Topic: Strange SMB:BruteForce Alerts


Offline KDibble

  • Full Member
  • ***
  • Posts: 199
Strange SMB:BruteForce Alerts
« on: September 07, 2021, 11:00:57 PM »
I'm aware that there are other threads on this topic here, and I've read all of them. Most of them seem to relate to free or home-user versions of Avast, and that's not what I'm using. Also, the explanations offered by Avast people in those threads are general in nature. That isn't helpful to me.

Can anyone provide some specific and detailed explanation of what could possibly cause the specific behavior described below:

I am using Avast Business Pro with the on-Premise Console. Program 21.6.x

On Sunday morning September 5 (EDT, Eastern USA), the Avast client on a single Windows 7 workstation on my network issued three alerts of SMB:BruteForce, each precisely 30 minutes apart. The alerts reported that an IP4 address leased to a single iMac was attempting to connect to this workstation. This iMac only connects to my network via wireless, and it only has access to a separate VLAN that is configured only to provide internet connection sharing.

The iMac was unattended, and had been left in "sleep mode". However, the IP address is definitely leased to that device, and the lease doesn't expire until September 14--a week from now.

Therefore, this iMac should not have been able to even see any other workstation on my network. As I understand it, because it was on a separate internet-only VLAN, it should not have even been aware that it was ON a network.

So what specific set of circumstances could cause the exact behavior that I have described here?

Thanks very much for any specific--not generic--response.

[Edited Sep 8 2021 10:30 am EDT to correct an error (it was an iMac, not a Mac laptop) and to add that it was running at the time but in "sleep mode".]
« Last Edit: September 08, 2021, 04:35:15 PM by KDibble »
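A defender-side triage helper for the pattern described in this post (a burst of SMB:BruteForce alerts, evenly spaced, all attributed to one source IP that should be on an isolated VLAN). This is an added example, not Avast's code or log format; the alert line layout, host names and subnets are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a made-up "timestamp | host | detection | source" layout.
# This is NOT Avast's real export format; adapt parse_alert() to whatever the console emits.
SAMPLE_ALERTS = [
    "2021-09-05 08:02:11 | WS-07 | SMB:BruteForce | 192.168.50.23",
    "2021-09-05 08:32:11 | WS-07 | SMB:BruteForce | 192.168.50.23",
    "2021-09-05 09:02:11 | WS-07 | SMB:BruteForce | 192.168.50.23",
    "2021-09-05 10:15:40 | WS-03 | Web:Phishing   | 203.0.113.9",
]

# Assumed address plan: the internet-only guest VLAN lives on 192.168.50.0/24.
# A source in this range should have no path to the workstation LAN at all.
ISOLATED_NETS = [ipaddress.ip_network("192.168.50.0/24")]

def parse_alert(line):
    ts, host, detection, src = [f.strip() for f in line.split("|")]
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "detection": detection,
            "src": ipaddress.ip_address(src)}

def group_alerts(lines, detection="SMB:BruteForce"):
    """Group timestamps of one detection type by (reporting host, source IP)."""
    groups = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a["detection"] == detection:
            groups[(a["host"], str(a["src"]))].append(a["time"])
    return {k: sorted(v) for k, v in groups.items()}

def intervals_minutes(times):
    """Gaps in whole minutes between consecutive alerts from one source."""
    return [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]

def triage(lines):
    """Per (host, source) cluster: count, fixed spacing if any, and whether the source
    sits in a VLAN that should be unable to reach the reporting host. A fixed interval
    points to a scheduled client process rather than interactive guessing; an
    'isolated' source means either the segmentation is not what you think (verify the
    VLAN ACLs and the reporting host's ARP/connection table) or the attribution is wrong."""
    findings = []
    for (host, src), times in group_alerts(lines).items():
        gaps = intervals_minutes(times)
        regular = len(gaps) > 0 and len(set(gaps)) == 1
        isolated = any(ipaddress.ip_address(src) in net for net in ISOLATED_NETS)
        findings.append({"host": host, "src": src, "count": len(times),
                         "interval_min": gaps[0] if regular else None,
                         "isolated_source": isolated})
    return findings
```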

Offline KDibble

  • Full Member
  • ***
  • Posts: 199
Re: Strange SMB:BruteForce Alerts
« Reply #1 on: October 27, 2021, 05:42:46 PM »
Can anybody tell me how to stop these bogus "BruteForce" alerts???

I've looked at threads on this topic and they all say there's a way to at least allow specific IP addresses to do whatever it is they are doing without triggering these alerts. However, they say this involves tweaking a setting on the Remote Access Shield (or something similar).

THERE IS NO REMOTE ACCESS SHIELD in the on-premise console. HOW DO I DO THIS?? It's driving me nuts!

Thanks.

Offline Infratech Solutions

  • Avast Reseller
  • Super Poster
  • *
  • Posts: 2127
  • Wholesaler and integrator of AVAST Software in Spain
    • Avast cybersecurity for companies and MSPs in Spain.
Re: Strange SMB:BruteForce Alerts
« Reply #2 on: October 28, 2021, 05:32:38 PM »
You cannot manage Remote Access Shield from Avast Business On-Premise Management Console.

Try to configure exceptions locally on the affected device.

Offline jjunc

  • Newbie
  • *
  • Posts: 14
Re: Strange SMB:BruteForce Alerts
« Reply #3 on: November 01, 2021, 02:44:28 PM »
I am getting the SMB:BruteForce attacks on a newly imaged laptop starting 10/28/2021. It is blocking my Microsoft System Center server that is trying to install programs that I have approved. There isn't a remote access shield to disable or configure.

Configuring it locally at each computer is not an option.  Managing everything remotely is why I am paying for this. 

Offline Infratech Solutions

  • Avast Reseller
  • Super Poster
  • *
  • Posts: 2127
  • Wholesaler and integrator of AVAST Software in Spain
    • Avast cybersecurity for companies and MSPs in Spain.
Re: Strange SMB:BruteForce Alerts
« Reply #4 on: November 01, 2021, 06:22:01 PM »
You cannot manage Remote Access Shield from Avast Business On-Premise Management Console on the current version.

You can only manage Remote Access Shield with Avast Business Hub (cloud console).

Offline KDibble

  • Full Member
  • ***
  • Posts: 199
Re: Strange SMB:BruteForce Alerts
« Reply #5 on: November 02, 2021, 07:09:49 PM »
I got the same response about the on-premise console when I filed a ticket on this.

What we REALLY NEED is for Avast to FIX this BUG that causes the remote access shield to interpret harmless behavior by Apple devices that are on a SEPARATE VLAN and CANNOT SEE other network devices, as an attempt to connect to a network device.

That's what we really need here.

Edited to add:

Actually, there is NO Remote Access Shield in the client either. Avast Business Pro, program version 21.8.2670 (August 2021 but the client says this is up to date). The only shields available in the client are File Shield, Behavior Shield, Web Shield and Mail Shield.

I have the "Firewall" and "Real Site" features turned off.
« Last Edit: November 02, 2021, 07:29:36 PM by KDibble »

Offline jjunc

  • Newbie
  • *
  • Posts: 14
Re: Strange SMB:BruteForce Alerts
« Reply #6 on: November 05, 2021, 04:44:21 PM »
I put in a help ticket.  I was advised to put in a URL Exception in the Web Shield.  smb://ip address

So far, no more threats detected.

Offline KDibble

  • Full Member
  • ***
  • Posts: 199
Re: Strange SMB:BruteForce Alerts
« Reply #7 on: November 08, 2021, 09:14:21 PM »
Quote from: jjunc on November 05, 2021, 04:44:21 PM
> I put in a help ticket. I was advised to put in a URL Exception in the Web Shield. smb://ip address
>
> So far, no more threats detected.

Oooh... that's interesting.

These alerts appear intermittently, repeat several times, and then stop. Days or weeks later they start again, perhaps on a different machine, but always pointing at the local IP address of the same iMac device.

If they start up again I'll try that.

BTW, the Remote Access Shield feature is extremely buggy in a completely different way. It may, or may not, show up in an Avast Business Pro client that is managed by the On Premise Console at all. I have several workstations that don't have it, and others that do. Reinstalling the client has no effect on this. I suspect the root cause is various factors that impede the client's communication with the console; it's not really supposed to be available at all when using the On Premise Console, but the client may or may not get that message quickly and so, for a while, it displays that shield.

I've got a ticket in on this.