What IP addresses should avast be trying to access?

[greg-au]

Hi all,
I've been using the free version of avast for a while, new to these forums and have a question re the update facility of avast.

Recently (within the last week) most likely due to an update, avast is trying to access IP addresses I've never seen (or perhaps not noticed?) before. In the past I granted access to the web via zonealarm and never got asked again till the last week. Normally that happens when the exe file changes etc and I grant access again, however this time the ip addresses look peculiar and I'm getting multiple requests.

Avast is trying to access addresses I think are wrong: for example.
70.85.96.90, 178.63.99.4, 174.36.159.208 (may have been 207?), 74.86.126.236, 74.55.74.110

Is there an issue here or should I let zonelalarm grant access? When I reverse dns these they go back to softlayer and "the planet" etc

To be on the safe side I've uninstalled avast, ran the cleaner and re-installed 5.1.889 and I'll see if that behaviour continues, but I'd like to know if there is a set ip range or set IP that avast should be accessing for updates.

thanks for your help

Greg

[Lisandro]

server.def file contain the servers accessed by avast during the installation.
Due to balancing the 140+ million users, the IP changes and also the server.def file.

[SafeSurf]

Hello greg-au and welcome to the forum.

There have recently been Avast server changes, and depending on where you live may use a different server as well.  Perhaps the recent changes are why you are seeing different activity.  Thank you.

[stxNTrm06]

"...What IP addresses should avast be trying to access?..."

Avast Antivirus Free Connections

cmd command: netstat -aon

Avast User Interface Connections:

Process:
C:\Program Files\Alwil Software\Avast5\Avastui.exe

Proto  Local Address          Foreign Address        State           PID
TCP    xx.xxx.xxx.xxx:1783    74.86.126.236:443      CLOSE_WAIT      344
TCP    xx.xxx.xxx.xxx:1784    74.86.126.236:443      CLOSE_WAIT      344
TCP    xx.xxx.xxx.xxx:1785    174.37.192.139:443     CLOSE_WAIT      344
TCP    xx.xxx.xxx.xxx:1786    174.37.192.139:443     CLOSE_WAIT      344
TCP    xx.xxx.xxx.xxx:1788    174.37.192.139:443     CLOSE_WAIT      344
TCP    xx.xxx.xxx.xxx:1789    174.37.192.139:443     CLOSE_WAIT      344

Avast Service Listening Ports:

Process
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

Proto  Local Address          Foreign Address        State           PID 
TCP    127.0.0.1:1192         0.0.0.0:0              LISTENING       1836
TCP    127.0.0.1:1193         0.0.0.0:0              LISTENING       1836
TCP    127.0.0.1:1194         0.0.0.0:0              LISTENING       1836
TCP    127.0.0.1:1195         0.0.0.0:0              LISTENING       1836
TCP    127.0.0.1:1196         0.0.0.0:0              LISTENING       1836
TCP    127.0.0.1:1197         0.0.0.0:0              LISTENING       1836
TCP    127.0.0.1:1198         0.0.0.0:0              LISTENING       1836
TCP    127.0.0.1:1199         0.0.0.0:0              LISTENING       1836
TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1836


Update Virus Definitions Connections (uses different addresses and ports):

Process:
C:\Program Files\Alwil Software\Avast5\Setup\Avast.Setup

Proto  Local Address          Foreign Address        State           PID 
TCP    xx.xxx.xxx.xxx:1790    174.120.185.26:80      ESTABLISHED     3004
TCP    xx.xxx.xxx.xxx:1791    87.248.217.253:80      ESTABLISHED     3004


Update Program Connections (uses different addresses and ports):

Process:
C:\Program Files\Alwil Software\Avast5\Setup\Avast.Setup

Proto  Local Address          Foreign Address        State           PID
TCP    xx.xxx.xxx.xxx:1793    74.52.200.114:80       ESTABLISHED     3396
TCP    xx.xxx.xxx.xxx:1794    208.43.71.137:80       ESTABLISHED     3396


Note: Avast.Setup is a "phantom" process, it loads in memory and exists only during update, that's why it appears in Firewall as an "Unidentified Flying Object":



Thanks. 

[Hermite15]

exactly, AvastUI, especially in the free version, accesses constantly tens and tens of IPs on misc servers for advertising purposes (including AIS promotion). Nothing to do with the setup process or upgrade as funnily mentioned by some of the posters above Block these IPs, and Avastfree will keep running properly with no restriction at all.