Author Topic: D-link router reporting Avast as Twinge Attack  (Read 15187 times)


112

  • Guest
D-link router reporting Avast as Twinge Attack
« on: January 07, 2007, 08:01:05 AM »
After recently updating my firmware on my d-link di-624 router it now keeps more logs of suspicious activities. Anyways I have a wireless computer running avast and apparently avast is causing the router to report:
"Jan/05/2007 01:28:57 TWINGE ATTACK Detect Packet Dropped
Jan/05/2007 01:28:14 TWINGE ATTACK Detect Packet Dropped "

I'm getting these about every 40 seconds. I later ran a search on Google and found out that avast sends ICMP ping requests, and this is what one website said:
"avast! antivirus update feature is reported to produce ICMP pings with
zero data when connecting to the avast servers. This can occur every 40
seconds if no reply is received by the client."

I later shut down avast and this twinge attack disappeared.

Anyone know how I can work around this problem? I would hate to give up avast because I've used it for over a year and like the features and configurations for different programs and I've been impressed by the results.

mauserme

  • Guest
Re: D-link router reporting Avast as Twinge Attack
« Reply #1 on: January 07, 2007, 08:32:00 AM »
Welcome to the forum 112.

Does your firewall log show these attacks coming from the LAN side or the WAN side?

112

  • Guest
Re: D-link router reporting Avast as Twinge Attack
« Reply #2 on: January 07, 2007, 08:45:51 AM »
thanks.

The firewall doesn't give any details, that's why I've been breaking my head trying to figure out what the problem was. I had to do some packet sniffs and with the help of someone else I took the IP address of the ICMP ping request. My computer was the source, the IP was the destination and basically, on one of the whois tests it reported avast under one of the domains or something. I later shut down the AV and the problem cleared up...

mauserme

  • Guest
Re: D-link router reporting Avast as Twinge Attack
« Reply #3 on: January 07, 2007, 08:55:09 AM »
Hmmmm

There are several varieties of the DI-624.  Here's a screen shot of my never ending XMAS scans from my DI-624 H/W vE1 F/W v5



Nothing like that on yours?


EDIT:  Can you post a link to the web site about avast!
« Last Edit: January 07, 2007, 08:58:09 AM by mauserme »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: D-link router reporting Avast as Twinge Attack
« Reply #4 on: January 07, 2007, 10:49:30 AM »
I may be out in left field on this, but isn't that how avast auto update is supposed to work? Try to connect to a server, if no connection is made, then retry in 40 seconds until a connection is made or all servers have been attempted. Then check in 4 hours.

You said shutting down avast cures the log entries. What happens if you set updates to manual?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: D-link router reporting Avast as Twinge Attack
« Reply #5 on: January 07, 2007, 03:40:56 PM »
You're not out of left field, that is how the auto update works. So I guess it is the chicken and the egg: the check for connection is blocked/dropped, so guess what, auto update will check again in 40 seconds. If it is allowed through and a check made (update available or not), silence for 4 hours (240 minutes is the default) or whatever interval you set in Program Settings, Update (Basic), Details.

What are the settings in Update (Connections) 'My computer is permanently connected to the internet' or different ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: D-link router reporting Avast as Twinge Attack
« Reply #6 on: January 07, 2007, 03:46:45 PM »
Quote
I may be out in left field on this, but isn't that how avast auto update is supposed to work?

Well, yeah ...

I think there are two different, unrelated events happening.  There are some references to avast! causing false positives to Snort Rule 469

http://72.14.203.104/search?q=cache:rLtl97RY94YJ:web2.uwindsor.ca/courses/cs/aggarwal/cs60564/Assignments/Assign2_HasanDorian.doc+%22avast!+antivirus+update+feature+is+reported+to+produce+ICMP+pings+with&hl=en&gl=us&ct=clnk&cd=1

Quote
The only False Positives cases are when Avast antivirus update feature is reported to produce ICMP pings with zero data when connecting to the Avast servers. This can occur every 40 seconds if no reply is received by the client. The Avast clients attempts to ping one of the following servers: (URL: http://www.asw.cz/iavs4pro; IP: 195.70.130.34), (URL: http://www.avast.com/iavs4pro; IP: 66.98.166.72), (URL: http://www.iavs.net/iavs4pro; IP: 207.44.156.15), (URL: http://www.iavs.cz/iavs4pro; IP: 62.168.45.69)

But then you also get statements like this

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci998669,00.html

Quote
SID 469 is not a very good rule. It causes a lot of false positives, because it's rather "loose." Other applications beside NMAP send echo request packets with no payload, and there are no other criteria to make the rule "tighter" or more specific

The reason for these quotes is to point out that packet sniffers may not be giving a true picture of what's happening in that you see the avast! activity but not the true source of the attack which is being blocked by the router.

Here's the definition of a Twinge attack

http://www.pcflank.com/expl_d.htm

Quote
The Twinge program sends a large number of false ICMP control messages very rapidly to a system. This usually results in performance degradation, and may cause the attacked system to crash. This spoofed attack, utilizes all types of ICMP packets with random IP source addresses.
Affected systems: Win 95,98,NT

If you google something like "DI-624 Twinge Attack" there are lots of hits - usually from people posting that the router is logging Twinge Attacks but without mention of also having avast! installed.  There's an interesting thread that offers plausible explanations for the attack here

http://episteme.arstechnica.com/eve/forums/a/tpc/f/469092836/m/682008402831

So my short answer is that I have a router from the same family as yours, 112, and I also have avast!, but I do not log any Twinge Attacks from any source.  I think you are subject to this attack from outside your own computer and are erroneously connecting the attack to the way some packet sniffers react to avast's update method. And maybe I should have just left it at that.
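
Added example (not part of the original thread or any poster's code): one way to check whether a router log like the one quoted in the first post looks like a steady 40-second retry or like the rapid flood in the Twinge definition quoted above. The line format is taken from the thread; the `flood_gap`, `tolerance` and 80% thresholds, the function names and all sample lines except the two 01:28 entries are assumptions made for illustration.

```python
import re
from datetime import datetime
from statistics import median

# Line shape copied from the router log quoted in the thread.
LINE_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2})/(?P<day>\d{2})/(?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) TWINGE ATTACK Detect Packet Dropped")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def parse_events(text):
    """Return the sorted timestamps of every TWINGE entry in the log text."""
    events = []
    for m in LINE_RE.finditer(text):
        if m["mon"] not in MONTHS:
            continue  # not a month abbreviation; skip the malformed line
        hh, mm, ss = map(int, m["time"].split(":"))
        events.append(datetime(int(m["year"]), MONTHS[m["mon"]],
                               int(m["day"]), hh, mm, ss))
    return sorted(events)

def classify(events, period=40, tolerance=10, flood_gap=1.0):
    """Label an alert stream by its inter-arrival gaps, in seconds."""
    if len(events) < 3:
        return "insufficient-data"
    gaps = [(b - a).total_seconds() for a, b in zip(events, events[1:])]
    if median(gaps) <= flood_gap:
        return "flood-like"        # many drops per second (assumed threshold)
    near = sum(abs(g - period) <= tolerance for g in gaps)
    if near / len(gaps) >= 0.8:
        return "periodic-retry"    # steady cadence near the 40 s retry
    return "irregular"

# Constructed samples: the two 01:28 lines are from the thread, the rest are made up.
PERIODIC_LOG = """\
Jan/05/2007 01:26:53 TWINGE ATTACK Detect Packet Dropped
Jan/05/2007 01:27:33 TWINGE ATTACK Detect Packet Dropped
Jan/05/2007 01:28:14 TWINGE ATTACK Detect Packet Dropped
Jan/05/2007 01:28:57 TWINGE ATTACK Detect Packet Dropped
Jan/05/2007 01:29:37 TWINGE ATTACK Detect Packet Dropped
"""
FLOOD_LOG = "".join(
    f"Jan/05/2007 03:10:{s:02d} TWINGE ATTACK Detect Packet Dropped\n"
    for s in (1, 1, 1, 2, 2, 2))

if __name__ == "__main__":
    for name, log in (("periodic", PERIODIC_LOG), ("flood", FLOOD_LOG)):
        print(name, classify(parse_events(log)))
```

A "periodic-retry" result only says the timing matches a fixed-interval client; confirming the source still needs a capture on the LAN side, as done earlier in the thread.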


112

  • Guest
Re: D-link router reporting Avast as Twinge Attack
« Reply #7 on: January 07, 2007, 06:51:37 PM »
Problem fixed.
followed this link and all is well  ;D.
http://www.avast.com/eng/updates2.html

thanks for the help guys.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: D-link router reporting Avast as Twinge Attack
« Reply #8 on: January 07, 2007, 06:55:34 PM »
Could you expand a bit? I'm curious, as I'm sure are others.  ;D

112

  • Guest
Re: D-link router reporting Avast as Twinge Attack
« Reply #9 on: January 07, 2007, 11:58:58 PM »
^ I had to edit the AVAST4.INI file and change the line "AssumeAlwaysConnected=1"; it used to be AssumeAlwaysConnected=0.

This fixed the problem. It apparently tells avast that the computer is directly connected to the internet even though under options I had that checked. By making the change it bypasses the pings every 40 seconds and therefore no more attacks.

Before this my computer was sending ICMP pings about every 40 seconds and my router viewed this as an attack.

mauserme: I think this is the link you're asking me for.
http://www.snort.org/pub-bin/sigs.cgi?sid=469
look under false positives.
« Last Edit: January 08, 2007, 12:04:21 AM by 112 »

mauserme

  • Guest
Re: D-link router reporting Avast as Twinge Attack
« Reply #10 on: January 08, 2007, 01:01:01 AM »
Thanks for the link 112.

When I change my avast4.ini to AssumeAlwaysConnected=0 I still don't log any Twinge Attacks and I'm not sure I see the connection between a Snort false positive and your router logging these attacks.  But if the problem has ended that's a good thing.   :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: D-link router reporting Avast as Twinge Attack
« Reply #11 on: January 08, 2007, 01:05:17 AM »
Usually 0=no and 1=yes so you are effectively saying you are on dial-up, I would be interested to see what the Update (Connections) settings now shows ?

mauserme

  • Guest
Re: D-link router reporting Avast as Twinge Attack
« Reply #12 on: January 08, 2007, 01:14:40 AM »
Me or 112?

On my computer I changed to AssumeAlwaysConnected=0 and left UseRAS=0 assuming 112 did not change the latter. 

According to the avast! link posted by 112, UseRAS=1 tells avast! the connection is dial up only, effectively ending all pings.  Tech would know more about this.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89014
  • No support PMs thanks
Re: D-link router reporting Avast as Twinge Attack
« Reply #13 on: January 08, 2007, 01:26:46 AM »
It was directed to 112.

Since 112 had previously set the Update (Connections) My computer is permanently connected to the internet, then the UseRAS should have been set to 0.

The problem is the Update (Connections) allows you to have four settings, both checked, both unchecked, one checked, then switch to the other option checked.
« Last Edit: January 08, 2007, 01:28:38 AM by DavidR »