Topic: Network Shield - What's the point of logging it?

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Network Shield - What's the point of logging it?
« on: July 21, 2012, 11:55:55 PM »
What's the point of logging Network Shield (NetworkShield.txt) when it doesn't even list blocked items?!

It seems that the log file only contains started & stopped datetime, and run-time info, nothing else.

There's absolutely no way to check past "blocked" events by this shield. The "statistics" page in GUI only shows graphs.

According to the "statistics" page in GUI for network shield, I had 147 connections blocked last year. None is in the log. Why?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: Network Shield - What's the point of logging it?
« Reply #1 on: July 22, 2012, 12:21:56 AM »
Mine does - are you viewing it in Notepad, as other text editors can mangle the actual alert format?

This format I believe has recently been changed as previously the URLs of blocked sites could cause a false positive on the report file. So when this change in format was made I don't know if the previous entries were removed.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: Network Shield - What's the point of logging it?
« Reply #2 on: July 22, 2012, 12:46:18 AM »
Thanks for the URL to test this with. On my desktop PC I browsed to the URL in your screencaps with Opera, and I got the warning popup from avast Network Shield. Same thing with my laptop, except I used Firefox.

Both computers are using the latest avast version in Windows XP SP3, plus the avast in my laptop (which has "clean" install of WinXPSP3), is in unmodified state (no settings changed, just registered) after install of 7.0.1456.

I tested opening the NetworkShield.txt with Windows Notepad, Notepad2 and with Notepad++ on both PCs, there are no blocked items at all!?

There are 0 blocked items listed in my desktop PC NetworkShield.txt which spans from "Wednesday, May 12, 2010" to today (~1200 lines of text). All I see is started & stopped datetime, and run-time info, nothing else.

EDIT: I stopped and restarted the Network Shield on my desktop PC, and then tried to load the malicious URL again, got the warning, but nothing in the log except new stop and start messages. It is not working.
« Last Edit: July 22, 2012, 12:53:32 AM by Skakara »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: Network Shield - What's the point of logging it?
« Reply #3 on: July 22, 2012, 01:29:30 AM »
I don't know why it isn't working on your systems, it did work on my XP Pro system as my images show.

Having said that I have just tested it again and it hasn't logged the alert (XP system) and checking my win7 system no entries since 19/7/12, that netbook doesn't get switched off that frequently, mostly on standby/hibernation. But stop/start network shield shows a start entry but a test after that doesn't get recorded.

So there appears to be a problem in recording, certainly from some time after 2012/7/11.

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: Network Shield - What's the point of logging it?
« Reply #4 on: July 28, 2012, 01:03:33 PM »
What's the policy around here? Are bug reports accepted through the forum? Will somebody from avast answer that the report is acknowledged? (Why was this message deleted earlier? Can't I ask this?)

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Network Shield - What's the point of logging it?
« Reply #5 on: July 28, 2012, 11:26:47 PM »
The blocked URLs are logged into log/nshield.log file, not into report/Network Shield.txt.
What's the point of this report file... well, not much I guess; you can check out whether the Network Shield is/was really running. The existence of the report file is "caused" by an automatic report creation for every shield started/stopped. Why is the nshield.log file there... I believe the Network Shield used to write the log directly from kernel, without actually going into the user mode - so it couldn't interfere with the usual report file.

What makes me worried, though, is David's first screenshot. That block shouldn't be there...

Offline Skakara

  • Full Member
  • ***
  • Posts: 198
Re: Network Shield - What's the point of logging it?
« Reply #6 on: July 28, 2012, 11:58:30 PM »
Thanks again Igor. Found my 21st day tests logged in the nshield.log (with the rest of the blocked items starting from 19.05.2010). Mystery solved. :)

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Network Shield - What's the point of logging it?
« Reply #7 on: July 30, 2012, 11:07:01 AM »
David, can you please send me (e.g. on the FTP) the NetworkShield.txt file you showed, together with the nshield.log?
You don't happen to remember what you did around that time the block (whose information is "present" in NetworkShield.txt) occurred... did you stop the Network Shield after it has blocked the site, or...?
Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: Network Shield - What's the point of logging it?
« Reply #8 on: July 30, 2012, 03:05:39 PM »
> David, can you please send me (e.g. on the FTP) the NetworkShield.txt file you showed, together with the nshield.log?
> You don't happen to remember what you did around that time the block (whose information is "present" in NetworkShield.txt) occurred... did you stop the Network Shield after it has blocked the site, or...?
> Thanks.


