Hi,
I am running Avast free antivirus, 2015.10.0.2208 on WinXP SP3. I have "Load Avast services only after loading other system services" enabled. Webshield is active. I use a third-party software firewall which loads before all other third-party services. Windows is set to synchronise with an Internet time server (pool.ntp.org).
I noticed that avastsvc.exe was sending UDP to port 123 (various endpoint IP addresses) at system start-up. Fearing malware somehow making use of avastsvc, I did some more digging. The packet of data that avastsvc sends (typically from port 1032, 1033 or 1035) appears to be garbage (no valid data) - here is an example:
User Datagram Protocol, Src Port: mxxrlogin (1035), Dst Port: ntp (123)
Network Time Protocol (NTP Version 1, reserved)
    Flags: 0x08
        00.. .... = Leap Indicator: no warning (0)
        ..00 1... = Version number: NTP Version 1 (1)
        .... .000 = Mode: reserved (0)
    Peer Clock Stratum: unspecified or invalid (0)
    Peer Polling Interval: invalid (0)
    Peer Clock Precision: 1.000000 sec
    Root Delay: 0.0000 sec
    Root Dispersion: 0.0000 sec
    Reference ID: NULL
    Reference Timestamp: Jan 1, 1970 00:00:00.000000000 UTC
    Origin Timestamp: Jan 1, 1970 00:00:00.000000000 UTC
    Receive Timestamp: Jan 1, 1970 00:00:00.000000000 UTC
    Transmit Timestamp: Jan 1, 1970 00:00:00.000000000 UTC
- the endpoint (which is an NTP server) responds with:
User Datagram Protocol, Src Port: ntp (123), Dst Port: mxxrlogin (1035)
Network Time Protocol (NTP Version 1, server)
    Flags: 0x0c
        00.. .... = Leap Indicator: no warning (0)
        ..00 1... = Version number: NTP Version 1 (1)
        .... .100 = Mode: server (4)
    Peer Clock Stratum: secondary reference (2)
    Peer Polling Interval: invalid (3)
    Peer Clock Precision: 0.000000 sec
    Root Delay: 0.0011 sec
    Root Dispersion: 0.0251 sec
    Reference ID: 145.238.203.14
    Reference Timestamp: Feb 13, 2015 14:03:44.446554000 UTC
    Origin Timestamp: Jan 1, 1970 00:00:00.000000000 UTC
    Receive Timestamp: Feb 13, 2015 14:08:52.199725000 UTC
    Transmit Timestamp: Feb 13, 2015 14:08:52.199738000 UTC
- I have monitored this start-up behaviour several times and, as far as I can tell, the remote address contacted varies but is always an NTP server.
If I manually re-synchronise Windows time with pool.ntp.org the following sequence (typically) occurs:
Source          Destination     Protocol  Length  Info
10.0.0.3        10.0.0.2        DNS       72      Standard query 0x4fd5 A pool.ntp.org
10.0.0.2        10.0.0.3        DNS       136     Standard query response 0x4fd5 A (IP addresses - see below)
10.0.0.3        143.210.16.201  NTP       90      NTP Version 3, symmetric active
10.0.0.3        178.62.24.228   NTP       90      NTP Version 3, symmetric active
10.0.0.3        129.250.35.251  NTP       90      NTP Version 3, symmetric active
10.0.0.3        178.79.177.120  NTP       90      NTP Version 3, symmetric active
178.62.24.228   10.0.0.3        NTP       90      NTP Version 3, symmetric passive
143.210.16.201  10.0.0.3        NTP       90      NTP Version 3, symmetric passive
178.79.177.120  10.0.0.3        NTP       90      NTP Version 3, symmetric passive
129.250.35.251  10.0.0.3        NTP       90      NTP Version 3, symmetric passive
- Avast (webshield) does not appear to get involved. I have also tried setting svchost.exe as an excluded application in the webshield, and even disabling the webshield altogether. I have also tried disabling Windows internet time synchronisation. The odd UDP from avastsvc.exe still occurs at start-up. I can create a firewall rule to allow or deny this seemingly odd avastsvc behaviour, but I would be happier if I knew WHY it was happening in the first place. I see other communications taking place between the Avast application and its servers at start-up, but it all seems normal (checking for updates etc). I know that "a little knowledge can be a dangerous thing", but I am still curious to know what is going on here.
Can anyone help?
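Added example, not part of the original post and not Avast's code: a small Python NTP header decoder that reconstructs the two datagrams dissected above from the values Wireshark printed (the fractional parts of the timestamps, the precision exponent and the 16.16 fixed-point root delay/dispersion are approximations; the addresses are the ones quoted in the post) and decodes the flags byte. It shows what the dissector is reporting: 0x08 is "version 1, mode 0 (reserved)" with every other field zero, which is why the request looks empty, while the 0x0c reply is a normal stratum-2 server answer, and the Windows time service's packets carry 0x19 (version 3, mode 1, symmetric active) instead.

```python
"""Decode NTP headers and compare the flags bytes seen in the capture above.

Added example; not code from the original post or from Avast. Packet contents
are reconstructed (constructed sample data) from the Wireshark dissection.
"""
import struct
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2208988800                  # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET = struct.Struct("!BBbbII4sQQQQ")   # 48-byte NTP header, no extension fields
MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}


def flags_byte(li: int, vn: int, mode: int) -> int:
    """Pack Leap Indicator (2 bits), Version (3 bits) and Mode (3 bits) into one byte."""
    return ((li & 0x3) << 6) | ((vn & 0x7) << 3) | (mode & 0x7)


def unix_to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32.32 fixed point, 1900 epoch)."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * (1 << 32)))
    return ((whole + NTP_UNIX_OFFSET) << 32) | frac


def ntp_to_unix(ts: int):
    """64-bit NTP timestamp -> Unix time; 0 is the NULL value Wireshark prints as 1970."""
    if ts == 0:
        return None
    return (ts >> 32) - NTP_UNIX_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_ntp(li, vn, mode, stratum=0, poll=0, precision=0, root_delay=0.0,
              root_disp=0.0, ref_id=b"\0\0\0\0", ref=0, orig=0, recv=0, xmit=0) -> bytes:
    """Serialise a 48-byte NTP header; root delay/dispersion are 16.16 fixed point."""
    return NTP_PACKET.pack(flags_byte(li, vn, mode), stratum, poll, precision,
                           int(root_delay * 65536) & 0xFFFFFFFF,
                           int(root_disp * 65536) & 0xFFFFFFFF,
                           ref_id, ref, orig, recv, xmit)


def parse_ntp(pkt: bytes) -> dict:
    """Decode a 48-byte NTP header into the fields the Wireshark dissector shows."""
    if len(pkt) < NTP_PACKET.size:
        raise ValueError("NTP packet must be at least 48 bytes")
    (flags, stratum, poll, precision, rdelay, rdisp, ref_id,
     ref, orig, recv, xmit) = NTP_PACKET.unpack_from(pkt)
    mode = flags & 0x7
    # Reference ID is an IPv4 address at stratum >= 2, a 4-char code (or NULL) at stratum 0/1
    if stratum >= 2:
        ref_str = ".".join(str(b) for b in ref_id)
    else:
        ref_str = ref_id.rstrip(b"\0").decode("ascii", "replace") or "NULL"
    return {
        "li": flags >> 6, "vn": (flags >> 3) & 0x7, "mode": mode,
        "mode_name": MODE_NAMES[mode], "stratum": stratum, "poll": poll,
        "precision_sec": 2.0 ** precision,
        "root_delay_sec": rdelay / 65536, "root_dispersion_sec": rdisp / 65536,
        "ref_id": ref_str,
        "reference_ts": ntp_to_unix(ref), "origin_ts": ntp_to_unix(orig),
        "receive_ts": ntp_to_unix(recv), "transmit_ts": ntp_to_unix(xmit),
    }


def utc(*ymdhms_us) -> float:
    return datetime(*ymdhms_us, tzinfo=timezone.utc).timestamp()


# Datagram 1 (constructed): what avastsvc.exe sent, flags 0x08 and 47 zero bytes.
AVAST_REQUEST = bytes([0x08]) + bytes(47)

# Datagram 2 (constructed): the stratum-2 server's reply, values as in the dissection.
SERVER_REPLY = build_ntp(
    li=0, vn=1, mode=4, stratum=2, poll=3, precision=-20,
    root_delay=0.0011, root_disp=0.0251, ref_id=bytes([145, 238, 203, 14]),
    ref=unix_to_ntp(utc(2015, 2, 13, 14, 3, 44, 446554)), orig=0,
    recv=unix_to_ntp(utc(2015, 2, 13, 14, 8, 52, 199725)),
    xmit=unix_to_ntp(utc(2015, 2, 13, 14, 8, 52, 199738)),
)

# Flags bytes of ordinary time clients, for comparison with the 0x08 above.
W32TIME_SYMMETRIC_ACTIVE = flags_byte(0, 3, 1)   # 0x19: NTPv3 symmetric active, as in the w32time capture
NTPV3_CLIENT = flags_byte(0, 3, 3)               # 0x1b: classic SNTP/ntpdate-style client
NTPV4_CLIENT = flags_byte(0, 4, 3)               # 0x23: NTPv4 client

if __name__ == "__main__":
    for name, pkt in (("avastsvc request", AVAST_REQUEST), ("server reply", SERVER_REPLY)):
        d = parse_ntp(pkt)
        print(f"{name}: flags=0x{pkt[0]:02x} v{d['vn']} {d['mode_name']} "
              f"stratum={d['stratum']} ref_id={d['ref_id']} xmit={d['transmit_ts']}")
```

The decoder only covers the fixed 48-byte header; a real capture may carry MAC or extension fields after it, which parse_ntp ignores. Comparing the first byte of each UDP payload to port 123 (0x08 versus 0x19/0x1b/0x23) is enough to tell this avastsvc packet apart from the Windows time service's traffic in a firewall log or a pcap filter.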