Topic: Odd datagram to time server at start-up - what is going on?


REDACTED (Guest)
Odd datagram to time server at start-up - what is going on?
« on: February 13, 2015, 04:31:03 PM »
Hi,

I am running Avast free antivirus, 2015.10.0.2208 on WinXP SP3.  I "Load Avast services only after loading other system services".  Webshield is active.  I use a third-party software firewall which loads before all other third-party services.  Windows is set to synchronise with an Internet time server (pool.ntp.org).

I noticed that avastsvc.exe was sending UDP to port 123 (various endpoint IP addresses) at system start-up.  Fearing malware somehow making use of avastsvc I did some more digging.  The packet of data that avastsvc sends (typically from port 1032, 1033, 1035) appears to be garbage (no valid data) - here is an example:

User Datagram Protocol, Src Port: mxxrlogin (1035), Dst Port: ntp (123)
Network Time Protocol (NTP Version 1, reserved)
    Flags: 0x08
        00.. .... = Leap Indicator: no warning (0)
        ..00 1... = Version number: NTP Version 1 (1)
        .... .000 = Mode: reserved (0)
    Peer Clock Stratum: unspecified or invalid (0)
    Peer Polling Interval: invalid (0)
    Peer Clock Precision: 1.000000 sec
    Root Delay:    0.0000 sec
    Root Dispersion:    0.0000 sec
    Reference ID: NULL
    Reference Timestamp: Jan  1, 1970 00:00:00.000000000 UTC
    Origin Timestamp: Jan  1, 1970 00:00:00.000000000 UTC
    Receive Timestamp: Jan  1, 1970 00:00:00.000000000 UTC
    Transmit Timestamp: Jan  1, 1970 00:00:00.000000000 UTC


 - the endpoint (which is an NTP server) responds with:

User Datagram Protocol, Src Port: ntp (123), Dst Port: mxxrlogin (1035)
Network Time Protocol (NTP Version 1, server)
    Flags: 0x0c
        00.. .... = Leap Indicator: no warning (0)
        ..00 1... = Version number: NTP Version 1 (1)
        .... .100 = Mode: server (4)
    Peer Clock Stratum: secondary reference (2)
    Peer Polling Interval: invalid (3)
    Peer Clock Precision: 0.000000 sec
    Root Delay:    0.0011 sec
    Root Dispersion:    0.0251 sec
    Reference ID: 145.238.203.14
    Reference Timestamp: Feb 13, 2015 14:03:44.446554000 UTC
    Origin Timestamp: Jan  1, 1970 00:00:00.000000000 UTC
    Receive Timestamp: Feb 13, 2015 14:08:52.199725000 UTC
    Transmit Timestamp: Feb 13, 2015 14:08:52.199738000 UTC


 - I have monitored this start-up behaviour several times and as far as I can tell the remote address contacted varies but is always an NTP server.

If I manually re-synchronise Windows time with pool.ntp.org the following sequence (typically) occurs:

Source                Destination           Protocol Length Info
10.0.0.3              10.0.0.2              DNS      72     Standard query 0x4fd5  A pool.ntp.org
10.0.0.2              10.0.0.3              DNS      136    Standard query response 0x4fd5  A (IP addresses - see below)
10.0.0.3              143.210.16.201        NTP      90     NTP Version 3, symmetric active
10.0.0.3              178.62.24.228         NTP      90     NTP Version 3, symmetric active
10.0.0.3              129.250.35.251        NTP      90     NTP Version 3, symmetric active
10.0.0.3              178.79.177.120        NTP      90     NTP Version 3, symmetric active
178.62.24.228         10.0.0.3              NTP      90     NTP Version 3, symmetric passive
143.210.16.201        10.0.0.3              NTP      90     NTP Version 3, symmetric passive
178.79.177.120        10.0.0.3              NTP      90     NTP Version 3, symmetric passive
129.250.35.251        10.0.0.3              NTP      90     NTP Version 3, symmetric passive


 - Avast (webshield) does not appear to get involved.  I have also tried setting svchost.exe as an excluded application from the webshield and even disabling the webshield altogether.  I have also tried disabling Windows internet time synchronisation.  The odd UDP from avastsvc.exe still occurs at start-up.  I can create a firewall rule to allow or deny this seemingly odd avastsvc behaviour, but I would be happier if I knew WHY it was happening in the first place.  I see other communications taking place between Avast application and servers at start-up but it all seems normal (checking for updates etc).  I know that "a little knowledge can be a dangerous thing" but I am still curious to know what is going on here.

Can anyone help?

REDACTED (Guest)
Re: Odd datagram to time server at start-up - what is going on?
« Reply #1 on: February 16, 2015, 08:45:31 PM »
I see a few have viewed this subject but no replies.  So I'll advance my theory / answer my own question.

The Avast program is sending a simple "null data" packet to a Time server (0x08 followed by a string of 0x00's) - in effect a sort of "Ping" that apparently causes the server to respond with the current time: in other words a simple check for UTC by the program so that the program "knows" the time, independent of local (Windows / PC hardware) time.  This may be used to make decisions such as sending usage information or checking for updates, I do not know.  This is my best guess.  From my observations the program only ever sends a single datagram to the remote IP address (port 123) and the server appears to be one selected (at random?) from a pool.  This activity occurs first, before the Avastsvc contacts any other servers.
« Last Edit: February 16, 2015, 08:49:53 PM by spiralgalaxy5 »
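The two datagrams from the first post, rebuilt and decoded offline as an added example (this is not code from the thread or from Avast). build_null_request() produces the 0x08 + 47 zero bytes probe that avastsvc.exe sent; capture_reply() reconstructs the server's mode-4 reply from the values shown in the capture (the precision exponent, assumed here to be -20, is not recoverable from Wireshark's rounded "0.000000"); parse() decodes every header field the dissector output lists. reply_matches_request() applies the checks an NTP client normally uses to tie a reply to its own request; the point worth noticing is that a probe whose transmit timestamp is zero carries nothing for the reply's origin timestamp to echo, so the theory in Reply #1 (a minimal "give me UTC" probe) is consistent with the capture, but the probe itself has no way to distinguish the genuine answer from an unsolicited or spoofed mode-4 packet.

```python
"""Build and decode 48-byte NTP headers (RFC 5905 layout).

Added example, not code from the thread or from Avast.  It rebuilds the two
datagrams posted above (the avastsvc.exe probe and the server's reply) from
the captured values and decodes them field by field.  No network I/O.
"""
import struct
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2_208_988_800          # seconds from 1900-01-01 to 1970-01-01
HDR = "!BBbbII4sIIIIIIII"               # LI/VN/mode, stratum, poll, precision,
                                         # root delay, root dispersion, ref id,
                                         # then 4 x (seconds, fraction) timestamps
MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
         3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}


def build_null_request() -> bytes:
    """The avastsvc.exe datagram from the capture: flags 0x08 (LI=0, VN=1,
    mode=0) followed by 47 zero bytes.  Every other field is zero."""
    return b"\x08" + bytes(47)


def build_header(leap, version, mode, stratum, poll, precision,
                 root_delay, root_disp, ref_id, ref, orig, recv, tx) -> bytes:
    """Pack a header.  ref_id is 4 raw bytes; timestamps are Unix-epoch
    floats, or None for the all-zero "unknown" timestamp."""
    def ts(t):
        if t is None:
            return 0, 0
        return int(t) + NTP_UNIX_OFFSET, int(round((t - int(t)) * 2**32))
    flags = (leap << 6) | (version << 3) | mode
    return struct.pack(HDR, flags, stratum, poll, precision,
                       int(round(root_delay * 65536)), int(round(root_disp * 65536)),
                       ref_id, *ts(ref), *ts(orig), *ts(recv), *ts(tx))


def capture_reply() -> bytes:
    """The server reply posted above, rebuilt from the capture's values.
    precision=-20 is an assumption: Wireshark printed it rounded to 0.000000."""
    def utc(*a):
        return datetime(*a, tzinfo=timezone.utc).timestamp()
    return build_header(leap=0, version=1, mode=4, stratum=2, poll=3, precision=-20,
                        root_delay=0.0011, root_disp=0.0251,
                        ref_id=bytes([145, 238, 203, 14]),
                        ref=utc(2015, 2, 13, 14, 3, 44, 446554),
                        orig=None,                        # echoes the zero request
                        recv=utc(2015, 2, 13, 14, 8, 52, 199725),
                        tx=utc(2015, 2, 13, 14, 8, 52, 199738))


def parse(datagram: bytes) -> dict:
    """Decode a header into the fields the Wireshark dissector shows above."""
    if len(datagram) < 48:
        raise ValueError(f"NTP header is 48 bytes, got {len(datagram)}")
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     *ts) = struct.unpack(HDR, datagram[:48])

    def to_unix(secs, frac):
        # An all-zero timestamp means "unknown" (RFC 5905), not 1900 or 1970.
        return None if secs == 0 and frac == 0 else secs - NTP_UNIX_OFFSET + frac / 2**32

    if stratum <= 1:   # stratum 0/1: four ASCII chars; all zero shows as NULL
        ref = ref_id.rstrip(b"\0").decode("ascii", "replace") or "NULL"
    else:              # stratum 2+: IPv4 address of the upstream server
        ref = ".".join(str(b) for b in ref_id)
    return {"leap": flags >> 6, "version": (flags >> 3) & 7,
            "mode": flags & 7, "mode_name": MODES[flags & 7],
            "stratum": stratum, "poll": poll, "precision": 2.0 ** precision,
            "root_delay": root_delay / 65536, "root_dispersion": root_disp / 65536,
            "reference_id": ref,
            "reference_time": to_unix(ts[0], ts[1]), "origin_time": to_unix(ts[2], ts[3]),
            "receive_time": to_unix(ts[4], ts[5]), "transmit_time": to_unix(ts[6], ts[7])}


def reply_matches_request(request: bytes, reply: bytes) -> bool:
    """The checks an NTP client applies before trusting a reply: mode 4, a
    synchronised stratum, a transmit time, and an origin timestamp equal to
    the request's own transmit timestamp (the only thing tying reply to
    request).  With a zero-transmit-timestamp probe that last check is
    satisfied by any mode-4 packet whose origin field is zero."""
    req, rep = parse(request), parse(reply)
    return (rep["mode"] == 4 and 1 <= rep["stratum"] <= 15
            and rep["transmit_time"] is not None
            and rep["origin_time"] == req["transmit_time"])


if __name__ == "__main__":
    for label, pkt in (("avastsvc probe", build_null_request()),
                       ("server reply", capture_reply())):
        print(label, pkt.hex())
        for k, v in parse(pkt).items():
            print(f"  {k:16} {v}")
    print("reply accepted:", reply_matches_request(build_null_request(), capture_reply()))
```

Running the file prints both packets as hex and their decoded fields. The same parse() decodes the w32time packets from the second capture: they differ only in the flags byte (0x19 = version 3, mode 1, "symmetric active") and in carrying a real transmit timestamp, which is exactly what lets a reply be matched back to them.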

Eddy
Re: Odd datagram to time server at start-up - what is going on?
« Reply #2 on: February 16, 2015, 08:50:24 PM »
Since your query is not a general one but rather one for a specialist, it is not surprising that no-one has replied so far.
I've asked avast to have a look at this thread and expect someone to respond to you soon.

REDACTED (Guest)
Re: Odd datagram to time server at start-up - what is going on?
« Reply #3 on: February 16, 2015, 09:16:19 PM »
Thank you - that's much appreciated  :)

Eddy
Re: Odd datagram to time server at start-up - what is going on?
« Reply #4 on: February 16, 2015, 09:33:03 PM »
It is just a small thing to do. ;)

mauricio.chiessi
Re: Odd datagram to time server at start-up - what is going on?
« Reply #5 on: September 17, 2020, 02:33:11 PM »
I have the opposite problem. It appears that Avast is blocking my time servers. If I disable the shields I can synchronise with my time servers. It may have happened when I had the trial version that included the firewall but chose to keep the Windows built-in one instead, and/or when I downgraded to the free version. Should I uninstall the version I have and reinstall the free version, or should I configure the Windows firewall?

Asyn
Re: Odd datagram to time server at start-up - what is going on?
« Reply #6 on: September 17, 2020, 03:21:49 PM »
First, reviving a thread from 2015 isn't helpful. ;)
Second, provide details, else we could only guess.

bob3160
Re: Odd datagram to time server at start-up - what is going on?
« Reply #7 on: September 17, 2020, 09:22:01 PM »
Put your question in your own NEW post, not in this old unrelated one. Thanks