OK, uploaded as file name DavidR_NetworkShied_Log_Report_files.7z.

I can't recall exactly what I was doing around that time, the hits in my network shield log/report files are normally due to investigating sites reported in the viruses and worms forum. Though it is a rare occasion when I would disable the network shield when investigating, but it would depend on the circumstances.

cooby

  • Guest
Re: Network Shield - What's the point of logging it?
« Reply #9 on: July 30, 2012, 10:14:19 PM »
Windows XP-sp3, Avast free 7.0.1456

The site in DavidR last screenshot was flagged here and recorded in nshield.
What baffles me a bit is the content of the log - Avast sometimes implicates Opera which is correct, sometimes TClockX which is a DDE type of thing for a nicer timestamp - seems wrong to me.

I attached two nshield logs - the first one is from long ago, the trojan was in an invisible iFrame script, the second one is from the run I just did.
In both instances, Opera had just one tab open.
In both instances, the old one and now, what nshield says matches what the alert says, it's just flaky with the tclockx dragged in.
Are the numbers in parentheses the PID of what's implicated? See 2-opera screenie.

Thoughts?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: Network Shield - What's the point of logging it?
« Reply #10 on: July 30, 2012, 11:03:58 PM »
It isn't the Process that is the issue but the Object, given the image you posted it is more likely that the site that TClockEX.exe is connecting with has been hacked. If you actually do a forum search (viruses and worms forum) for phpinclide-bin you will see many such network shield blocks on what are hacked sites redirecting to this phpinclide-bin url.

cooby

  • Guest
Re: Network Shield - What's the point of logging it?
« Reply #11 on: July 30, 2012, 11:27:29 PM »
Well, TClockX doesn't go anywhere, just sits on my computer. Ever. Honest.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: Network Shield - What's the point of logging it?
« Reply #12 on: July 31, 2012, 12:34:13 AM »
Well I have no idea what it does, my assumption is that it is a clock and must get its timings from somewhere. But that is the parent process trying to make a connection, which has subsequently been redirected to a site that the Network Shield considers malicious.

cooby

  • Guest
Re: Network Shield - What's the point of logging it?
« Reply #13 on: July 31, 2012, 04:57:37 AM »
Well, then what might the (number) be? See my expanded log and new screen shots 3,4,5,6 and a composite log of all today.
It may be a coincidence but the numbers match Opera PID (for 17:36 today I failed to grab a screenshot but it also matched Opera, it was 872).

When I try to connect to that flawed site, Opera is what's doing it. There is no redirection. I typed in the URL from your earlier post.
TclockEx is not the parent of anything :)

Why is it that the only time ever that I've seen anything related to TclockEx and the internet is in these logs where the first was a real trojan link, the second one is the address I picked up in this thread?

All I know is this:
TClockEx sets a windows hook right after login to Windows never to be heard of again (my old SSM logs showed it to be quiet long ago).
It silently communicates with ??? time service on windows to grab the time and just makes a nice display.
As far as I know it just gathers the time by DDE from the clock of Windows set by the Windows Time Service (W32Time) which is running and updates the clock when it feels like it.

Finally,
TClockEx on my box cannot get out to the internet because it is not in the firewall rules allowing out through the avast proxy over 12080 port.
Nor is it allowed to go directly to port 80 or any other port out there.

If it tried to sneak out, I would see an alert or simply a log entry of a denied connection in the firewall. I've never seen any such for TClockEx.

Needless to say, Avast! blocks it. I'm happy. But what I see, I don't understand.

cooby

  • Guest
Re: Network Shield - What's the point of logging it?
« Reply #14 on: July 31, 2012, 04:58:52 AM »
Have to split attachments due to size - one more post after this
« Last Edit: July 31, 2012, 05:01:05 AM by cooby »