Author Topic: ashServ.exe has changed.  (Read 9414 times)

0 Members and 1 Guest are viewing this topic.

Offline notdarkyet

  • Jr. Member
  • **
  • Posts: 50
  • I'm a llama!
ashServ.exe has changed.
« on: November 24, 2003, 11:00:25 PM »
Hello all I am new to avast! AV and the forum, I have read through some posts and the avast help for answers without luck before posting here and I hope you can help me with my problem.

I recently got a program alert from Zonealarm saying that ashServ.exe was trying to access the internet and also it had changed since the last time it had access, ZA told me I should be wary of programs that have changed because there might be a virus at work and so I denied access, it's been a few days and I haven't recieved any more alerts. What I'd like to know is if ashServ.exe should be asking for internet access and if it is normal for it to have changed, I'll provide information about the alert and my system below, please ask if you need me to provide any other relevant info.

Alert Information:

Program Name: ashServ.exe
Program Version: 4,1,287,0
Program Size (bytes): 0
Date Modified: Nov-30-1979 12:00am (I think this is the time of day I got down, if not, it's close)

System Details:

Windows XP Home Edition
900MHz Intel Celeron Processor
128mb RAM


Installed Programs:

avast! version 4.1 Home Edition (running in demo period)
Build: oct 2003 (4.1.289)
Virus Database Version: 0301-13  21.11.03

Zonealarm (free version)

Connection: Cable Modem (Broadband)

« Last Edit: November 24, 2003, 11:01:52 PM by notdarkyet »

Offline Culpeper

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1187
Re:ashServ.exe has changed.
« Reply #1 on: November 24, 2003, 11:07:01 PM »
I don't think you have a problem there at all.  Sygate does the same thing after Avast does auto updates.  It's just your firewall noticing the change.
The wind in the wires made a tattletale sound
And a wave broke over the railing
And every man knew, as the Captain did, too,
T'was the witch of November come stealing.

Offline notdarkyet

  • Jr. Member
  • **
  • Posts: 50
  • I'm a llama!
Re:ashServ.exe has changed.
« Reply #2 on: November 25, 2003, 10:46:00 PM »
Program Name: ashServ.exe
Program Version: 4,1,287,0
Program Size (bytes): 0
Date Modified: Nov-30-1979 12:00am (I think this is the time of day I got down, if not, it's close)


Hi again, I have a few questions I want to ask:

1. So is it normal for ashServ.exe to need internet access and sometimes to have changed? (what is it's function and why does it need access and to change)

Also, I think I had my internet lock on at the time which may have caused the alert.

2. Does avast! keep a log of when it updates so I can see if it has updated recently or is there another suggestion you can make where I could find if my current version is different from the version I installed.

2b. Can you tell me what version of ashServ is the most recent.

3. Do you think the details of the program (quoted above) are strange e.g it being 0 bytes, the fact it was last modified in 1979?

4. Finally, could this be a malicious program masquerading as an avast component to gain internet access?


Thanks for the help, and I'm sorry for being a bit of an amateur but I want to make sure everything is okay with my system.



« Last Edit: November 25, 2003, 10:49:09 PM by notdarkyet »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re:ashServ.exe has changed.
« Reply #3 on: November 26, 2003, 01:23:01 AM »
Program Name: ashServ.exe
Program Version: 4,1,287,0
Program Size (bytes): 0
Date Modified: Nov-30-1979 12:00am (I think this is the time of day I got down, if not, it's close)

Updated versions are: 4.1.289 and VPS (virus database) 0311-0

1. So is it normal for ashServ.exe to need internet access and sometimes to have changed? (what is it's function and why does it need access and to change)

ashserv.exe manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler. aswUpdSv.exe is avast! iAVS4 Control Service, which provides automatic updating for the avast! antivirus. The answer for your questions are: the file itself could be updated since your version are not the last one. Right now, this file does not need to access the Internet (at last, in my system it never asked for. I just have: avast.setup file and avastmaisv.exe (the mail scanner).

Also, I think I had my internet lock on at the time which may have caused the alert.

2. Does avast! keep a log of when it updates so I can see if it has updated recently or is there another suggestion you can make where I could find if my current version is different from the version I installed.

2b. Can you tell me what version of ashServ is the most recent.

Manually update could inform (and download) you about the new versions. The last one is 4.1.289 (see About dialog from the tray icon 'a').

3. Do you think the details of the program (quoted above) are strange e.g it being 0 bytes, the fact it was last modified in 1979?

Could you explain a little bit more?

4. Finally, could this be a malicious program masquerading as an avast component to gain internet access?

Definitevely not.

Have fun and luck. Technical.
The best things in life are free.

