Author Topic: .  (Read 22337 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
Re: Avast accessing websites (DNS logs)
« Reply #15 on: January 04, 2015, 11:14:37 PM »
avast does not load the sites, it merely connects to the router and ask it a few questions. It does not connect to the IP, does not check if the IP is accessible or not, nothing. Compare it to for example the prefetch feature of the modern browsers - where site might get downloaded only because it is shown in the search result list.

Thx....but if Avast does not go "out" past the router then why does OpenDNS show the sites as OP outlined ?

Also, alexa.com is meant as an analytics tool.
On the surface this looks less like "security" and more about data collection, etc.
It is items like this that get people wondering if Avast collect and sell user data ?
At the very least Avast is using the access to generate a ton of analytics.....seems awful heavy handed.
The Avast EULA http://files.avast.com/files/legal/eula-avast-free.pdf states the information collected.......
The information collected by the Software is generally not correlated with any other personal information related to you that AVAST may be processing such as information given by you to AVAST or its distributors or agents during the process of ordering and downloading the Software. Unless you have permitted otherwise, the information collected by the Software is used anonymously in aggregation with similar information from other users of the Software for analytical purposes to identify new viruses and threats and for improvement and development of the Software and for statistical purposes.
« Last Edit: January 05, 2015, 12:43:48 AM by thekochs »

Offline stibi

  • Sr. Member
  • ****
  • Posts: 383
Re: Avast accessing websites (DNS logs)
« Reply #16 on: January 04, 2015, 11:45:45 PM »
I don't use DNS logs, but I also don't understand the reason to "connect to the router and ask it a few questions" for a mass of IP addresses. The result will not be very surprising. The addresses will be well known. Or do you search for any kind of forgery?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Avast accessing websites (DNS logs)
« Reply #17 on: January 05, 2015, 08:35:09 AM »
So, if I understand it correctly, avast! connects to router and checks if the address it asked for is also returned by the router. If it's not, this may be indication that something is redirecting your connections on your computer. Or have I failed understanding it? This is basically an internal connectivity check and doesn't actually go beyond your home network.
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Avast accessing websites (DNS logs)
« Reply #18 on: January 05, 2015, 09:32:03 AM »
avast does not load the sites, it merely connects to the router and ask it a few questions. It does not connect to the IP, does not check if the IP is accessible or not, nothing. Compare it to for example the prefetch feature of the modern browsers - where site might get downloaded only because it is shown in the search result list.

Thx....but if Avast does not go "out" past the router then why does OpenDNS show the sites as OP outlined ?

I don't think Lukor meant to say that the DSN queries don't go past the router... the router doesn't have a table of all domains on the Internet, it propagates the queries further - to the DNS servers.

Also, alexa.com is meant as an analytics tool.
On the surface this looks less like "security" and more about data collection, etc.
It is items like this that get people wondering if Avast collect and sell user data ?
At the very least Avast is using the access to generate a ton of analytics.....seems awful heavy handed.

I think you got it wrong (vice versa, I would say)... alexa.com list if built on the results of analytics. To trigger the analytics, you would not only have to connect to the particular site (which doesn't happen there), but also to download its web page and download the links from that web page (one of those being the analytical link).
Selling DNS results? They would be basically the same for almost all the users - no interesting data here ;)


I don't use DNS logs, but I also don't understand the reason to "connect to the router and ask it a few questions" for a mass of IP addresses. The result will not be very surprising. The addresses will be well known. Or do you search for any kind of forgery?

Yes, exactly. The expected results are well known - and that would be the case for most users. However, if you have a compromised router that redirects some domains to fake/phishing pages, you get something unexpected and you may report a problem (of course, assuming that it's at least one of checked domains that gets redirected - that's why the top alexa.com domains were chosen - being popular, they are also likely to be used for an attack).


So, if I understand it correctly, avast! connects to router and checks if the address it asked for is also returned by the router. If it's not, this may be indication that something is redirecting your connections on your computer. Or have I failed understanding it? This is basically an internal connectivity check and doesn't actually go beyond your home network.

Lukor may correct me if I'm wrong, but I believe Avast simply makes a number of DNS queries. Sure, they go via your router (all your traffic does), the router could be the potential cause of problems (if any are found), but I wouldn't say it doesn't go beyond your home network - the queries would be propagated to DNS servers (usually supplied by your ISP, or OpenDNS if you manually configured that).

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Avast accessing websites (DNS logs)
« Reply #19 on: January 05, 2015, 09:33:23 AM »
I don't use DNS logs, but I also don't understand the reason to "connect to the router and ask it a few questions" for a mass of IP addresses. The result will not be very surprising. The addresses will be well known. Or do you search for any kind of forgery?

