Topic: Important: Strange UDP Connection from Avastsvc Service to suspicious domain


Offline MohamedRaheem

  • Newbie
  • Posts: 7
Is this connection from AvastSvc to that suspicious domain usual?

(Snapshot from windows resource monitor & Avast)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88895
  • No support PMs thanks
You don't say what Avast version and build number you are using?

I don't see any attached snapshot, so we can't see what this suspicious domain is. EDIT: now I see it, it didn't appear when I first viewed your post.

Don't forget that the Avast Service is used by the various shields, so it is possible the web shield could have been scanning a site or links from it.
« Last Edit: November 25, 2019, 08:01:43 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline MohamedRaheem

  • Newbie
  • Posts: 7
Avast Premium Security
Program version: 19.8.2393 (build 19.8.4793.544)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88895
  • No support PMs thanks
OK, aside from your using Avast Premium Security and my using Avast Free, we are on the same version and build number. AvastSvc.exe is the main scanning engine; this would be used by the Shields and very likely by the Web Shield.

Given this is a URL, when you are browsing the web shield scans content and also checks links from that page to prevent redirects to malicious or blacklisted sites. I suspect it was related to the web shield, but I have no way of positively confirming this.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • Posts: 50
Hello,

Thank you for reporting the issue. Could you please generate a process dump of AvastSvc.exe so that we can investigate it further?

You can follow the instructions here: https://support.avast.com/en-in/article/56/

Thank you!

Edit: specified which process dump to generate

Offline MohamedRaheem

  • Newbie
  • Posts: 7


I think the process is running in kernel mode http://cloanto.com/kb/14-139

« Last Edit: November 26, 2019, 02:42:23 PM by MohamedRaheem »

Offline jaroslav.nix

  • Avast team
  • Jr. Member
  • Posts: 71
Hello MohamedRaheem, if you are able to reproduce, could you please also attach the output of the command "netstat -ano" (from the CMD line), together with the PID of the AvastSvc process?

Offline MohamedRaheem

  • Newbie
  • Posts: 7

Offline jaroslav.nix

  • Avast team
  • Jr. Member
  • Posts: 71
Thank you. Did you also see that strange connection in resource monitor at the same moment (when the netstat command was run)?

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • Posts: 50
Quote from: MohamedRaheem

I think the process is running in kernel mode http://cloanto.com/kb/14-139

In that case, could you please try running the following from cmd as administrator to generate the dump file? Replace SVC_PID with the real AvastSvc PID (5272 in the last screenshot).
It will create, run and delete a task that uses the Avast dump system.

Code:
@schtasks.exe /CREATE /SC ONIDLE /I 999 /RU "NT AUTHORITY\SYSTEM" /TN "SvcDumper" /TR "\"c:\Program Files\AVAST Software\Avast\avdump.exe\" --pid SVC_PID --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file c:\service.dmp"

@schtasks.exe /RUN /TN "SvcDumper"

@timeout 10

At this point, please check that the scheduled task has really run. If the file "c:\service.dmp" was not generated, run Windows Task Scheduler, look up the created "SvcDumper" task, right-click it and select Run (shown in the attached screenshot).
The last command deletes the task.

Code:
@schtasks.exe /DELETE /TN "SvcDumper" /F

Offline MohamedRaheem

  • Newbie
  • Posts: 7
Quote from: Jakub Dubovic

Hello,

Thank you for reporting the issue. Could you please generate a process dump of AvastSvc.exe so that we can investigate it further?

You can follow the instructions here: https://support.avast.com/en-in/article/56/

Thank you!

Edit: specified which process dump to generate

The dump file has been uploaded to the FTP server with the name service.zip.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • Posts: 50
Hello,

Thank you for the dump, we've started to investigate it. There is one more thing that would help - would you please run:

Code:
ipconfig /displaydns > c:\dns.txt
And upload the DNS dump to the FTP server?

Offline MohamedRaheem

  • Newbie
  • Posts: 7
Quote from: Jakub Dubovic

Hello,

Thank you for the dump, we've started to investigate it. There is one more thing that would help - would you please run:

Code:
ipconfig /displaydns > c:\dns.txt
And upload the DNS dump to the FTP server?

Thanks Jakub for your follow-up.
The file has been uploaded to the FTP server with the name dns_MohamedRaheem.txt.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • Posts: 50
Hello Mohamed,

The IP address of the milena12.niklanovic.example.com PTR record in the DNS dump belongs to a legitimate Avast server.

It's strange that the PTR record is this and not *.ff.avast.com, but it will most likely be fixed when your DNS cache (and maybe the cache of your ISP's recursive name server) is flushed.
Thank you for being vigilant and reporting the issue!
« Last Edit: December 02, 2019, 11:50:21 AM by Jakub Dubovic »
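The check the Avast team applied to the DNS dump (does the IP behind an odd-looking PTR record also carry forward names in the expected vendor domain?) can be automated over the `ipconfig /displaydns` output requested above. This is an added example, not code from the thread or from Avast: the 203.0.113.10 address and the r1.ff.avast.com forward name are constructed, and only the PTR value is the one quoted in the thread.

```python
import re

# Matches the "Key . . . . : value" rows that `ipconfig /displaydns` prints.
FIELD_RE = re.compile(r"^\s*(.*?)\s*\.(?:\s*\.)*\s*:\s*(.*?)\s*$")
# Constructed sample in displaydns layout (Record Type/TTL rows omitted):
# 203.0.113.10 (TEST-NET) and r1.ff.avast.com are made up, the PTR is the
# value quoted in the thread.
SAMPLE_DNS = """Windows IP Configuration

    r1.ff.avast.com
    ----------------------------------------
    Record Name . . . . . : r1.ff.avast.com
    A (Host) Record . . . : 203.0.113.10

    10.113.0.203.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 10.113.0.203.in-addr.arpa
    PTR Record  . . . . . : milena12.niklanovic.example.com
"""

def parse_displaydns(text):
    """Split displaydns output into one dict of fields per cached record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:   # a blank line closes a record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records

def ptr_consistency(text, expected_suffix):
    """Per cached PTR: do the reverse name and the forward (A) names cached
    for the same IP end in the suffix we expect from the vendor?"""
    forward, reverse = {}, {}
    for r in parse_displaydns(text):
        name = r.get("Record Name", "").rstrip(".").lower()
        if "A (Host) Record" in r:
            forward.setdefault(r["A (Host) Record"], set()).add(name)
        elif "PTR Record" in r and name.endswith(".in-addr.arpa"):
            # 10.113.0.203.in-addr.arpa -> 203.0.113.10
            ip = ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))
            reverse[ip] = r["PTR Record"].rstrip(".").lower()
    report = {}
    for ip, ptr in reverse.items():
        fwd = sorted(forward.get(ip, ()))
        report[ip] = {"ptr": ptr, "forward": fwd,
                      "ptr_matches": ptr.endswith(expected_suffix),
                      "forward_matches": any(n.endswith(expected_suffix) for n in fwd)}
    return report
```

For the sample, `ptr_consistency(SAMPLE_DNS, ".ff.avast.com")` reports the PTR as not matching while a forward name for the same IP does, which is exactly the "odd PTR, legitimate server" situation in the thread; an IP with neither match is the case that warrants a closer look.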