Why Is Avastsvc.exe Listening/Connecting Via Svchost.exe Port 135 RpcSs

[DonZ63]

Win 7 x64 SP1, Avast! 6.0.1289

I am configuring WIN 7 firewall for outbound protection and I have observed some strange activity pertaining to avastsvc.exe.

I have Avast's web shield set to "only connect to well known browsers". Therefore as I understand it avastsvc.exe should only be using TCP port 12080 to/from localhost 127.0.0.1 and outbound TCP port to port 80.

So why do I have a avastsvc.exe process listening on port 135 and using svchost.exe RpcSc services? See below netstat -anob output.

[DonZ63]

Here's a second pic showing a connect to a RIPE server in Germany. I am in the US.

[DavidR]

1. It doesn't follow that it will only monitor port 80, just take a look at the avastUI, Settings, Troubleshooting, Redirect settings for the web and you will see many more than just port 80. Effectively it will monitor http protocol traffic on whatever port is used. Also look at the redirect ports for the Mail SMTP, POP, IMAP and NNTP ports, generally the local port will have 12 in front of these ports.

The avastSvc.exe manages all of the shields and all of the ports that those shields redirect on, namely the Mail shield, 12110, 12119, 12143, the secure redirects also 12465/12563/12993, etc. etc.

2. You are aware that the avast forum server is located in Germany and the IP is the one in your image 178.63.99.109.

In all honesty trying to micromanage the avastSvc.exe settings in a firewall is a little like peeing into wind, lots of effort for little return.

[DonZ63]

Not trying to micro manage anything.

The outbound rule I have for avastsvc.exe in WIN 7 firewall is to allow all. No restrictions on protocol, ports, etc. Yet I keep getting popup alerts from the firewall on svchost.exe connections. Appears avastsvc.exe is doing activity that the WIN 7 firewall does not like.

I have allowed both RpsSc services which I really should not have to and I am still getting firewall alerts.

I am allowing TCP port 21, 80, 443, and 1935 outbound for IE8. I also have a separate rule for IE8 to allow outbound TCP to port 12080 localhost 127.0.0.1.

I do not have a firewall rule for avastsvc.exe inbound.

I never received a firewall alert for avastsvc.exe by the way. 

[DavidR]

Svchost.exe, in case you aren't aware is also used to connect to do windows updates and these connections would also be http. So you would have to make an appropriate rule for that.

Since you checked the "only connect to well known browsers" the avastSvc.exe (web shield) shouldn't be monitoring this.

So the popups for svchost.exe are unrelated to avast as far as I'm aware.

[DonZ63]

I just found something interesting and disturbing. If I set web shield to monitor all outbound connections, it bypasses WIN 7 firewall outbound processing! I testing this multiple times by disabling firewall rules for software that does updating and watching them connect with no firewall alerts. When I enable the firewall rule, the connection attempts are blocked.

I don't know what this .1289 update is about but I don't like it one bit.

BTW - I am still getting firewall alerts on outbound activity and they are always when I am connected to this forum.

[CraigB]

You'll save yourself alot of time and effort by restoring default settings to the windows firewall and install a third party firewall which is more easyly configured imo.