Author Topic: Remote Access Shield - Incoming connection blocked  (Read 3952 times)


Offline peelpel94

  • Newbie
  • *
  • Posts: 6
Remote Access Shield - Incoming connection blocked
« on: December 10, 2020, 01:09:13 AM »
I am getting alerts for Incoming connection blocked and I am trying to figure out why this is happening all of a sudden. The alert is as follows...

Incoming connection blocked

Threat name: SMB:BruteForce
URL: smb://fe80::9d3b:87c3:73d6:f547/BruteForce
Process: System
Detected by: Remote Access Shield
Status: Connection blocked

The URL is a PC in my local network and was never blocked like this before. I tried to unblock it by ticking "Block all connections except the following" and adding the URL address above, fe80::5801:7d88:xxxx:xxxx, but it still blocks it. The only way I can unblock it is by un-ticking "Enable Samba protection", but that obviously makes it unsafe. Besides, the IP will change, so even if it worked with the exceptions I would have to add new ones every time the IP changes, which makes no sense. Why did it just start doing this, and how can I fix it without losing protection for my PC?

I can report that the exception list works for me when using an IPv4 address (192.1.168.xxx), but doesn't work with IPv6 addresses like the one above (fe80::5801:7d88:xxxx:xxxx). Is there any way this can be fixed? Right now the only way I'm able to connect from one PC to another is by disabling Samba Protection, which defeats the purpose of its existence.

Offline rocksteady

  • Super Poster
  • ***
  • Posts: 1283
Re: Remote Access Shield - Incoming connection blocked
« Reply #1 on: December 10, 2020, 03:20:43 PM »

Offline peelpel94

  • Newbie
  • *
  • Posts: 6
Re: Remote Access Shield - Incoming connection blocked
« Reply #2 on: December 10, 2020, 04:28:12 PM »
> Re Bruteforce, see this item:
> https://forum.avast.com/index.php?topic=238916.0

Hi rocksteady. Like every other thread here, there are no answers to the real issue. This all started with the new Remote Access Shield; it is 100% at fault for the problems many of us are seeing. Avast will not publicly accept the issue at hand; hopefully they are working to fix it even without acknowledging the problem. I've read every related thread in this forum: no real answers to be found and no Avast solutions at all.

Besides all of the above, and as I described in detail in my initial post, why exactly is it that I am able to use "block all connections" and use the exception list to allow/whitelist IPv4 addresses, but it will not work on IPv6 addresses? How about Avast providing an answer to that, if nothing else? Hi there Jakub, maybe you have something to say about this specific issue. As I said, I 100% identified the address being blocked as another PC in my local network. I need real answers with real solutions; as it is, Avast has become unusable garbage software, sorry to say.


Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 46
Re: Remote Access Shield - Incoming connection blocked
« Reply #3 on: December 14, 2020, 12:34:22 AM »
Hello peelpel94,

I hereby publicly accept the issue at hand. I'm sorry you are having this issue and I'll do my best to resolve it. As stated in the other threads, we realize that non-malicious connections can be blocked if they appear suspicious. Even if the originating computer is in your local network - local SMB is a common vector for spreading malware from a computer to the rest of the network (as explained for example here: https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities).

When multiple consecutive authentication attempts from a single IP fail, the Remote Access Shield classifies this as suspicious behavior. Therefore they are blocked. The PC originating the connections could be infected with malware trying to self propagate, or be part of a botnet launching a brute force attack. It is also possible that an application is trying to access shared folders (e.g., a video player trying to load shared videos/songs) without correct credentials, but it's impossible for the shield to know. In this case I'd advise to find the responsible application and configure it correctly or disable it.


I realize it's annoying to have block messages that could likely be "false positives", and that it can make the shield inconvenient enough to disable it and compromise the computer's security. We are indeed working on ways to decrease the number of false positives. But in this case, investigation seems to be the fastest option. If you don't know the origin of the connections, you can use software like Wireshark to capture the network traffic on port 445 and take a look at the username in the connection attempts - it might provide some clues (screenshot of a captured unsuccessful connection attempt included).


As for the "Block all connections except the following" - its purpose is not to whitelist an address and remove it from scanning. It is meant to block all addresses outside of the specified address/range. That could explain why it didn't solve the Remote Access Shield blocking connections from your computer.
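
Added example (not part of the thread and not Avast's code): a minimal sketch of the "multiple consecutive failed authentications from a single IP" rule described in the reply above. It can be run over attempts exported from a port 445 capture to see which usernames a blocked host was offering. The threshold, the event tuples and the usernames are assumptions constructed for illustration; only the fe80 address is taken from the alert in this thread.

```python
import ipaddress
from collections import defaultdict

THRESHOLD = 3  # assumption: the shield's real threshold is not given in the thread

# Constructed sample data: (source address, username offered, logon result).
# The same link-local host appears in three spellings, as captures and logs
# often show it (zone id suffix, upper case, uncompressed).
EVENTS = [
    ("fe80::9d3b:87c3:73d6:f547%12", "guest", "fail"),
    ("192.168.1.20", "alice", "fail"),
    ("FE80::9D3B:87C3:73D6:F547", "guest", "fail"),
    ("192.168.1.20", "alice", "fail"),
    ("192.168.1.20", "alice", "ok"),       # a success ends the failure run
    ("fe80:0:0:0:9d3b:87c3:73d6:f547", "mediaplayer", "fail"),
    ("192.168.1.20", "alice", "fail"),
]


def normalize(addr):
    """Drop any IPv6 zone id and return the canonical text form of the address."""
    return str(ipaddress.ip_address(addr.split("%", 1)[0]))


def suspicious_sources(events, threshold=THRESHOLD):
    """Map each source with >= threshold consecutive failures to the usernames it tried."""
    run = defaultdict(list)   # usernames in the current unbroken failure run, per source
    flagged = {}
    for addr, user, result in events:
        src = normalize(addr)
        if result == "ok":
            run[src].clear()  # consecutive means a success resets the count
            continue
        run[src].append(user)
        if len(run[src]) >= threshold:
            flagged[src] = sorted(set(run[src]))
    return flagged


if __name__ == "__main__":
    for src, users in suspicious_sources(EVENTS).items():
        print(f"{src}: failed run used usernames {users}")
```

The usernames in a flagged run are the clue the reply points to: an account name that belongs to a media player or a stale saved credential identifies the application to reconfigure.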

Offline k_bahrami

  • Newbie
  • *
  • Posts: 3
Re: Remote Access Shield - Incoming connection blocked
« Reply #4 on: January 19, 2021, 05:00:57 AM »
Has there been any progress on this topic? I am starting to reconsider my options with respect to Avast. In my case it was simply VLC on my Nvidia Shield Android TV that was identified as a malicious connection. Like others the only workaround was to disable Remote Access Shield to watch my file and then reactivate it. Not very convenient. I appreciate your team working on a resolution so any updates would be great. Thanks!

Offline jhanks64

  • Newbie
  • *
  • Posts: 4
Re: Remote Access Shield - Incoming connection blocked
« Reply #5 on: July 11, 2021, 09:27:18 AM »
I came here looking for a different fix to this.

I am an Avast reseller and I often set up RDP for clients and then need to test it, set up the RDP file and send it to them.

They are often traveling and will be remoting into their PC from different places and different IP Addresses.

Sometimes my IP address gets blocked and I am unable to test the connection from my office computer or remote in and fix some other problem they are having.

How can I remove my IP Address from the blocked list, but still maintain the Remote Access Shield functionality?

Offline r@vast

  • Avast team
  • Super Poster
  • *
  • Posts: 2389
Re: Remote Access Shield - Incoming connection blocked
« Reply #6 on: July 12, 2021, 04:38:52 PM »
> I came here looking for a different fix to this.
>
> I am an Avast reseller and I often set up RDP for clients and then need to test it, set up the RDP file and send it to them.
>
> They are often traveling and will be remoting into their PC from different places and different IP Addresses.
>
> Sometimes my IP address gets blocked and I am unable to test the connection from my office computer or remote in and fix some other problem they are having.
>
> How can I remove my IP Address from the blocked list, but still maintain the Remote Access Shield functionality?

Hi,

As stated above, it's not possible to set up an exception for the Remote Access Shield. If you suspect that your IP address is incorrectly detected by Remote Access Shield, please make sure that your RDP software is set up correctly to access the target device and then restart the target device.
If the problem persists, you can report it as a false positive via the following webform https://www.avast.com/false-positive-file-form.php