Author Topic: Avast reports "Your router is accessible", "Your router is infected" - really?  (Read 13015 times)


REDACTED

  • Guest
Avast 2015.10.0.2208 Home Network Security scan is reporting:
"Your router is accessible from the Internet" - claiming "we have found that your admin interface can be accessed by anyone on the Internet"
(It also says this may be a false positive from port forwarding - and I do have some ports forwarded to another machine, but no admin page is accessible.)

I have two wireless bridges configured behind a wireless router, all with strong security settings, and their admin interfaces are not remote accessible.

?? How do I find out what admin interface Avast thinks is accessible?

YOUR ROUTER IS INFECTED!!!!?????

Scrolling down on the "accessible" notice is an even more concerning claim: "Your router is infected" and "Your router has been hacked and its DNS settings have been modified to serve malicious contents."

(Why is this less important than your admin interface is accessible?)

Checking the DNS on the router which fronts my home network to the cable modem, shows the primary and secondary DNS entries to be what the Cable ISP (Comcast) is using. 

?? What evidence is Avast using to identify that my router is infected or hacked??

This sure seems like a false claim to scare folks into buying the Avast SecureDNS feature.





REDACTED

  • Guest
Yeah, I enabled that as well on .2206...  I was wondering then what it could find.

It's an industrial-strength router, I won't say which make/model, but it cost Au$250 about 3 years ago.  I'm using WPA2, with a "very strong" PSK, "nearly as strong" Admin password, absurdly long randomly generated SSID which is hidden, WPS disabled and strict MAC binding.  My router also disables SIP/ALG NAT Traversal by default for VoIP.  HNS has not asked me for the Admin password, so it can't get in that way to suss the works, I guess it must phone home to get some server to see what it can find.

HNS is unable to get into the router even when I'm running Soulseek, telling me that my network "is not visible from the internet" and the router "is configured correctly".  I was fairly sure when I enabled HNS that it would tell me these things...

So I do have to wonder where the leaks in your system are.  For example,
Quote
(It also says this may be a false positive from port forwarding...)

When I'm running Soulseek or uTorrent I have ports forwarded, but not with UPnP which I have never used because that holds UDP port 1900 open for BiDi traffic, plus any needed TCP ports.
Quote
Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.
(From Wikipedia#UPnP).

Do you have UPnP enabled in your system?  If so, I recommend strongly that you disable it and do any port forwarding manually.  That should solve many of your problems.

I wouldn't worry over the infection notices.  Apart from anything else, your router is probably running a Linux or Android OS...

Gordon.

REDACTED

  • Guest
So do I disable UPnP on the router to avoid this message about having an infected router? Verizon says it is not infected.

Offline gevjr

  • Newbie
  • *
  • Posts: 1
I received the same error about my router being open to the Internet and being infected.  In my case I am running my own router behind the ISP's Huawei HG8245 fiber gateway.  I didn't really like the dual router but had to leave the ISP configured mostly as it was (as a router) to avoid other issues, and already had my own much nicer router when I moved here.

I checked and I hadn't turned off WAN side access on the ISP's Huawei device, and once I did that (for both WAN and ONT access) and re-ran the Avast network scan, it said everything was fine.  So I don't think that I believe the "infected router" part of the initial report since that went away from simply removing WAN access and nothing else.   
 
By default if I clicked the button after the scan to go to the router and fix the issue, it pulled up my own router's address rather than the ISP's - even though it apparently detected an issue due to the ISP's router being open to WAN management, it sent me to the router of the network my computer sits in.  (i.e., ISP router is 192.168.1.1 and my router/computers are 192.168.2.x network).