Author Topic: New feature announcement - Remote Access Shield  (Read 49736 times)

0 Members and 1 Guest are viewing this topic.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: New feature announcement - Remote Access Shield
« Reply #30 on: November 17, 2020, 11:56:49 PM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207.

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly unsuccessfully to try connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.


I guess this explains why I am getting tons of SMB:BruteForce attack alerts from Avast stating that one of my Onkyo receivers (NR-636) is trying to access my desktop via RDP. It is quite annoying as it is very frequent so I will turn it off. Any way to prevent this? Turning off annoying alerts defeats the purpose of the protection but right now it is constantly crying "wolf wolf" if you get my reference. When the real attack comes... I'll likely end up ignoring it.

I completely understand. We are working on a GUI feature that lets you hide detections from a specified address, as this is a common issue.
How will the average user know if the attack is genuine or a false positive? Simply adding an ability to bypass the attack might not be the best solution.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline greg262

  • Newbie
  • *
  • Posts: 1
Re: New feature announcement - Remote Access Shield
« Reply #31 on: November 18, 2020, 05:19:10 PM »
I am having the same issue but the URL is not a local 192.168.1.*** address but something completely different.

I am using Avast Premium Security and the details are:

Threat Name - SMB: BruteForce
URL - smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process - System
Detected By - Remote Access Shield
Status - Connection Blocked

Any way to stop this, getting it several times a day.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
Re: New feature announcement - Remote Access Shield
« Reply #32 on: November 23, 2020, 12:44:49 PM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden.  The alerts started yesterday.  The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://192.168.1.207/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

Since October 18, 2020, there have been 2936 connection attempts blocked.  The history shows "Samba connection blocked - Avast blocked a possible brute-force attack from the IP address 192.168.1.207.

I am really puzzled by this alert for the following reason...

192.168.1.207 is on my internal network.
The device at this IP address is a NVIDIA SHIELD TV Media Streaming Device (Android TV).
The device is currently sleeping and not in use.
The device does not have any remote desktop applications installed on it.

I have two other NVIDIA SHIELD TV devices on my network and I do not get any alerts from them.

So, is this a false positive notification?  Has someone hacked my NVIDIA SHIELD TV device?

Hello computer guy,

Thanks for the information.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector. It seems likely that the TV uses the protocol to communicate with the PC, or maybe just scans the network for other compatible devices. When we detect multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection.

SMB scanning can be turned off in Avast settings, but it will compromise your computer's security. I will look into it and try to come up with a solution to this issue - there are multiple reports of devices that repeatedly unsuccessfully to try connect using SMB and trigger the detection alerts.

Thank you for your patience, I realize it must be annoying.


I guess this explains why I am getting tons of SMB:BruteForce attack alerts from Avast stating that one of my Onkyo receivers (NR-636) is trying to access my desktop via RDP. It is quite annoying as it is very frequent so I will turn it off. Any way to prevent this? Turning off annoying alerts defeats the purpose of the protection but right now it is constantly crying "wolf wolf" if you get my reference. When the real attack comes... I'll likely end up ignoring it.

I completely understand. We are working on a GUI feature that lets you hide detections from a specified address, as this is a common issue.
How will the average user know if the attack is genuine or a false positive? Simply adding an ability to bypass the attack might not be the best solution.

We are working on a FAQ with instructions on how to tell false positives from attacks.

Also this:
Quote
We are working on a GUI feature that lets you hide detections from a specified address, as this is a common issue.
doesn't mean that anything will be bypassed, just hidden.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
Re: New feature announcement - Remote Access Shield
« Reply #33 on: November 23, 2020, 12:49:58 PM »
I am having the same issue but the URL is not a local 192.168.1.*** address but something completely different.

I am using Avast Premium Security and the details are:

Threat Name - SMB: BruteForce
URL - smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process - System
Detected By - Remote Access Shield
Status - Connection Blocked

Any way to stop this, getting it several times a day.

Hello greg262,

please refer to the FAQ: https://support.avast.com/en-us/article/Antivirus-Remote-Access-Shield-FAQ

The section "Why am I receiving threat detection alerts?" should cover this.

Offline peelpel94

  • Newbie
  • *
  • Posts: 6
Re: New feature announcement - Remote Access Shield
« Reply #34 on: December 07, 2020, 08:59:41 PM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The IP is a PC in my local network and never before was blocked like this. I tried to unblock by ticking the "Block all connections except the following" and added the IP address above, fe80::5801:7d88:xxxx:xxxx. But it still blocks it, the only way I can unblock is by un-ticking "Enable Samba protection". But that makes it unsafe obviously. Besides, the IP will change so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense, why did it just start doing this and how can I fix without losing protection to my PC?

