I keep getting this warning

[EricB]

Hey.

I keep getting this warning. Is this a legit warning or?

Thank you!!

[DavidR]

A reverse IP lookup for this IP address returns "saucy-border.aeza.network"
Is this in anyway familiar to you  ?

Whilst there are legitimate reasons why svchost.exe would connect to the internet (usually windows related) but it has in the past been used for bad reasons.

There is one other hit on this check - https://www.virustotal.com/gui/url/77a9208e25b344698fb55fe134089565377ed3c9ac7f69b2d353c6417fce0ecf?nocache=1
Other issues reported here - https://en.internet.nl/site/saucy-border.aeza.network/1871842/

Webpage Security Score F and JavaScript Libraries with vulnerabilities - https://snyk.io/test/website-scanner/?test=230113_AiDc5Q_CGK&utm_medium=referral&utm_source=webpagetest&utm_campaign=website-scanner

However a search for that ports usage :7680 https://www.speedguide.net/port.php?port=7680 so this would appear to be used for

TCP port 7680 is used by WUDO (Windows Update Delivery Optimization) to distribute updates in Windows LANs.

But the IP address before that doesn't appear to be related to Microsoft Updates.

[EricB]

Hey, thanks for the answer. No, it is in no way familiar to me. Any idea what this could be? It looks suspicious to my amateur eyes.

[DavidR]

I'm not an Avast Team member but an Avast User - Whilst I'm not an expert by any means, it is very hard to determine what it is.

Is there any occurrence that has changed recently, program installation/update, etc.  ?
What were you doing at the time of the alert/s (if the same thing or just browsing may be related).
How frequently is this happening  ?

However, another test on the IP address returns an error - https://www.ipaddress.com/ipv4/89.185.85.175 - this means an interaction is occurring with Cloudflare and there have been instances where this is detected by Avast.

So I would suggest reporting it to the Avast virus labs for Analysis:
You can use the - Reporting a Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
You should get a response in a day or two. 

This is the link/website that you want to report tXp://89.185.85.175:7680 - I have changed the tcp to tXp so the link isn't active in the forums.  You should use the Full URL in your image - I would suggest you also give a link back to this topic in your possible false positive website submission, as this contains a lot of additional information that may be helpful.

[EricB]

I just had an epiphany about windows update and allowing to download updates from other computers in the internet. I turned that off and it didnt happen since then. Thats not a 100% confirmation that it worked..... but maybe?!

[DavidR]

I just had an epiphany about windows update and allowing to download updates from other computers in the internet. I turned that off and it didnt happen since then. Thats not a 100% confirmation that it worked..... but maybe?!

I would say that is a high probability.

I certainly have never considered allowing that option, trusting sort that I am (not), but I would have thought that would have been from other systems on your network.  But I could well be wrong on that.

However, monitor and see how it goes.

Interestingly, now you have disabled that option, have you had to download any windows update to your system ?

[EricB]

I remember activating that option due to some update issues a while ago. A good possibility, so far no warnings.

No update currently. However, win10 is trying very pro-actively to get me to download win11. Maybe thats the reason.

[DavidR]

Fingers crossed that was the cause. 

Fortunately for me this laptop is deemed unsuitable for Win11 by Microsoft, so that can wait until I replace it.

[polonus]

See the suspicious reputation of that IP here: https://maltiverse.com/ip/89.185.85.175

Various malicious activities reported on URLhaus

Also see: https://sitereport.netcraft.com/?url=http://89.185.85.175  risk rate: 9 red out of 10.

8 vendors to flag here: https://www.virustotal.com/gui/ip-address/89.185.85.175
communicating flie:

Scanned   Detections   Type   Name
2022-10-12   
53/ 72   Win32 EXE   팟플레이어

polonus

[EricB]

Thanks for that.

Do you think blocking this IP in the windows firewall helps? Is there additional steps i could take for safety?

[polonus]

Hi EricB,

You are welcome. The best thing you did was reporting here on the forums,
also making the unaware aware. Always a good scheme i.m.h.o.

So do not worry, avast has done what it should have done,
alerting you and taking you from there and that redirection route. 

Blocking a known potentially malicious and suspicious IP can be done with the windows host file,
if that will set your mind at ease. But there is a whole chain of redirects to block then.
(See the IP delegation chain -( USA, the Netherlands and Russian Federation)).

At least this redirect has been taken down: https://sitecheck.sucuri.net/results/saucy-border.aeza.network  -> https://www.shodan.io/search?query=194.26.229.0

Redirecting, also with 9 red out of 10 netcraft risk rate here:
https://sitereport.netcraft.com/?url=http://45.15.159.145

But here we only meet with a 2 red out of 10 netcraft risk rate:
https://sitereport.netcraft.com/?url=http://saucy-border.aeza.network

But we could have established that network is or has been open to abuse of sorts.

I think you are out of the woods now, no pack of wolves threatening 

Have a nice and secure day both online as offline,

polonus

[EricB]

Alright, thanks a lot!