Offline notdarkyet

  • Jr. Member
  • **
  • Posts: 50
  • I'm a llama!
Re:ashServ.exe has changed.
« Reply #4 on: November 26, 2003, 01:17:12 PM »
I ran the update for the program and VPS and I have the latest versions, I don't think I've updated the program since I installed so could a VPS update cause Zonealarm to say ashServ.exe had changed? What you should also notice is that the build of my program and the build of ashServ.exe given in the alert are not the same (you can see the build in my first post), is this normal?

Also, I know I've asked this before but I don't seem to have read a clear cut answer of whether or not ashServ.exe needs internet access to function?

I'm also listing the processes in task manager which I think are related to avast! so you can see if I have any missing or there are any anomalies.

ashMaiSv.exe
ashServ.exe
ashSimpl.exe
aswUpdSv.exe



3. Do you think the details of the program (quoted above) are strange e.g it being 0 bytes, the fact it was last modified in 1979?

Could you explain a little bit more?


If you look at my initial post Technical you'll see this information that Zonealarm gave me about the program asking for internet access, please look through the details and tell me if anything looks out of place to you:

Alert Information:

Program Name: ashServ.exe
Program Version: 4,1,287,0
Program Size (bytes): 0
Date Modified: Nov-30-1979 12:00am (I think this is the time of day I got down, if not, it's close)



As well as asking on the forum I also ran a complete avast scan on my system and found nothing. EDIT: I also forgot to add that I recently got an error message about ashServ.exe at shutdown and was asked to close it manually, unfortunately I was in the last stages of shutdown and I couldn't get down the details, this may be linked so is there anywhere errors like these are logged?

Lastly I can supply the IP address it was trying to contact if that will help and it is safe to do so.

Thanks.

PS I assume it's okay to leave resident protection on while I scan? This is what I have been doing.

« Last Edit: November 26, 2003, 01:24:41 PM by notdarkyet »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re:ashServ.exe has changed.
« Reply #5 on: November 27, 2003, 01:17:25 AM »
ashMaiSv.exe - Internet Mail Provider
ashServ.exe - Windows Service. Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler
ashSimpl.exe - Simple User Interface (skinned application)
aswUpdSv.exe - Windows Service. avast! iAVS4 Control Service, which provides automatic updating for the avast! antivirus.

All these files are listed on task manager. Just ashMailSv.exe and other file, named avast.setup must have the rights to access the Internet. None of them must have server rights (ie, could be accessed by the Internet).

Do you have a net card in your system (even if you do not have a net or LAN but just the card)? ZoneAlarm could ask for access rights if the LAN is not well-configured. I'm not sure, but ashServ.exe does not have to connect the Internet...

The IP addresses that are contacted must be found at the FAQ or help files of avast:

URL: http://www.asw.cz/iavs4pro
IP: 195.70.130.34

URL: http://www.avast.com/iavs4pro
IP: 64.246.6.135

URL: http://www.iavs.net/iavs4pro
IP: 207.44.156.15

URL: http://www.iavs.cz/iavs4pro
IP: 62.168.45.69

At last, you're right, you could leave the resident protection on while you perform a scanning.
The best things in life are free.

Offline notdarkyet

  • Jr. Member
  • **
  • Posts: 50
  • I'm a llama!
Re:ashServ.exe has changed.
« Reply #6 on: November 27, 2003, 04:08:46 PM »
Hi again Technical,

ashMaiSv.exe - Internet Mail Provider
ashServ.exe - Windows Service. Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler
ashSimpl.exe - Simple User Interface (skinned application)
aswUpdSv.exe - Windows Service. avast! iAVS4 Control Service, which provides automatic updating for the avast! antivirus.

I looked in program control in ZA and have three avast componets that have asked for access before, ashMaiSv.exe, avast.setup and ashServ.exe. I checked the properties of the ashServ.exe file and some weren't the same as ZA gave me such as Date Modified and the size of the file so this could either be an error in ZA or a malicious program?

Do you have a net card in your system (even if you do not have a net or LAN but just the card)? ZoneAlarm could ask for access rights if the LAN is not well-configured. I'm not sure, but ashServ.exe does not have to connect the Internet...

If you mean by net card do I have an LAN card then yes I do, although my PC is a single workstation and I access the internet through cable modem (Broadband).
I don't have much knowledge about net/LAN but could you give me some directions on where and how to check if this is set up properly.

Also, the IP ashServ.exe was supposedly trying to contact matches none of the IP addresses you listed, which makes me even more concerned this could be something suspicious...

It would be great if a member of the Alwil staff could to drop by and confirm that ashServ.exe should or shouldn't require net access and I also welcome any other suggestions anyone else might have as I've kinda hit a dead end here.

Thanks.
« Last Edit: November 27, 2003, 04:12:32 PM by notdarkyet »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re:ashServ.exe has changed.
« Reply #7 on: November 27, 2003, 05:56:18 PM »
I have an LAN card then yes I do, although my PC is a single workstation and I access the internet through cable modem (Broadband).
I don't have much knowledge about net/LAN but could you give me some directions on where and how to check if this is set up properly.