Offline peelpel94

  • Newbie
  • *
  • Posts: 6
Re: New feature announcement - Remote Access Shield
« Reply #35 on: December 08, 2020, 11:39:11 PM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The IP is a PC in my local network and never before was blocked like this. I tried to unblock by ticking the "Block all connections except the following" and added the IP address above, fe80::5801:7d88:xxxx:xxxx. But it still blocks it, the only way I can unblock is by un-ticking "Enable Samba protection". But that makes it unsafe obviously. Besides, the IP will change so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense, why did it just start doing this and how can I fix without losing protection to my PC?

I can report that the exception list works for me when using an IPv4 address (192.1.168.133), but doesn't work with IPv6 addresses like the one above (fe80::5801:7d88:xxxx:xxxx). Any way this can be fixed? Right now the only way I'm able to connect from one PC to another is by disabling Samba Protection, which defeats the purpose of it's existence.

Offline peelpel94

  • Newbie
  • *
  • Posts: 6
Re: New feature announcement - Remote Access Shield
« Reply #36 on: December 11, 2020, 12:23:01 AM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The IP is a PC in my local network and never before was blocked like this. I tried to unblock by ticking the "Block all connections except the following" and added the IP address above, fe80::5801:7d88:xxxx:xxxx. But it still blocks it, the only way I can unblock is by un-ticking "Enable Samba protection". But that makes it unsafe obviously. Besides, the IP will change so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense, why did it just start doing this and how can I fix without losing protection to my PC?

I can report that the exception list works for me when using an IPv4 address (192.1.168.133), but doesn't work with IPv6 addresses like the one above (fe80::5801:7d88:xxxx:xxxx). Any way this can be fixed? Right now the only way I'm able to connect from one PC to another is by disabling Samba Protection, which defeats the purpose of it's existence.

So where is Avast hiding? why no answers? Are you working on a solution or what is the status????

Hey Jakub maybe you have some answers to the above whitelist question at least, if nothing else. No?

Offline peelpel94

  • Newbie
  • *
  • Posts: 6
Re: New feature announcement - Remote Access Shield
« Reply #37 on: December 11, 2020, 12:24:43 AM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The IP is a PC in my local network and never before was blocked like this. I tried to unblock by ticking the "Block all connections except the following" and added the IP address above, fe80::5801:7d88:xxxx:xxxx. But it still blocks it, the only way I can unblock is by un-ticking "Enable Samba protection". But that makes it unsafe obviously. Besides, the IP will change so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense, why did it just start doing this and how can I fix without losing protection to my PC?

I can report that the exception list works for me when using an IPv4 address (192.1.168.133), but doesn't work with IPv6 addresses like the one above (fe80::5801:7d88:xxxx:xxxx). Any way this can be fixed? Right now the only way I'm able to connect from one PC to another is by disabling Samba Protection, which defeats the purpose of it's existence.

So where is Avast hiding? why no answers? Are you working on a solution or what is the status????

Hey Jakub maybe you have some answers to the above whitelist question at least, if nothing else. No?

This is the question I am referring to:

Besides all of the above, and as I described in detail in my initial post, why exactly is it that I am able to use "block all connections" and use the exception list to allow/whitelist IPv4 addresses but it will not work on IPv6 addresses, how about Avast providing an answer to that if nothing else, hi there Jakub, maybe you have something to say about this specific issue, as I said, I 100% identified the address being blocked as another PC in my local network,  I need real answers with real solution, as it is, Avast has become unusable garbage software, sorry to say.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
Re: New feature announcement - Remote Access Shield
« Reply #38 on: December 14, 2020, 12:38:28 AM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The IP is a PC in my local network and never before was blocked like this. I tried to unblock by ticking the "Block all connections except the following" and added the IP address above, fe80::5801:7d88:xxxx:xxxx. But it still blocks it, the only way I can unblock is by un-ticking "Enable Samba protection". But that makes it unsafe obviously. Besides, the IP will change so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense, why did it just start doing this and how can I fix without losing protection to my PC?

I can report that the exception list works for me when using an IPv4 address (192.1.168.133), but doesn't work with IPv6 addresses like the one above (fe80::5801:7d88:xxxx:xxxx). Any way this can be fixed? Right now the only way I'm able to connect from one PC to another is by disabling Samba Protection, which defeats the purpose of it's existence.

So where is Avast hiding? why no answers? Are you working on a solution or what is the status????

Hey Jakub maybe you have some answers to the above whitelist question at least, if nothing else. No?

This is the question I am referring to:

Besides all of the above, and as I described in detail in my initial post, why exactly is it that I am able to use "block all connections" and use the exception list to allow/whitelist IPv4 addresses but it will not work on IPv6 addresses, how about Avast providing an answer to that if nothing else, hi there Jakub, maybe you have something to say about this specific issue, as I said, I 100% identified the address being blocked as another PC in my local network,  I need real answers with real solution, as it is, Avast has become unusable garbage software, sorry to say.

https://forum.avast.com/index.php?topic=243267.0

Offline Chris1239

  • Newbie
  • *
  • Posts: 1
Re: New feature announcement - Remote Access Shield
« Reply #39 on: February 14, 2021, 01:14:55 AM »
this feature is junk and blocks connections to file sharing on a network so if you use file sharing on your network you need to turn it off there is no easy way to tell it to allow network computers to connect to file and print sharing turned it off and the office can connect to the shared drive again

Avast should make a lite version that just has antivirus they keep adding stuff that is not practical for the work environment

ACTUALLY what this is doing is telling you that a computer is attempting to access a resource TOO FREQUENTLY.

