Author Topic: Avast was caught trying to send Mail!  (Read 6329 times)

petescabin

  • Guest
Avast was caught trying to send Mail!
« on: August 13, 2006, 01:50:59 AM »
What gives? Zonealarm caught Avast (ashmailsv.exe) trying to send email to my ISP!
Can you explain this? I did not give Zonealarm permission to send it, so nothing was transmitted.
If this was normal, please explain why Avast would send out email without my permission and please put it in the documentation.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Avast was caught trying to send Mail!
« Reply #1 on: August 13, 2006, 01:56:58 AM »
ashmailsv.exe is avast! Mail scanner... so do the math for everything else.
If you haven't sent any mail at that time you most probably have a mail worm on your PC. Or just P2P program like eMule using SMTP port...
Visit my webpage Angry Sheep Blog

petescabin

  • Guest
Re: Avast was caught trying to send Mail!
« Reply #2 on: August 13, 2006, 02:18:32 AM »
Not the case. I'm very experienced with computers and don't use any P2P software. I've been running three FTP and HTTP servers from three different locations 24/7 since 1997 and have never been successfully hacked.
I've scanned my system with several virus scanners as well as several AdAware-type scanners as well as trojan scanners with no signs of problems.
I am well aware of what ashmailsv.exe is supposed to do. It's supposed to scan my incoming mail for nasties! It is NOT supposed to be sending email to my ISP without my permission.

Spiritsongs

  • Guest
Run Rootkit Detection program(s) ?
« Reply #3 on: August 13, 2006, 02:36:00 AM »
 :)  Hi :

     Have you run any rootkit detection programs, like Ice
     Sword, Blacklight, RootkitRevealer, etc ?

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Avast was caught trying to send Mail!
« Reply #4 on: August 13, 2006, 06:23:38 AM »
petescabin,

Welcome to the avast forum.

RejZoR is absolutely correct.

Despite your proclaimed experience it seems that you are not aware of what ashmaisv.exe is supposed to do ... you seem to only be aware of what you think it should do.

avast intercepts the well known mail ports, it then passes control for any calls on those well known ports to ashmaisv.exe (check your ports via TCPView or activeports).  It is the process ashmaisv.exe that really executes the functions that you think are being executed by your mail client so that avast can take over execution of the mail receive/send stream and perform scanning of the POP3/SMTP streams of mail messages.

In order for outbound mail scanning by avast to work you must provide permission for ashmaisv.exe to have outbound access.  If you don't like it - then turn off scanning of your outbound mail in avast - if you don't like that ... find another antivirus that works differently ... if you can.     

« Last Edit: August 13, 2006, 06:40:45 AM by alanrf »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Avast was caught trying to send Mail!
« Reply #5 on: August 13, 2006, 10:49:27 AM »
ashmaisv.exe is just a proxy (pretty much the same as the Web Scanner component) which relays the data from original program (let's say Outlook Express) to ISP mail server (and vice versa).
Now firewall is a dumb tool, it doesn't know anything and most of the job is on user anyway. So original sending program most probably won't be shown, you'll just see ashmaisv as sending data even though it's just relaying it.
Now, good firewall that can show you parent application is the first place to start (it'll show which application actually launched ashmaisv.exe, I know Comodo Firewall does this, Outpost too if I remember). Second would be to hover mouse over Mail Scanner tray icon when it does send that data so you'll see mail server domain. If it's some unknown address you can be quite sure that you have a worm or some other thing that's connecting through SMTP port...
If it's not unknown you set something wrong (or too much) like notice/warnings sending to your email when they occur or something...

Besides why would Alwil send anything to your ISP? Or anywhere else in that matter?
Posting HijackThis log may help us find the reason for this though so I think we should start with it.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast was caught trying to send Mail!
« Reply #6 on: August 13, 2006, 03:41:55 PM »
Quote
Now, good firewall that can show you parent application is the first place to start (it'll show which application actually launched ashmaisv.exe, I know Comodo Firewall does this, Outpost too if I remember).
Comodo and Kerio free do this.
Sygate could have troubles with proxying.
ZoneAlarm (free) does not show the parent application.
The best things in life are free.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Avast was caught trying to send Mail!
« Reply #7 on: August 14, 2006, 05:12:00 PM »
While the ashmaisv.exe is sending an email (and ZA dialog pops up) you may use some TCP monitoring tools (like TcpView) to determine whose mails are being processed (scanned) and what application is actually doing this - if this is really your mail client or some kind of a rogue software.

Taking into consideration your vast computer experience it is no doubt superfluous to add that you should be looking for connections from localhost:<anyport> to localhost:12025

Lukas.
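
The check suggested in the reply above (find which process is connected to localhost:12025), as an added example that is not part of the original thread or Avast's own tooling. The `netstat -ano` and `tasklist /FO CSV /NH` text is constructed sample data, and the expected-client list and the process names in it (including `svch0st.exe`) are hypothetical.

```python
import csv
import io

PROXY_PORT = 12025                 # local port named in the reply above
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       612
  TCP    127.0.0.1:1045         127.0.0.1:12025        ESTABLISHED     1820
  TCP    127.0.0.1:12025        127.0.0.1:1045         ESTABLISHED     612
  TCP    127.0.0.1:1051         127.0.0.1:12025        ESTABLISHED     2304
  TCP    192.168.1.10:1046      203.0.113.25:25        ESTABLISHED     612
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed sample of `tasklist /FO CSV /NH` output.
TASKLIST_SAMPLE = '''"ashmaisv.exe","612","Services","0","9,120 K"
"msimn.exe","1820","Console","0","21,004 K"
"svch0st.exe","2304","Console","0","3,212 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV rows."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def proxy_clients(netstat_text, tasklist_csv, port=PROXY_PORT):
    """Return (image, pid, local_port) for every process connected to the loopback proxy port."""
    names = pid_names(tasklist_csv)
    clients = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Only established TCP rows have the five fields we need.
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue
        rhost, _, rport = f[2].rpartition(":")
        if rhost in LOOPBACK and int(rport) == port:
            pid = int(f[4])
            clients.append((names.get(pid, "<unknown>"), pid, int(f[1].rpartition(":")[2])))
    return clients

def unexpected_clients(clients, expected=frozenset({"msimn.exe"})):
    """Clients whose image name is not a mail program the user knowingly runs (assumed list)."""
    return [c for c in clients if c[0].lower() not in expected]
```

The firewall prompt names only the proxy (PID 612 in the sample); the rows returned here are the programs actually handing mail to it, which is what the prompt cannot show.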

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Avast was caught trying to send Mail!
« Reply #8 on: August 14, 2006, 05:33:37 PM »
Quote
Not the case. I'm very experienced with computers and don't use any P2P software. I've been running three FTP and HTTP servers from three different locations 24/7 since 1997 and have never been successfully hacked.
A good hacker won't leave a trace if he doesn't want to.
On what kind of system did you see that avast was sending one or more mails?
If it was on a server, what are you doing with home software on a server system?
Or did you post in the wrong forum?

Quote
I've scanned my system with several virus scanners as well as several AdAware-type scanners as well as trojan scanners with no signs of problems.
I sure hope you never installed more than one at a time on a system.
If you did, that is asking for problems.

Quote
I am well aware of what ashmailsv.exe is supposed to do. It's supposed to scan my incoming mail for nasties! It is NOT supposed to be sending email to my ISP without my permission.
Very clearly you don't know what it is supposed to do.
- Depending on the settings it also checks your outbound mail.

Quote
Not the case. I'm very experienced with computers and don't use any P2P software.
You may be experienced, but in a limited field only at best.
Definitely not with computers in general and certainly not in depth on how things are working.
- It never sends an email by itself, not to your ISP nor anywhere else.
      It only checks email that is handed to it, checks it and then passes it on.
      It can do this with incoming as well as outgoing email.
« Last Edit: August 14, 2006, 05:35:38 PM by Eddy »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Avast was caught trying to send Mail!
« Reply #9 on: August 14, 2006, 06:37:35 PM »
Hackers will never attack regular users. What? To steal them bunch of MP3's and pr0n ? Nah. Government systems, large corporation systems etc, these are the things that catch hackers attention.

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: Avast was caught trying to send Mail!
« Reply #10 on: August 14, 2006, 07:37:04 PM »
Excellent point, RejZoR.  A top-level (i.e., professional) hacker could probably easily break through our multi-layer defenses -- but for what?  The odds of my ever having to worry that someone was targeting me individually are essentially infinitesimal. Our defenses are -- and should be -- protection from the kinds of things we're likely to run into as end-users, like bot-worms.

As an analogy, only someone insane would risk the consequences of using a firearm to rob someone else who might turn out to have all of 30 cents in his pocket, right?

Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Offline calcu007

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 482
  • I'm lamma!
Re: Avast was caught trying to send Mail!
« Reply #11 on: August 14, 2006, 07:38:44 PM »
Lol, it is funny. He wanted to show that he is a computer expert, but ended up showing that he is dumberer than a novice.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Avast was caught trying to send Mail!
« Reply #12 on: August 14, 2006, 10:10:31 PM »
Hi,
surely we are not speaking of some master-of-arts hacker attacking home PC here, but on the other hand a spyware sending unwanted emails might be something pretty common. With the help of firewall and/or the TcpView I've suggested it should be possible to find the process very easily. So, petescabin, don't be upset for our serene tone here and post your findings.

Lukas.