Bruteforce

[4ahobbs]

Hi Jakob,

Thanks for the tools, but I am not proficient in packet analysis.  I did download my logs and I have hundreds, maybe a thousand, of SMB entries, with the status [SMB:BruteForce] going back to October 26, 2020.  The entries run 10 or so a minute.  All the blocked entries have a link-local IPv6 address. All of the allowed entries also have a link-local IPv6 address.

I have eight PC's on my network, and all of them, including the one detecting the Brute Force attack were set to not allow remote connections to this computer. I also have Malwarebytes Premium and that software did not detect any attack.

This leads me to believe that AVAST is giving me false positives from my internal network.  Should I send the Avast Remote Access logs to Avast to take a look?  Should I disable IPv6 on all the computers in the network?  I'm not sure if that will affect anything since I only use IPv4 addresses to my knowledge.  Thanks.

[Jakub Dubovic]

Hi Jakob,

Thanks for the tools, but I am not proficient in packet analysis.  I did download my logs and I have hundreds, maybe a thousand, of SMB entries, with the status [SMB:BruteForce] going back to October 26, 2020.  The entries run 10 or so a minute.  All the blocked entries have a link-local IPv6 address. All of the allowed entries also have a link-local IPv6 address.

I have eight PC's on my network, and all of them, including the one detecting the Brute Force attack were set to not allow remote connections to this computer. I also have Malwarebytes Premium and that software did not detect any attack.

This leads me to believe that AVAST is giving me false positives from my internal network.  Should I send the Avast Remote Access logs to Avast to take a look?  Should I disable IPv6 on all the computers in the network?  I'm not sure if that will affect anything since I only use IPv4 addresses to my knowledge.  Thanks.

Hello 4ahobbs,

It is of course possible that the detections are false positives. It might be different devices than PCs - for example a music/video player that automatically tries to connect to your shared folders using SMB and then lets you play music or videos from your PC.

I'm afraid we won't be able to tell any more from the logs than you. As I wrote, you can try to find the device from which the connections originate using Avast WiFi Inspector. Then it should be easier to figure out what is going on. You just click WiFi Inspector -> Network Scan. When the scan is finished, click a discovered device and it will show you its address.

In case the detections are false positives, we are working on a GUI feature you'll be able to use. It lets you hide detections from a specified address, as this is a common issue.

[4ahobbs]

Hi Jakub,

I SOLVED the issue, and yes, AVAST is at fault for providing false positives with its latest update.  This is for AVAST Program Version 20.9.2437 (build 20.9.5758.615). Here's a short recap of what we were discussing. Just after an October AVAST update, I started getting second by second notifications from the Remote Access Shield feature that a BruteForce attack was being made.  The notifications appeared to be in waves with some being blocked and others allowed, but always a connection attempt going in bursts of seconds, then ceasing after a while, then resuming again.  All the IP Addresses were in IPv6 and not IPv4.  I've never dealt with IPv6 addresses so I could not identify the origin and tell you whether the IP addresses were internal in my network or from the outside. I did tell you that it was unlikely that I was receiving an attack from the outside since all the PC's on the network had Remote Desktop turned off.  What I did to understand what was going on was to download a demo copy of Net Scan Tools Pro and look at the Network Neighbors table.  The Network Neighbors table is like an IPv4 ARP cache but for IPv.6.  I never knew that.  From the Network Neighbors table, I was able to identify the MAC addresses of the IPv6 addresses recorded by AVAST.  I then used Angry IP Scanner to identify  and correlate the MAC addresses with IPv.4 addresses, which allowed me to identify the sources of the "attacks".  The so-called "attacks" were merely the 5 PC's on my network coming on and off of the network at different times of the day.  This flaw is more annoying than debilitating, but is should be corrected by AVAST.   Thanks.

[Richard16]

I've had the Omni Hub for over a year now and during the past few months I've started getting alerts on my desktop about RDP Brute Force threats.

It lists the "URL" as rdp://192.168.0.69/BruteForce. This is the local IP address of the Omni Hub.
 

Why am I getting this message on my Windows 10 laptop with the IP address of my Omni Hub?  I have the Avast Omni application installed on all the machines on my network.
Is this a problem that needs to be fixed?  If so, then how do I fix it.
Thanks, Richard

[polonus]

Hi Richard16,

Question here: Is Remote Desktop Service allowed?
The alert could then be because of some form of penetration hacking being performed.
This could be by a botnet, compromised Polycom device or illegal use of a penetration test tool

Students for instance may use this for illegal purposes yes also on Omni Hub:
also read: https://github.com/AzizKpln/Bruter19

So not all detections can be explained away as false positives.

polonus

[Jakub Dubovic]

I've had the Omni Hub for over a year now and during the past few months I've started getting alerts on my desktop about RDP Brute Force threats.

It lists the "URL" as rdp://192.168.0.69/BruteForce. This is the local IP address of the Omni Hub.
 

Why am I getting this message on my Windows 10 laptop with the IP address of my Omni Hub?  I have the Avast Omni application installed on all the machines on my network.
Is this a problem that needs to be fixed?  If so, then how do I fix it.
Thanks, Richard

Hello Richard,

thanks for sharing the issue! We are working to correct it - it's a problem on our side.

