
Firewall Logs


17 replies to this topic

#1 Beaker77


Posted 13 May 2015 - 11:08 AM

I have been using PrivateFirewall for a long time and it works perfectly for me.

 

When I recently changed my AV from AVG 2015 Free to Avast Free, the number of FW logs increased enormously. On checking the Local IPs, they are all private addresses to do with the Internet. My FW blocks them. If I rate these IPs as "trusted", it reduces the number of logs, but as the Remote IPs often differ for the same Local IPs, the logs keep coming.

 

Why did this happen when I changed my AV to Avast, and how can I stop it?





#2 shelf life


Posted 13 May 2015 - 05:20 PM

Private IPs are local network traffic; they aren't routable to the internet. Maybe Avast is using a "cloud" real-time technology? Turn off logging? A log may be helpful.


How Can I Reduce My Risk to Malware?


#3 Beaker77


Posted 14 May 2015 - 03:08 AM



Private IPs are local network traffic; they aren't routable to the internet. Maybe Avast is using a "cloud" real-time technology? Turn off logging? A log may be helpful.

This avalanche of FW logs only happened when I installed Avast.

 

My puzzle is that if Avast is generating these private IPs for some process reason, then my FW is blocking them - Catch-22. Does that mean Avast is being restricted? I have no idea what all these IPs mean or what they are supposed to be doing.

 

An example is shown below. Most of these logs appeared whilst my PC was on Standby. The up arrow is outgoing and the down arrow is incoming.

 

[attached screenshot: PrivateFirewall log entries]



#4 Didier Stevens


Posted 14 May 2015 - 02:41 PM

There is one outgoing ICMP connection to an IP address that is owned by AVAST. That looks normal to me.

 

Most of the other ICMP and IGMP packets are incoming. I don't have enough information to know if they are replies.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Beaker77


Posted 15 May 2015 - 02:58 PM

There is one outgoing ICMP connection to an IP address that is owned by AVAST. That looks normal to me.

 

Most of the other ICMP and IGMP packets are incoming. I don't have enough information to know if they are replies.

I find it confusing that legitimate IPs are being blocked by PFW. I do not even know the purpose of this IP traffic.

 

Are all IPs with 255.255 etc. to be trusted?

Will it help if I put PFW in training mode for a while in the hope that it establishes its own rules from activity patterns? I do not honestly know what to do best.

It goes against the grain to trust something I know nothing about just to cut down FW logs.


Edited by Beaker77, 15 May 2015 - 03:00 PM.


#6 Didier Stevens


Posted 17 May 2015 - 05:31 AM

I'm not familiar with PFW, can't advise you on training mode.

Do you mean 255.255.255.255? That's a broadcast address.



#7 Beaker77


Posted 17 May 2015 - 08:26 AM

I'm not familiar with PFW, can't advise you on training mode.

Do you mean 255.255.255.255? That's a broadcast address.

Dear Didier,

 

I really am at sea with these addresses and know nothing about them.

No, not all 255s, like this for example - 239.255.255.250.

 

Is a broadcast address legitimate? They all seem to be normal communications between something and something, but if they are legitimate, why does my FW block them? And if they are blocked, what does that mean to the communication if it is necessary?

 

I have had my PFW on a 3-day training mode. The avalanche of logs appears to have reduced. From what I understand, PFW forms its own rules during training relative to activity traffic and decides whether the signal is legitimate or not. Don't ask me how, sheer magic I guess.

 

It has come out of training mode now, we will see what happens.


Edited by Beaker77, 17 May 2015 - 08:35 AM.


#8 shelf life


Posted 17 May 2015 - 10:28 AM

This guide may help:

 

https://www.privacyware.com/PF_User_Guide.pdf




#9 Beaker77


Posted 17 May 2015 - 02:13 PM

Thanks, that is very interesting. I have bookmarked it.



#10 Didier Stevens


Posted 17 May 2015 - 03:49 PM

239.255.255.250 is a multicast address used for the SSDP protocol, which is used by Universal Plug and Play (UPnP).

I assume you've heard of UPnP? It's very likely that you have this on your local network.

 

Usually, in learning mode, firewalls will consider the traffic they see as normal traffic, and will not alert you if this traffic is seen when learning is done.




#11 Beaker77


Posted 19 May 2015 - 02:16 PM

239.255.255.250 is a multicast address used for the SSDP protocol, which is used by Universal Plug and Play (UPnP).

I assume you've heard of UPnP? It's very likely that you have this on your local network.

 

Usually, in learning mode, firewalls will consider the traffic they see as normal traffic, and will not alert you if this traffic is seen when learning is done.

Didier,

 

Almost all the blocked logs are IGMP and ICMP. Please tell me if these are OK to be blocked.



#12 Didier Stevens


Posted 19 May 2015 - 04:20 PM

Do you use ICMP? You use the ICMP protocol when you use commands like ping and tracert.


Edited by Didier Stevens, 19 May 2015 - 04:29 PM.



#13 Beaker77


Posted 20 May 2015 - 09:49 AM



Do you use ICMP? You use the ICMP protocol when you use commands like ping and tracert.

I have no idea where they came from, certainly do not use them, but they don't seem to do any harm as far as I am aware.

 

An Avast scan listed the following as being files they could not access.

 

[attached screenshot: Avast scan list of files it could not access]



#14 Didier Stevens


Posted 20 May 2015 - 11:55 AM

If you don't use it, you can block ICMP and IGMP.

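As an added example (not code from the thread, from PrivateFirewall or from Avast), this Python script sorts firewall log entries into the address classes discussed above (private ranges, the 239.255.255.250 SSDP/UPnP multicast address, 255.255.255.255 broadcast) and attaches the triage note from posts #10 and #14 for LAN discovery noise and unsolicited inbound ICMP/IGMP. The log format and every address in it are constructed for illustration and are not a real PrivateFirewall export.

```python
import ipaddress

# Constructed sample lines in a simple "direction proto local remote" form,
# loosely modelled on the thread's description; not a real PrivateFirewall export.
SAMPLE_LOG = """\
in  IGMP 192.168.1.10 224.0.0.1
in  UDP  192.168.1.10 239.255.255.250
in  UDP  192.168.1.10 255.255.255.255
out ICMP 192.168.1.10 1.2.3.4
in  ICMP 192.168.1.10 1.2.3.4
in  TCP  192.168.1.10 192.168.1.1
"""

SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")


def classify_address(text):
    """Label the address class so a log reader can tell LAN noise from internet traffic."""
    ip = ipaddress.ip_address(text)
    if ip == SSDP_MULTICAST:
        return "multicast (SSDP/UPnP discovery)"
    if ip.is_multicast:
        return "multicast"
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast"        # checked before is_private, which also matches it
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private, not routable on the internet"
    return "public"


def triage(log_text):
    """Parse the constructed log and attach a triage note to each entry."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        direction, proto, local, remote = line.split()
        label = classify_address(remote)
        if proto in ("ICMP", "IGMP") and direction == "in":
            note = "unsolicited inbound ICMP/IGMP; blocking it is harmless if you do not use ping/tracert or multicast"
        elif "multicast" in label or "broadcast" in label:
            note = "LAN discovery traffic; blocking it only affects local device discovery"
        elif direction == "out":
            note = "outbound from this host; expected if a local program (e.g. the AV) initiated it"
        else:
            note = "inbound from a specific host; review"
        rows.append((direction, proto, remote, label, note))
    return rows
```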


#15 Beaker77


Posted 20 May 2015 - 01:47 PM

If you don't use it, you can block ICMP and IGMP.

Brilliant Didier. That is all I wanted to hear. So it is over to PFW.

Thank you.





