Author Topic: Avast/RPCSS.exe accessing the internet..worried user  (Read 44372 times)

pcb

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #30 on: July 18, 2003, 11:30:29 AM »
Techie 101,

Unlike you, I have had RPCSS.exe access the net, and also receive, regularly. This is one of the "alerts" from my Firewall:

 "Someone from c-134-76-211.b.dial.de.ignite.net [62.134.76.211], port 4944 wants to send UDP datagram
to port 135 owned by 'Distributed COM Services' on your computer"  "c:\windows\system\rpcss.exe" . )

I have queried Ripe Whois about that address, which  came up with this:

inetnum: 62.134.64.0 - 62.134.127.255
netname: BT-IGNITE-DIAL-5
descr: BT Ignite Dialin
country: DE
admin-c: BCCC-RIPE
tech-c: BNMC-RIPE
status: ASSIGNED PA
remarks: was VIAG-DIAL-5
remarks: appr. RIPE-NCC-20000918
mnt-by: IGNITE-DE-MNT
changed: dave.pratt@viaginterkom.de 20001017
changed: katrin.bihlmayer@btignite.de 20020115
changed: hermann.maser@btignite.de 20020404
source: RIPE

route: 62.134.0.0/16
descr: DE-VIAG-20000918
origin: AS8472
mnt-by: IGNITE-DE-MNT
changed: david.pratt@viaginterkom.de 20000919
source: RIPE

role: BT Ignite Customer Care Centre
address: Mergethaleralle 6-8,
address: 65760, Eschborn, Germany
phone: +49 69 3307 6611
fax-no: +49 69 3307 1111
e-mail: bccc.internet@btignite.de
trouble: SPAM/COMPLAINTS to: btignite-abuse@btignite.de
trouble: SPAM/COMPLAINTS to other addresses will probably be ignored.
admin-c: KM2133-RIPE
tech-c: HK376-RIPE
tech-c: ST378-RIPE
tech-c: SR1985-RIPE
notify: ripe@de-ignite.net
nic-hdl: BCCC-RIPE
mnt-by: IGNITE-DE-MNT
changed: dp@planning.viaginterkom.de 20010703
changed: hermann.maser@btignite.de 20020227
changed: hermann.maser@btignite.de 20020429
source: RIPE

Looks harmless, and maybe even helpful (an anti-spam service?)- I presume the BT is my telecoms provider: British Telecom. ( I have emailed Dave Pratt asking for information)

Why should my RPCSS.exe be wanting access to the net, and not yours?
 As I mentioned earlier, I started off by blocking the service( when I didn't know what it was all about), but then, as it appeared to be a legitimate use by Avast I have been allowing both in & out...(stopping it all from now though!)


Jusme,
Thanks for your tip on how to disable RPCSS.exe without in fact disabling it ;-).
Yes, I'm sorry, I misunderstood. (Reading too fast, I suppose).

I would like to have this workaround verified as acceptable by the experts.
 
By the way, you could try not to be too wild in your accusations. I think that Pavel was pretty restrained in his reply to you, considering!


This for the Avast team:

 If Avast does not assign RPCSS.exe to access the net, why has a warning (that it might do so and can be safely blocked by a firewall) not been included (in the installation process or the readme or the helpfile) ? And to advise users to block it with a firewall.
Surely this would have been sensible, so as to avoid this worrying misunderstanding?

 (Of course not everyone uses firewalls. I can see the problem there for you. Other AV programs don't seem to use RPC, (with great respect) could you not find some other way to fulfil the same function?


All the best,

PcB

JusMe

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #31 on: July 18, 2003, 11:12:42 PM »
Ok guys, point taken.
I'm a little rough around the edges, I know ok, lol
Never been very....errr.... diplomatic.
(that's real close to an apology you know)

Maybe I did fly off the handle a bit, said some controversial shi......hmmm......and 'crusty' stuff, but I was real mad when I realised I was connected to the net with a listening port known to be EASILY exploited.

I musta presumed you guys would know better than to let this happen, so I thought you'd musta done it on purpose.
Not sure which is more worrying.
You knowing, or not knowing........

I'm calm and mellow now, (disabling the server listening on 135 helped)
Along with a little more research, I now believe this to be just another UNINTENTIONAL SECURITY FLAW.


Pavel. Another thing.

I don't know who you guys are.
I'm sure you really are straight up, but remember, I've just walked in off the street.
Am I to just instantly trust EVERYBODY that produces software?
(My experience says no, suss 'em out first!)

Yet another thing.
Would you be telling me to uninstall if I'd paid for it?

Sorry if it sounds like I'm having a go again, it's only self defense : )

**********************************************
A nose walked into a bar and asked for a shot of JD.
"No chance" said the barman, "you're off your face"

snevouk

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #32 on: July 19, 2003, 01:13:27 AM »
Hi JusMe.

Thanks for the tip about disabling the rpcltscm.dll.

Have renamed it and am happy to see that RPCSS no longer has any connections open to the outside world.

I feel better now, even though I already had the firewall blocking it.

While I really like the quick incremental upgrades for Avast and a number of other features, it does appear to have a few rough edges like this, but I suppose that's why it's free.

Took me a while to realize that it was Avast which had activated RPCSS on my PC as I did a number of simultaneous changes recently (always a bad idea) and it was only discovering this forum which confirmed my suspicions.

Really do not like the idea of a server running on my Win98 machine, even if it is hiding behind a firewall!

techie101

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #33 on: July 19, 2003, 01:21:50 AM »

Quote
Unlike you, I have had RPCSS.exe access the net, and also receive, regularly......
Why should my RPCSS.exe be wanting access to the net, and not yours?

pcb,
I wish I had an answer for you, but my rpcss does not communicate with the internet.  I have never heard of Ignite, but that may be a service in Europe that does not extend itself to the US.
Hopefully, VLK who is the senior guru might come back with some more information.

Fact remains, if you disable rpcss completely, Avast will not do anything!  

If we keep "asking".....we may get a more detailed answer from the Avast Team.

Wish I had more to offer on this, but I am as puzzled as you.

 :-[

pcb

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #34 on: July 19, 2003, 06:58:59 PM »
Many thanks for all your input, Techie101, Svenouk, and Jusme,

Looks like we're getting this sorted out, without Avast's help. Just our luck that they are on holiday!

Jusme & Svenouk, by disabling the rpcltscm.dll, are you sure you're not preventing some other important/useful program/process from working?

Does anybody have any in-depth knowledge on this one?

Cheers all,

PcB

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #35 on: July 19, 2003, 07:36:00 PM »
Quote
Does anybody have any in-depth knowledge on this one?

The one with the dll is a bit quick and dirty. There is a good German "how to disable Windows XP/2000 Services" guide: http://www.kssysteme.de/s_content.php?id=fk2002-01-31-3823
A quick Google search brings up this site. Maybe it is useful (did not read it completely): http://www.overclockersclub.com/windowsxpservices.shtml
But be careful, if you do not know what you are doing, it could affect the "behavior" of your computer!
« Last Edit: July 19, 2003, 07:38:35 PM by raman »
Kind regards, Ralf

pcb

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #36 on: July 19, 2003, 09:12:56 PM »
Raman,

Thanks for the input and links. I'm afraid, though that I'm still using 98se, so wonder whether what goes for XP goes for 98se in this case.
Anyway, given what was mentioned on the second link:

Quote
Remote Procedure Call (RPC) (Automatic) -Critical! Leave this set to Automatic. Just about everything depends on this service to be running.

Remote Procedure Call (RPC) Locator (DISABLE) -Manages the RPC name service database. I have not found a reason to keep this service running. If something on your network breaks after you disable this service, put it back to Manual or Automatic.

...which RPC are we talking about here..the locator (seemingly OK to disable), or the former (Critical!) one?

I'm still unwilling to follow Jusme's tip, until more sure of what can transpire.

PcB



JusMe

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #37 on: July 20, 2003, 12:57:29 AM »
Hi snevouk.
You're welcome, although raman is right, it is a dirty fix, (but as you've found, it does work.)

pcb
Don't think you need to worry about it affecting your PC, remember the majority of RPCSS still runs, just the bit that starts the SERVER is 'hacked off'.
Other programs that need the process should still work unless they need to act as a SERVER FROM YOUR PC.
At the end of the day, if anything DOES go wrong, just rename it back, no harm done.

Servers mean letting people gain access to your PC, not for me that's sure.
Having said that, it seems you CAN kill RPCSS once avast has STARTED.
As far as I can tell, NOT ONE PART OF RPCSS IS USED FOR UPDATING or KEEPING THE PROGRAM FUNCTIONAL.


Try it.
Get a decent 'background programs' viewer, there are free ones if you look around.
Some viewers will also let you Kill the running tasks it finds.
Kill the RPCSS program.
Avast doesn't 'die', and it still scans, updates and works fine.
It's just that avast won't STARTUP if RPCSS is disabled or removed, for example, if you re-boot your PC, hence the need for dll 'hatchet job' if you want avast to run as normal, but not start this unnecessary and dangerous service.


I'm quite pleased with the product up to now, like snevouk said, just the odd burr that needs filing down to give a nice and smooth, sleek product.
A bit worried about the limited and lengthy time to respond though.
It seems we have to wait for one guy to come back from his hol's before anything can even be looked at, never mind fixed and resolved.
In the meantime, many of us could be broadcasting away to the underbelly of the WWW.
Who knows, we may get some answers this coming week.

pcb

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #38 on: July 20, 2003, 10:38:47 AM »
JusMe,

I have in fact a couple of process viewers..started using them when I discovered RPCSS.exe in my TaskKiller list -wanted to find out about it.

And yes, I too have killed RPC on several occasions, without any apparent effect on Avast, but I wasn't sure if it was affecting its ability to do its job properly.
You say that
Quote
NOT ONE PART OF RPCSS IS USED FOR UPDATING (we all know that now) OR KEEPING THE PROGRAM FUNCTIONAL
..but if Avast needs the service to communicate between its modules, won't killing it prevent this "communication"?

Raman doesn't seem too keen on your dll renaming trick. I expect it's fine to do it, but I'm afraid I'm still not 100% convinced.
I think I'll wait for more opinions, with respect.

all the best,
PcB


FlashFlood

  • Guest
Re: Avast/RPCSS.exe accessing the internet...
« Reply #39 on: July 20, 2003, 03:59:25 PM »
Hello!

I have a dial-up connection, and so every time Avast! tries to access the net on its own whim it can cost me money, and it's also a waste of time and an annoyance.

I tried the RPCSS dll solution, but apparently on WindowsME it isn't as effective as on other platforms, because Avast!/RPCSS still initiated a dial-up connection at startup.

Also, on WinME it's much harder to rename the dll in the first place: the renaming needs to be done in Safe Mode, because otherwise the automatic System File Protection (SFP) restores a copy of the file within seconds after it is modified!

I thought I'd include some info from my firewall program in case this can assist anyone:

Connection origin :File Version :      4, 0, 234, 0
File Description :   avast! antivirus service
File Path :      C:\Program Files\Alwil Software\Avast4\ashServ.exe
Process ID :      FFFEC159 (Heximal) 4294885721 (Decimal)

   local initiated
Protocol :      ICMP
Local Address :    203.220.231.46
ICMP Type :      8 (Echo Request)
ICMP Code :       0
Remote Name :      www.avast.com
Remote Address :   64.246.6.135

Ethernet packet details:
Ethernet II (Packet Length: 44)
   Destination:    20-53-52-43-00-00
   Source:    44-45-53-54-00-00
Type: IP (0x0800)
Internet Protocol
   Version: 4
   Header Length: 20 bytes
   Flags:
      .0.. = Don't fragment: Not set
      ..0. = More fragments: Not set
   Fragment offset:0
   Time to live: 64
   Protocol: 0x1 (ICMP - Internet Control Message Protocol)
   Header checksum: 0xb675 (Correct)
   Source: 203.220.231.46
   Destination: 64.246.6.135
Internet Control Message Protocol
   Type: 8 (Echo Request)
   Code: 0
   Data (4 bytes)

Binary dump of the packet:
0000:  20 53 52 43 00 00 44 45 : 53 54 00 00 08 00 45 00 |  SRC..DEST....E.
0010:  00 1C 0A A3 00 00 40 01 : 75 B6 CB DC E7 2E 40 F6 | ......@.u.....@.
0020:  06 87 08 00 EC FF 02 00 : 09 00 00 00             | ............    



I'm not totally sure about this, but I think that RPCSS is also responsible for the Scandisk disruptions which have been an issue for some users (see separate thread: scandisk).

Overall, RPCSS seems to me to be an outdated, annoying, and unreliable protocol.

Anyway, that's all. For now...

Cheers.
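
[Added example, not part of FlashFlood's post or of avast!: a short Python decoder for the hex dump in the firewall log above. It checks the IPv4 and ICMP checksums and tests whether the packet touches port 135. The function names are illustrative.]

```python
import struct

# Hex bytes copied from the firewall log above (offset and ASCII columns dropped).
DUMP = """
20 53 52 43 00 00 44 45 53 54 00 00 08 00 45 00
00 1C 0A A3 00 00 40 01 75 B6 CB DC E7 2E 40 F6
06 87 08 00 EC FF 02 00 09 00 00 00
"""

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 and, if present, ICMP or TCP/UDP ports."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[0] >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    header, payload = ip[:ihl], ip[ihl:total_len]
    info = {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "ttl": ip[8],
        "proto": ip[9],
        # A valid header sums to zero when the checksum field is included.
        "ip_checksum_ok": inet_checksum(header) == 0,
        "trailing_bytes": len(ip) - total_len,  # padding after the IP datagram
    }
    if info["proto"] == 1 and len(payload) >= 8:
        typ, code, _csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
        info.update(icmp_type=typ, icmp_code=code, icmp_id=ident, icmp_seq=seq,
                    icmp_payload_len=len(payload) - 8,
                    icmp_checksum_ok=inet_checksum(payload) == 0)
    elif info["proto"] in (6, 17) and len(payload) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    return info

def is_rpc_endpoint_mapper(info: dict) -> bool:
    """True only for TCP/UDP traffic to or from port 135."""
    return 135 in (info.get("sport"), info.get("dport"))

PACKET = decode(bytes.fromhex("".join(DUMP.split())))

if __name__ == "__main__":
    for key, value in PACKET.items():
        print(f"{key:18} {value}")
    print("port 135 traffic:", is_rpc_endpoint_mapper(PACKET))
```

[The checksum bytes on the wire are 75 B6 and verify correctly; the log's "0xb675" is the same two bytes shown swapped. The decoded packet is an ICMP echo request with no payload and carries no TCP or UDP port at all.]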

whocares

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #40 on: July 20, 2003, 04:40:37 PM »
Quote
Raman,

Thanks for the input and links. I'm afraid, though that I'm still using 98se, so wonder whether what goes for XP goes for 98se in this case.
Anyway, given what was mentioned on the second link:

Quote
Remote Procedure Call (RPC) (Automatic) -Critical! Leave this set to Automatic. Just about everything depends on this service to be running.

Remote Procedure Call (RPC) Locator (DISABLE) -Manages the RPC name service database. I have not found a reason to keep this service running. If something on your network breaks after you disable this service, put it back to Manual or Automatic.

...which RPC are we talking about here..the locator (seemingly OK to disable), or the former (Critical!) one?

I'm still unwilling to follow Jusme's tip, until more sure of what can transpire.

PcB




Hi, on my W2k-SP4
RPC is set to automatic, but RPC-Locator to manual
I don't know if I set the locator settings myself though ;D ;D
but, no probs here

pcb

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #41 on: July 20, 2003, 04:53:27 PM »
Well, I have renamed the RPCLTSCM.dll as suggested by JusMe.
And RPC is no longer opened up to the net.
I feel much better, so long as no problem occurs as a result.

Thanks Jusme.

PcB

JusMe

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #42 on: July 20, 2003, 09:47:41 PM »
Hi Flash,

Unfortunately, the dll 'chop' will only disable the server (which I'd do whether you're on dial-up, cable or ANY INTERNET CONNECTION, just stop that damn server if it's running : port 135)
I've removed all dial up features from my PC, so not sure which process is responsible for starting your connection, but to be honest, from your report, I'd say it's avast ITSELF, dialing up to check for updates, a TOTALLY separate process from what RPCSS does.
Have you disabled the avast auto update?
As for that system restore...........blahhhhh........

I'm the same as you pcb, not too keen on having to hack away at my system, so I'm as keen to hear the views of the sunburnt techies at avast. lol

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #43 on: July 21, 2003, 12:24:19 PM »
OK guys, I feel lots of you are eagerly waiting for me to write something to this thread but I wish I had something new for you... ;)

I will try to be as technical as possible - I believe there has been enough haggling already. :)

avast! uses RPC for its communication between ashServ.exe and ashDisp.exe (under NT based OSs only). I know most of you are not programmers but I can assure you that using RPC for such a purpose is a completely normal, supported, and recommended way of doing such things, and there must be hundreds of Windows programs that do just the same... And, in fact, Windows itself uses LRPC (i.e. local RPC) for internal communication between some of its parts. It's not that it is "listening on a port" - RPC is just a shell on top of other protocols (transports). One of these protocols is TCP/IP (so only in this case we could be talking about listening on a port), but avast does not use it. It just uses the LRPC - a custom, Windows-proprietary protocol that never ever touches the network and that you really don't have to worry about - next time, you could have concerns about the security of displaying blue bitmaps on your screen, -- a little paranoid, don't you think...? What I'm trying to say is that (the consumer edition of) avast never uses RPC for any kind of network communication, be it updating or anything else.

- the other thing is that all the RPC stuff is hosted in the RPC service (RPCSS), and I'm not familiar with a way to selectively disable RPC's individual transports. If the DLL hack you've described works, good for you. But please note that what you're doing has really nothing in common with avast -- the RPC service is part of Windows (and by default, it's ON). If you don't like it, you can disable it (or otherwise hack it) but you must be prepared that some other apps just won't work. E.g. both Exchange Server and Outlook rely heavily on RPC over TCP/IP (as do things like NFS under Unix, though - just FYI).

Hope this helps,
Vlk
If at first you don't succeed, then skydiving's not for you.
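
[Added example, not part of Vlk's post or of avast!: a Python check that reads Windows `netstat -an` output and reports sockets bound to port 135, the TCP/IP transport case discussed in this thread, together with the scope of the address they are bound to. The sample output is constructed and the function names are illustrative.]

```python
import ipaddress
import re

# Constructed sample of `netstat -an` output (not taken from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    127.0.0.1:1030         *:*
"""

# proto, local address, local port, foreign address, optional state (UDP has none)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def bind_scope(addr: str) -> str:
    """Classify the address a socket is bound to."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_unspecified:          # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback-only"
    return "single-interface"

def port_listeners(netstat_text: str, port: int = 135) -> list:
    """Return (proto, address, scope) for sockets waiting on `port`."""
    hits = []
    for row in netstat_text.splitlines():
        m = ROW.match(row)
        if not m:
            continue                # header or blank line
        proto, addr, local_port, state = m.groups()
        if int(local_port) != port:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue                # established or closing connection
        try:
            scope = bind_scope(addr)
        except ValueError:
            scope = "unparsed"
        hits.append((proto, addr, scope))
    return hits

def network_reachable(netstat_text: str, port: int = 135) -> list:
    """Listeners on `port` that are not confined to the loopback address."""
    return [h for h in port_listeners(netstat_text, port) if h[2] != "loopback-only"]

if __name__ == "__main__":
    for proto, addr, scope in port_listeners(SAMPLE):
        print(f"{proto} {addr}:135 -> {scope}")
```

[An empty result from `network_reachable` means no socket on port 135 is bound to a network-facing address. A firewall rule for inbound 135 remains a separate control.]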

pcb

  • Guest
Re:Avast/RPCSS.exe accessing the internet..worried user
« Reply #44 on: July 21, 2003, 02:31:56 PM »
Vlk,
Good to hear from you..hope you enjoyed your holiday.

After all the initial brouhaha, I am now happy that the RPC issue is not of serious concern. However, Avast does launch it as a process, and mine has regularly sought access to the net, and has received data, as you can see from my postings.

You say that
Quote
avast! uses RPC for its communication between ashServ.exe and ashDisp.exe (under NT based OSs only)

...if this is so, then it is not used by Avast on 98se systems (mine). Why, then, is it then launched?- surely you could write the program so that it isn't, on non NT base OSs? Maybe in the next version?

For now, is there any way for us to prevent its launch by Avast, in our present installations!?  (out of sight, out of mind).

Thanks for your prompt response, and many thanks for a great program. Wish I had thought of downloading it long ago.

All the best,

PcB

 
« Last Edit: July 21, 2003, 02:39:12 PM by pcb »