This is an integral part of ANY firewall service. MAN I hate people like you. Can't figure something out and go mental on it.  What you NEED to be doing is figuring out why your devices on your network are hitting your main drive so often while you're not viewing your illegal downloads.  That's the real question.

Right now I'm on Rogers and since I need to have a number of ports available for real computer things vs stealing videos and stuff, I'm getting Brute Force attacked by someone on the Rogers network which should have ZERO ability to get inside both a hardware and software firewall.  The BrueForce attempt is flagged but I sure as hell don't know why it's getting through my router/firewall so that Avast see's and react's to it.

Offline David2700

  • Newbie
  • *
  • Posts: 1
Re: New feature announcement - Remote Access Shield
« Reply #40 on: March 06, 2021, 01:08:47 PM »
Hello

I am getting the alert constantly from the Avast Omni Hub IP address.  Is this something the Omni Hub might be doing?

Offline Polk

  • Newbie
  • *
  • Posts: 2
  • Polk
Re: New feature announcement - Remote Access Shield
« Reply #41 on: March 07, 2021, 11:04:13 AM »
Установлена программа Avast Premier Security. Странная блокировка в модуле "Удаленный доступ".
Объясните такую вещь, почему Аваст блокирует входящее соединение по сети на расшаренную папку. Вижу, что в модуле "Удаленный доступ" блокируется мой IP. В белом списке указал IP-адрес входящего компьютера и даже его IPv6. Самое интересное, блокирует по IP, а разрешает по IPv6. Как это возможно? Это что Аваст такой проблемный или что-то не так делаю? При этом еще и тормозит в проводнике, когда обращаюсь на расшаренную папку. Хотя в мониторе "Удаленный доступ" о блокировке нет упоминания.
Поэтому пришлось в модуле "Удаленный доступ" убрать галочку с "Включить защиту Samba".

Installed Avast Premier Security program. Strange blocking in the "Remote Access" module.
Explain such a thing why Avast blocks an incoming connection over the network to a shared folder. I see that my IP is blocked in the "Remote Access" module. In the white list indicated the IP address of the incoming computer and even its IPv6. The most interesting, blocks the IP, and permits on IPv6. How is it possible? Is that avast such a problem or something wrong? It also slows down in the conductor when I appeal to the shared folder. Although there is no mention in the "Remote Access" monitor on blocking.
Therefore, it was necessary in the "Remote Access" module to remove the checkbox with "Enable Samba's Protection".

Я полностью изучил Faq (https://support.avast.com/article/Antivirus-Remote-Access-Shield-FAQ) и все эти действия сделал в настройках Avast.
В белом списке все IP-адреса моей сети, а также указаны все IPv6. А также продублировал IP в виде диапазона: 192.168.0.20-192.168.0.24.
Но все равно происходит блокировка по IP-адресу, а затем соединение разрешено по IPv6. Почему так происходит?

I fully studied the FAQ (https://support.avast.com/article/Antivirus-Remote-Access-Shield-FAQ) and made all these actions in the Avast settings.
In the white list, all IP addresses of my network, as well as all IPv6. And also duplicated IP in the form of a range: 192.168.0.20-192.168.0.24.
But still there is a lock on the IP address, and then the connection is allowed by IPv6. Why is this happening?

Offline OutbackMatt

  • Newbie
  • *
  • Posts: 8
Re: New feature announcement - Remote Access Shield
« Reply #42 on: May 09, 2021, 03:29:49 AM »
Unlike many in this thread I quite like this new feature

My issue is that it is being listed as an 'ignored issue', effectively inactivating that shield.
I'm not doing that, and I want to see the list of threats, specifically date, time and IP addresses

I seem to get a flood of rdp attempts when I send a file from a particular software vendor to the Avast Threat Labs. I'm trying to see what triggers this thread, and if go looking for rdp attempts at time not related to me sending a file the threat labs, it looks like the shield has been inactivated - certainly not of my doing.

Why is this shield being turned off automatically on my machine?

Offline Koczeka

  • Newbie
  • *
  • Posts: 1
Re: New feature announcement - Remote Access Shield
« Reply #43 on: May 25, 2021, 01:28:27 PM »
Hi!

My kid's computer is trying to access my PC and get this SMB BruteForce alarm.
How to add an exception (would be best to add for my internal IP range of 192.168.1.x)?

thx
« Last Edit: May 25, 2021, 01:30:42 PM by Koczeka »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0