Author Topic: D-link router reporting Avast as Twinge Attack  (Read 14527 times)

0 Members and 1 Guest are viewing this topic.

Offline 112

  • Newbie
  • *
  • Posts: 4
D-link router reporting Avast as Twinge Attack
« on: January 07, 2007, 08:01:05 AM »
After recently updating my firmware on my d-link di-624 router it now keeps more logs of suspicious activities. Anyways I have a wireless computer running avast and apparently avast is casuing the router to report :
"Jan/05/2007 01:28:57 TWINGE ATTACK Detect Packet Dropped
Jan/05/2007 01:28:14 TWINGE ATTACK Detect Packet Dropped "

I'm getting these about 40 seconds and I later ran a search on google and found out that avast send ICMP ping requests and this is one website said:
"avast! antivirus update feature is reported to produce ICMP pings with
zero data when connecting to the avast servers. This can occur every 40
seconds if no reply is received by the client."

I later shut down avast and this twinge ttack disappeared.

Anyone know how I can work around this problem. I would hate to give up avast because i've used for over a year and like the features and configurations for different programs and I've been impressed by the reults.

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: D-link router reporting Avast as Twinge Attack
« Reply #1 on: January 07, 2007, 08:32:00 AM »
Welcome to the forum 112.

Does your firewall log shows these attacks coming from the LAN side or the WAN side?
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline 112

  • Newbie
  • *
  • Posts: 4
Re: D-link router reporting Avast as Twinge Attack
« Reply #2 on: January 07, 2007, 08:45:51 AM »
thanks.

The firewall doesn't give any details that's why i've been breaking my head trying to figure out what the problem was. I had to do some packet sniffs and with the help of someone else I took the ip address of the ICMP ping request. my computer was the source the ip was the destination and basically, on one of the whois tests it reported avast under one of the domains or something. I later shut down the AV and the problem cleared up...

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: D-link router reporting Avast as Twinge Attack
« Reply #3 on: January 07, 2007, 08:55:09 AM »
Hmmmm

There a several varieties of the DI-624.  Here's a screen shot of my never ending XMAS scans from my DI-624 H/W vE1 F/W v5



Nothing like that on yours?


EDIT:  Can you post a link to the web site about avast!
« Last Edit: January 07, 2007, 08:58:09 AM by mauserme »
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: D-link router reporting Avast as Twinge Attack
« Reply #4 on: January 07, 2007, 10:49:30 AM »
I may be out in left field on this, but isn't that how avast auto update is supposed to work? Try to connect to a server, if no connection is made, then retry in 40 seconds until a connection is made or all servers have been attempted. Then check in 4 hours.

You said shutting down avast cures the log enteries. What happens if you set updates to manual?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85644
  • No support PMs thanks
Re: D-link router reporting Avast as Twinge Attack
« Reply #5 on: January 07, 2007, 03:40:56 PM »
Your not out of left field, that is how the auto update works. So I guess it is the chicken and the egg the check for connection is blocked/dropped so guess what auto update will check again in 40 seconds. If it is allowed through and a check made (update available or not) silence for 4 hours (240 minutes is the default) or whatever interval you set in Program Settings Update (Basic) Details.

What are the settings in Update (Connections) 'My computer is permanently connected to the internet' or different ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.691) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: D-link router reporting Avast as Twinge Attack
« Reply #6 on: January 07, 2007, 03:46:45 PM »
Quote
I may be out in left field on this, but isn't that how avast auto update is supposed to work?

Well, yeah ...

I think there are two different, unrelated events happening.  There are some references to avast! causing false positives to Snort Rule 469

http://72.14.203.104/search?q=cache:rLtl97RY94YJ:web2.uwindsor.ca/courses/cs/aggarwal/cs60564/Assignments/Assign2_HasanDorian.doc+%22avast!+antivirus+update+feature+is+reported+to+produce+ICMP+pings+with&hl=en&gl=us&ct=clnk&cd=1

Quote
The only False Positives cases are when Avast antivirus update feature is reported to produce ICMP pings with zero data when connecting to the Avast servers. This can occur every 40 seconds if no reply is received by the client. The Avast clients attempts to ping one of the following servers: (URL: http://www.asw.cz/iavs4pro; IP: 195.70.130.34), (URL:http://www.avast.com/iavs4pro;IP: 66.98.166.72),
(URL: http://www.iavs.net/iavs4pro; IP: 207.44.156.15)
URL: http://www.iavs.cz/iavs4pro; IP: 62.168.45.69)

But then you also get statements like this

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci998669,00.html

Quote
SID 469 is not a very good rule. It causes a lot of false positives, because it's rather "loose." Other applications beside NMAP send echo request packets with no payload, and there are no other criteria to make the rule "tighter" or more specific

The reason for these quotes is to point out that packet sniffers may not be giving a true picture of what's happening in that you see the avast! activity but not the true source of the attack which is being blocked by the router.

