Author Topic: Avast - FTP / Port 21 Scanning / Connections?  (Read 2717 times)

REDACTED

  • Guest
Avast - FTP / Port 21 Scanning / Connections?
« on: February 08, 2017, 07:53:22 PM »
So maybe someone here can shed some light on some events I ran into earlier.

On a brand new fresh install of Windows 7 (Home Premium OA 64bit) with nothing other than Chrome, Avast, and the drivers off the HP site for the device installed, I'm seeing the AvastSvc.exe make a lot of connection requests and actually establish connections to various devices on my network that have port 21 (FTP) open.

This was not following a user-initiated Network Scan or even user-initiated system scan, this is just with the machine idle following an install of the Avast software. 

As shown in the attachments, this was with a fresh install of Avast vers. 17.1.2286 (build 17.1.3394.0)

The second and third attachments are images displaying the network connections out to other PCs on the local network.  The Task Manager screenshot is just evidence of the PID (1680) later shown in the third attachment in fact being correctly identified as the AvastSvc.exe.

In the third screenshot, which is just the output of a netstat -ano command, I've blocked out some irrelevant network connections and some subsets of the relevant network connections as I'm unwilling to provide that type of networking information publicly and it is not relevant to the troubleshooting we're doing here.  The local address for which the final two octets are blocked out is all the local machine in question, the 10.1.X.X addresses they were connecting to were all different machines (largely printers with FTP ports open) and an FTP server which is the connection in the ESTABLISHED state.

So my question is why is Avast doing this when it hasn't in the past done random network scanning and why is it centered on the FTP port?  Also - why is it trying to connect to these devices at all?  This is an employee's personal home PC that auto-upgraded to Win10 on them but was having driver compatibility issues so we let them bring it into the office so we could roll it back to 7 for them.  As we don't use Avast on any of our PCs it's difficult to say whether this is isolated behavior but the volume of port scanning and noise this single install made was enough to cause my corporate monitoring system to kick in thinking it had an attack underway coming from within the firewall.
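
An added example, not part of the original post: a sketch that reads `netstat -ano` output of the kind described for the third screenshot and reports which PIDs reach several distinct hosts on port 21. The sample rows, all addresses, and the `min_hosts` threshold are constructed assumptions; only PID 1680 and port 21 come from the post.

```python
from collections import defaultdict

# Constructed sample in the layout of Windows `netstat -ano` output.
# All addresses are invented; PID 1680 mirrors the PID named in the post.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  TCP    10.1.5.20:49211        10.1.7.31:21           SYN_SENT        1680
  TCP    10.1.5.20:49212        10.1.7.32:21           SYN_SENT        1680
  TCP    10.1.5.20:49213        10.1.7.33:21           TIME_WAIT       1680
  TCP    10.1.5.20:49214        10.1.8.10:21           ESTABLISHED     1680
  TCP    10.1.5.20:49230        10.1.8.10:21           ESTABLISHED     3100
  TCP    10.1.5.20:49240        10.1.9.2:443           ESTABLISHED     2044
  UDP    0.0.0.0:5353           *:*                                    1200
"""


def parse_netstat(text):
    """Yield (pid, remote_ip, remote_port, state) for each TCP row."""
    for line in text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; headers and UDP rows (no State) do not.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _proto, _local, remote, state, pid = fields
        ip, _, port = remote.rpartition(":")  # also handles [IPv6]:port
        if port.isdigit() and pid.isdigit():
            yield int(pid), ip, int(port), state


def fan_out(text, port=21, min_hosts=3):
    """Return {pid: {remote_ip: [states]}} for PIDs that reach at least
    min_hosts distinct remote hosts on the given port."""
    seen = defaultdict(lambda: defaultdict(set))
    for pid, ip, rport, state in parse_netstat(text):
        if rport == port:
            seen[pid][ip].add(state)
    return {
        pid: {ip: sorted(states) for ip, states in hosts.items()}
        for pid, hosts in seen.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for pid, hosts in fan_out(SAMPLE).items():
        print(f"PID {pid}: {len(hosts)} hosts on port 21")
        for ip, states in sorted(hosts.items()):
            print(f"  {ip:<15} {', '.join(states)}")
```

A PID with a single FTP session (3100 in the sample) is not reported; only the process contacting many hosts on the port is, which is the pattern that tripped the monitoring system described above.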


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Avast - FTP / Port 21 Scanning / Connections?
« Reply #1 on: February 08, 2017, 08:07:35 PM »
Avast isn't trying to connect to the devices, it is simply scanning the data traffic on the FTP port.

REDACTED

  • Guest
Re: Avast - FTP / Port 21 Scanning / Connections?
« Reply #2 on: February 08, 2017, 08:24:50 PM »
Alright, so why does it have an established connection to one of the other machines on the FTP port?

Why is a single machine client trying to evaluate other devices on the network?  What's the process for disabling this functionality?

Offline Eddy

Re: Avast - FTP / Port 21 Scanning / Connections?
« Reply #3 on: February 08, 2017, 08:56:40 PM »
As I said, Avast isn't connecting to the other devices.
It only appears that way as it is scanning the traffic (acting like a "man in the middle").