Author Topic: New feature announcement - Remote Access Shield  (Read 31296 times)


Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 46
New feature announcement - Remote Access Shield
« on: June 24, 2020, 06:27:03 PM »
Remote Desktop Protocol (RDP) is the most dominant cyber security attack vector, being used in 63.5% of disclosed targeted ransomware campaigns in Q1 of 2019.[1] The average downtime related to a ransomware attack is 7.3 days and its average cost is $64,645.[1] Besides spreading malware, RDP attacks are used by skilled hackers to infiltrate corporate environments. RDP is the ultimate infection vector that evades all security layers in most antivirus software and compromises the system directly. During the recent COVID-19 pandemic, the frequency of RDP-based attacks has drastically increased as a result of a large number of employees working from home.[2][3]

The most common ways of gaining access to a computer via RDP are the following:
  • Brute-force attack - the attackers attempt to sign in to an account by using trial-and-error methods. These can include repeatedly trying to log in with commonly used or stolen credentials, leading to many failed sign-ins occurring over very short time frequencies, typically minutes or even seconds.[4]
  • Unpatched OS - the operating system is vulnerable to known Remote Desktop exploits. An example is BlueKeep[5], which allows the attacker to run malicious code in the kernel memory of the server, taking control of the entire system.


We are proud to introduce our solution to the Remote Desktop vulnerabilities - Remote Access Shield.
The shield offers the protection of your business or your personal data with the following features:
  • Choose who can remotely access the protected computer using Remote Desktop, blocking all other connection attempts.
  • Automatically block any brute-force attacks trying to crack the protected computer's credentials.
  • Automatically block connections attempting to use Remote Desktop exploits like BlueKeep to take control of the protected computer.
  • Automatically block Remote Desktop connections from high-risk IP addresses.
  • Get notifications about Remote Desktop connection attempts blocked by Avast.

The Remote Access Shield is available in Avast Premium Security starting with version 20.5 and it will reach Avast Business edition soon.
If you have any questions or suggestions for this new feature, please let us know! We would appreciate it if all of our beta testers tried the Remote Access Shield out and gave us feedback!


[1] https://www.coveware.com/blog/2019/4/15/ransom-amounts-rise-90-in-q1-as-ryuk-ransomware-increases
[2] https://healthitsecurity.com/news/covid-19-remote-work-causes-spike-in-brute-force-rdp-cyberattacks
[3] https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820
[4] https://www.microsoft.com/security/blog/2019/12/18/data-science-for-cybersecurity-a-probabilistic-time-series-model-for-detecting-rdp-inbound-brute-force-attacks
[5] https://blog.avast.com/what-is-bluekeep

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85757
  • No support PMs thanks
Re: New feature announcement - Remote Access Shield
« Reply #1 on: June 24, 2020, 07:14:09 PM »
How does this impact/benefit anyone with Windows 10 Home version, which doesn't have the Remote Desktop function?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.693) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 46
Re: New feature announcement - Remote Access Shield
« Reply #2 on: June 25, 2020, 01:45:44 AM »
> How does this impact/benefit anyone with Windows 10 Home version, which doesn't have the Remote Desktop function?

If your system doesn't have Remote Desktop enabled (e.g., because it is running Windows 10 Home, or you have disabled it manually), the shield will have no effect at the moment. There might be new supported protocols/methods of access in the future.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72213
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: New feature announcement - Remote Access Shield
« Reply #3 on: June 25, 2020, 07:43:54 AM »
Hi Jakub, thanks for the details. :)
Win 8.1 [x64] - Avast PremSec 21.9.6660.IBC [UI.670] - EEK - Firefox ESR 78.15 [NS/uBO/PB] - TB 91.2
Avast-Tools: Secure Browser 94.0 - Cleanup 21.3 - SecureLine 5.13 - Driver Updater 21.3 - CCleaner 5.85
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85757
  • No support PMs thanks
Re: New feature announcement - Remote Access Shield
« Reply #4 on: June 25, 2020, 10:02:33 AM »
>> How does this impact/benefit anyone with Windows 10 Home version, which doesn't have the Remote Desktop function?
>
> If your system doesn't have Remote Desktop enabled (e.g., because it is running Windows 10 Home, or you have disabled it manually), the shield will have no effect at the moment. There might be new supported protocols/methods of access in the future.

Thanks for the clarification.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72213
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: New feature announcement - Remote Access Shield
« Reply #5 on: June 25, 2020, 12:24:35 PM »
Hi, could you please provide a FAQ article..!? Cheers

Offline lukor

  • Moderator
  • Super Poster
  • *
  • Posts: 1885
    • AVAST Software
Re: New feature announcement - Remote Access Shield
« Reply #6 on: June 25, 2020, 10:24:48 PM »
> Hi, could you please provide a FAQ article..!? Cheers

Hi Asyn, we don't have many frequently asked questions yet. Mostly only those that were asked here in this very thread. What else would you like to have in a FAQ article? Maybe as others start seeing the detections or start to interact with this new shield, we'll have more questions and answers. ;-) L.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72213
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: New feature announcement - Remote Access Shield
« Reply #7 on: June 26, 2020, 07:03:42 AM »
Let's put it this way, it would be nice to have a general article in the support section for reference when v20.5 gets released. Cheers

Offline mikeyt

  • Newbie
  • *
  • Posts: 1
Re: New feature announcement - Remote Access Shield
« Reply #8 on: August 03, 2020, 08:24:44 AM »
Hi,

This new Remote Access Shield feature seems to break the Remote Web Access in Small Business Essentials 2016. Users get a protocol error when trying to connect. Have made sure that the 'Allow Remote Desktop' setting in AVG is set to enabled but AVG still blocks their connections. Disabling the feature immediately allows the connection to be made again.

Any suggestions?

Thanks,

Mike

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 46
Re: New feature announcement - Remote Access Shield
« Reply #9 on: August 10, 2020, 11:25:30 AM »
> Hi,
>
> This new Remote Access Shield feature seems to break the Remote Web Access in Small Business Essentials 2016. Users get a protocol error when trying to connect. Have made sure that the 'Allow Remote Desktop' setting in AVG is set to enabled but AVG still blocks their connections. Disabling the feature immediately allows the connection to be made again.
>
> Any suggestions?
>
> Thanks,
>
> Mike

Hello Mike,

Thank you for reporting the issue.

Could you please help us with the investigation by providing some data?
Please enable debug logging (Menu > Settings > General > Troubleshooting > Enable debug logging).

Reproduce the issue (try to connect with the Remote Access Shield enabled).

Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

Thank you very much,
Jakub

Offline kenhagin

  • Newbie
  • *
  • Posts: 15
Re: New feature announcement - Remote Access Shield
« Reply #10 on: October 12, 2020, 06:45:37 PM »
Took me quite a while to figure it out, but "Enable Samba protection" on "Remote Access Shield" is an all-or-nothing deal.  When enabled, it shuts down my local network because I transfer lots of files frequently.  Seems to me an exclusion option for specific computers and/or the local subnet would be helpful.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 46
Re: New feature announcement - Remote Access Shield
« Reply #11 on: October 15, 2020, 02:47:56 PM »
> Took me quite a while to figure it out, but "Enable Samba protection" on "Remote Access Shield" is an all-or-nothing deal.  When enabled, it shuts down my local network because I transfer lots of files frequently.  Seems to me an exclusion option for specific computers and/or the local subnet would be helpful.

Hello kenhagin,

Yes, that is correct at the moment. The reasoning behind not having an exclusion list is that one compromised computer on the network would be able to attack all the other devices. We expected many companies to internally exclude all SMB (or RDP) communication and trust us to keep the network safe, but even one person opening an e-mail attachment would pose a threat to the whole network.

How exactly does it shut the network down? Does Avast slow the file transfers down, or are there false positive detections when an SMB connection fails?

Thank you,
Jakub

Offline computer guy

  • Newbie
  • *
  • Posts: 10
Re: New feature announcement - Remote Access Shield
« Reply #12 on: October 19, 2020, 03:08:11 PM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is an NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?
« Last Edit: October 19, 2020, 10:15:21 PM by computer guy »

Offline rocksteady

  • Advanced Poster
  • **
  • Posts: 1199
Re: New feature announcement - Remote Access Shield
« Reply #13 on: October 19, 2020, 03:33:09 PM »

Offline computer guy

  • Newbie
  • *
  • Posts: 10
Re: New feature announcement - Remote Access Shield
« Reply #14 on: October 19, 2020, 03:42:43 PM »
> Re Bruteforce. Also see this:
> https://forum.avast.com/index.php?topic=238916.0

That is the thread that got me to this one.  The screen shots of the alerts in that other thread are just like the ones that I am getting, however, the ones that I am getting are from a single device on my own network, not from outside.

There is nothing in that other thread or posts that tells me why one (and not the other two) of my NVIDIA SHIELD TV Media Streaming devices would be causing these alerts.
« Last Edit: October 19, 2020, 03:45:52 PM by computer guy »
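
An added example, not part of the thread and not Avast's detection logic: a sliding-window count of failed sign-ins per source IP, the pattern the announcement describes as brute force, applied to the kind of single-device SMB alert reported above. The records, the account names, the 10-failures-in-60-seconds threshold and the single-account heuristic are all constructed assumptions; the fields mirror what Windows failed-logon events (ID 4625) record.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_rows():
    """Constructed failed-logon records: (time, source IP, logon type, account).
    Fields mirror Windows event 4625; type 10 = RDP, type 3 = network (SMB)."""
    t0 = datetime(2020, 10, 18, 9, 0, 0)
    names = ["administrator", "admin", "user", "test", "guest"]
    rows = []
    for i in range(30):   # external host, RDP, rotating account names
        rows.append((t0 + timedelta(seconds=2 * i), "203.0.113.9", 10, names[i % 5]))
    for i in range(40):   # LAN device, SMB, always the same account
        rows.append((t0 + timedelta(seconds=2 * i), "192.168.1.207", 3, "mediauser"))
    for i in range(3):    # a user mistyping a password three times
        rows.append((t0 + timedelta(seconds=20 * i), "192.168.1.50", 10, "alice"))
    return sorted(rows)

def find_bursts(rows, threshold=10, window=timedelta(seconds=60)):
    """Summarise sources with >= threshold failures inside any sliding window."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    peak = defaultdict(int)       # ip -> largest window count seen
    accounts = defaultdict(set)
    logon_types = defaultdict(set)
    for ts, ip, logon_type, account in rows:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        accounts[ip].add(account)
        logon_types[ip].add(logon_type)
    report = {}
    for ip, count in peak.items():
        if count < threshold:
            continue
        # Heuristic (assumption): one account retried repeatedly suggests a
        # stale saved credential; many accounts suggests password guessing.
        single = len(accounts[ip]) == 1
        report[ip] = {
            "peak": count,
            "logon_types": sorted(logon_types[ip]),
            "pattern": "single-account retry" if single else "multi-account guessing",
        }
    return report

if __name__ == "__main__":
    for ip, info in find_bursts(sample_rows()).items():
        print(ip, info)
```

A rate-based rule flags both sources here; the account and logon-type columns are what separate a device retrying one credential from a host cycling through account names.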