Hi Jakub and Anyone else in the Forum,
In response to your reply--I have two questions:
1) Is there a way for me to print a log file of these blocked and allowed attacks in the Remote Access Shield? They come every second and from the same IPv6 source, and AVAST blocks them. Then a few come from a different IPv6 source, and AVAST allows them. So viewing them as the 12 lines that AVAST displays is not helpful to see a pattern.
2) I am not familiar with IPv6 addresses. How can I possibly determine which device is initiating these attacks and eliminate it? Are there specialized AV programs which would permit me to determine that (like freefixer etc.)?
Thanks.
Hello 4ahobbs,
1) You can turn on debug logging in Avast -> Menu -> Settings -> Troubleshooting -> Enable debug logging. The log will be generated in C:\ProgramData\AVAST Software\Avast\log\StreamFilter.log.
Inside the log, just search for "SMB". The individual entries will look like this:
[2020-10-09 10:25:13.779] [info ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.NewConnection [proto:SMB,ip:[10.187.43.140],port:51041,conn_id:164107]
[2020-10-09 10:25:13.909] [info ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.ConnectionBlocked [proto:SMB,ip:[10.187.43.140],port:51041,status:[SMB:BruteForce],conn_id:164107]
Here you can find the time, protocol, source IP address and port, connection ID (used to follow the logs related to a single connection), status (reason for blocking the connection).
2) Avast allows you to do this using the WiFi Inspector feature:
https://antivirus-protection.co/avast-wifi-inspector
Another program I'd recommend if you are proficient with packet analysis is Wireshark. It can be set to capture all communication on your port 445 (the SMB port) and you can inspect the packets in its UI. As the username is sent in plaintext during the SMB authentication, you can view it and it might give you some insight into what is causing this. Screenshots of setting up Wireshark and of a captured failed authentication attempt are included.
The provided examples/screenshot use IPv4, but it should be similar when IPv6 is used.
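As an added example (not part of Jakub's reply or of Avast's own tooling), the Python script below parses StreamFilter.log entries in the format quoted above and tallies, per source address, how many SMB connections were blocked and how many were let through, which is the pattern question asked in 1). The sample log lines are constructed (the IPv6 addresses are made up), and the script assumes that a connection with no ConnectionBlocked entry was allowed.

```python
import re
from collections import Counter, defaultdict

# Line layout copied from the StreamFilter.log entries quoted in the reply.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\s*\] \[nsf_rdp_mim\] \[[^\]]*\] "
    r"RdpFilterCtx\.(?P<event>\w+) \[(?P<fields>.*)\]$"
)
# key:value pairs; bracketed values (ip, status) may themselves contain ':' or ','
FIELD_RE = re.compile(r"(\w+):(\[[^\]]*\]|[^,\]]+)")

def parse_line(line):
    """Return a dict with ts, event, proto, ip, port, conn_id, status, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "event": m["event"], "status": None}
    for key, val in FIELD_RE.findall(m["fields"]):
        rec[key] = val.strip("[]")  # drop the brackets around ip and status
    return rec

def summarize(lines, proto="SMB"):
    """Per source IP: connections seen, how many were blocked, and the block reasons.
    Assumption: a connection without a ConnectionBlocked entry was allowed."""
    per_ip = defaultdict(lambda: {"connections": 0, "blocked": 0, "reasons": Counter()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("proto") != proto:
            continue
        stats = per_ip[rec["ip"]]
        if rec["event"] == "NewConnection":
            stats["connections"] += 1
        elif rec["event"] == "ConnectionBlocked":
            stats["blocked"] += 1
            stats["reasons"][rec["status"]] += 1
    for stats in per_ip.values():
        stats["allowed"] = stats["connections"] - stats["blocked"]
    return dict(per_ip)

# Constructed sample: the two IPv4 lines from the reply plus made-up IPv6 and RDP entries.
SAMPLE_LOG = """
[2020-10-09 10:25:13.779] [info ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.NewConnection [proto:SMB,ip:[10.187.43.140],port:51041,conn_id:164107]
[2020-10-09 10:25:13.909] [info ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.ConnectionBlocked [proto:SMB,ip:[10.187.43.140],port:51041,status:[SMB:BruteForce],conn_id:164107]
[2020-10-09 10:25:14.201] [info ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.NewConnection [proto:SMB,ip:[fe80::1a2b:3c4d:5e6f:7a8b],port:52210,conn_id:164108]
[2020-10-09 10:25:14.330] [info ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.ConnectionBlocked [proto:SMB,ip:[fe80::1a2b:3c4d:5e6f:7a8b],port:52210,status:[SMB:BruteForce],conn_id:164108]
[2020-10-09 10:25:15.002] [info ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.NewConnection [proto:SMB,ip:[fe80::9c8d:7e6f:5a4b:3c2d],port:50123,conn_id:164109]
[2020-10-09 10:25:15.100] [info ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.NewConnection [proto:RDP,ip:[10.187.43.9],port:3389,conn_id:164110]
""".strip().splitlines()

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip:40} conns={s['connections']} blocked={s['blocked']} "
              f"allowed={s['allowed']} reasons={dict(s['reasons'])}")
```

To run it on the real file, replace SAMPLE_LOG with the lines read from C:\ProgramData\AVAST Software\Avast\log\StreamFilter.log.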