Here's the definition of a Twinge attack

http://www.pcflank.com/expl_d.htm

Quote
The Twinge program sends a large number of false ICMP control messages very rapidly to a system. This usually results in performance degradation, and may cause the attacked system to crash. This spoofed attack, utilizes all types of ICMP packets with random IP source addresses.
Affected systems: Win 95,98,NT

If you google something like "DI-624 Twinge Attack" there are lots of hits - usually from people posting that the router is logging Twinge Attacks but without mention of also having avast! installed.  There's an interesting thread that offers plausible explanations for the attack here

http://episteme.arstechnica.com/eve/forums/a/tpc/f/469092836/m/682008402831

So my short answer is that I have a router from the same family as yours, 112, and I also have avast!, but I do not log any Twinge Attacks from any source.  I think you are subject to this attack from outside your own computer and are erroneously connecting the attack to the way some packet sniffers react to avast's update method. And maybe i should have just left it that.

"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline 112

  • Newbie
  • *
  • Posts: 4
Re: D-link router reporting Avast as Twinge Attack
« Reply #7 on: January 07, 2007, 06:51:37 PM »
Problem fixed.
followed this link and all is well  ;D.
http://www.avast.com/eng/updates2.html

thanks for the help guys.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: D-link router reporting Avast as Twinge Attack
« Reply #8 on: January 07, 2007, 06:55:34 PM »
Dould you expand a bi? I'm curious, as I'm sure are others.  ;D

Offline 112

  • Newbie
  • *
  • Posts: 4
Re: D-link router reporting Avast as Twinge Attack
« Reply #9 on: January 07, 2007, 11:58:58 PM »
^ I had to edit the AVAST4.INI file and change the line "AssumeAlwaysConnected=1" it used to be AssumeAlwaysConnected=0.

This fixed the problem. It apparently tells avast that the computer is directly connected to the internet even though under options I had that checked. By making the change it bypasses the pings every 40 seconds and therefore no more attacks.

Before this my computer was sending ICMP pings about every 40 seconds and my router viewed this as an attack.

mauserme: I think this is the link you're asking me for.
http://www.snort.org/pub-bin/sigs.cgi?sid=469
look under false positives.
« Last Edit: January 08, 2007, 12:04:21 AM by 112 »

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: D-link router reporting Avast as Twinge Attack
« Reply #10 on: January 08, 2007, 01:01:01 AM »
Thanks for the link 112.

When I change my avast4.ini to AssumeAlwaysConnected=0 I still don't log any Twinge Attacks and I'm not sure I see the connection between a Snort false positive and your router logging these attacks.  But if the problem has ended that's a good thing.   :)
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85644
  • No support PMs thanks
Re: D-link router reporting Avast as Twinge Attack
« Reply #11 on: January 08, 2007, 01:05:17 AM »
Usually 0=no and 1=yes so you are effectively saying you are on dial-up, I would be interested to see what the Update (Connections) settings now shows ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.691) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: D-link router reporting Avast as Twinge Attack
« Reply #12 on: January 08, 2007, 01:14:40 AM »
Me or 112?

On my computer I changed to AssumeAlwaysConnected=0 and left UseRAS=0 assuming 112 did not change the latter. 

According the avast! link posted by 112, UseRAS=1 tells avast! the connection is dial up only, effectively ending all pings.  Tech would know more about this.
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85644
  • No support PMs thanks
Re: D-link router reporting Avast as Twinge Attack
« Reply #13 on: January 08, 2007, 01:26:46 AM »
It was directed to 112.

Since 112 had previously set the Update (Connections) My computer is permanently connected to the internet, then the UseRAS should have been set to 0.

The problem is the Update (Connections) allows you to have four settings, both checked, both unchecked, one checked, then switch to the other option checked.
« Last Edit: January 08, 2007, 01:28:38 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.691) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security