr22.ord01.atlas.cogentco.com [15
.6.178]
 21    72 ms    72 ms    72 ms  te3-2.ccr01.stl03.atlas.cogentco.com [154.54
30]
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.

I have had no previous problems with using the Whois function in TCPView.

This sure smells like some type of DNS rebind to me.

In any event I found a solution - block outbound on avastui.exe.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: High_Treason on September 18, 2011, 10:54:19 PM
Why is it that software today always seems to like connecting to the internet for no apparent reason? I must say, on top of all the scareware, logic bombs and shovelware this does seem suspicious.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Vlk on September 18, 2011, 11:04:37 PM
Reverse DNS lookup is often bogus.
What really matters is the IP address - if it was really 74.55.80.203, I don't think there's anything suspicious going on...

Blocking AvastUi.exe in the firewall may have negative consequences as it may limit some of the product's functionality.


Thanks
Vlk
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Asyn on September 18, 2011, 11:11:51 PM
Blocking AvastUi.exe in the firewall may have negative consequences as it may limit some of the product's functionality.

Which exactly..??
Thanks,
asyn
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Lisandro on September 18, 2011, 11:53:28 PM
Which exactly..??
Remote content, for instance.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Asyn on September 18, 2011, 11:56:12 PM
Remote content, for instance.

Which would be..??
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Lisandro on September 18, 2011, 11:59:19 PM
Which would be..??
News.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Asyn on September 19, 2011, 12:00:05 AM
Which would be..??
News.

Anything more..??
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Lisandro on September 19, 2011, 02:41:45 AM
Anything more..??
Vlk's secrets ;D
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: MartinZ on September 19, 2011, 10:12:18 AM
Registration, expiration warnings...
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Asyn on September 19, 2011, 10:18:23 AM
Registration, expiration warnings...

Thanks Martin..!
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: DonZ63 on September 19, 2011, 12:56:59 PM
The only baseline software reason I can determine avastui.exe is used for is the WebRep feature. I don't use that feature.

I personally detest "cloud" concepts and processing. To me it equates to giving vendors a built-in spyware backdoor; something by the way that MS has built into their OSes since day one. The risks of cloud computing far outweigh its benefits.

As far as my situation goes, I could live with the Avast advertising but not when DNS resolution is to questionable sources.

Also closely look at the WhoIs data from my original screen shot. You will notice that the Indian city mentioned is Bombay. Has that city not been named Mumbai for some time?
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Asyn on September 19, 2011, 01:16:23 PM
The only baseline software reason I can determine avastui.exe is used for is the WebRep feature.

WebRep doesn't need avastui, afaik.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: DavidR on September 19, 2011, 02:50:39 PM
The only baseline software reason I can determine avastui.exe is used for is the WebRep feature. I don't use that feature.

The avastUI.exe is the graphical interface and is used by many shields, I believe that the alert windows are also handled by the avastUI so if that isn't running, I guess you wouldn't see the alert window. You could test that by downloading the eicar test file whilst you don't have the avastUI running.

I don't believe it is required by the WebRep to display the WebRep information, as I believe that would be done by the browser as essentially it is a pop-up displaying the data when you click on the webrep icon, etc.

I personally detest "cloud" concepts and processing. To me it equates to giving vendors a built-in spyware backdoor; something by the way that MS has built into their OSes since day one. The risks of cloud computing far outweigh its benefits.

I guess you are going to have a hard time with that one, as it seems that this is the way most AVs are going. I'm no cloud fan as when your internet is down so too is that element, but it rather depends on how heavily the AV is dependent on cloud processing.

As far as my situation goes, I could live with the Avast advertising but not when DNS resolution is to questionable sources.

Also closely look at the WhoIs data from my original screen shot. You will notice that the Indian city mentioned is Bombay. Has that city not been named Mumbai for some time?

The resolution of the IP address isn't something in the control of avast, that is down to whatever application (TCPView) resolves it and the DNS server it used to resolve the IP address.

Get the IP resolution wrong and the whois details taken from the domain name (resolved IP address) will also be wrong. As Vlk said "Reverse DNS lookup is often bogus." perhaps, bogus should be replaced by wrong.

As you found doing a whois on the wrong domain name returns a different IP address, so the problem is one of incorrect resolution of the IP address...
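
Added example, not part of any post in this thread: a forward-confirmed reverse DNS check that judges a connection by its IP address and by the names the program is expected to contact, instead of by the PTR name a tool such as TCPView displays. The lookup tables are constructed from the values quoted in the thread, and the function names are hypothetical.

```python
import socket

# Constructed tables mirroring the values reported in this thread.
SAMPLE_PTR = {"74.55.80.203": "w2k325j.hosttalks.net"}
SAMPLE_A = {
    "w2k325j.hosttalks.net": ["128.252.54.18"],
    "program.avast.com": ["74.55.80.203"],  # one of several servers per Vlk
}

def table_resolver(ptr, a):
    """Return (reverse, forward) lookup functions backed by dicts (offline)."""
    return (lambda ip: ptr.get(ip)), (lambda name: a.get(name, []))

def live_resolver():
    """Same interface using the system resolver (needs network access)."""
    def reverse(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None
    def forward(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []
    return reverse, forward

def classify(ip, expected_names, reverse, forward):
    """Check the PTR name and the expected names against the observed IP."""
    ptr = reverse(ip)
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    ptr_confirmed = ptr is not None and ip in forward(ptr)
    # Independent check: is the IP behind a name the program should contact?
    expected = [n for n in expected_names if ip in forward(n)]
    return {"ip": ip, "ptr": ptr, "ptr_confirmed": ptr_confirmed,
            "expected_by": expected}

def verdict(result):
    if result["expected_by"]:
        note = "" if result["ptr_confirmed"] else " (PTR name unconfirmed, ignore it)"
        return "expected endpoint" + note
    return "unknown endpoint, investigate by IP ownership"
```

Passing `*live_resolver()` instead of `*table_resolver(...)` runs the same check against the machine's configured DNS server.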
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Asyn on September 19, 2011, 02:55:22 PM
...I believe that the alert windows are also handled by the avastUI so if that isn't running, I guess you wouldn't see the alert window.

You're wrong about this Dave.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: igor on September 19, 2011, 02:59:19 PM
I would add: "That, however, may change at any time, even via a virus definition update".
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: Asyn on September 19, 2011, 03:02:33 PM
I would add: "That, however, may change at any time, even via a virus definition update".

Hope you tell us before. ;)
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: DonZ63 on September 21, 2011, 12:36:41 AM
I unblocked avastui.exe and checked to see what it connected to. IP is 75.125.212.75 with no DNS resolution for two connections. This is an iPlanet IP so I assume it's OK. The other two connections are to avast.com, IP 207.218.232.82.

Still would like to know what avastui.exe does. It just stays in a perpetual wait state for port 443.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: DavidR on September 21, 2011, 12:44:19 AM
Yes, avast has a number of hosted servers at planet internet.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: cavehomme on September 21, 2011, 05:37:25 PM
Why is it that software today always seems to like connecting to the internet for no apparent reason? I must say, on top of all the scareware, logic bombs and shovelware this does seem suspicious.

How do you think that some free products cover their costs? They need advertising, and maybe also sell "aggregate" data?! As for Indian IP addresses, that is one of the "benefits" of the "wonderful" cloud that everyone is so hot about these days.

I wish Avast were a bit more upfront on this. I was thinking of buying a few professional licenses for our small office but this now worries me a bit. I will wait for an answer before I decide next week.
Title: Re: Why Is AvastUI.exe Dialing Out To India?
Post by: igor on September 21, 2011, 05:48:49 PM
Please read the thread again... there is no Indian IP - it's just a problem with the reverse lookup on the original poster's machine.