Author Topic: Avast Free probing Internet router  (Read 2903 times)

0 Members and 1 Guest are viewing this topic.

Offline gneuner_2

  • Newbie
  • *
  • Posts: 11
Avast Free probing Internet router
« on: March 14, 2019, 10:43:53 PM »
Hi all,

I have several computers, and since updating Avast everywhere on March 7th, my Internet router has been reporting failed admin login attempts from all stations on a daily basis.  It happens whenever any computer is started or woken from sleep, and then periodically (at least daily) as long as the computer remains active.

I have confirmed that it is Avast probing the router ... I set up firewall rules on my always-on stations to catch and log any attempts to contact the router's UI ports.

I know failed login alerts are generated by Avast's network scan, but AFAIK, network scans (or "smart" scans that include netork) must be invoked manually in the free version.  I can't find anywhere in the UI to set up an *automatic* network scan.  I don't see any new entries in the system task scheduler - only the "backup settings" and "overseer" tasks that have always been there, and their activation times don't appear to coincide with the router logs.

I'm currently on version 19.3.2369 (build 19.3.4241.404) everywhere.

Does anyone know from where these scans are scheduled and how to stop them?  I don't need (or want) them running every day and filling up my router logs with useless alerts.

Thanks,
George

Offline gneuner_2

  • Newbie
  • *
  • Posts: 11
Re: Avast Free probing Internet router
« Reply #1 on: March 28, 2019, 02:03:50 PM »
Ok, I have discovered that the router probes are generated by the so-called "Exploit detection" located on the Core Shields page. 

However, turning off Exploit detection seems to also turn off Rootkit detection.  It seems that you can turn Rootkit detection back on only after leaving and re-entering the Core Shields page  [GUI bug?].

Moreover, I have a 32-bit Win7 machine which continues to probe the router even with Exploit detection disabled.  Disabling seems only to work on 64-bit machines.


What exactly does Exploit detection do?  What else is lost by turning it off?

George

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37504
  • Not a avast user
Re: Avast Free probing Internet router
« Reply #2 on: March 28, 2019, 02:11:10 PM »
Quote
What exactly does Exploit detection do?  What else is lost by turning it off?
This i guess  >>  https://www.avast.com/exploit-protection.php


Offline HK

  • Avast team
  • Full Member
  • *
  • Posts: 133
Re: Avast Free probing Internet router
« Reply #3 on: March 29, 2019, 11:04:32 AM »
Hello,

Thank you for reporting the issue.
Could you please help us with investigation by providing some data?

Please enable debug logging (Menu > Settings > General > Troubleshooting > Enable debug logging)
Reproduce the issue (restart computer / wake from sleep to start probing your router)

Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

Thank you very much,
HK

Offline gneuner_2

  • Newbie
  • *
  • Posts: 11
Re: Avast Free probing Internet router
« Reply #4 on: March 29, 2019, 12:03:20 PM »
Please enable debug logging (Menu > Settings > General > Troubleshooting > Enable debug logging)
Reproduce the issue (restart computer / wake from sleep to start probing your router)

Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.


I will do that.  It seems that [except for the 32-bit station] disabling Exploit detection stopped the daily probes by machines that are always running, but it seems probes happen also when the machine is rebooted regardless of the Exploit setting.

George

Offline HK

  • Avast team
  • Full Member
  • *
  • Posts: 133
Re: Avast Free probing Internet router
« Reply #5 on: March 29, 2019, 03:31:22 PM »
This is strange because it has nothing to do with Exploit detection option in UI. Will check that.
Best regards,
HK

Offline gneuner_2

  • Newbie
  • *
  • Posts: 11
Re: Avast Free probing Internet router
« Reply #6 on: March 29, 2019, 04:28:43 PM »
Even stranger:  I enabled debug logging on both a desktop that is always on and a laptop.  Neither one probed the router following reboot.  To double check, I rebooted a 2nd desktop that is not debug logging, and it did probe.  Hopefully enabling debug doesn't prevent the behavior it's meant to catch!

Before you ask:  yes, all the machines were rebooted after I disabled Exploit detection.  I am aware that some settings won't take effect until restart.

Right now I'm waiting to see if there are probes by any the machines that are debug logging.  I suppose I can enable it everywhere, but I am concerned that the logs may get very large while waiting for something to happen.

George

Offline gneuner_2

  • Newbie
  • *
  • Posts: 11
Re: Avast Free probing Internet router
« Reply #7 on: March 30, 2019, 08:05:49 AM »
Ok, I have a debug log from the 32-bit machine: the id is  NH5NN.  With Exploit detection turned off, there was a series of 3 probes of the router  (part of a repeating daily pattern):

[admin login failure] from source 192.168.0.4, Friday, March 29, 2019 21:39:08
[admin login failure] from source 192.168.0.4, Friday, March 29, 2019 21:39:08
[admin login failure] from source 192.168.0.4, Friday, March 29, 2019 21:39:08


The 64-bit machines have not performed any repeating probes since turning off Exploit detection.  However, since turning on debug logging, they don't seem to want to probe at startup either.  I'll leave the logging on for several days and try to catch something.


But now a question:  is there some document that explains how Exploit detection works?  (even "executive" overview)   I've seen the page at https://www.avast.com/exploit-protection.php, but that appears only to say *what* is guarded against - not *how*.  If Exploit detection is performing active environment scans, then I think that is something the users should know about.

Thanks,
George


Offline gneuner_2

  • Newbie
  • *
  • Posts: 11
Re: Avast Free probing Internet router
« Reply #8 on: March 31, 2019, 12:35:10 PM »
Ok, I have a debug log from a 64-bit machine: the id is  OL6Z2.  With Exploit detection turned off, there was a series of 3 probes of the router

[admin login failure] from source 192.168.0.3, Saturday, March 30, 2019 08:57:54
[admin login failure] from source 192.168.0.3, Saturday, March 30, 2019 08:57:54
[admin login failure] from source 192.168.0.3, Saturday, March 30, 2019 08:57:54

The probe does not correspond timewise to any task in the task scheduler (although it was ~16 minutes ahead of a scheduled Avast update.  Coincidence?).

Another 64-bit machine (not logging) also probed on Saturday.  This was the 1st probe by either machine in several days.  They are always on.  I haven't touched any of the settings, other than to enable debug logging on the one.

George

Offline HK

  • Avast team
  • Full Member
  • *
  • Posts: 133
Re: Avast Free probing Internet router
« Reply #9 on: April 04, 2019, 06:23:46 PM »
Hi gneuner,

many thanks for the logs, we've identified the problem. Now you should not see any connection attempts to your router.

Best regards,
HK