Author Topic: Avast/RPCSS.exe accessing the internet..worried user  (Read 35607 times)

raman
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #15 on: July 17, 2003, 06:09:09 PM »
Quote
There is no doubt that Avast does initialise the RPCSS command, which is basically a local server which kicks in PRIOR to my firewall. So c'mon MODS, where's the answers to these questions?????

After doing a little board search, I think I found the answer you are looking for. For the rest, wait until VLK is back! :)
http://www.avast.com/forum/index.php?board=2;action=display;threadid=220;start=0
MfG Ralf

pcb
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #16 on: July 17, 2003, 06:34:55 PM »
well, Jusme,

I'm surprised to find another person concerned about this issue-only Techie101, and now you, have voiced any concern.

You say that RPCSS.exe is not used in updating  the virus signatures. If you did the updating manually, then I am not too surprised, as I presume that  the RPC is only used to LOOK for updates. I have just tried updating manually after killing RPCSS.exe, and it worked fine, as you say.

However, I have been permitting the RPC service to access the net, and I received an update about an hour ago ( before trying the manual update).
( I have set the update service to advise me when an update is found).

I reckon that we will discover, when the moderators get back from their R&R, that there is nothing to worry about..at least I certainly hope so-I am beginning to like this program.

take care,

PcB


pcb
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #17 on: July 17, 2003, 07:12:04 PM »
raman,
 
I wish you had posted this earlier-I would have had my answers then, and saved a lot of bother, lol.

I actually did a search before I posted originally, looking for "RPCSS.exe", and your link did not come up.
If I had known, I would not have posted.

I still think, however, that someone more knowledgeable than me should query this further:

Most importantly: is  RPCSS.exe , in fact, seeking access to the internet in order to look for updates, or not? ( is it OK to NOT allow it permission to access the net with a firewall?)

Does Avast really need RPC ? Can it not use some other service: what do other AV programs use to look for updates, or to communicate with themselves internally, as VLK seems to be asserting?

Is the RPC communicating with itself continuously, or only when it is looking for updates?

Cheers all,

PcB

raman
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #18 on: July 17, 2003, 07:26:34 PM »
Quote
I wish you had posted this earlier-I would have had my answers then, and saved a lot of bother, lol.

I did not follow this thread and I am certainly the wrong person to answer that question! :)


MfG Ralf

snevouk
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #19 on: July 17, 2003, 07:57:36 PM »
Thought you might be interested in this:-

Microsoft has released a patch for a critical flaw in Windows Exchange Server 2003, Windows XP, 2000 and NT 4.
The flaw involves the Remote Procedure Call (RPC) protocol, which deals with inter-computer communications. Microsoft warned that, under certain circumstances, the RPC might not check messages sent to the PC properly.

If a malformed message is sent to the target PC it can be routed through port 135 and used to run code on the infected PC.

A patch is now available.

"Microsoft has rightly classified this vulnerability as 'critical'," said Pete Philips, penetration tester with security vendor Integralis.

"Any host with port 135 open to a hostile environment, such as the internet, is very vulnerable. We'd recommend patching as a matter of urgency."

Note the last line particularly.
Note also that the patch is not valid for Win 98.

I too am very concerned that RPCSS is called into action by Avast and have blocked it with my firewall.  I am finding a steady stream of inbound UDP messages heading for port 135 getting stopped by the wall.  Activating RPCSS allows remote control and configuration of your computer by a remote operator as far as I am aware.  I would rather have a virus!!!

I have not yet found out how to disable RPCSS in Win 98 since the DCOM config commands from Win 2000 etc do not seem to be available.

JusMe
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #20 on: July 17, 2003, 08:09:44 PM »
Here's a quick fix that doesn't stop the process running, but strips the 'gummings' it needs to enable a server.
Disable the virus scanner from starting up using START/RUN then type msconfig and click ok.
Select the STARTUP tab in the pop up window, then uncheck the box alongside avast! to stop it loading.
Restart the PC.
If the virus scanner fails to start which is what you need, you can then simply go to C:\WINDOWS\SYSTEM and look for a dll file named Rpcltscm.dll.
Rename this to Rpcltscm.txt (note the change of extension)
Now run msconfig again to re-enable the virus scanner (check the box you un-checked earlier)
Restart the PC.
Avast still runs, still updates as normal, but now this pesky server is history.
Remember, the process RPCSS.EXE still starts and runs in the background, it just doesn't know how to run as a server anymore.
I don't know how effective this workaround is, the dll file may get re-written at some point, but so far, so good.

JusMe
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #21 on: July 17, 2003, 10:32:22 PM »
Hi pcb.

No I didn't update manually, avast still does that despite disabling RPCSS.EXE  !!! (it updated with a new fileset only today)
Now someone still try to tell me it's used for updating!
Also, not allowing it to connect to the net does not seem to affect the functionality of the software, mine starts and seems to be running fine.

I gotta say MODS, all this seems a little fishy to me.
Microsoft have ADMITTED (under pressure, as usual) that there is security flaw with RPCSS, yet you seem unwilling to even explore this further despite these posts.

Can I ask, does your company use the RPCSS process for communicating with our PC's, or have you enabled it for someone else, maybe for a fee?
Someone like..................................................MICROSOFT?

I know we've been asked to wait for a reply, but waiting ain't one of my attributes, especially when it takes 3 hours to rebuild my operating system from scratch just because some scrote thinks he's Neo and has the right to fcuk with my PC!

raman
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #22 on: July 17, 2003, 10:41:12 PM »
Quote
Microsoft have ADMITTED (under pressure, as usual) that there is security flaw with RPCSS, yet you seem unwilling to even explore this

Like I said, I did not follow this thread, but if you do not like this Microsoft service why not disable it?
MfG Ralf

Pavel, ALWIL Software
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #23 on: July 17, 2003, 11:04:46 PM »
JusMe:
You have already read it above: VLK will be back on Monday and I can't help you with this technical question relevantly. If waiting ain't one of your attributes, you can read the opinion VLK expressed in the thread above several times.

Quote
Can I ask, does your company use the RPCSS process for communicating with our PC's, or have you enabled it for someone else, maybe for a fee?

Total bullshit. We have been working hard on our antivirus programs for 15 years this month (well, at least some of us ;) ) and we still like it. The reason why avast! Home is free is that we want to help the home users and, well, to make avast! a little bit more famous as well.

If you do not trust your antivirus vendor, how can you trust his programs? If you believe there is some kind of spyware/backdoor in avast, please be so kind and uninstall it immediately. But do not spread false accusations without any facts, please!

Pavel
All of us could take a lesson from the weather. It pays no attention to criticism.

JusMe
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #24 on: July 17, 2003, 11:47:36 PM »
Pavel,
I come from a place where the saying 'calm down' is sort of a catchphrase.
That was the first thing I thought of when reading your response, especially when I got to the bit that said:

 

JusMe
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #25 on: July 17, 2003, 11:48:28 PM »
OOOOPS!!!

pcb
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #26 on: July 17, 2003, 11:53:30 PM »
Pavel,

It's nice to hear from you..it's been a long time since a moderator has responded to this thread.
I realise the others are on holiday, and you must be pretty busy.

Please realise that we are just concerned about this issue.
I don't know about anybody else posting here, but I am not a computer expert, though neither am I a newbie.
I have been letting RPCSS.exe access the internet, believing it to be a legitimate action, used by Avast to get virus updates.

At first, I blocked it, but then later, as it seemed OK to give it access, I did so, and have been doing so for the last 2 days.
Now, if this is NOT Avast calling on it to access the net, what have I been allowing to be sent in and out of my computer?

I hope you can appreciate my/our concern.

I would like to add that I had never even come across RPCSS.exe until I installed Avast a short while ago.

If it turns out that RPCSS.exe has nothing to do with the Virus signature updating service, and can be blocked by a firewall without preventing Avast from doing its job, (please see Jusme's last posting though, which I quote below) then I'll be quite happy, and won't bother anyone about it again.

I am, apart from this one issue, very impressed with Avast, and once reassured about this issue, and have a fuller understanding of how/why RPCSS.exe is used by the Avast, I will be a devoted user, I am sure.

Thank you. I look forward to hearing from one of the software authors, hopefully on Monday or soon after.


Jusme..

you say:
Quote
No I didn't update manually, avast still does that despite disabling RPCSS.EXE  !!! (it updated with a new fileset only today)
and:
Quote
Also, not allowing it to connect to the net does not seem to affect the functionality of the software, mine starts and seems to be running fine.

If what you say is true, then what Pavel and Vlk said in this posting: http://www.avast.com/forum/index.php?board=2;action=display;threadid=220;start=0
is not true.

Raman,
I must believe them- that the RPC service is needed for Avast to be fully functional.

Cheers, all,

PcB

JusMe
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #27 on: July 18, 2003, 12:31:13 AM »
Strange, the preview is posting???
Anyway.........
the bit where you say I'm spreading false accusations.
Not to be too bitchy about it, I think you'll find they were questions, which you have ANGRILY denied.
Ok, I do believe you (dunno why? jus do. maybe trust has to start somewhere)

I never really suspected your company of this type of underhand tactic.
What would be the point?
In the short term, yeah, make a quick killing by bundling, but in the long term you'd be doomed once the techies were onto it.

Let's just say the 'MS theory/QUESTION' was my way of 'opening doors'.

I love this scanner up to now, I even like the scanning GUI, and want it to work on my PC 'cause others I've tried just hog too much resource, so don't be putting me off by tellin' me to 'uninstall' just because I've said something that you don't like.
Isn't that called washing your hands?

I've read the previous on this, seen the comments VLK made.
Local ports can be routed to, so it ain't safe.
An open port is an open port, be it local or otherwise.
The fact the program is RUNNING and LISTENING is a security threat.
Along with Microsoft themselves admitting this process can be exploited, I just cannot believe this is not seen as a problem.

VLK has said he sees no problem with letting it run in the background.
There are many out there that disagree, including myself, but I look forward to seeing what the man has to say on his return in light of these postings.

At the end of the day, I've disabled it, and if you guys are happy with that, then so am I.
Still leaves one nigglin question though.
Why?

Guess I'll have to be patient :p'

JusMe
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #28 on: July 18, 2003, 12:42:45 AM »
PcB

I'm sorry, but I think I've got you confused a bit.
You have misunderstood what I have actually disabled on my PC.
I have not disabled RPCSS.EXE, VLK is right, it IS needed. (just try renaming it, see if avast works after that, you'll find it won't)
What I HAVE disabled is the DLL that allows REMOTE ACCESS.(Rpcltscm.dll)
That is not the same as disabling the WHOLE RPCSS process.

Sorry about that.


techie101returns
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #29 on: July 18, 2003, 05:26:06 AM »
Boy....this turned out to be one heck of a thread!

Anyway...everyone please calm down!  Name calling and insults (and cursty language) won't get this matter resolved.  We ALL are interested in this now.

One thing I can add.  My W98 system has RPCSS.exe called up whenever Avast is running, BUT DOES NOT ASK FOR INTERNET ACCESS.  I have this blocked by my firewall, therefore, VLK's remarks that this process is used by Avast for inter-process communication seems believable.
I think that at this point, it has been determined that Avast uses the RPCSS not only for updating, but for the On line Protection Control, and all of its other internal components since Avast will not function when RPCSS is disabled (not just blocked from internet access)

My FW has not recorded any attempts by the RPCSS process to communicate with, or to be used by any outside server other than "local machine".

I certainly take exception to the remark that Avast put a backdoor in to secretly communicate with our pcs.
Bunk on that one!

The Avast team has proven themselves in doing everything they can to make Avast one of the best av programs around.  With every new release, "a bug" can creep in, but with cooperation from users......it gets fixed! If you can't stand with them and cooperate in a proper manner, then go find another av to use.

 ;)
« Last Edit: July 18, 2003, 05:33:04 AM by techie101 »
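
The posts above disagree on whether the RPC listener on port 135 is reachable from outside or only used locally. The following is an added example, not posted by anyone in this thread and not Avast or Microsoft code: it reads `netstat -an` style output and reports which address each port 135 listener is bound to. The sample output and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1040      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    127.0.0.1:1026         *:*
"""

# proto, local address, local port, foreign address, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def classify_bind(addr):
    """Say how widely a local bind address accepts traffic."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))  # netstat brackets IPv6
    except ValueError:
        return "unparsed"
    if ip.is_unspecified:
        return "all-interfaces"      # 0.0.0.0 or :: accepts on every adapter
    if ip.is_loopback:
        return "loopback-only"       # reachable only from the machine itself
    return "single-interface"


def rpc_listeners(netstat_text, port=135):
    """Return (proto, address, scope) for every listener on the given port."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, local_port, _foreign, state = m.groups()
        if int(local_port) != port:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue                 # skip established or closing connections
        findings.append((proto, addr, classify_bind(addr)))
    return findings


def exposed(findings):
    """Listeners that depend on a firewall to keep outside hosts away."""
    return [f for f in findings if f[2] != "loopback-only"]
```

A listener bound to all interfaces is reachable from the network unless a firewall drops the traffic first, which is the role the posters' firewalls play here.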