Author Topic: New feature announcement - Remote Access Shield  (Read 49731 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: New feature announcement - Remote Access Shield
« Reply #15 on: October 19, 2020, 05:52:35 PM »
Re Bruteforce. Also see this:
https://forum.avast.com/index.php?topic=238916.0

That is the thread that got me to this one.  The screen shots of the alerts in that other thread are just like the ones that I am getting, however, the ones that I am getting are from a single device on my own network, not from outside.

There is nothing in that other thread or posts that tells me why one (and not the other two) of my NVIDIA SHIELD TV Media Streaming devices would be causing these alerts.

I would suggest following the instructions in Reply #9 to
Quote from: Jakub Dubovic
Create a support package (https://support.avast.com/en-eu/article/Submit-support-file) and post the ID here.

And read what was in Reply #10.

You don't say what Avast program you are using, just wonder if it has the Avast Firewall component?
If so, do you have the Firewall set to Private or Public network mode?

That said why it would only alert on one and not the others (but not knowing what they are) is strange.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
Re: New feature announcement - Remote Access Shield
« Reply #16 on: October 20, 2020, 12:41:18 AM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.

Offline computer guy

  • Newbie
  • *
  • Posts: 10
Re: New feature announcement - Remote Access Shield
« Reply #17 on: October 22, 2020, 09:58:56 PM »

You don't say what Avast program you are using, just wonder if it has the Avast Firewall component?
If so, do you have the Firewall set to Private or Public network mode?

That said why it would only alert on one and not the others (but not knowing what they are) is strange.

My apologies, I am using Avast Premium Security.  I do not have any of Avast Firewall components installed.

Anyway, I have 3 nvidia shield tv media streaming devices.  They are all connected to my network with ethernet (not WiFi).  The only differences in their configurations may be that they have different apps installed on them (ie, they may all have netflix, but only 2 may have hulu, etc.).  Otherwise, all other settings are basically the same.  So I found it very odd that one of them would be doing a "bruteforce" attack over SMB protocol.

And as strangely as the alerts started, they also just stopped.  There have not been any more alerts since yesterday morning.

I opened a support case with both AVAST and NVIDIA.  I have not heard anything back from AVAST yet.  I need to respond to NVIDIA after 24 - 48 hours to let them know if I am still getting the alerts.

Also, I did restart the SHIELD TV device that was generating the alerts.  If I had to guess, these were maybe false positive alerts.

Offline computer guy

  • Newbie
  • *
  • Posts: 10
Re: New feature announcement - Remote Access Shield
« Reply #18 on: October 22, 2020, 10:06:23 PM »

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.

Thank you for the information.  Yes, I found that the SMB scanning can be turned off and I actually did turn it off for a while.  I had to turn it back on again while on support chat with NVIDIA.  So far, there are no settings enabled on the SHIELD TV device for network file sharing or connections to PC folders.

What I also found to be odd is that I have a few other PCs with AVAST Premium Security and there have been no connections blocked from the SHIELD TV device on any of the other PCs.  Why would the SHIELD TV device only target one PC on the network if it is just "polling" or attempting to connect to a PC on my network?

And, I also have 2 other SHIELD TV devices which are configured on the network in the same way.  They just may have different streaming apps installed.  Why would we not see blocked connections from those other two devices?

In any case, the alerts have stopped since yesterday morning.
« Last Edit: October 22, 2020, 10:08:23 PM by computer guy »

Offline computer guy

  • Newbie
  • *
  • Posts: 10
Re: New feature announcement - Remote Access Shield
« Reply #19 on: October 23, 2020, 04:12:30 PM »
It seems that the alerts started up again last night, 10/22/2020 at around 9:19 pm.  I started using the nvidia shield tv device around 7:00 pm and I was using the Plex app to view some TV shows that were recorded on my Windows 10 PC, the one that is getting the alerts.

However, at around 10:30 pm, I turned everything off, though I guess the shield tv device only goes to sleep.  The alerts are still coming in at a regular constant rate.  I can't say that it is every minute or every 5 minutes, but it is constantly blocking the incoming SMB traffic.
« Last Edit: October 23, 2020, 04:19:00 PM by computer guy »

Offline computer guy

  • Newbie
  • *
  • Posts: 10
Re: New feature announcement - Remote Access Shield
« Reply #20 on: October 23, 2020, 05:17:54 PM »
So I have been grasping at straws here.  I just did a complete uninstall and reinstall of Avast Premium Security. 

So far, for the last 30 minutes there have been no more connection blocked alerts for any incoming SMB traffic from the SHIELD TV device.

About 20 minutes after I made this post, the alerts started again.
« Last Edit: October 23, 2020, 07:20:54 PM by computer guy »

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
Re: New feature announcement - Remote Access Shield
« Reply #21 on: October 26, 2020, 04:46:04 AM »
So I have been grasping at straws here.  I just did a complete uninstall and reinstall of Avast Premium Security. 

So far, for the last 30 minutes there have been no more connection blocked alerts for any incoming SMB traffic from the SHIELD TV device.

About 20 minutes after I made this post, the alerts started again.

The reinstall won't change anything - those are actual connection attempts being detected.

If the other devices don't share this behavior, it might be infected with malware that is attempting the brute force attacks. Have you downloaded any apps manually from an unauthorized store?
It might be prudent to scan the device with antivirus software or reinstall it completely.

Also, if you have any software for capturing network traffic like Wireshark, you could take a look at incoming connections to your computer's port 445. The SMB client's username is sent in plaintext. Example attached.
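
The rule described in Reply #16 (multiple unsuccessful SMB connections over a period of time) and the port 445 check suggested in Reply #21 can be combined into a small triage script. This is an added example, not part of the original posts and not Avast's implementation: the CSV layout, the usernames, the addresses other than 192.168.1.207, the threshold of 5 and the 60-second window are all assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one row per SMB session-setup attempt seen on port 445.
# Column names, usernames and results are illustrative, not an Avast or
# Wireshark export format.
SAMPLE = """time,src,user,result
2020-10-22 21:19:00,192.168.1.207,mediauser,FAIL
2020-10-22 21:19:10,192.168.1.207,mediauser,FAIL
2020-10-22 21:19:20,192.168.1.207,mediauser,FAIL
2020-10-22 21:19:30,192.168.1.207,mediauser,FAIL
2020-10-22 21:19:40,192.168.1.207,mediauser,FAIL
2020-10-22 21:19:50,192.168.1.207,mediauser,FAIL
2020-10-22 21:20:00,192.168.1.50,alice,FAIL
2020-10-22 21:20:05,192.168.1.50,alice,FAIL
2020-10-22 21:20:09,192.168.1.50,alice,OK
2020-10-22 21:20:30,192.168.1.50,alice,FAIL
2020-10-22 21:21:00,192.168.1.60,admin,FAIL
2020-10-22 21:21:02,192.168.1.60,administrator,FAIL
2020-10-22 21:21:04,192.168.1.60,root,FAIL
2020-10-22 21:21:06,192.168.1.60,guest,FAIL
2020-10-22 21:21:08,192.168.1.60,backup,FAIL
"""


def parse(text):
    """Read the CSV text into dict rows with 'time' converted to datetime."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return rows


def detect(rows, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with `threshold` consecutive failed logons inside `window`.

    A successful logon resets that source's streak, so a user who mistypes a
    password and then gets it right is not flagged.
    """
    streaks = defaultdict(deque)  # src -> (time, user) of the current streak
    findings = {}
    for row in sorted(rows, key=lambda r: r["time"]):
        streak = streaks[row["src"]]
        if row["result"] == "OK":
            streak.clear()  # success breaks the run of consecutive failures
            continue
        streak.append((row["time"], row["user"]))
        while row["time"] - streak[0][0] > window:
            streak.popleft()  # drop failures that fell out of the window
        if len(streak) >= threshold:
            hit = findings.setdefault(
                row["src"], {"first_alert": row["time"], "users": set()})
            hit["users"].update(user for _, user in streak)
    return findings


def triage(finding):
    # Heuristic (assumption): one username failing over and over looks like a
    # client replaying stored credentials, e.g. a mapped drive; many different
    # usernames from one source looks like password guessing.
    return "repeated-credential" if len(finding["users"]) == 1 else "multiple-usernames"


if __name__ == "__main__":
    for src, hit in detect(parse(SAMPLE)).items():
        print(src, hit["first_alert"], sorted(hit["users"]), triage(hit))
```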

Offline sheridan.todd

  • Newbie
  • *
  • Posts: 1
Re: New feature announcement - Remote Access Shield
« Reply #22 on: November 03, 2020, 06:25:54 PM »
I am getting the same BruteForce error from within my own network that Jakub is.  In my case it appears to be a drive-mapping problem.  I have Avast Internet Security on both machines.  The attacking machine has drives mapped to the blocking machine.  I can see each time it tries to connect the mapped drive, the brute force error comes up on the other machine.  Eventually it errors-out and stops trying to connect the mapped drive, at which point, the BruteForce errors stop.  But then I can't access those drives, which are essential for my work (as software needs those drives to access project files).

I received 5000 SMB:BruteForce errors from the other machine.  I have other machines on the network also mapped to those drives in the same fashion, but don't receive errors from those.  The attacking machine differs in that it is a windows 7 machine rather than windows 10 like all the others.  As soon as I unmapped the network drive mapping the attacks immediately stopped.  So in my case, it is clearly related to the drive mapping.
« Last Edit: November 03, 2020, 06:38:04 PM by sheridan.todd »

Offline TsPCs

  • Newbie
  • *
  • Posts: 3
Re: New feature announcement - Remote Access Shield
« Reply #23 on: November 11, 2020, 09:40:33 PM »
This feature is junk and blocks connections to file sharing on a network, so if you use file sharing on your network you need to turn it off. There is no easy way to tell it to allow network computers to connect to file and print sharing. Turned it off and the office can connect to the shared drive again.

Avast should make a lite version that just has antivirus; they keep adding stuff that is not practical for the work environment.
« Last Edit: November 11, 2020, 09:42:08 PM by TsPCs »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: New feature announcement - Remote Access Shield
« Reply #24 on: November 11, 2020, 09:53:51 PM »
This feature is junk and blocks connections to file sharing on a network, so if you use file sharing on your network you need to turn it off. There is no easy way to tell it to allow network computers to connect to file and print sharing. Turned it off and the office can connect to the shared drive again.

Avast should make a lite version that just has antivirus; they keep adding stuff that is not practical for the work environment.

There is nothing to stop you customising your installation.
Choose either a Recommended, Minimal, Custom or Full installation and simply choose the components that you want/need.

Minimalist installation

Offline TsPCs

  • Newbie
  • *
  • Posts: 3
Re: New feature announcement - Remote Access Shield
« Reply #25 on: November 12, 2020, 02:01:33 AM »
My honest opinion the software should be able to know the difference between internal network connections and stuff coming in through the internet

it seems like it would be pretty easy to tie this in with the firewall feature of public or private network switch and when switched to private Network should allow access to file and print sharing.

Then it should also have an easy to use screen that resolves all the IP addresses on the network and the windows names of each one and be able to simply click allow or deny which computers you want to talk to yours then do it through the MAC address and not the IP address so if DHCP changes the IP address the network can still work 😁 😉. My ideas should have me working for you guys lol

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: New feature announcement - Remote Access Shield
« Reply #26 on: November 12, 2020, 02:21:32 AM »
My honest opinion the software should be able to know the difference between internal network connections and stuff coming in through the internet

it seems like it would be pretty easy to tie this in with the firewall feature of public or private network switch and when switched to private Network should allow access to file and print sharing.

Then it should also have an easy to use screen that resolves all the IP addresses on the network and the windows names of each one and be able to simply click allow or deny which computers you want to talk to yours then do it through the MAC address and not the IP address so if DHCP changes the IP address the network can still work 😁 😉. <snip>

Have you even got Avast ?

There is no Firewall in the Avast Free program, that is in the Avast Premium product.

If, as you said, you think "Avast should make a lite version that just has antivirus", why then would you get/want the Avast Premium product with even more modules?

You have a choice: do a custom minimal installation, that is your choice.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
Re: New feature announcement - Remote Access Shield
« Reply #27 on: November 12, 2020, 02:28:20 PM »
My honest opinion the software should be able to know the difference between internal network connections and stuff coming in through the internet

it seems like it would be pretty easy to tie this in with the firewall feature of public or private network switch and when switched to private Network should allow access to file and print sharing.

Then it should also have an easy to use screen that resolves all the IP addresses on the network and the windows names of each one and be able to simply click allow or deny which computers you want to talk to yours then do it through the MAC address and not the IP address so if DHCP changes the IP address the network can still work 😁 😉. My ideas should have me working for you guys lol

Hello TsPCs,

It is common for malware to infect one device, and then to use it to gain access to the rest of the network. That's the reason why it's essential for us to scan internal connections.

Edit: see https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/
"Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block (SMB) to propagate through an organization’s network."

The same can easily happen when a device with outdated OS/SW gets infected and then connects to your network, or if a person inside the network downloads an infected e-mail attachment, etc.



I am getting the same BruteForce error from within my own network that Jakub is.  In my case it appears to be a drive-mapping problem.  I have Avast Internet Security on both machines.  The attacking machine has drives mapped to the blocking machine.  I can see each time it tries to connect the mapped drive, the brute force error comes up on the other machine.  Eventually it errors-out and stops trying to connect the mapped drive, at which point, the BruteForce errors stop.  But then I can't access those drives, which are essential for my work (as software needs those drives to access project files).

I received 5000 SMB:BruteForce errors from the other machine.  I have other machines on the network also mapped to those drives in the same fashion, but don't receive errors from those.  The attacking machine differs in that it is a windows 7 machine rather than windows 10 like all the others.  As soon as I unmapped the network drive mapping the attacks immediately stopped.  So in my case, it is clearly related to the drive mapping.



Hello sheridan.todd,

Thank you for reporting the issue. Are the credentials used by the Win7 "attacking" device configured correctly? The detection should only happen in case of multiple consecutive unsuccessful connections.

I will look into what differences there could be between using the different versions of Windows and what could be causing the false detection.
« Last Edit: November 12, 2020, 02:36:49 PM by Jakub Dubovic »

Offline alex387

  • Newbie
  • *
  • Posts: 2
Re: New feature announcement - Remote Access Shield
« Reply #28 on: November 15, 2020, 10:12:48 PM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.


I guess this explains why I am getting tons of SMB:BruteForce attack alerts from Avast stating that one of my Onkyo receivers (NR-636) is trying to access my desktop via RDP. It is quite annoying as it is very frequent so I will turn it off. Any way to prevent this? Turning off annoying alerts defeats the purpose of the protection but right now it is constantly crying "wolf wolf" if you get my reference. When the real attack comes... I'll likely end up ignoring it.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
Re: New feature announcement - Remote Access Shield
« Reply #29 on: November 17, 2020, 08:58:47 PM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207."

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly and unsuccessfully try to connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.


I guess this explains why I am getting tons of SMB:BruteForce attack alerts from Avast stating that one of my Onkyo receivers (NR-636) is trying to access my desktop via RDP. It is quite annoying as it is very frequent so I will turn it off. Any way to prevent this? Turning off annoying alerts defeats the purpose of the protection but right now it is constantly crying "wolf wolf" if you get my reference. When the real attack comes... I'll likely end up ignoring it.

I completely understand. We are working on a GUI feature that lets you hide detections from a specified address, as this is a common issue.