Author Topic: Network Shield - What's the point of logging it?  (Read 10073 times)

0 Members and 1 Guest are viewing this topic.

cooby

  • Guest
Re: Network Shield - What's the point of logging it?
« Reply #15 on: July 31, 2012, 05:00:15 AM »
Last one includes the log on the screen shot

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Network Shield - What's the point of logging it?
« Reply #16 on: July 31, 2012, 12:06:05 PM »
Firstly I'm an avast user not an avast developer, so I can't only comment on what I see from a users stand point.

Well since you don't use a signature to indicate what security software, OS etc. etc. on your system we have no reference point, e.g. we have to continually go back over your posts to try and find that information (a forum profile, signature helps us to help you).
What your firewall that you are creating these rules with ?

I can't explain why avast is indicating TclockEx as I have never used it and I don't know exactly know how it achieves this getting the time, if it calls the the Windows Time Service and that goes of and syncs the time, I would assume that avast would still see TclockEx as being the initiator process.

As for Opera, being a browser there is a possibility that in the course of browsing there is a link in a website to this phpinclude-bin then the network shield would jump on that as and when a connection attempt to that was made. The PIDs change as can be seen between your images different PID for Opera in both, since there is no time stamp on process explorer it is hard to say for certain. That will have to come from someone more knowledgable of the internal workings of the network shield.

I certainly can't say anything other than as an avast user on how the network shield is meant to work in identifying the parent process accessing the object, from my own experience and in the forums the parent process I have found to be correct.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cooby

  • Guest
Re: Network Shield - What's the point of logging it?
« Reply #17 on: July 31, 2012, 04:46:25 PM »
Bottom line first: I'm pretty sure that the number in ( ) is PID, therefore nshield was not always reporting the application correctly. Remember my first log with a real trojan? Opera did show up there, so it's not always TClockEx.

TClockEx is not calling Windows Time Service. Using DDE it collects time value from some SystemTime variable using its hook to a windows process, I suppose. If it did call the service, I'd see WindowsTime going out in the firewall log, since it's one of few allowed connections I log.

Today, using Autoruns, I disabled TClockEx from startup and rebooted. Then I ran the same old link three times. In all cases Opera was identified in the log and it matches PID.
Note anotations in my screenies. I promise I won't post any more of those unless somebody asks for more :)
As I described, Process Explorer is behind the Opera window - I start PE before starting Opera, so the clock values apply.
Time stamp in these last screen shots is the crummy windows display since TClockEx not running. See bottom right corner in these as well as yesterday's shots. So to answer your question that there's no timestamp on PE - well there is, always there, in the right corner.

I wish I didn't hijack this thread, ouch :( Could we split it out since it's about nshield?

Thank you for your patience, and whom do you think we should ask to explain?

cooby

  • Guest
Re: Network Shield - What's the point of logging it?
« Reply #18 on: July 31, 2012, 04:47:51 PM »
... continued, 2of3

cooby

  • Guest
Re: Network Shield - What's the point of logging it?
« Reply #19 on: July 31, 2012, 04:49:48 PM »
... final 3of3