Unusual high incoming/outgoing traffic by Avast! Web Scanner

[Marthirial]

Is it normal that Avast! web Scanner is transfering a lot of info from/into my computer? My firewall is telling me the following:

Avast WebScanner 4.6.602.0  ashWebSv.exe Incoming Allowed: 193055803
Incoming total: 193135286
Outgoing total: 28659547

Transfer has been going on for almost half an hour on a DSL connection and see no other activity besides this one.

[sded]

Avast! Web Scanner doesn't transfer anything; http://data just passes through it on the way in and out.  Something like automatic update is running in the background.  What firewall are you using?  It should tell you what program is actually doing the transfer (except Sygate).  Or take a look at Windows Task Manager to see who else besides Avast! is doing a lot of reading and writing.

[Marthirial]

I am using Sygate Firewall and in the list of applications/activity, ashWebSv.exe is the only one with high transfer rate, the rest is normal.

This is the detail about the connection:

ashWebSv.exe TCP CONNECTED LOCAL PORT 40?? REMOTE PORT 80
IP ADDRESS 66.225.205.??

and in my graphic I see a high amount of data in/out.  the ?? are placed by me.

For sure, this exe is transfering all this.

[sded]

I mentioned Sygate because that firewall has a well known flaw, explained on their website in that it does not detect the use of a proxy to transfer data, only recognizes the last program in the chain-in this case avast!  See http://forums.sygate.com/vb/showthread.php?s=&threadid=7813 for example.  You can also search this site to see discussions of that flaw and how it affects security.  Try looking at your Windows Task Manager to see if there is another program doing a lot of I/O.  Web Scanner transfers nothing, it is only a proxy for passing data through and scanning it for viruses.

[Marthirial]

Well, I am not interested in the way sygate handles information or its flaws at this moment as I am more worry about an intrusion.

I went plan B here and just terminated ashWebSv.exe from task manager and all the incoming/outgoing activity stopped.

That pretty much narrows down to this software causing the activity, that, after several  months of installing the software, is the first time I notice such behavior.

[rasta]

Well, I am not interested in the way sygate handles information or its flaws at this moment as I am more worry about an intrusion.

I went plan B here and just terminated ashWebSv.exe from task manager and all the incoming/outgoing activity stopped.

That pretty much narrows down to this software causing the activity, that, after several  months of installing the software, is the first time I notice such behavior.

Depending on the software that was using the connection, terminating ashWebSv in the middle might simply be treated like terminating your internet connection. Same result.

Do you have RealPlayer installed by any chance?

[alanrf]

Marthirial,

I wonder if perhaps some of the points made here are clear to you.

The Webshield (ashWebSv.exe) is new in this latest release of Avast, so you will never have seen its behaviour before.

With Webshield active you will not see your firewall reporting activity of your browser or any other programs that access http traffic through port 80.  When the Webshield is active all of the http traffic to/from the internet is routed through the Webshield so that it can be scanned for viruses.

The Webshield is being used by countless thousands of Avast users,  it does not by itself access the internet.  It does not by itself download data to your computer and it certainly is not the path of an intrusion.  Any data being downloaded and reported by your firewall coming through the Webshield is coming because some other function in your system is requesting it. 

Perhaps you might want to take a few minutes to read the user manual for Avast and especially to educate yourself on the new features.

[Vlk]

Marthirial, I strongly recommend updating your avast to the latest version (4.6.623). The previous version contained a bug that could, in some circumstances, cause WebShield to keep downloading data that you no longer wanted (especially streaming data such as listening to online radios).

Thanks
Vlk

[Marthirial]

vlk your explanations makes a lot of sense, specially due the fact that I did use shoutcast early in the day, for the first time after installing Avast! several months ago.

I will then update the software

Thanks