Author Topic: Avast acting like a Trojan  (Read 19246 times)

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Avast acting like a Trojan
« Reply #45 on: August 04, 2011, 12:54:29 PM »
MrSafe, are you saying that you have set both VPS and Program updates to "Manual" (Avast -> Settings -> Updates) and disabled the Web Shield, and you're still seeing some connections originating from AvastSvc.exe?
If at first you don't succeed, then skydiving's not for you.

Offline MrSafe

  • Newbie
  • *
  • Posts: 19
Re: Avast acting like a Trojan
« Reply #46 on: August 04, 2011, 03:59:09 PM »
Hi Vlk,

I am not sure how VPS is implemented or configured in avast!, but automatic updates were definitely disabled and when I reinstalled it I did not install any of the shields or other features, but you have to install a language pack so that is the only thing that was selected. Immediately after reinstalling avast! it automatically tried to scan, but I cancelled that immediately so that it would have no detections to report. Then I went into the settings and disabled everything I could. At first AvastSvc.exe only triggered 1 firewall alert, but later it made several more attempts.

I have put a lot of effort into my posts on this thread to ensure their accuracy and clarity, but for now I have other things I must do and may not be able to post (I will if possible) so if anyone is concerned about this then please conduct your own 'experiments/analysis'.

In the meantime, I hope you will appreciate my post on this page:

http://forum.avast.com/index.php?topic=82531.15

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9347
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Avast acting like a Trojan
« Reply #47 on: August 04, 2011, 04:58:12 PM »
Quote
MrSafe, are you saying that you have set both VPS and Program updates to "Manual" (Avast -> Settings -> Updates) and disabled the Web Shield, and you're still seeing some connections originating from AvastSvc.exe?

I'm guessing news snippet inside interface is also creating connections, in free versions there are also ads that use net connection. And you also have those community features for FB and Twitter which I assume also use something. Plus I've heard before that avast! was still checking connection even though users disabled updating entirely.
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11765
    • AVAST Software
Re: Avast acting like a Trojan
« Reply #48 on: August 04, 2011, 06:07:38 PM »
Not from AvastSvc.exe (at the moment at least).

Offline ady4um

  • Massive Poster
  • ****
  • Posts: 2667
Re: Avast acting like a Trojan
« Reply #49 on: August 04, 2011, 07:52:24 PM »
Quote
I'm guessing news snippet inside interface is also creating connections, in free versions there are also ads that use net connection.
Both, tray ads and the ads / offers displayed inside the main GUI of Avast, have no (simple and known) way to be avoided (in the Free Edition). So any of those might trigger connections (but I don't know which specific program / process / service will show up in the firewall log).

Quote
And you also have those community features for FB and Twitter which I assume also use something.
If that is indeed the case, then that's a problem. The posts / reports of the OP clearly said he DISabled "everything" he could, and in the last installation of Avast he avoided any "optional" the Avast setup program was allowing to be "non installed".

So those features (and alike) should be either
A_ not even installed, hence not connecting; or,
B_ installed but DISabled, hence not connecting.

So, no "community", no "social", no "credit something", no "shield", no "web something", no "protecting web something sandbox / safe...", not "network something"...

So, either the user hasn't really opted out "everything" (?), or "something" is still connecting to some place. I'm not saying this is completely and absolutely 100% wrong, and I'm not imposing on Avast Software to publish any specific information. Hey, there might be also a possible bug, who knows.

Of course these are not common and usable settings / situations / conditions. The OP is just testing the connections and wants to find out what are they doing (their goal), and if those connections are avoidable. Again, whether Avast Software is able and willing to provide a satisfying answer (that won't make the software "unsafe"), is another issue.

Quote
Plus I've heard before that avast! was still checking connection even though users disabled updating entirely.
As mentioned before in this same topic (and in others too), the "manual" update is only avoiding the "downloading and applying updates" parts of the update process. The "checking for available updates" part is performed in any case (but in "manual update" mode/setting, it shouldn't IMHO and I hope they change this in the near future).

Either way, the OP posted that he deliberately allowed for database updates (and ONLY for them), so "checking for available updates" (whether Avast actually finds an available update or not) *is* indeed allowed and NOT part of MrSafe's questions.

At least, that's how I understood it.
ADD/REMOVE PROGS -> avast -> CHANGE/REMOVE -> REPAIR & REBOOT
Avast! 7 FAQ | FAQ & KB | Docs | Removal Utils | Configure Mail Shield | report FP | License Registration | UNSECURED?

Offline aguy

  • Newbie
  • *
  • Posts: 2
Re: Avast acting like a Trojan
« Reply #50 on: August 05, 2011, 05:33:06 AM »
Mr.Safe, I actually registered just for you.

I happened on this page because I too was looking why this process was throwing out so many network requests.  It is alarming how quickly and suddenly you were attacked.  I am in awe how you maintained your composure in the realm of users like Nesivos and RejZoR.

Nesivos:
"Since I have been posting on this forum for about one year Mr.Safe is the second poster that I have seen who is complaining about avast! connecting to the internet."

Gopher John:
RejZoR,  I agree.  If one doesn't trust their security program, then why are they running it at all?

RejZoR:
Too many to list... but his logo next to his name, "We are supersheep, resistance is futile!" ... really didn't realize he took that to heart...sheesh.

I'm pretty sure this thread will be deleted because we are making this up... after all, how can you and me SUDDENLY be having this problem given the MILLIONS out there who aren't!

So not to threadcap with my dire predictions on the fate of this thread, let me divulge a few thoughts of my own.

1. The files sending data back to Avast.
Avastsvc.exe
avast.setup
AvastUI.exe

2. Common sense tells us that the programs will send data back and forth for the following

a) Program updates (checked every 240 minutes (4 hours))
b) Virus definition updates (checked every 240 minutes (4 hours))
c) Renewing free registrations (1 time a year)
d) Credit Alerts (costs $10/month)
e) Avast Community
f) Avast Community recommended features
g) Avast Community social networking features
h) Webrep

The sheep want you to believe everything Avast is is righteous.  I'm not so sure given how much effort was diverted into trying to pull the wool over your eyes Mr. Safe  ;)

I mean technically, in order for the "Avast Community" to work, you would have to have a list of every file on your computer, or submit every file to a list (upload the file to Avast's servers).  Since this isn't feasible, the next best option is to create a checksum that would represent that file.  So more than likely, Avast is sending a "secret code" back to homebase alerting them of every file you open and how often you access that file.  It is basically the ultimate of ultimate spyware.  You would then have to trust Avast to immediately delete the file and lookup history for your IP.  If not, they know more than your government.

Also running an antivirus requires read privileges for your ENTIRE hard drive, password files and all.  If you want to trust it to remove "virii" you also have to enable WRITE access. 

The fact that people are saying you shouldn't question your antivirus software is *ridiculous*!  And if the response is "you're free to uninstall it" then you should consider not walking away from avast, but RUNNING!

Unless you like lambchops... mmmm.

P.S.  IANAL, nor even a citizen of the Czech Republic so I have no idea the rules or government oversight (if any) they must submit to.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9347
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Avast acting like a Trojan
« Reply #51 on: August 05, 2011, 07:48:29 AM »
CommunityIQ doesn't index your files or list them all or upload them entirely or anything like that. It just logs the data what was the infection name of a very specific (detected) file, its path, filetype and maybe basic structure which is analyzed by the engine itself, user decision when not in auto mode, user decision in Auto Sandbox mode etc. It logs this, packs it and sends to AVAST Software which can then based on this aggregate statistics and get more feedback from its userbase on what are the malware trends, how users behave when something gets detected etc. If you know all this you can provide better protection and make automatic modes better so users don't have to make decisions they don't understand. And that's the whole point of CommunityIQ.
Users giving automated feedback to the vendor so they can improve things.

Offline aguy

  • Newbie
  • *
  • Posts: 2
Re: Avast acting like a Trojan
« Reply #52 on: August 05, 2011, 10:20:59 AM »
I searched the knowledgebase and it is painful to find technical info for modern versions of avast.  It seems there is a lot of glossing over things which is disappointing.  For instance:

Q: What should I know about using avast! 4 together with a firewall?

A: Once you install avast! 4, you will be receiving warnings by your firewall, because avast! tries to connect to our servers - it looks for virus definition file updates and for program updates. You should allow avast! to connect, otherwise the update feature will not work. Here is some useful information:

1) Servers that avast! connects to:
URL: http://www.asw.cz/iavs4pro
IP: 195.70.130.34

URL: http://www.avast.com/iavs4pro
IP: 64.246.6.135

URL: http://www.iavs.net/iavs4pro
IP: 207.44.156.15

URL: http://www.iavs.cz/iavs4pro
IP: 62.168.45.69

Why a professional product can't tell me these things makes it so I cannot recommend to the boss (CEO) to switch Antivirus.

The problem MrSafe may have had was with Web Shield.  As I thought it might work is it sets up a proxy on localhost and scans web traffic over that, however on my machine all web requests were not going to 127.0.0.1, but back to avast's servers?

I tried getting information about web shield, but I have to go back to documentation for 4.8 to get something beginning to look helpful.  http://www.avast.com/download-documentation#tab3  And it only states that Win98 used to do this and setting the network to route through a proxy is no longer needed on NT based OS'.  I'm running Avast free 6.0.1203 and no other antivirus program.

Why should all my web traffic be diverted to Avast's servers?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11765
    • AVAST Software
Re: Avast acting like a Trojan
« Reply #53 on: August 05, 2011, 11:03:01 AM »
Quote
1. The files sending data back to Avast.
Avastsvc.exe
avast.setup
AvastUI.exe

And how did you come to the conclusion that they are "sending data back" (which applies to the original post as well)? Except for avast.setup, which may submit some stuff - such as the false alarms you want to report, files you send from chest, suspicious files from the Community, the connections are there simply to download or look-up something.


Quote
I mean technically, in order for the "Avast Community" to work, you would have to have a list of every file on your computer, or submit every file to a list (upload the file to Avast's servers).  Since this isn't feasible, the next best option is to create a checksum that would represent that file.  So more than likely, Avast is sending a "secret code" back to homebase alerting them of every file you open and how often you access that file.  It is basically the ultimate of ultimate spyware.  You would then have to trust Avast to immediately delete the file and lookup history for your IP.  If not, they know more than your government.

Again, no idea what might have given you the idea that the avast! community works that way - it certainly does not, there's no list of all existing files, nor the list of hashes of all existing files.

On the other hand, when the "file reputation" feature is introduced in the next version of avast!, it actually would be something similar. But we are talking about statistics here - matching a file signature to a particular IP address (i.e. storing thereof) is irrelevant - what matters is just the count, and possibly age, of that file.

Quote
I searched the knowledgebase and it is painful to find technical info for modern versions of avast.  It seems there is a lot of glossing over things which is disappointing.  For instance:

Q: What should I know about using avast! 4 together with a firewall?

A: Once you install avast! 4, you will be receiving warnings by your firewall, because avast! tries to connect to our servers - it looks for virus definition file updates and for program updates. You should allow avast! to connect, otherwise the update feature will not work. Here is some useful information:

1) Servers that avast! connects to:
URL: http://www.asw.cz/iavs4pro
IP: 195.70.130.34

URL: http://www.avast.com/iavs4pro
IP: 64.246.6.135

URL: http://www.iavs.net/iavs4pro
IP: 207.44.156.15

URL: http://www.iavs.cz/iavs4pro
IP: 62.168.45.69

Why a professional product can't tell me these things makes it so I cannot recommend to the boss (CEO) to switch Antivirus.

I'm afraid your quote is from quite a few years ago.
Such a list still exists, it's stored in <avast>\Setup\Servers.def of your avast! installation. The thing is that everything has grown a bit bigger in between - the list is currently a few hundred servers, and may actually change from day to day (to balance the loads on the servers, to allow server maintenance, to add new servers, ...). So I can't really imagine you'd enter these rules into your firewall, and verify the rules every day.
On the other hand, you can set up a mirror in your company (with the managed avast! clients) - so only one computer will access the internet, all your local workstations will update from that local mirror.

Quote
The problem MrSafe may have had was with Web Shield.  As I thought it might work is it sets up a proxy on localhost and scans web traffic over that, however on my machine all web requests were not going to 127.0.0.1, but back to avast's servers?

That doesn't make any sense - avast! is certainly not redirecting all your web requests to avast! servers, that would DDoS the servers immediately :)
I'd say there's something wrong with how you track the connections or the tools you use for that, but I'm just guessing.
« Last Edit: August 05, 2011, 11:11:18 AM by igor »
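The distinction drawn in the post above, between connections that submit data and connections that only download or look something up, can be tested from per-connection byte counts instead of from the mere presence of a firewall alert. This is an added example, not code from the thread or from Avast; the log format, the 4096-byte threshold and every sample value are assumptions constructed here.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: time, process, remote address, remote port, bytes sent,
# bytes received. Format and values are made up (documentation address ranges);
# export the same fields from whatever monitor records byte counts for you.
SAMPLE_LOG = """\
2011-08-05T10:00:01 AvastSvc.exe 192.0.2.10 80 310 420
2011-08-05T10:00:07 AvastSvc.exe 192.0.2.10 80 295 2480112
2011-08-05T10:02:30 AvastUI.exe 198.51.100.7 80 512 18340
2011-08-05T10:05:12 avast.setup 203.0.113.5 80 734112 610
2011-08-05T10:06:00 browser.exe 127.0.0.1 8080 1800 95000
2011-08-05T10:07:00 AvastSvc.exe not-an-ip 80 10 10
"""

SMALL = 4096  # bytes; assumed cut-off between a check/look-up and a bulk transfer


def parse(log):
    """Yield (process, address, sent, received); skip lines that do not parse."""
    for line in log.splitlines():
        try:
            _ts, proc, addr, _port, sent, recv = line.split()
            yield proc, ipaddress.ip_address(addr), int(sent), int(recv)
        except ValueError:
            continue  # wrong field count, bad address or non-numeric counter


def classify(addr, sent, recv):
    """Label one connection by direction and volume of the payload."""
    if addr.is_loopback:
        return "local"     # hop to a proxy on the same machine, never leaves the host
    if sent > SMALL:
        return "upload"    # bulk data leaving the machine
    if recv > SMALL:
        return "download"  # small request, large response (e.g. an update)
    return "lookup"        # small both ways (e.g. an availability or version check)


def summarize(log):
    """Per process: count of each connection kind plus total bytes each way."""
    report = defaultdict(lambda: {"kinds": Counter(), "sent": 0, "received": 0})
    for proc, addr, sent, recv in parse(log):
        entry = report[proc]
        entry["kinds"][classify(addr, sent, recv)] += 1
        entry["sent"] += sent
        entry["received"] += recv
    return dict(report)


def uploaders(log):
    """Processes with at least one bulk outbound transfer."""
    return sorted(p for p, e in summarize(log).items() if e["kinds"]["upload"])


if __name__ == "__main__":
    for proc, e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{proc:14} sent={e['sent']:>8} received={e['received']:>8} {dict(e['kinds'])}")
    print("processes with bulk outbound transfers:", uploaders(SAMPLE_LOG))
```

Volume only separates bulk transfers from checks; what a small request actually contains still has to be read from a packet capture.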

Offline ady4um

  • Massive Poster
  • ****
  • Posts: 2667
Re: Avast acting like a Trojan
« Reply #54 on: August 05, 2011, 03:16:40 PM »
I am sorry I have even participated in this topic. This topic is already "trashed", in a practical sense.

The original questions were technical and specific (and valid), although maybe not specific enough to get a direct answer from people actually knowing those technical answers.

Most posts in this topic are useless, for anyone reading the topic. Almost no concrete information.

If someone from Avast Team wants to add something, great. If for any other user these questions are not "acceptable", then I would tend to think that by now there is no point in adding any new comment of such kind. If anyone else wants to say (rant) about how bad this forum works, or to quote some specific info that proves nothing at all (and shows the limited ability to search for the current real info), then please do all of us a favor...

Obviously anyone is free to keep posting whatever, if it is "inside the rules" of the forum (essentially be respectful, and try your best not to throw false information).

Some actual information was given, including from Avast Team members. The info may or may not answer some of the questions, but it was still useful (for someone).

Now we have people throwing out accusations, guesses, assumptions and what not, and making them appear as facts, without having any kind of real proof. I would even say that I, a simple common user, could easily demonstrate those phrases to be wrong. I won't bother.

MrSafe, I'm sorry your topic went this way. In an open forum, it certainly can happen sometimes. It has happened to me too. Please do NOT interpret this specific topic as a generalization of Avast's forum. I still have some hope that some more real answers or useful information can be posted.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9347
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Avast acting like a Trojan
« Reply #55 on: August 05, 2011, 04:51:57 PM »
Well, I never understood people who expect explanation of things they are not required to be explained. In fact no one explains them in detail. If you'll ask Symantec, Trend Micro, AVG or anyone else about some specific core logic, they won't give you a detailed answer. Why would they? It's a trade secret as such and it just cannot be disclosed.

I also don't quite understand MrSafe part where he's mentioning "sending data to avast!". Sending what data? Sending a ping request to avast! update server to check if its online will trigger an outbound alert in firewall, but it's just a ping packet. Or whatever they use to check, be it a handshake UDP packet or whatever. I mean it's a difference between a small packet and a large chunk of data being sent.

Offline mashak

  • Avast team
  • Jr. Member
  • *
  • Posts: 24
    • LinkedIn profile
Re: Avast acting like a Trojan
« Reply #56 on: August 17, 2011, 01:06:25 PM »
It appears MrSafe has motives other than simply acquiring information and understanding things: https://badwarebusters.org/main/itemview/25859

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Avast acting like a Trojan
« Reply #57 on: August 17, 2011, 01:29:41 PM »
Don't feed the troll.
The best things in life are free.

Offline ady4um

  • Massive Poster
  • ****
  • Posts: 2667
Re: Avast acting like a Trojan
« Reply #58 on: August 17, 2011, 04:46:29 PM »
Well, reviewing the topic, there is a setting that was never mentioned.

Avast -> Settings -> Updates -> Updates Parameters -> "My computer is permanently connected to the internet".

With this setting UNchecked, Avast tries to connect to the servers to assure a connection is possible/available.

With this setting CHecked, Avast doesn't need to check the availability of a working connection.

This may reduce the number of connections seen in the firewall (or whichever tool is being used to test/check/log the connections).

This comment of course doesn't contradict any other post in this topic.