We are doing this to detect so called DNS hijacking, where a malicious attacker might change the settings inside your PC (and point you to a infected DNS server), or with the help of router vulnerabilities (such as ROM0) or misconfiguration (such as default passwords) change the DNS settings on your router.

http://www.gohacking.com/dns-hijacking/
http://www.whogothacked.com/2014/02/hackers-exploiting-router.html
http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/

REDACTED

  • Guest
Re: Avast accessing websites (DNS logs)
« Reply #20 on: January 05, 2015, 02:10:37 PM »
OK...thx.......but I do not understand why all these type websites OP lists are pinged to DNS IP ?
Also, why so many times/frequency ?

It seems to me (like the example you use with the web browser pre-fetch) that Avast would look in the router table and only test the DNS addresses of IPs visited or some "basic" well known sites......while all the porn and suspect sites ?......seems like you would be testing "good" sites for bad IPs ?

Also......and I am by FAR no expert on this......why would you mess with the router ?
Why wouldn't Avast do this at the "PC" & Browser level ?
IMHO I don't want Avast mucking about on my network....I want you resident on the PC snooping/blocking/etc. items that are from/to the PC.....not upstream.  In fact, I'd rather see Avast expand your coverage to exploit attacks....ala new MBAM Exploit.
https://www.malwarebytes.org/antiexploit/
Just my opinion but Avast needs to improve on the A/V side at the client level....these other "Tools" and Network efforts appear to be diluting you....the more of this you do the less I like Avast.

Thx.
« Last Edit: January 05, 2015, 02:16:09 PM by thekochs »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Avast accessing websites (DNS logs)
« Reply #21 on: January 05, 2015, 03:11:02 PM »
Those sites from the list are known and popular sites. Sure, not for everybody, but in the global point of view, that's how it is.

Why do it? Well, the more layers of protection you have, the better protected you are. No antivirus product detects everything... so as I wrote before - yes, the Web Shield should/could detect the fake content if you were redirected to a malicious page. But detecting even the presence of the redirection itself is better then just detecting the subsequently downloaded content (also because you know the problem is on your machine/network, while in the other case you may think the remote web page got compromised).
Plus, they may not even be any malicious content to report... in some cases the attackers may just be eavesdropping on your communication and getting your personal data - without serving any malicious content do detect. So it's better to report the vulnerability on the network than to wait for some "visible" problems to manifest.

REDACTED

  • Guest
Re: Avast accessing websites (DNS logs)
« Reply #22 on: January 05, 2015, 03:41:52 PM »
Those sites from the list are known and popular sites. Sure, not for everybody, but in the global point of view, that's how it is.

Why do it? Well, the more layers of protection you have, the better protected you are. No antivirus product detects everything... so as I wrote before - yes, the Web Shield should/could detect the fake content if you were redirected to a malicious page. But detecting even the presence of the redirection itself is better then just detecting the subsequently downloaded content (also because you know the problem is on your machine/network, while in the other case you may think the remote web page got compromised).
Plus, they may not even be any malicious content to report... in some cases the attackers may just be eavesdropping on your communication and getting your personal data - without serving any malicious content do detect. So it's better to report the vulnerability on the network than to wait for some "visible" problems to manifest.

OK....I get the intent (valid/good reason) but I will politely disagree with the amount/frequency and "way" this is being done.
If Avast wants to protect the user from this you need to restrict yourself to the sites being visited at the "time" of request.
Again, not an expert but this seems like it can be done in the Web Shield (not just fake content but the re-direct)....intruding on how the router works only causes more layers of things to go wrong (example: how does this work if thru OpenDNS I am blocking these type sites ?, also if this causes network issues it is VERY difficult to trace/ID).  Also, I completely disagree that just because these sites are OK every else that it is OK for them to show up on my connections in any form.  For me I am a FREE user mostly and the one PC I am not on FREE I am now downgrading to FREE......."this" protection/layer you offer is not worth this intrusion.....sorry.  I can easily lock down my router without the need for this. 

Also, I only point this out because it the bulk of Avast users were educated that this type traffic/operation is going on you'd get a lot of rejection and bad press.  I hope you re-think "how" this layer is done.
« Last Edit: January 05, 2015, 03:51:31 PM by thekochs »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Avast accessing websites (DNS logs)
« Reply #23 on: January 05, 2015, 03:50:00 PM »
It cannot be done for visited domains only because it's simply not enough data to judge by (plus, it's not possible to check every DNS request for every insignificant domain - if that's what you mean - Geo DNS would interfere with that) - so it would be basically the same as removing that functionality altogether.

Feel free to disable to Home Network Security tool if you don't like it (but I certainly disagree with your conclusions, sorry).
« Last Edit: January 05, 2015, 03:53:16 PM by igor »

REDACTED

  • Guest
Re: Avast accessing websites (DNS logs)
« Reply #24 on: January 05, 2015, 03:53:06 PM »
Feel free to disable to Home Network Security tool if you don't like it (but I certainly disagree with your conclusions, sorry).

