Author Topic: Does Avast SecureLine VPN send pings?  (Read 3859 times)

Offline paul.edwards

  • Newbie
  • *
  • Posts: 4
Does Avast SecureLine VPN send pings?
« on: November 03, 2016, 06:15:53 PM »
We believe our network IDS is false positive'ing on ICMP (pings) coming from the Avast SecureLine VPN client.
The packets we see are normally considered to be associated with the Alureon Trojan and wanted to establish if there was a way to distinguish between the two.

Can you please confirm functionality of your software?
  • Does your product send ICMP pings?
  • If so, what is the purpose?
  • If so, is it configurable?  Can it be changed, enabled, disabled?

Thanks and best regards.

Offline rysan

  • Avast team
  • Newbie
  • *
  • Posts: 18
Re: Does Avast SecureLine VPN send pings?
« Reply #1 on: November 21, 2016, 10:47:08 AM »
Hello Paul,
yes, we are sending pings, but only to our servers to test the reachability during connection setup. Currently it's not configurable.

Is it causing you big problems?

Thanks,
David

Offline paul.edwards

  • Newbie
  • *
  • Posts: 4
Re: Does Avast SecureLine VPN send pings?
« Reply #2 on: November 21, 2016, 03:25:19 PM »
We have had to retire a signature that detected the Alureon Botnet and explain a false positive to the customer.  This is already done.  You are sending the same string of "E"s that the Bot did.   :( 

If you want to avoid this in the future, you would have to change the ping payload.  My suggestion would be something like "AvastAvastAv...".  :)

Paul

Offline rysan

  • Avast team
  • Newbie
  • *
  • Posts: 18
Re: Does Avast SecureLine VPN send pings?
« Reply #3 on: November 21, 2016, 04:05:46 PM »
Thank you for the clarification, we'll look at it!

Offline paul.edwards

  • Newbie
  • *
  • Posts: 4
Re: Does Avast SecureLine VPN send pings?
« Reply #4 on: November 21, 2016, 05:11:41 PM »
Sorry, one more thing cause it isn't 100% clear.

Do you indeed send pings with EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE as the payload? 
If so why?  Was there a reason for the E's or was this just a coincidence?

Offline Marek (dev)

  • Avast team
  • Newbie
  • *
  • Posts: 4
  • Avast Team
Re: Does Avast SecureLine VPN send pings?
« Reply #5 on: November 22, 2016, 10:41:54 AM »
Hello,

yes, we send ICMP Echo Requests with payload consisting of 32 'E's. The payload was chosen randomly.

The payload pattern is not restricted to a single company and anyone can use whatever he wants. Unfortunately, in this case it was chosen by the botnet and the same can happen even in case of 'AvastAvast...' pattern you're suggesting.

As the pings are deterministic (destination is one of our servers) I suggest extending the signature.

Best regards

Marek

Offline paul.edwards

  • Newbie
  • *
  • Posts: 4
Re: Does Avast SecureLine VPN send pings?
« Reply #6 on: November 22, 2016, 02:53:28 PM »
Thank you.  That's exactly what I thought.  I just needed confirmation.  :)

Paul
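
Reply #5 suggests extending the signature with the destination, since the VPN client only pings its own servers. The following sketch of that check is an added example, not code from the thread or from Avast; the server range is a placeholder documentation network, and `classify` and `build_echo` are hypothetical names.

```python
import ipaddress
import struct

# Assumption: placeholder range standing in for the VPN vendor's server
# addresses (RFC 5737 documentation range, not real Avast servers).
KNOWN_VPN_SERVERS = [ipaddress.ip_network("203.0.113.0/24")]
PATTERN = b"E" * 32  # the 32-byte payload described in the thread


def classify(packet: bytes) -> str:
    """Classify a raw IPv4 packet: 'ignore', 'vpn-probe' or 'alert'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "ignore"                   # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return "ignore"                   # not ICMP, or ICMP header truncated
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    payload = packet[ihl + 8:]
    if icmp_type != 8 or icmp_code != 0 or payload != PATTERN:
        return "ignore"                   # not the Echo Request we match on
    dst = ipaddress.ip_address(packet[16:20])
    if any(dst in net for net in KNOWN_VPN_SERVERS):
        return "vpn-probe"                # expected reachability test
    return "alert"                        # same payload, unknown destination


def build_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Build a constructed IPv4 + ICMP Echo Request (checksums left zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + icmp


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        build_echo("10.0.0.5", "203.0.113.10", PATTERN),
        build_echo("10.0.0.5", "198.51.100.77", PATTERN),
        build_echo("10.0.0.5", "198.51.100.77", b"abcdefghijklmnopqrstuvwabcdefghi"),
    ]
    for pkt in samples:
        print(ipaddress.ip_address(pkt[16:20]), classify(pkt))
```

The allowlist is only as good as the server list behind it, so a stale list turns legitimate VPN probes back into alerts.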