First, enable your LAN into Control Panel (or into System > Hardware or in Connections). You can be sure of this adding an icon to the System Tray.

In ZoneAlarm > Firewall > Zones > See if you have properly configured your Internet Adapter (generally, WAN (PPP/SLIP) Interface - IP - Adapter Subnet - Internet Zone).

In ZoneAlarm > Firewall > Main > you can set both to 'High' (Internet and Trusted Zone Security).

Also, the IP ashServ.exe was supposedly trying to contact matches none of the IP addresses you listed, which makes me even more concerned this could be something suspicious...

It would be great if a member of the Alwil staff could to drop by and confirm that ashServ.exe should or shouldn't require net access and I also welcome any other suggestions anyone else might have as I've kinda hit a dead end here.

I'll let this for the avast! team.
The best things in life are free.

Offline notdarkyet

  • Jr. Member
  • **
  • Posts: 50
  • I'm a llama!
Re:ashServ.exe has changed.
« Reply #8 on: November 27, 2003, 09:14:37 PM »
First, enable your LAN into Control Panel (or into System > Hardware or in Connections). You can be sure of this adding an icon to the System Tray.

In ZoneAlarm > Firewall > Zones > See if you have properly configured your Internet Adapter (generally, WAN (PPP/SLIP) Interface - IP - Adapter Subnet - Internet Zone).

Can a single workstation be part of an LAN? I checked in Start > Control panel > Network and Internet Connections > Network Connections and I have 3 connections set up, 2 are enabled and one is unplugged, they are listed below:

AEI USB To Fast Ethernet adaptor - Packet scheduler miniport

WAN Network driver - Packet scheduler miniport

Linksys LNE100TX fast ethernet Adaptor(LNE100TX v4) - Packet scheduler miniport (This Network Cable is unplugged)


When I switched from dial-up to broadband I left the connections pretty much as they were, do you think I need to "clean" this area up a bit?

Also all the connections are listed as in the Internet zone in ZA and the only one showing any activity in Task Manager is the AEI USB To Fast Ethernet adaptor - Packet scheduler miniport.

In ZoneAlarm > Firewall > Main > you can set both to 'High' (Internet and Trusted Zone Security).

The security level for the Internet zone is set to high and for the trusted zone is set to medium (recommended), should I change this?


Going back to what you said here...
ZoneAlarm could ask for access rights if the LAN is not well-configured. I'm not sure, but ashServ.exe does not have to connect the Internet...

I think you're asking if ZA has any trouble connecting to the Internet?,  the answer is it doesn't, also I haven't had any problems with my connection and other programs connect fine too.

I hope this info helps, just ask if you need me to do anything else.

Thanks.
« Last Edit: November 27, 2003, 09:24:41 PM by notdarkyet »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re:ashServ.exe has changed.
« Reply #9 on: November 28, 2003, 01:20:09 AM »
Linksys LNE100TX fast ethernet Adaptor(LNE100TX v4) - Packet scheduler miniport (This Network Cable is unplugged)
When I switched from dial-up to broadband I left the connections pretty much as they were, do you think I need to "clean" this area up a bit?

This answer your question: for Windows, a single workstation is a part of a LAN with an unplugged cable!
I think everything is ok in your settings...

The security level for the Internet zone is set to high and for the trusted zone is set to medium (recommended), should I change this?

You can try, if you have just one computer in your 'network', it should not have any harmfull effect. Anyway, if ZoneAlarm start to ask you for accesss rights with frequency, you can turn back to Medium level.

If you do not have connections problems, let's go and do not worry to much about the ashServ.exe...
The best things in life are free.

Offline notdarkyet

  • Jr. Member
  • **
  • Posts: 50
  • I'm a llama!
Re:ashServ.exe has changed.
« Reply #10 on: November 28, 2003, 06:37:41 PM »
You can try, if you have just one computer in your 'network', it should not have any harmfull effect. Anyway, if ZoneAlarm start to ask you for accesss rights with frequency, you can turn back to Medium level.

Since I updated ZA, "Zone Labs Client"(changed from "Zonealarm" before) is shown in the logs to be asking for internet access and is granted but I never see an alert asking me for it, am I right in thinking the firewall automatically gives itself access? I don't think ZA used to show up in the logs.

If you do not have connections problems, let's go and do not worry to much about the ashServ.exe...

If I don't let ashServ.exe connect avast! doesn't seem to be able to check for updates, in the log all avast requests for internet access are listed as being from "avast! antivirus service" so it's hard to distinguish between what is trying to connect. I'd still like to see a reply from a member of the Alwil team or I might have to email them.