Topic: outgoing connection avast!service to 192.168.101.1 port 8080

NewbieAvastUser

  • Guest
outgoing connection avast!service to 192.168.101.1 port 8080
« on: January 23, 2011, 12:28:12 AM »
I just recently uninstalled Symantec because it was using up nearly 300MB of RAM.  So I'm new to Avast (free edition).  It works fine when I'm on my WLAN at home, but when I'm in a cafe, I repeatedly get the warning from Kerio Personal Firewall 4 that Avast!Service is establishing an outgoing connection to 192.168.101.1 port 8080.  The message is gone at the moment, but I believe that it said something to the effect that the remote end has a domain name that includes "boldstreet", which I see a lot when accessing public WiFi from various establishments.

The closest topic I can find in this forum is http://forum.avast.com/index.php?topic=58035 .  But I'm not sure exactly how much it corresponds to my situation.

I have several questions.

1. Why does this warning only show up on cafes, but not at home?

2. I'm not an IT person, but from web surfing, 192.168.xxx.xxx are addresses for intranets.  Why would Avast be accessing an intranet address?

3. If it is a legitimate access, what is the most restrictive firewall rule I can create to allow such accesses and not be bothered by such messages?

Thanks!

sded

  • Guest
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #1 on: January 23, 2011, 12:38:45 AM »
1.  Did you uninstall Symantec using the special Symantec uninstall tool available from their site?  If not, use it first, then uninstall and reinstall Avast! to avoid future problems.
2.  This is indeed a local address, probably a redirection to a server that takes information about you for the public wifi system you are using, whether paid or logon for customers.  Since Avast! is a proxy for http port 8080, all the traffic from your browser actually goes out via Avast! to the intranet/internet.
3.  KPF should allow you to make an avastsvc.exe allow rule for tcp out that specific IP and port.  KPF probably already allows access  routinely for port 80, although I am not using it.

NewbieAvastUser

  • Guest
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #2 on: January 23, 2011, 01:03:02 AM »
Hey, sded,

I browsed about for quite some time before attempting to uninstall Symantec, because I knew of its history of being problematic to uninstall.  I wasn't able to locate the tool on their site, but I did come across comprehensive instructions at their site, including manual registry scrubbing.  I did that instead.

For question 1 & 2, I'm still not sure why the behaviour would differ in the public WiFi versus home WiFi.  Do you understand enough about the difference to have a suspicion about the reason?

About question 3, I wanted to avoid trial and error in setting up a firewall exception.  The simplest guess would be to allow the Avast!Service app (wherever it's located) to access the IP address port 8080 for outgoing traffic, and also specifying the kind of traffic reported (TCP/UDP).  But I'm hesitant to do this because this seems to only be an issue at the cafe and because my understanding of network protocols is a bit handwavy.  I was hoping to understand the reason for all of those parameters and when they might change (e.g. at home) so that I could create one rule for both situations (if such a rule would not be too open).  I understand tidbits, such as port 80 being the same as 8080, and it is the port that a web server listens to for client requests over http.  But why would my browser, going through avast, go to an intranet site?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #3 on: January 23, 2011, 01:13:56 AM »
Norton removal tool #26a   http://uninstallers.blogspot.com/

192.168. IP range, is that not for routers ?

sded

  • Guest
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #4 on: January 23, 2011, 01:23:53 AM »
At home, are you using your own modem/router and ISP?   Usually public wifi is set up with its own server on the lan (or router firmware) (IP 192.168.101.1, listening on port 8080 in this case) along with the users to take care of authentication-you either pay, or log in with a password as one of their customers, or share the service in some other way.  Often you are redirected by the wireless router when you try to log in to an initial website, although some may be accessed directly.  After that is satisfied, you are connected to the routed internet modem.  I also use a lot of public wifi, and most work this way except for open repeaters which are just routers you log onto that someone has not secured.
Port 80 is the standard port for internet (http) requests, but 8080 is a legal alternate used by many websites.  If you look in Avast!/settings/troubleshooting/redirect settings you will see that there are some other fairly standard http ports that Avast! also intercepts and virus checks for you-whether on the intranet or internet.
You should already have a KPF rule that allows TCP out by avastsvc.exe on port 80-you couldn't get to the internet otherwise.  So yes, the simplest thing you can do is just add port 8080 to that rule-there are even some real internet sites that might get blocked otherwise.

NewbieAvastUser

  • Guest
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #5 on: January 23, 2011, 02:00:29 AM »

Thanks, Pondus.  As a first option, I'd rather not assume that remnant registry mods are the source of the problem and go to a third party site to download a tool.  I'd rather first understand the redirection and try to create a suitable rule.  Is there any reason why Symantec remnants are being identified as the likely cause in my circumstance, considering the behaviour that I'm observing?

As for the 192.168.xxx.xxx address range, my understanding comes from web surfing.  It is for enterprise intranets, as far as I can determine.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #6 on: January 23, 2011, 02:53:41 AM »
Well, you could go to the source site (though the uninstallers.blogspot.com is fine). Norton has a bit of form at leaving remnants behind and that can cause issues with the next security installation. Though I have to admit that that should theoretically be the same if you are at home or a cafe.

A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT
Or ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

The 192.168.xxx.xxx range of IP addresses are local networks in general and not specifically Enterprise intranets, see image of what my firewall reports as my IP address.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

NewbieAvastUser

  • Guest
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #7 on: January 23, 2011, 03:11:55 AM »
My home ADSL box serves as a modem and router.  As a router, it provides ports for wired ethernet LAN and it serves as a WiFi access point.  I understand what you say about logging in, but my firewall popups for 192.168.101.1 are well after logging in.  For example, when I'm streaming in a recorded webinar, I am getting the popups all the time.  Very frustrating.

I am trying to understand your comment about redirection...while the general *concept* of redirection is simple, I don't know the details.  What follows might sound quite naive, but thanks for any clarification.

Does the public WiFi access point simply intercept requests for webpage downloads and act as the middleman, going out to the URL, getting the content, and providing it to the WiFi client?  In this scenario, why would the WiFi client have to know about the existence of the middleman at all?  In other words, why would the client even attempt to access 193.168.101.1?

Alternatively, does the access point somehow inform the WiFi client that they have to explicitly resubmit the webpage request using an intranet address (193.168.101.1)?  I'm not sure how that would work, but that would certainly cause the WiFi client to attempt to access 192.168.101.1.

I did "ipconfig /all" and found that all of the following are set to 192.168.101.1:
•Default Gateway
•DHCP Server
•DNS Servers

Also:
•Lease is for approximately 30 minutes
•Protocol: TCP
•Local port for outgoing request 0.0.0.0:xxxx
  - "xxxx" represents various 4-digit integers

The rule I created was to permit the following:
•App: c:\program files\alwil software\avast5\avastsvc.exe
•Direction: Outgoing
•Protocol: TCP
•Created IP group "Intranet"
  - Address: 192.168.0.0
  - Mask: 255.255.0.0
•Local end: Any
•Remote end:
  - Address: "Intranet" IP group
  - Port: 8080

I could not find a pre-existing rule for avastsvc, but the above new rule seemed to solve the problem.  However, my vague familiarity of how to set up this rule was not gotten through any formal computer networks education, so I'm not sure if the rule is too loose.  And it's still not clear why this problem didn't show up at home.

NewbieAvastUser

  • Guest
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #8 on: January 23, 2011, 06:41:23 AM »
Thanks, David.

What I uninstalled was the enterprise version of Symantec, I believe.  I looked up Symantec on Wikipedia and learned that Norton was the consumer side of the business, so I was wondering if it is wise to use the Norton removal tool.

My gut feeling is that Symantec remnants is not a likely candidate cause for the behaviour I see.  This is because they had a fairly extensive manual procedure I followed to remove it.  Of course, it's just a guess, so your take on the likelihood is also welcome.

sded

  • Guest
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #9 on: January 23, 2011, 03:31:16 PM »
Your ipconfig/all identifies 192.168.101.1 as your router address.  Is this at home or at a cafe?  Don't know why it should pop up frequently, though.  Maybe part of the hotspot record keeping?  Or because of some other KPF rule?  In any case, if the new rule stops the popups you should be OK with a TCP out like that.
Redirection just means that until you are authenticated by the hotspot, your DNS requests to go to the internet are routed to a LAN address.  After you sign on, they should be routed to the internet as usual.

NewbieAvastUser

  • Guest
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #10 on: January 23, 2011, 06:02:50 PM »
192.168.101.1 was the router address in the cafe.  Maybe it is hotspot bookkeeping.  No other KPF rule appears to be pertinent, but then again, I'm not an expert and KPF 4 is kind of complicated compared to their 2.x personal firewalls.

Glad to hear your opinion of the sanity of the rule.  The thing that concerned me is the possibility that it might allow web page requests from another IP address in the intranet, including other WiFi clients.  Maybe that's getting too paranoid.

Thanks for the clarification on redirection.  Makes me more certain that redirection isn't happening after login.
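
An added example, not part of any post in this thread: a small model of the outgoing rule from Reply #7, compared with a variant narrowed to the cafe gateway alone, to show which destinations each one lets avastsvc.exe reach. The OutboundRule class and the connection attempts are constructed for illustration and are not KPF's rule format; the rule is modelled as matching only connections that avastsvc.exe itself initiates (Direction: Outgoing).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class OutboundRule:
    """Hypothetical model of a per-application outgoing allow rule."""
    app: str
    protocol: str
    remote_net: ipaddress.IPv4Network
    remote_port: int

    def allows(self, app, protocol, dst_ip, dst_port):
        # Every field must match; anything else falls through to "ask/deny".
        return (app.lower() == self.app.lower()
                and protocol.upper() == self.protocol
                and ipaddress.ip_address(dst_ip) in self.remote_net
                and dst_port == self.remote_port)

AVAST = r"c:\program files\alwil software\avast5\avastsvc.exe"

# Rule as posted: "Intranet" group = 192.168.0.0 mask 255.255.0.0, port 8080.
POSTED = OutboundRule(AVAST, "TCP",
                      ipaddress.ip_network("192.168.0.0/255.255.0.0"), 8080)
# Narrowed variant (assumption): only the gateway reported by ipconfig /all.
GATEWAY_ONLY = OutboundRule(AVAST, "TCP",
                            ipaddress.ip_network("192.168.101.1/32"), 8080)

# Constructed connection attempts: (application, protocol, remote IP, remote port)
ATTEMPTS = [
    (AVAST, "TCP", "192.168.101.1", 8080),    # cafe gateway from the thread
    (AVAST, "TCP", "192.168.101.57", 8080),   # some other host on the cafe LAN
    (AVAST, "TCP", "192.168.1.1", 8080),      # a different private network
    (AVAST, "TCP", "192.168.101.1", 80),      # same gateway, other port
    (AVAST, "UDP", "192.168.101.1", 8080),    # same endpoint, other protocol
    (r"c:\temp\other.exe", "TCP", "192.168.101.1", 8080),  # other program
]

def compare(attempts=ATTEMPTS):
    """Return (remote, posted_rule_allows, gateway_only_allows) per attempt."""
    return [(f"{proto} {ip}:{port}",
             POSTED.allows(app, proto, ip, port),
             GATEWAY_ONLY.allows(app, proto, ip, port))
            for app, proto, ip, port in attempts]

def scope(rule):
    """Number of remote addresses the rule's address group covers."""
    return rule.remote_net.num_addresses

if __name__ == "__main__":
    print("posted rule covers", scope(POSTED), "addresses;",
          "gateway-only covers", scope(GATEWAY_ONLY))
    for remote, posted, narrow in compare():
        print(f"{remote:28} posted={posted!s:5} gateway_only={narrow}")
```

The narrowed variant stops matching as soon as a hotspot uses a different gateway address, so it trades fewer reachable hosts for more prompts on other networks.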

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #11 on: January 23, 2011, 06:49:06 PM »
http://uninstallers.blogspot.com/ also has the removal tool for the corporate version too and it is not third party.

NewbieAvastUser

  • Guest
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #12 on: January 24, 2011, 05:52:40 AM »
Thanks for that, Craig.  The info link for the enterprise version says to use Add/Remove Programs first, and then use http://ca.huji.ac.il/bf/mcafee/NoNav.exe if the uninstall did not succeed.  Accessing a non-Symantec site is what I am trying to avoid as the first course of action.  It's probably just as well, since the instructions don't really specify what it means for the uninstall to fail.  When I used Add/Remove Programs, the client AV seemed to go away, but a check of the registry (as per the Symantec instructions I was following) showed lots of stuff yet to be cleared manually.  As far as I knew, this doesn't necessarily mean the uninstall failed, since I did not know how relevant it was for those registry entries to be present.

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #13 on: January 24, 2011, 06:27:05 AM »
Most of the tools on that site are legitimate ones from the companies themselves, so I'm surprised that that one isn't. Anyway, the tool does not install anything, so no need to worry there; just download it and run it, and then delete it from downloads. Too easy  :)

NewbieAvastUser

  • Guest
Re: outgoing connection avast!service to 192.168.101.1 port 8080
« Reply #14 on: January 25, 2011, 04:17:50 AM »
OK, thanks, Craig.