That's OK........my gut feel tells me if other users find out "how" Avast is implementing you are going to get a fairly negative response.  I think the only reason you are not now is that typical users are blind to what is being done.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Avast accessing websites (DNS logs)
« Reply #25 on: January 05, 2015, 04:16:47 PM »

That's OK........my gut feel tells me if other users find out "how" Avast is implementing you are going to get a fairly negative response.  I think the only reason you are not now is that typical users are blind to what is being done.

I can hardly think about something less intrusive and benign than resolving a DNS query. As I said before, I understand the inconvenience if you gather logs of DNS queries and then get confused, but beside this I don't see any actuall reason why this operation (doing a DNS query) be something we should avoid.

From what you said it seems that you have issues with Avast doing any network related probes - not that you would find DNS queries the problem them selves. In this case I would really suggest you to disable Home Network Security completely.

Anyway, thanks for the feedback, we'll try to find out some improvements to the functionality so that these questionable domains are queried only if really required.

Thanks, Lukas.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Avast accessing websites (DNS logs)
« Reply #26 on: January 05, 2015, 04:30:54 PM »

That's OK........my gut feel tells me if other users find out "how" Avast is implementing you are going to get a fairly negative response.  I think the only reason you are not now is that typical users are blind to what is being done.

I can hardly think about something less intrusive and benign than resolving a DNS query. As I said before, I understand the inconvenience if you gather logs of DNS queries and then get confused, but beside this I don't see any actuall reason why this operation (doing a DNS query) be something we should avoid.

From what you said it seems that you have issues with Avast doing any network related probes - not that you would find DNS queries the problem them selves. In this case I would really suggest you to disable Home Network Security completely.

Anyway, thanks for the feedback, we'll try to find out some improvements to the functionality so that these questionable domains are queried only if really required.

Thanks, Lukas.
Why can't the list (log) be encrypted. Avast gets what it needs and we or any one else looking at our computer don't have to put up with that list.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Avast accessing websites (DNS logs)
« Reply #27 on: January 05, 2015, 04:43:38 PM »
<snip quote>
I can hardly think about something less intrusive and benign than resolving a DNS query. As I said before, I understand the inconvenience if you gather logs of DNS queries and then get confused, but beside this I don't see any actuall reason why this operation (doing a DNS query) be something we should avoid.

From what you said it seems that you have issues with Avast doing any network related probes - not that you would find DNS queries the problem them selves. In this case I would really suggest you to disable Home Network Security completely.

Anyway, thanks for the feedback, we'll try to find out some improvements to the functionality so that these questionable domains are queried only if really required.

Thanks, Lukas.
Why can't the list (log) be encrypted. Avast gets what it needs and we or any one else looking at our computer don't have to put up with that list.

Personally I would think that may well make it look even more suspicious as the users firewall or sniffer logs would still be logging this activity - yet looking in the avast log would essentially just show the encrypted data. So the user would still be wondering what the hell avast is doing.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Avast accessing websites (DNS logs)
« Reply #28 on: January 05, 2015, 04:45:30 PM »
Why can't the list (log) be encrypted. Avast gets what it needs and we or any one else looking at our computer don't have to put up with that list.

Hi Bob, the OP reported that he used OpenDNS to create log of all DNS activity. You can also capture packets on the network and create a log file from the capture. From the packet log, you can however also tell that the domains are not accessed - which means no connection and traffic between your PC and the suspicous site(s).

REDACTED

  • Guest
Re: Avast accessing websites (DNS logs)
« Reply #29 on: January 05, 2015, 05:08:22 PM »
Why can't the list (log) be encrypted. Avast gets what it needs and we or any one else looking at our computer don't have to put up with that list.

Hi Bob, the OP reported that he used OpenDNS to create log of all DNS activity. You can also capture packets on the network and create a log file from the capture. From the packet log, you can however also tell that the domains are not accessed - which means no connection and traffic between your PC and the suspicous site(s).

As you stated, there are a lot of people who use OpenDNS.....great solution.  One of the very nice features is to see the statistics of what is being accessed & frequency.  I use OpenDNS for variety of things....manage websites my kids can visit on a "global" level within the home, log/see what is going on, and also even look at the stats.......one very good way to see that you have a lot of Adware to go resolve. 

I no longer have as they say "any dog in the hunt" since I've disabled the Avast Home Network function but as an Avast fan I hope to see Avast look into how this works/looks at the ISP level.  Avast has 200million users......OpenDNS is HUGE as well.
The issue as outlined by the OP is that while Avast is not contacting the sites it is seen in the OpenDNS logs.
It would also be a good experiment.....which I did not try.....to put some of these sites on the OpenDNS blacklist of your OpenDNS account and see what happens during an Avast query of the IP thru this layer.

Anyway, I'd suggest Avast do some testing with OpenDNS.....seems it would be beneficial.

Cheers.