[usalabs14]

Hi All,

I am also getting repeated notices of AVAST blocking a connection from a Samba connection which it identifies as an internal (I think) IPv6 address.  For example, in the attached screen shot, the attacks were coming once every second, hundreds of times.  This goes on for hours each day.  You will see in the snippit that all the attacks were blocked by AVAST, but then at 2:47:39 AVAST "Allowed" a SMB connection from another IPv6 address and the log stops at that time (it is now 5:04 PM).  You will also see in the upper right hand corner that the "All" tab lists 4832 attacks, but only 4561 blocked attacks.

Could someone tell me is this some kind of an attack, or is the AVAST Remote Access Shield just recording as a false positive some routine network activity.  Thanks.

A quick question, do you have SMB open to the WAN?  If so, it shouldn't be, SMB is mainly for file sharing from within the LAN such as using Samba protocol for network file sharing, which tells me if Avast is blocking connections inside the LAN, then someone on your network is trying to hack your system, they don't have to be on a wired network, they can still hack using your WiFi, if it's not protected.

I have never in the the years that I have been using Avast had any SMB blocking and I have a NAS server running for sharing files internally across the network, and I make sure the SMB ports are blocked in the firewall, on the router, but open on the NAS's firewall.

Any SMB data that tries to come in on those ports is immediately dropped.  So my advice is to remove any entries in the router port forwarding for SMB, and also disable IPV6, using IPV4, is much better for tracing where the attacks are coming from.

[Mark657]

Hi Jakub,

I SOLVED the issue, and yes, AVAST is at fault for providing false positives with its latest update.  This is for AVAST Program Version 20.9.2437 (build 20.9.5758.615). Here's a short recap of what we were discussing. Just after an October AVAST update, I started getting second by second notifications from the Remote Access Shield feature that a BruteForce attack was being made.  The notifications appeared to be in waves with some being blocked and others allowed, but always a connection attempt going in bursts of seconds, then ceasing after a while, then resuming again.  All the IP Addresses were in IPv6 and not IPv4.  I've never dealt with IPv6 addresses so I could not identify the origin and tell you whether the IP addresses were internal in my network or from the outside. I did tell you that it was unlikely that I was receiving an attack from the outside since all the PC's on the network had Remote Desktop turned off.  What I did to understand what was going on was to download a demo copy of Net Scan Tools Pro and look at the Network Neighbors table.  The Network Neighbors table is like an IPv4 ARP cache but for IPv.6.  I never knew that.  From the Network Neighbors table, I was able to identify the MAC addresses of the IPv6 addresses recorded by AVAST.  I then used Angry IP Scanner to identify  and correlate the MAC addresses with IPv.4 addresses, which allowed me to identify the sources of the "attacks".  The so-called "attacks" were merely the 5 PC's on my network coming on and off of the network at different times of the day.  This flaw is more annoying than debilitating, but is should be corrected by AVAST.   Thanks.

4ahobbs, what did you do to fix it? Were you able to add the IP addresses as an exception or did you turn something off?

I have four PCs on my network, my main workhorse is my laptop. Two of the other three PCs can access my shared laptop folders just fine. The fourth one was hit and miss. Mainly miss. Occasionally it could connect to the laptop, but mostly was blocked.

I did narrow it down to Avast on the laptop treating it as a Brute-force attack much like yourself.  I tried to set Avast to allow the specific problematic IP through but no luck, so I turned off "Block Brute-Force Attacks". That worked. But I'd like to know if you took a different/better approach than me. Did you do something different?
Thanks.

[bob3160]

Reported to Avast let's see if that helps.

[4ahobbs]

Hi Mark 657,

I didn't do anything.  The high volume of "attacks" stopped a week or so after my last posting, so I just assumed that Avast fixed it in an update.  I do get notifications of an "attack" from time to time, but nothing like the high volume I was getting several months ago. Maybe one notice once a week or so from PC's behind my firewall.  Sorry I could not be of more help.

[gkinrade]

I'm suddenly getting this exact same issue.  I cannot access my home server, which runs Windows 10 and Avast Premium, from any PC any more using its name ("Server" - original I know) and can only access the server using its IP address.  Logging into the server using Remote Desktop I can see the Avast popups saying
 
Incoming connection blocked
Threat name SMB:BruteForce
URL smb://blahblahblah

The URL matches the link-local IPv6 Address of my main desktop PC found using ipconfig /all.  Avast claims it's fully up to date with the following versions installed:

Virus definitions - Release Date 23rd January 2021 09:34 (ver: 210122-10)
Application - Release Date 9th December 2020 08:25 (ver. 20.10.2442 - build 20.10.5824.624)

Any help greatly appreciated!

Edit:  Disabling Samba protection withing the Remote Access Shield settings seems to 'fix' it although I wouldn't really count disabling part of the protection offered an actual fix...

[Jakub Dubovic]

Hello gkinrade,

Thanks for reporting the issue. As with similar issues, the detections are caused by multiple unsuccessful connections from the blahblahblah address to your PC. Without more information it's impossible to decide whether the connections are a malicious attempt to guess your credentials, or just a legitimate application that has, for example, wrong configuration and thus fails to connect.

We have published an FAQ article with answers to some of your questions: https://support.avast.com/en-sg/article/95/
There is a way to disable notifications ("What can I do if Remote Access Shield shows too many notifications?" in the FAQ) if they bother you. But the computer attempting the unsuccessful connections will still be blocked from Samba connections to your PC by Avast, unless you disable the Samba protection. But, as you said, it could compromise your security.

A more secure way to solve this would be to find out why the connections are sent - if an application is misbehaving (common offenders are for example music/video sharing applications attempting automatically to access shared folders in the local network), or whether actual malware is involved.