22

I have a Toshiba notebook, which came with Norton Internet Security. In addition, I have installed Avast.

I received a warning from Norton about an OS Attack: GNU Bash CVE-2014-6271 intrusion attempt.

Norton "blamed" Avast, in my own computer, for the attempt.

How should I regard the warning?

More details follow.

  1. I was at a hotel.
  2. I had plugged an external long range Wi-Fi adapter into my PC for the first time. It was not operative since I do not have the drivers installed yet, but perhaps it was involved in the attack.
  3. The report is attached below. It mentions 4 items involving 2 different IPs. It is confusing about who was the attacker and who was attacked. OFFICE2 is the name of my computer (unless some device replicated it).
  4. My intention is to let go of Norton when the trial period expires, but for the time being, both are active. The point in question here is beyond the convenience or not of having both active.
  5. I have found only one link with a similar case. It is brief, and in Arabic, I guess.

Report:

Category: Intrusion Prevention
Date & Time:  15/09/2015 01:20:45 p.m.
Risk:  High
Activity:  An intrusion attempt by OFFICE2 was blocked.
Status:  Blocked
Recommended Action:  No Action Required
IPS Alert Name:  OS Attack: GNU Bash CVE-2014-6271
Default Action:  No Action Required
Action Taken:  No Action Required
Attacking Computer:  "OFFICE2 (10.100.105.51, 56941)"
Attacker URL:  10.100.100.1/cgi-bin/a2/out.cgi
Destination Address:  "10.100.100.1, 80"
Source Address:  10.100.105.51 (10.100.105.51)
Traffic Description:  "TCP, Port 56941"

Network traffic from <b>10.100.100.1/cgi-bin/a2/out.cgi</b> matches the signature of
a known attack.  The attack was resulted from \DEVICE\HARDDISKVOLUME4\PROGRAM FILES\AVAST 
SOFTWARE\AVAST\AVASTSVC.EXE.  To stop being notified for this type of traffic, in the
<b>Actions</b> panel, click <b>Stop Notifying Me</b>. 


  • 63
    You should not install several pro-active anti-virus on the same Windows environment. – WhiteWinterWolf Sep 16 '15 at 11:07
  • 9
    Avast has been in the news for actively scanning for router vulnerabilities. It could be that this is a shellshock scan (based on the very limited information provided by Norton in the report). [Their blog](https://blog.avast.com/2014/11/04/avast-2015-new-feature-home-network-security-scanning/) discusses it, as does e.g. [this news post](http://securitywatch.pcmag.com/hacking/329237-survey-shows-many-home-networks-are-insecure); ' Avast Free Antivirus 2015 includes a scanner that will check for problems with your router configuration' – Rens van der Heijden Sep 16 '15 at 11:32
  • [CVE-2014-6271](http://www.cvedetails.com/cve/CVE-2014-6271/) & [Symantec report](http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27907) – Nikhil_CV Sep 16 '15 at 14:03
  • 1
    Something very wrong with that report. "Attacker URL"? Attackers don't have URLs, and the URL listed has the IP address of the target. The first line of the explanation is also incoherent (same reason). – Ben Voigt Sep 16 '15 at 18:47
  • @Ben Maybe that naming is a bit confusing; since it's detected as outbound traffic, the file path requested is what Attack URL refers to. Suspicious traffic will surely download some bad files in case of an infected system. The host computer (OFFICE2) is the source of the request, which is suspected by Norton as an intrusion. The creator of that traffic/request is AVASTSVC.EXE, residing on the host. – Nikhil_CV Sep 16 '15 at 19:27
  • @Nikhil_CV: But then is the malicious code detected in the request sent by Avast to that URL, or in the response? If the latter, then it would be reasonable to say that the URL is the attacker. But then why is the client listed as "Attacking Computer", rather than the HTTP server? – Ben Voigt Sep 16 '15 at 19:30
  • @Ben Avast may be possibly trying to scan the gateway/router for vulnerabilities. But Norton saw that scan attempt itself as an 'Attack' (because it didn't like the presence? ) Possibly the request is flagged, judging on ports involved. – Nikhil_CV Sep 16 '15 at 19:44
  • Get rid of Norton and many of your problems, including unrelated problems, will go away. – ZaxLofful Sep 16 '15 at 21:05

4 Answers

53

This is probably an issue with the coexistence of multiple real-time AV software. One will suspect the other one's activities as malicious.

Avast is trying to scan your router/default gateway and Norton flags it as malicious here. You should uninstall either of the two as soon as possible.

Running multiple AVs on the machine can have effects like low performance; instead of increasing security, it decreases the security level, causes more false positives, etc. Instead of running multiple AVs, you can supplement your favorite ONE with anti-malware tools like Malwarebytes Anti-Malware or Hitman Pro and observe safe internet usage practices.

Also, when uninstalling either, be sure to use the removal tool provided by the vendor. For Norton: Norton Removal Tool


Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to Windows resource management and significant conflicts that can arise, especially when they are running in real-time protection mode simultaneously. Even if one of them is disabled for use as a stand-alone on-demand scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating system's core, where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste of vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update its definition databases at the same time. As the programs compete for resources required to download the necessary files, this often can result in sluggish system performance or unresponsive behavior.

When scanning engines are initiated, each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "false positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that threat. Each anti-virus may attempt to remove the offending file and quarantine it at the same time, resulting in a resource management issue as to which program gets permission to act first. If one anti-virus finds and quarantines the file before the other one does, then you may encounter the problem of both wanting to scan each other's zipped or archived and update files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found after it has already been neutralized.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of another and may insist that it be removed prior to installation. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms as described above while trying to use it. In some cases, one of the anti-virus programs may even get disabled by the other.

To avoid these problems, use only one anti-virus solution.


Nikhil_CV
  • 2
    Besides the on-demand AVs, a few other good things to run include anti-exploit (EMET and MBAE are the two I can think of), a VPN and/or Tor if you frequent public WiFi, and some of the handful of anti-spyware software if you're paranoid like me :) – timuzhti Sep 16 '15 at 12:40
  • 3
    Browser addons like ublock, noscript, adblock plus, Web of trust are also a handful of tools in browser level protection... I thought of editing my answer reply to add some generic info... – Nikhil_CV Sep 16 '15 at 12:49
  • Mods, may I create a blog / wiki on this (if I have the privilege)? – Nikhil_CV Sep 16 '15 at 12:56
  • @Nikhil_CV I am no mod, but you really should go ahead and create a wiki page for that. – Mindwin Sep 16 '15 at 18:59
  • Looks like this answer is a little product specific. I'll try creating a wiki article after talking via chat/meta to someone who can guide me through creating an enhanced and more generic article to promote the intention of community wiki. Let this article be as it is. :) – Nikhil_CV Sep 16 '15 at 19:18
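
The reading given in the answer above (Avast probing the gateway, Norton flagging the probe) can be checked field by field against the report in the question. The following is an added example, not part of the original posts; the `triage` rule, the finding names and the `known_scanners` set are hypothetical, and the report text is copied from the question.

```python
import ipaddress
import re

# Fields copied from the Norton report in the question; the wrapped process
# path is joined onto one line. Not a live log.
REPORT = """\
Activity:  An intrusion attempt by OFFICE2 was blocked.
IPS Alert Name:  OS Attack: GNU Bash CVE-2014-6271
Attacking Computer:  "OFFICE2 (10.100.105.51, 56941)"
Attacker URL:  10.100.100.1/cgi-bin/a2/out.cgi
Destination Address:  "10.100.100.1, 80"
Source Address:  10.100.105.51 (10.100.105.51)
The attack was resulted from \\DEVICE\\HARDDISKVOLUME4\\PROGRAM FILES\\AVAST SOFTWARE\\AVAST\\AVASTSVC.EXE.
"""

def parse_report(text):
    """Return the 'Key:  value' fields plus the originating process path."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":  ")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    m = re.search(r"resulted from (\\.+?\.EXE)", text, re.IGNORECASE)
    fields["Process"] = m.group(1) if m else None
    return fields

def first_ip(value):
    """Pull the first IPv4 address out of a report field, or None."""
    m = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", value)
    return ipaddress.ip_address(m.group(0)) if m else None

def triage(text, hostname, known_scanners):
    """Hypothetical triage rule: all four checks must hold for 'likely scanner'."""
    f = parse_report(text)
    dst = first_ip(f.get("Destination Address", ""))
    exe = (f["Process"] or "").rsplit("\\", 1)[-1].upper()
    findings = {
        # "Attacking Computer" is this machine, so the traffic is outbound.
        "outbound_from_this_host": f.get("Attacking Computer", "").startswith(hostname),
        # The target is an RFC 1918 address, i.e. a device on the local network.
        "target_is_private": bool(dst and dst.is_private),
        # "Attacker URL" is simply the URL requested on the target.
        "url_host_is_target": f.get("Attacker URL", "").split("/", 1)[0] == str(dst),
        # The sending process is a security product the user installed.
        "process_is_known_scanner": exe in known_scanners,
    }
    verdict = "likely local scanner probe" if all(findings.values()) else "investigate"
    return verdict, findings

if __name__ == "__main__":
    print(triage(REPORT, "OFFICE2", {"AVASTSVC.EXE"}))
```

A process name can be imitated, so confirm the executable's path and digital signature before dismissing the alert.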
2

Just to add, some anti-malware solutions work like a vulnerability assessment sometimes in an attempt to verify a vulnerability or weakness that can be exploited. This test "pattern" has a specific signature that will trigger an alert for other security solutions. For anti-malware software, it is better to have only one to avoid the conflict and confusion.

schroeder
Nader
1

I encountered the same problem. It is indeed a false positive; Norton will alert you every few days, when Avast tries to perform certain scheduled actions. Repairing Avast using the Windows Uninstall/Change Program tool won't help, either.

Also, per my own experience, I was unable to open the Avast launcher to perform scans, or anything else for that matter. However, Avast functioned perfectly within my browsers- blocking sites, tracking, etc. If YOU PERSONALLY are Okay with decreased performance from Avast such as a lack of scanning, and are fine with receiving that notification from Norton... I actually recommend keeping Avast. And Norton. Avast beats even some of the browser add-ons listed here in finding things. Just be aware that's about all it can do while Norton is installed. Norton blocks the actions of most other antivirus programs. Pairing it with tools like MalwareBytes and Reason Core Security, which it won't conflict with, can make quite the security suite.

I know a lot of people don't like Norton, but anecdotally, it DOES find stuff no other Antivirus I've ever used does, as far as real-time protection. So I'm not sure I understand the animosity, aside from the fact it's paid protection, and USED TO suck, once upon a time. There was a period of a couple years where Norton wasn't keeping up with other similar free programs. And it got a reputation as a result. I'm using the free trial currently; when it expires, I'll go with Avast only. But in the meantime, I'll take advantage of the unique strengths of both, and recommend others do the same.

1

I have several PCs in my home network. Norton Endpoint Protection is installed on one of them and Avast! protects the others.

Avast! seems to carry out a kind of network vulnerability check once in a while and Norton detects the check as an attack of WannaCry and gives me a security alert.

The workaround to stop the annoying alert messages is to prevent Avast! from scanning your network for vulnerabilities. You can go to Avast! > Setting > General > Smart Scan and turn off the Network Scan feature.

This solution worked for my environment.

schroeder
Taiki Bessho