Author Topic: AVAST 4 Home TCP-IP Exploit!  (Read 6750 times)


xer

  • Guest
AVAST 4 Home TCP-IP Exploit!
« on: December 29, 2004, 10:37:19 PM »
Hi to all!
I think Avast 4 Home is a good free product for home users, but... it has a problem...

I'm a networking student, and I use my XP Home Edition with SP2 for my exercises..
When I try to scan a PUBLIC IP located on the Internet, or a PRIVATE IP located in my LAN, with a simple tool such as YAPS or Superscan or something else, these programs say that the REMOTE IP has several ports OPEN, for example numbers 21, 25, 110, 143 ......

But that's wrong! ALL the ports on that PC or those PCs are closed!
So, I spent a lot of time trying to understand what was going on... and after I UNINSTALLED Avast..... that's IT!!!
After that, XP and Yaps, without AVAST, say that the remote ports are all CLOSED...

I tried to STOP all the AVAST services, but a problem still remains: XP with AVAST turned off says that a remote IP has just port 21 open...
I repeat, if I activate AVAST again, all the other ports of the remote IP mentioned.. will be shown as open

To FIX this trouble, I MUST uninstall AVAST, no other WAY!

So.... I still remain without AVAST, I hope this post will help, but I need another antivirus.
Thanx anyway


xer

  • Guest
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #1 on: December 29, 2004, 10:44:33 PM »
Got this image

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31299
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #2 on: December 29, 2004, 11:12:29 PM »
OK, you got a few things wrong here.

1] Avast does not open/close ports. That is a task for a firewall (or, if you have one, a router with a hardware firewall).
2] If you look at the ports you mentioned you will see that normally they should be open.
port 21 = File Transfer [Control]
port 25 = Simple Mail Transfer
port 110 = Post Office Protocol
port 143 = Internet Message Access Protocol

Quote
But that's wrong! ALL the ports on that PC or those PCs are closed!
So you mean that the system you scanned isn't capable of picking up/sending mail? (That's what will happen if ports 25, 110 and 143 are closed, unless you have some very strange setup)
If you have Avast installed on the scanned system (or any other av) and on that system it is allowed for the av to scan mail, this is normal behaviour. How do you expect the av to scan mails if it can't receive/send them?

Another thing is that you must never scan for open ports within the LAN (especially when it comes to a student network) but from the outside.

Quote
So.... I still remain without AVAST, I hope this post will help, but I need another antivirus
No you don't need another av, you need to learn how things work. (no offense)
« Last Edit: December 30, 2004, 09:11:52 AM by Eddy »

xer

  • Guest
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #3 on: December 30, 2004, 09:19:32 AM »
Okay, maybe before I was not very clear, well I'll try again.

First step: I have a PC with XP SP2, I did a port scan of a MINE EXTERNAL PUBLIC IP that is a UNIX system and does not have any open ports or any other services...
XP says that the PUBLIC IP has the following open ports: 21, 25, 110, 143 and many others....

Second step: I have a Linux box installed on the same PC as dual boot. I did a port scan of the same MINE PUBLIC IP again, with nmap -O xxx.xxx.xxx.xxx (Public IP), and nmap says that ALL the ports of the remote IP are CLOSED!

Third step: I uninstalled AVAST and left XP without an antivirus, with the Windows firewall also working. I did a port scan of the same MINE PUBLIC IP again, and Superscan this time says that ALL the ports of the remote IP are CLOSED!

So... 2+2=4
Who makes this error? The TCP stack of XP or the Avast antivirus?

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #4 on: December 30, 2004, 11:28:46 AM »
21 (ftp) is hardly related to avast but for the rest (25 [smtp], 110 [pop], 143 [imap]), these ports are opened by the avast mail scanner.

But by default, they're open for localhost access only (unless you've changed this in your avast4.ini file). I.e. remote hosts (either LAN or WAN) shouldn't be able to connect to the ports and/or report them as open.

Isn't this the case on your machine?


BTW it's very unlikely that an uninstall of the program (avast) would be necessary to prevent the machine from opening the ports. Have you tried stopping the "avast Mail Scanner" service?

Ciao
Vlk
If at first you don't succeed, then skydiving's not for you.

xer

  • Guest
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #5 on: December 30, 2004, 12:50:33 PM »
Quote
I.e. remote hosts (either LAN or WAN) shouldn't be able to connect to the ports and/or report them as open.

Isn't this the case on your machine?

Yes, that's right! Finally you understand me!
The remote host doesn't have ANY SERVICE, it is a Unix firewall with all the ports CLOSED!
But with Avast running, XP says that they are open..

Quote
BTW it's very unlikely that an uninstall of the program (avast) would be necessary to prevent the machine from opening the ports. Have you tried stopping the "avast Mail Scanner" service?

Sure! And the scanner works! But it is not useful to have an antivirus stopped... don't you think so?

Goner

  • Guest
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #6 on: December 30, 2004, 07:51:05 PM »
he's right, there is something funny going on ... don't know if it's an exploit, but it is very strange.

when i scan my wireless access point (192.168.1.1) from my PC (192.168.1.2) over the LAN with Avast running, Superscan says that ports 25, 80 and 110 are open on the AP.
that is absolutely not true !! there is only a webserver running on the AP for the GUI interface.

when i close down Avast and scan again, only port 80 shows ... which is correct.
(the AP is an ASUS Wl-300g, running some Linux distro)
« Last Edit: December 30, 2004, 07:57:48 PM by Goner »

xer

  • Guest
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #7 on: December 30, 2004, 09:05:01 PM »
I hope the guys from avast will find a solution about that...

I remember that the Beta version 7 of AVG had the same problem... but not now with XP SP1.... in fact I have tested it again with XP SP2 and AVG causes the same problem...


Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11809
    • AVAST Software
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #8 on: December 31, 2004, 12:59:27 AM »
Vlk, I'd say there's some kind of misunderstanding here. If I understand it correctly, xer says that after installing avast! on machine A, the ports on machine B seem to be open (when scanned from machine A) - which is not possible.

I sort of doubt avast! (or AVG, as you say) can confuse the port scanner such that it reported these results (especially when avast! certainly doesn't have anything to do with port 21, even on the local machine). Did you try some other port scanner?
« Last Edit: January 03, 2005, 11:52:53 AM by igor »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31299
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #9 on: December 31, 2004, 01:07:45 AM »
Quote
I have a PC with XP SP2, I did a port scan of a MINE EXTERNAL PUBLIC IP
If this system (XP SP2) is on the same LAN as the "MINE EXTERNAL PUBLIC IP that is a UNIX System" (as I understand it) he performed the port scan in a wrong way. You can't run a port scan on a public IP from within the LAN itself unless the LAN and the public IP are on different networks.

I could be wrong here, but this is how I understand what he did.

xer

  • Guest
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #10 on: December 31, 2004, 08:45:13 AM »
Quote
If this system (XP SP2) is on the same lan as the "MINE EXTERNAL PUBLIC IP that is a UNIX System" (as I understand it)
You UNDERSTAND WRONG....
My LAN has 3 PCs and it is connected with a simple dial-up...
MINE EXTERNAL PUBLIC IP.... is another provider, another host, another machine, another city.... you understand now? THEY ARE NOT ON THE SAME BROADCAST DOMAIN!
Quote
he performed the port scan in a wrong way. You can't run a port scan on a public IP from within the LAN itself unless the LAN and the public IP are on different networks.
Again.... they are on different broadcast domains... did you understand that?.... and you know what? The problem also exists in a simple LAN like mine...
Example: 3 PCs on a LAN, PC A with avast and XP SP2 scans PC B (it doesn't matter what OS it has), and PC A says that PC B has ports OPEN that are regularly closed...
As Goner did...
I have just found a lot of people that have the same trouble with avast, but it doesn't matter to them because they don't use networking tools... but I do.. so I need to uninstall it.
This post was intended to help the developers FIX this strange thing, and I still think that avast is a good antivirus, but I must uninstall it.
Quote
I could be wrong here, but this is how I understand what he did.
Yep right... you ARE wrong!

Anyway, i wish you a good year and i'm sure you'll find a solution
See Ya guys

Offline lukor

  • Avast team
  • Super Poster
  • *
  • Posts: 1886
    • AVAST Software
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #11 on: January 03, 2005, 11:49:48 AM »
Friends,
avast! automatically monitors every connection to ports 25, 143, 110 (unless modified in the avast4.ini) and checks these connections for viruses. It does this by running the "avast! Mail Scanner" service on the localhost. So, when the port scan is trying to connect to the remote host:110, this connection is intercepted by avast! Thus the portscan program is fooled and thinks remote host has port 110 opened.

Hardly any security threat but I admit it limits the use of port scan programs a little. Fortunately, the solution is simple - you must exclude the portscan process from the automatic virus scan.

Find your avast4.ini ( c:\program files\alwil software\avast4\data\avast4.ini ) and in the section [MailScanner] add (or edit) the following key:

[MailScanner]
IgnoreProcess=portscan.exe

(of course, substitute portscan.exe by the exact name of the portscan's executable)

Multiple process names can be separated with commas.

Lukas
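
One way to tell a connection that was merely accepted from one where a real mail service answered, as an added example that is not part of the original post: SMTP, POP3 and IMAP servers send a greeting first, so a completed handshake with no greeting deserves a second look. The listeners are constructed stand-ins on 127.0.0.1, and the assumption that an intercepting proxy accepts and then drops the connection is not stated in the thread.

```python
import socket
import threading

def probe(host, port, timeout=1.0):
    """Classify a TCP port by what happens after the handshake completes."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"                      # refused or timed out
    with s:
        try:
            data = s.recv(128)               # mail servers speak first
        except OSError:                      # timeout or reset: no greeting
            return "accepted-no-banner"
    if not data:                             # peer closed without greeting
        return "accepted-no-banner"
    return "banner:" + data.split(b"\r\n")[0].decode("ascii", "replace")

def _listen(handler):
    """Constructed stand-in listener on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                handler(conn)
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    # Real service: greets like a POP3 server (constructed banner).
    real = _listen(lambda c: c.sendall(b"+OK POP3 ready\r\n"))
    # Interceptor stand-in (assumption): accepts, then drops the connection.
    intercepted = _listen(lambda c: None)
    # A port nothing listens on: bind to get a free number, then release it.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed = tmp.getsockname()[1]
    tmp.close()
    ports = {"real": real, "intercepted": intercepted, "closed": closed}
    return {name: probe("127.0.0.1", p) for name, p in ports.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

An "accepted-no-banner" result on 25, 110 or 143 is the cue to repeat the scan from a host without the mail scanner, as xer did with nmap from Linux.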

Goner

  • Guest
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #12 on: January 04, 2005, 12:16:20 AM »
Quote
[MailScanner]
IgnoreProcess=portscan.exe
great tip, works like a charm !  ;-)  thanks.

Goner

  • Guest
Re:AVAST 4 Home TCP-IP Exploit!
« Reply #13 on: January 04, 2005, 12:31:28 AM »
Quote
[MailScanner]
IgnoreProcess=portscan.exe
great tip, works like a charm !  ;-)  thanks.